Look, here’s the crux of it.  In the decade since 9/11/2001, we have spent roughly a trillion dollars on counter-terrorism activities.  A trillion dollars.  This is in response to Osama’s maniacs who killed just over 2,800 people on 9/11.  Of course, that’s awful, and a tragedy.  But at the same time, right around 3,000 people will be killed this month in traffic accidents, and another 3,000 will be killed next month, and the month after that.  We take reasonable precautions against being involved in traffic accidents, but it seems that the same standard of reasonableness is not applied to our (national) precautions against being the victim of a terrorist event.  Virtually all of this trillion-dollar expenditure has been made without any kind of cost-benefit or effectiveness analysis that would demonstrate that these were dollars well spent, or that they have made us safer.

(Incidentally, in researching this subject, I asked a number of people  how many were killed in the 9/11 attacks.  The numbers I got ranged from 5,000 to 25,000, with most clustering around 15,000, or over 5 times the number who actually died.  So as a society we’ve already inflated the damage, and therefore the threat, quite a bit.)

Lots of the people involved with all this spending then say, “we know things you don’t, it’s all very secret, you just have to take our word for it that what we’re doing is right.”  Well, you know, after the firehose of government lying and exaggeration that went into the run-up to the Iraq invasion, I really don’t believe you.  And if the Transportation Security Administration is an example of the quality of your work, I want an immediate audit.

Just in case you’re in danger of falling asleep reading this, here’s the news, in condensed format:

• Our responses to the threats of terrorist attacks on our country (both cyber-threats and regular ordinary terrorist threats) are grossly out of proportion to the actuarial likelihood of either the attack, or the economic or human losses from them;
• Many of the things we do to protect ourselves are ineffective, costly, sometimes make us in fact less secure, and in the bargain threaten our civil liberties and the foundation of the Internet;
• This does not mean that there are no threats to us, of course there are, and we need to prepare to face them;
• But what we need is a measured, focused, risk-driven approach that scales our preventative measures to the realistic dimensions of the threats we face, not an overblown, spend-anything, corporate-greed-driven, go-nuts program.
• Unfortunately, this is what we have going right now.

I’m a cyber kind of guy, and I spend a fair amount of time dealing with cyber-threats for my employer, I’m going to focus this post on cyber-security, but basically the same criticisms hold for terrorist threats against physical targets, too.

Currently the American public is being force-fed a relentless barrage of nonsense in the press, and even in the halls of Congress.  This line of thinking holds that we are as a nation exposed to horrific attacks against our infrastructure by stateless jihadis or hostile governments via the Internet, how we are defenseless against these attacks, how our way of life will vanish, millions will be killed or starve, and so on.

The best (or worst) example of this is the book Cyber War: The Next Threat to National Security and What to Do About It, by Richard A. Clarke (a former cyber-security adviser to the White House) and Richard K. Knacke of the Council on Foreign Relations (2010).  This book serves up 300 pages of the most apocalyptic descriptions of cyber-catastrophe, including chemical plants and refineries exploding and spewing toxins, nationwide power failures, trains sent off the tracks, airliners colliding, networks rendered mute, food shortages, hospitals thrown into chaos, and societal breakdown with widespread looting and rioting.  All this, ” . . . without a single terrorist or soldier appearing in the country.”

Unfortunately, they never offer the slightest shred of evidence that such an attack has ever been tried, or is even technologically feasible, and as such is more a work of speculative fiction than a sober report of the state of our cyber-defenses, whatever they are.  That is typical of this whole discussion: it is driven by point-blank assertions, with no evidence to back them up.  Even when they, or others, allege that such attacks have indeed already taken place, they provide no specifics about the method or the actual losses we have sustained.

In Congress, we have had hearings and public pronouncements by all manner of worthies.  For just one example (I do give examples!) Senator Jay Rockefeller on 3/19/2009 made the following blanket statement:

It would be very easy to make train switches so that two trains collide, affect or disrupt water and electricity, or release water from dams, where the computers are involved.  How our money moves, they could stop that.  Any part of the country, all of the country, is vulnerable. How the Internet and telephone systems work, attackers could handle that rather easily.

If you take this at face value, it does seem pretty scary.  But believe me, as one whose whole career has been in software development and system implementation, just asserting something is  possible a very long way from actually being able to do it.  Mostly, in all the Congressional hearings, and in Clarke and Knacke, all we get is this kind of talk but with no empirical evidence discussing how these attacks would possibly work.  And unfortunately, all this loose talk is treated as the foundation for hundreds of billions of dollars of public expenditures, and this is nuts.

I won’t bore you with further examples of this breathless hyperbole, the references at the end of this post contain many more, if you need further proof.

Why is it we in the public seem to be falling for such histrionics?  I think there are a couple of things at work here.  First, individual people, and people they know, feel vandalized by spam, identity theft, and Facebook account-hijacking by password theft or guessing.  They hear about the theft of corporate and governmental databases, which seem to continue unabated.  They don’t understand how to protect themselves, so they fear the worst, and extend that fear to the country and to the rest of the government.

Another thing at work here is a long-standing generalized fear of technology “moving too fast for us,” a fear that has reared its head in many guises during the last 150-200 years (in other words, since the invention of modern technology):

• Frankenstein came out about the time when electricity was being explored and tamed, and explored the whole concept that somehow we might be able to create and animate soul-less beings through this mysterious power;
• In the book Victorian Internet, there is a whole section devoted to the social and personal stresses brought about by the invention of the telegraph, and these stresses were not inconsiderable;
• The early years of the 20th Century spawned lurid tales of “wire devils,” crooks and confidence men who people felt would exploit and victimize them via the telegraph, because they could not see who they were dealing with face to face;
• After World War II there were large numbers of movies that featured Godzilla or other prehistoric monsters awakened from their unknown lairs by the explosions of atomic bombs, to come ashore and lay waste to humanity, in retribution, I guess, for being bothered.

So, we have a long history of fearing the impacts of technologies we don’t understand and attributing vastly unrealistic powers to them.  This is going on right now, re: the Internet and foreign hackers, in spades.  But as stated in Brito and Watkins (reference below):

Fear is not a basis for policymaking.

And yet, fear appears to be our driving stimulus in this situation.  That is not a good sign.

But using the Internet safely from inside a repressive regime is not necessarily an easy thing to do.  Likely, you would not use your own identity on your posts or in your emails, and even going to certain websites can either be blocked or at least noted for later retaliation.  How would someone go about this, then?  The answer is that there are organizations that provide anonymous proxy services that allow access through sites that are not blocked (yet!) by national firewalls (as in: China, among others).

I point out to you an organization that is working not just to advocate Internet freedom, but providing resources and information to help those trapped within these countries to use the Internet to forward their causes.  Take a look at Access, which describes themselves as:

. . . a global movement premised on the belief that political participation and the realization of human rights in the 21st century is increasingly dependent on access to the internet and other forms of technology. Founded in the wake of the 2009 Iranian post-election crackdown, Access teams with digital activists and civil society groups internationally to build their technical capacity and to help them advocate globally for their digital rights.

If you are proud to think that the technologies we use every day are playing a part overthrowing dictators and oppressive regimes, you might consider participating in or donating to Access or to a similar organization — put your money where your heart is.  Or consider participating in one of their proxy-anonymizer projects.  But get involved — make it happen.

And, if you’re interested in their how-to suggestions on preserving privacy in a repressive country, take a look at this.  Actually, these aren’t bad instructions for US, if you really want to be anonymous in the digital world — you can use these same techniques yourself here at home.

Preparation is about 98% of the battle here, and I’m often dumbfounded at the number of people who are not willing to spend any time to do this.  They don’t backup their data, they don’t know what programs they are using, they don’t know where the CDs are, and especially they don’t have backups of their pictures.  Then, when the inevitable happens, they wander around beating their breasts and rending their garments and saying with incredulity, “is everything really gone?  Forever?”  To them, all I can say is, “yes.”

Preparation

First and foremost, of course, is to have your data backed up to somewhere outside your house.  Go ahead and back it up locally to one of these little external drives if you wish, but even then get another copy of it stored elsewhere.  There are several ways to do this; I have used Jungle Disk, a good solution, but now I’m using Carbonite, which has the advantage of running all the time and backing files up whenever you modify them, to one of the Carbonite data centers.  It’s basic configuration backs up not only your data, music, and pictures, but lots of system-level profiles and stuff so when you do a whole restore, you get a very complete restoration of the machine as you’re used to seeing it.  In addition to this, I use a utility program, MozBackup, to save my Thunderbird-resident email data.

Then, the matter of passwords and website identities.  There are several approaches here, too, including Password Safe, which I used to use, and LastPass, which I now use.  I discuss these options here so I won’t do it again.  LastPass  has also the advantage of being “cloud-resident” so you can access it whenever / wherever so while you’re waiting for your machine to emerge from the Service Department, you will have access to these sites as you yourself, by accessing your LastPass vault from another computer.

This brings up another point, that in addition to preparing yourself to recover your machine, you should plan to get along on borrowed machines while you’re waiting.  Your data files are remotely-accessible from Jungle Disk or Carbonite, so you have data, and Lastpass or Password Safe will let you get at your passwords, but if you use an email client (Thunderbird) as I do, and especially if you have multiple email accounts (as I certainly do!), make sure you know how to get to your mail provider’s webmail portal.  If you use Gmail or another web-resident email system, you already know this and don’t have the same problem.

If you have a lot of programs loaded on your machine, beyond the usual Microsoft etc. programs, it helps to have a list of them — I have about 80 “other” programs of all kinds so this is a big issue with me.  What I do is use the command-line interface (cmd.exe), change my directory to \program files, and execute the following:  dir /b \users\[yourusername]\programs and this will give you  a list of at least every directory that has a program in it, stored in a file called “programs”.  You can figure it out from there.  If you have a 64-bit Windows machine, you will also have to cd to \program files (x86) to get the 32-bit programs, too, and then if you say:  dir /b >> \users\[yourusername]\programs you will have an almost-complete list.  I say “almost” because some of them install inside these directories and there might be three or four actual programs in a directory with the company name on it, so it won’t tell you what actual programs you have installed.  I got fooled by this situation a couple of times.

Linux users have a neat way to do this using apt-get, which will dump all the apt-get commands to a file, which when executed, will reinstall all this stuff in one swell foop.  If you do Linux, look into the apt-get options.

And then finally I strongly recommend that you dump your bookmarks to a text or HTML file, located somewhere Carbonite or whatever will back it up, so you can get to your favorite hundred or so websites without having to remember their URLs.  More on this below.

Recovery

So then, drive croaks, and off to the repair depot it goes.  Thanks to a combination of Carbonite, LastPass, my dumped email addresses, and my dumped bookmarks, I had a reasonable ability to function, cyber-wise, for the three days they had it.  I had access to secured machines both at home and the office, and both Windows and Linux, so I wasn’t afraid to open up my LastPass vault on them.  So, plan went as planned thus far.

Since the drive was dead anyway, I elected to use this as an opportunity to switch from Windows Vista Business 32-bit to Windows 7 Professional 64-bit. They delivered it to me with Win 7 on it, and I immediately used Win Backup to create a system backup file on my external hard drive.  I could have used one of several other OS-image programs but I used the Win system utility.  Then, without taking a moment to do anything else whatsoever, I launched out onto the Internet and downloaded and installed Avast! anti-virus and scanned the whole machine.  So for this machine I’ll be using Win Firewall + Avast! in place of Zone Alarm, which has gotten rather bloated since CheckPoint bought them.  I reviewed the Win Firewall settings, made sure it was on, and then proceeded.

I decided to load as many of my other programs as I could, and then take another OS backup, before I loaded the data back on.  First of course came FireFox, so I had a decent browser to work with, and then the LastPass FireFox plug-in. This immediately reminded me that I wasn’t sure what plug-ins I had loaded, surprise.  So I sat and wracked my brain to remember them.   Then, I just pretty much worked down my list and installed away.  It was at this point that I discovered how many license keys I had managed to not save in LastPass, so I was scrambling to find them, and sometimes I couldn’t until I had recovered my Thunderbird mail files, where I had saved all my registration-response emails.  So, this was another wake-up!

After about 8 solid hours of reloading programs, and reconfiguring them where I had to, I took another system image and launched into data recovery.  Because of the OS change, I couldn’t just have Carbonite restore the whole works because some file locations had changed.  So I had to hand-place some of them — tedious, but it worked.  I suppose the whole data restore took perhaps another 8 elapsed hours, in several chunks due to the directory repositioning.  I timed these for periods when I was going out of the house, or for at night, so elapsed-wise, it was about 2 days more — but I brought back some stuff first so I was pretty well in business right away.  Carbonite gives you this option, to preferentially load certain files first.

Takeaways

• Preparing for disaster is dull and boring, but it’s almost all that matters.  Do it, and do it well, or die and don’t cry.
• Making sure you can function without your own computer for a week or so will improve the quality of your life more than you can imagine.
• There are lots of little things that contribute to sanity, such as license keys, written email addresses, and bookmark lists.  You might consider putting the last two, periodically, on a USB drive you can use with any machine in the interim.  Update it once in a while, and you are in good shape.

The background for this analysis is straightforward: broadly speaking, the incoming conservative Republicans are very strongly pro-big-business, believe that climate change is a hoax, and believe that Islam is a special global threat that requires extraordinary measures to combat it.  They also see government and its regulations and laws as the chief impediment to the national improvement.  And finally, they have a strong fundamentalist-Protestant ethos that is the most basic foundation of their worldview, and for many this ethos is hostile to science.

So, where does this leave us?  Like it or not, here’s what appears to be coming.

Dramatically less research funding, especially in areas not producing technologies leading directly to marketable products.  This article in the Times says it all: National Institutes of Health might drop by 9%, National Science Foundation, -19%, and NOAA,  -34%.  This is in contrast to the Obama administration’s projected reduction of about 5% overall in research funding for the next fiscal year.  One might ask why NSF and NOAA are taking such a hit, and the answer is what appears to be the Republican antipathy toward the whole concept of climate change, see below.  They don’t believe it, and they aren’t going to fund it.  Certainly our current economic situation requires belt-tightening, no question.  But these agencies take the brunt of political punishment for their positions: NIH refuses to promulgate the idea that abortion causes breast cancer and rampant depression, NSF keeps acting as if biological evolution were actually true, and NOAA — well, read on.  Opposing these agencies speaks right into the heart of the Republican / Tea-Party conservative core.  Nobody campaigned saying “we’ll cut emissions and promote greener living,” they campaigned on “drill, baby, drill.”  And obviously, that’s what the electorate wanted to hear.

There will likely be a concerted attack, and that’s not too strong a word for it, on the idea of doing anything about global warming / climate change.  For whatever reason, the Republican Party has embraced the position that climate change is a scientific hoax, or anyway if it’s real, it really doesn’t matter.  Part of this is their pro-business slant, and anything that impacts quarterly profits is anathema.  Several incoming Congressmen have stated that they will hold hearings for the purpose of “putting the lie to all this global warming scare talk.”  Rick Perry, the newly-re-elected Governor of Texas, intends to stop the EPA from regulating greenhouse gasses in Texas and has filed seven lawsuits against the government to prove it, see here.

This position is partly based on the fact that curbing greenhouse gases and addressing climate change will require concerted Federal action, and the Tea-Party view is that this must therefore just be a big liberal power grab.  Others, and some of these I have personally talked to, take a very Christian-fundamentalist view that “the Earth was put here for our use” and it would be an affront to God if we fail to fully exploit it, and anyway the Rapture is coming very soon so it won’t matter if the Earth is left a gutted hulk because God is going to destroy the universe anyway.  And soon.

So given these, we can expect very little if any Congressional support for any green technology investment or research.

Net Neutrality will be threatened and probably eroded.  The Obama administration has taken a strong stand for “net neutrality,” the concept that Internet Service Providers (ISPs) must provide non-preferential routing to all Internet traffic.  In the US, there is an effective oligopoly on Internet service, unlike Europe where it is a competitive free-for-all and hence service is much better (in other words, faster) and the costs are lower.  The big ISPs are determined to not let all this competition happen here, and they intend to leverage their oligopoly position to create a set of tiered services where those content providers who can’t pay the extra tariff will be relegated to second-class service.  Since this is good for the providers’ business, the Republicans are going to fight any net neutrality regulations under the banner of “get the Federal government out of our private lives,” and of course, protect their oligopolistic profits.

Also, and especially in the Internet environment, there will be attempts to enact more intrusive laws that will reduce Internet anonymity and personal privacy.  The Obama administration has not been a shining light here, either, having asked for legislation to require eavesdropping “backdoors” in telecommunication networks and hinting that data encryption might somehow be restricted.  But the more militant parts of the Republican / Tea Party, for all their table-pounding on personal and states’ rights, and freedom, and the Constitution, are worked up considerably against the to them ubiquitous Muslim Terrorists, and believe if they can only curtail some of our freedoms and privacy they will be able to eliminate terrorism or terroristic threats.

How much of this can the new Republican majority enact in two years?  Probably not all that much but they can stall, de-fund, and in general make a mess of things.  And to date the Obama administration has not been an effective counterpoint to them.  My only editorial comment on all this: it’s not pretty if you think that science and technology investments are critically important to our economic and political future, that science should not be trumped by politics and religion, and that personal freedom and privacy are what after all we stand for in the world.

• You might lose your laptop — someone might steal it, or you might accidentally abandon it in an airport, a cab, or a cafe.  Your files just became available.  This problem is magnified if you keep these files on a USB drive — a pocket or “thumb” drive — which is easier than a pencil to lose.  Note that an astounding 12,000 laptops are lost in US airports every week, and 2/3rds of them are never recovered.
• Your computer might ingest some virus, worm, or other malware specimen, that just might be trained to browse around and transmit to who knows who anything interesting it finds in your machine.

So, relying on physical custody of the machine, or relying on it being in your bedroom but still connected to the Internet, is not a winning strategy.  Before you take to filling out your tax forms in longhand, there is a very good solution: store these files in an encrypted vault on your hard drive, a vault that only you have the key for.

There are products out there that get advertised as “secure” and “encrypted by a secret, proprietary method,” and you should stay away from these as they can be broken into quite literally in minutes.  You need to use something that uses the standard encryption approaches that the government uses — AES (the Advanced Encryption Standard), Twofish, or the like.  These will protect your vault — if you choose a strong key — literally centuries after you are dead and gone.

The best of these is a package called TrueCrypt, which I use myself.  And please note that I receive nothing whatsoever from them for this endorsement, I recommend it because I use it and for no other reason.  Plenty of heavy-duty security gurus are TrueCrypt users, so you don’t have to take my word for it.  And it comes for Windows, Mac, and Linux systems.

Here’s what you do.  Go to the TrueCrypt website, download it, and install it.  Then, when you’re ready to create a private vault, decide how many megabytes you want in the vault, and follow their instructions to allocate and create it.  Create a strong password — a really random one — perhaps using LastPass to generate it.  TrueCrypt will format the vault, and thereafter it will behave just like another disk drive on your machine: you can copy to and from it, edit files in it as if they were not encrypted, and so on.  TrueCrypt encrypts and decrypts “on the fly” as you use it, you are never aware that this is anything but a real disk drive.

And this works on a USB drive, too, and you can even encrypt the entire USB space if you want, it’s that flexible.  Each TrueCrypt vault has a password associated with it (they could always be the same, I suppose) and anyone who looks at them will see only a mass of gibberish — no file names, no nothing at all.  The secret is in the password.  Use a package such as PasswordSafe, LastPass, or a website like Steve Gibson’s password generator, to get a nice, long, really high-entropy one that will resist even a focused, brute-force attack.

Just as a sidelight, TrueCrypt can be handled in a way that effectively hides even the existence of the vault in such a way as to provide plausible deniability that there is any encrypted data at all.  They describe this in their documentation here.  Needless to say, dictators and repressive regimes throughout the world are very displeased with TrueCrypt for this reason!

One of the things you have to do when you start to deal with Internet security is to make the assumption that the worst will in fact happen, and take steps for that eventuality.  TrueCrypt should be one of these steps.

Storing passwords.

The problem here is that if you get some malware on your machine, it will snoop around looking for the file you made called “passwords” and send a copy of that file off to it’s master somewhere.  Even if you called this file “Uncle Otis’ Birthday,” most malware is smart enough to just look inside your files and find the neatly-arranged ID / password pairs and presto: you are penetrated.  The way you avoid this is by having this data in an encrypted data store, where only you know the key.  Don’t even think about using Excel and having Excel “encrypt” the data, this is baby-step encryption and it can be brlken in less than 3 seconds by several password crackers on the market.

So what to use?  My most basic suggestion is called PasswordSafe, a free program invented by security maestro Bruce Schneier.  I have used PasswordSafe for several years and it’s a fine product and is supported by bombproof, government-grade encryption.  What it does is keep an encrypted database of ids/passwords (and other stuff, like the idiot “secret questions” and so on that some sites demand).  You open the database with one password, and double-click the appropriate site’s entry.  The password is copied to the clipboard, from whence you paste it into the password field on the website.  PasswordSafe then erases the clipboard.  It has lots of other features including the ability to generate completely random passwords for you if you wish.

PasswordSafe has served me well for several years until I started using LastPass, which I’ll discuss below.  Its very straightforward to use, free, and available here.

I have now started using a different password repository called LastPass, available here.  LastPass does everything PasswordSafe does, but with a while bunch of added features.  Mainly, it interacts through a plug-in with your browser(s), so that when you have it opened and in force, and it arrives at a site where you have an account, it fills the ID and password fields, and can even hit “enter” for you if you want it to.  You don’t have to pull up PasswordSafe’s panel, find the site, double-click it, and paste it in.  LastPass does all that for you, slick as anything.  You can set it to auto-log you in to familiar sites, ask you to review it’s form-fields for some more sensitive sites, and even demand another login to LastPass for some sites, as for instance your bank.

LastPass is cross-platform (Windows, Linux, and Mac) and has plug-ins for essentially all the browsers in common use — IE, FireFox, Safari, and Chrome.  So you are totally covered.  And it has a host of very cool capabilities, for example generating and managing some one-time passwords for use if you’re on public machines, and the ability to use an on-screen, mouse-driven keyboard for entering your LastPass id and password (to foil keyboard-logging software on a public machine), and the ability to work off of a USB drive.  It’s an extremely well thought-out and comprehensive platform and I recommend it highly.

One of it’s other key features is it’s ability to transfer and sync your encrypted database across all the machines you use, so you never have to do this yourself.  And it can do this without the company having access to your passwords at all, they do store it but they don’t have the password, only you do.  If you’re interested in the detailed security features built into all this, I recommend Steve Gibson’s Security Now podcast, specifically this one.

The password to your passwords

Both of these make the assumption that you have one password that is the master, that unlocks the vault for you.  With both products, you need to remember this password at all costs, since if you forget it, they can’t help you — the company doesn’t have it either.  So, write it down in a couple of places (NOT in a file on your computer!) such as in your wallet, or even a copy in your safe-deposit box, or whatever.  Make sure this password 1) is not a word, or a series of words, 2) is not something obvious like your phone number or social-security number, and 3) that you can easily remember.  If you’re stuck about this, you could use the first letter of a phrase that means something to you — but mix in some numbers and capitalize one or two of the letters.

Hope this helps you out!

Preparing To Face the Internet

First, I strongly suggest that you take your machine to someone who will do a “full system backup” for you.  This is not your data files, just the computer’s programs and settings.  If you get a serious malware infection, the only way to get rid of it is to wipe the disk and restore the system, and this will make that faster and easier and get you back in business.  Find a good local help-person or go to Geek Squad or someone like them.

Then, take a few minutes to develop a couple of passwords for yourself, for which I have a few hints below under Password Strategy.

Finally, turn on the Windows firewall and Windows Defender if you have a recent machine, or get a techno-friend to install a good firewall and basic anti-virus program.  They’re not perfect, but they help a lot.  There are free ones for Windows, including Comodo, AVG, Avast, and others.  You don’t need a massive, full-featured “Grand Internet Security” system, take it from me.  You don’t need much, but you do need something.  If you have trouble doing this, go into the store or get a consultant.  The hour or so you will pay them will be, in the long run, very much worth it.

Now, Here Are the Rules!

Versions of these same “average-person” rules have also been promulgated by Leo Laporte, Steve Gibson, and others, they’re not unique with me.  But I say, follow these and be safe(er)!

• Set Windows Update or the Mac Software Update to run automatically.  This is by far the most powerful weapon you have, and it’s free, and self-running.  Yet large numbers of people for reasons I can’t imagine don’t do it.  This, by itself, will protect you from more trouble than you will believe.

• Never click on a link in an email.  Never.  Better to highlight the URL (the HTTP:// . . . thing) with your mouse without clicking it, and copy / paste it into your browser’s address bar.  The problem here is that the actual link destination is hidden under what is visible (which is a label, even if it looks like a URL), so even if the visible link looks OK, the real destination might not be.

• Don’t open email attachments.  These are also sources of malware infections, one of the chief ones.  This is especially true of presumably funny ones forwarded all around, the ones that end in .wmv (Windows Media Player files).  Tell your Aunt Doris to have her pre-teen daughter post it to YouTube or Flickr or whatever, if she thinks it’s so great.  but don’t open it from the email.  When you put something on YouTube, for example, it’s filtered and anti-virused and you’re safe looking at it there.

• Stay away from questionable websites.  This includes almost anything “free”  — porn (even soft porn), free music, free software, and the like.  These sites are laden with viruses and trojans — that’s why their music is free, because they’re being paid by somebody to load malware on your machine!

A New, Simpler, Password Strategy

In the past, I’ve repeatedly produced careful recommendations on constructing strong passwords, great long strings of gibberish that can withstand a brute-force attack for on average several years.  However (see Part 1) these recommendations have been almost universally ignored because the time and effort to implement / forget / recover / look them up and so on actually exceeds the expected average loss to the average user.  So, ever congruent with reality, I’ve revised my suggestions to make them much simpler and more in alignment with the effort people are actually willing to put in.

Now, you only need two or three passwords, and they can be something you can remember.  But please, not “password” or “letmein” or “asdflkjh” or something like that.  If you’re in Minnesota, it should not be “vikings.”  I mean, don’t just give away the keys.  Choose something meaningful to you, yes even English words (a common recommendation is “nothing in a dictionary”), your dog, or whatever.  But not “111111″

You need just two, and maybe three passwords:

• One for almost everything that makes you register: every newspaper, weather site, and all the other things that think they need to recognize you personally when you return.  Use the same username (if you can) and a nice, comfortable password.  To the extent that these are really trivial sites, respond “yes” when the browser asks you, “shall I remember you next time?”

• Financial sites believe strongly in “trial by ordeal” for you to get in, and of course it’s in their best interest to strongly authenticate you as it reduces their fraud costs.  So they will probably have more or less elaborate rules, like mixed-case, letters-and-numbers, X characters long, and all that.  My suggestion is to select one that meets their minimum standards, write it down, and put it in your wallet (without the bank name or userid on it, of course).  That’s all you need.  Note that these sites are now all aflame with the concept of multiple questions, “secret pictures” and other hassle-laden rubbish.  Do what they demand, of course, but I can tell you that these things really don’t work and they’re just a huge hassle for you.

• Optionally, you might want to have a different password for your email accounts, different from the throwaway one, this is up to you.  I do, but I’m a little more freaky about this than maybe you are.  The actual incremental safety from this is fairly small, but I do it anyway.

So that’s it — four rules, two or three passwords, and you will have made yourself fairly safe at a very minimal cost / effort.  So if you do nothing else, do these!

OK then, what does it look like out there?  There are lots of pressing threats, seemingly an infinite number and growing (if that’s possible!).  But as we try to identify how we might best protect ourselves when we’re connected to the Internet, the actual number turns out to be much more manageable.  Here’s a breakdown of the overall threat landscape, from the planetary to you, as I see it now.  It includes:

Infrastructure threats, which target the basic routing and transport of content throughout the globe.  This is not our problem, at least for this discussion, although it is an extremely serious problem for our government and the Internet’s managers.

Organization threats, those that aim at businesses, governments, or other entities, and which are mainly focused on network intrusion, data theft, site defacement, and operational disruption.  I’m not dealing with those here, either.

Personal threats, what we care about here.  These threats, at least the ones that you should worry about, can all be clumped into two main categories:

• Attempts to steal money from you via account break-in, unauthorized credit-card charges, or (occasionally) malicious transactions aimed at disrupting your life, e.g. as caused by an errant ex-spouse;

• Attempts to steal account numbers, passwords, and other personal or family data from  you by loading malicious hidden software onto your computer.  In addition to enabling financial theft, this data might allow someone to impersonate you on the Internet and do things like post obscene messages in Facebook or put porn in your Flickr albums.  Malicious software can also take your computer and make it a spam-spewing robot, or a participant in various kinds of attacks against organizations or even against the Internet’s infrastructure itself, and you don’t want to be a part of this, either.

Now, these are significant threats, of course, and you don’t want to be the one caught standing when the music stops.  Just because these are high-order threats doesn’t mean that you can be excused to do nothing.  On the contrary, you need to take some steps to avoid being victimized, but these steps can — surprisingly — be simpler than you might be thinking, or than what you’ve been told in the past.  What is it that has changed over the last increment of time that modifies our approach to personal Internet security?  Lots of things.

What’s Changed

First of all, the bad news is that the attacks are becoming vastly more sophisticated and therefore vastly more difficult to defend against.  When I look at the technical dissection of typical first-line malware, I’m really impressed: these people really know what they’re doing.  If you let one of these things into your machine, you’re gone.  Attack software is exploiting vulnerabilities that the honest software vendors are hard-pressed to patch by the time the attacks start occurring.  And once something gets into your computer, it’s essentially impossible to remove so your only recovery is a down-to-the-metal system restore.  It’s really nasty.

However, at the same time we’ve learned how to cope with it, just as our immune system learns to cope with an infection, and just as (as a species) we and the infectious agents tend to co-evolve in ways that reduce the impact of a given infection, so that not all the hosts die!  When national credit cards became popular, certain kinds of fraud became possible that weren’t possible when the merchant knew every customer face-to-face.  So our financial system developed ways to deal iwth it — transaction limits, anti-fraud software triggers, merchant interventions, and most importantly, consistent rules for managing disputes and apportioning fraud liabilities.  Thus, the worst of the threats are blunted, coping mechanisms are created, the losses are contained, and the benefits are achieved.

Lets consider for a moment identity theft.  Five years ago this was almost unheard of.  People who claimed identity theft were generally not believed, their credit was ruined, they were threatened with arrest, their assets were attached, and they worked for sometimes years to clear things up, all the time being abused by attorneys, police, and everyone else who just couldn’t believe this was real.  What happens now?  It’s a known and accepted risk, kind of like a fender-bender: nobody wants one, but they happen, and we all know what to do.

Now, if you are an identity theft victim, you call the police, fill out a form, send out the form to your banks and other merchants, get new credit cards, and so on.  The average time to resolve an identity theft incident now is about 10 hours of your time, spread out over a couple of weeks.  Like a fender-bender, not fun and worth avoiding, but fixable.

Same principle applies to electronic account access and transfers.  Banks want people to use electronic transfers, it’s much cheaper than teller-assisted transactions or paper checks.  So to standardize everything, the Federal Reserve Board issued Regulation E, which specifically states that it was issued “to protect consumers using electronic funds transfers.”    Under the provisions of Reg E, it’s almost impossible for a consumer to be held responsible for the consequences of unauthorized electronic access to their accounts, the bank absorbs any unrecoverable losses.  Based on the cost savings and customer satisfaction, they come out ahead even with these losses from time to time.

So . . .

So the net of all this is, although the direct attacks are increasingly cunning and vicious, even when they succeed they don’t impact the individual consumer as much as they used to.  “We,” the society, have learned to cope with the resulting losses, keep the unlucky victims from being unduly penalized, and move on.  And given this, the rules for keeping safe and sound on the Internet have changed, too, and actually simplified quite a bit.  I’ll cover them in Part 3.

As a security-oriented systems guy, I have tried to figure this out, and I was just starting to deal with it as a basic economic cost-benefit analysis when I discovered a great paper presented this at this year’s New Security Paradigms Workshop by Cormac Herley of Microsoft.  It’s entitled So Long, and No Thanks for the Externalities: The Rational Rejection of Security Advice by Users.  If you’re not up to reading it, I’ll be summarizing it below as a context for my own recommendations.

Herley summarizes the situation thus:

In this paper we argue for a third view, which is that users’ rejection of the security advice they receive is entirely rational from an economic viewpoint. The advice offers to shield them from the direct costs of attacks, but burdens them with increased indirect costs, or externalities. Since the direct costs are generally small relative to the indirect ones they reject this bargain. Since victimization is rare, and imposes a one-time cost, while security advice applies to everyone and is an ongoing cost, the burden ends up being larger than that caused by the ill it addresses.

So then, as he points out, Average Users aren’t stupid, they are pretty good intuitive cost-benefit analysts.  The paper points out that “user effort is not free” although it is treated as such on virtually all analyses. In other words, most analysts look only at the loss side of the equation — what is being stolen — but not at the time and effort required of users taking steps to prevent these losses.  This failure to account for the costs of implementing security procedures leads to lots of users (rationally) ignoring most of what various security gurus prescribe for them — instead of adopting reasonably-effective safeguards, then end up adopting almost none.

Just for example, with respect to the standard litany of “choose longer passwords, don’t re-use them across sites” and so on, Herley demonstrates that for an average user with about 25 distinct passworded accounts the actual benefit to the user disappears if the user has to spend more than a few minutes per year making up, remembering, and forgetting all their passwords.  Of course, in reality most of us spend more than that per day dealing with passwords.  He also points out that if the user falls victim to a phisher or has a trojan keylogger in his machine, all the standard password protections are rendered useless anyway.

And yet, financial institutions continue to insist on longer passwords with composition-complexity rules and have implemented various other schemes such as “security questions” or “secret pictures” and the like.  None of these are very effective and do NOT per se reduce the likelihood of man-in-the-middle attacks, although it seems like they would.  They mainly irritate users who forget what they answered for their first car’s horsepower, fail the test, and have to have the bank reset their password.

And even this incurs a significant cost: using Wells-Fargo data, a password reset costs the bank $10 in personnel time, and if 10% of their users do a reset every year, that would be a $48,000,000 cost to Wells, which is vastly higher than Wells’ share of the annual $60,00,000 phishing losses.  Clearly in this case, the medicine is worse than the disease!

In addition to the security-related costs users are asked to absorb, they are also overwhelmed by the volume of advice dispensed by various security gurus (including yours truly, in retrospect).  Naive users lack the technical expertise to carry these suggestions out, and their best efforts can often be readily subverted by evil-doers anyway.  Herley points out that the US-CERT CyberSecurity Tips publication has 51 “tips,” each one backed up with a page or more of detailed instructions.  No wonder they bail on security.  Not only is it expensive, it’s incomprehensible.

Does this dismal state of affairs free us to give up and just ignore Internet security?  Not at all! We still face threats that we CAN do something about, and we should.  See my next post on What This Means.

So, the Supreme Court (which doesn’t have to run for re-election) has decided that corporations and unions, which are legal entities created in order to make money and carry out other functions, are equivalent for campaign spending to real people, and so should be able to spend directly in unlimited amounts of money to promote causes or candidates.  This decision is a pretty heroic leap from the constitution or from any existing case law precedent; after all, corporations can’t vote in the election, so they aren’t all that equivalent to biological people, but the court decided 5-4 along conservative – liberal lines (whatever they are) and so for now it’s the law.

Don’t get me wrong, I think this is bad law.  Corporations are not actual people, they are organizations with vast resources in money and talent and they never blink, 24-7, as they pursue their self-serving objectives.  Because of these resources, they should be subject to limitations on the extent to which they can directly enter into the political process.  Not prevented from participating, mind you, but limited.  But however unfortunate this ruling is, it isn’t the end of the world, for a couple of reasons.

Corporate spending on campaigns or issues is at least to some extent self-limited by the corporation’s desire not to take a politically-unpopular position and risk alienating both customers and employees who disagree with it.  Unpopular positions can of course be heavily spun to the public and delivered with day-and-night pounding advertisements, but having worked inside large corporations most of my career I can just say that this is more difficult to successfully execute than you might think.  And of course, political spending competes with product advertising, machinery investment, and other pressing demands for capital and hence is going to be viewed with a jaundiced eye by stockholders.

The second reason is more interesting, and it comes from the actual human people who head these corporations.  A few days after the Court issued their ruling, a group called Fair Elections Now sent a letter to congressional leaders on both sides of the aisle complaining that this new ruling will cause congressmen to hammer them even more than they do now, for contributions to counter the likely flood of corporate advertising.  About 40 executives from the likes of Hasbro, Delta Airlines, Seagrams, Crate and Barrel, Ben & Jerry’s, Men’s Wearhouse, and Playboy Enterprises said in the letter,

Members of Congress already spend too much time raising money from large contributors . . . and often, many of us individually are on the receiving end of solicitation phone calls from Members of Congress.  With additional money flowing into the system, due to the court’s decision, the fundraising pressure on Members of Congress will only increase . . .

This is actually a very healthy development — people who are in a position to make corporate policy but who are impacted personally in other ways, are saying, “stop this right now.”  So maybe, just maybe, we will see some actual legislation passed that will undercut the Court’s ruling.

But ultimate it falls back to the electorate.  We, as a nation, need to increase our attention span and actually study these issues and make up our minds about them, and not be swayed by week-before-the-election advertising.  We need to stop being swayed by partisans screaming “death panels!” and other patent lies.  We need to belly up to our responsibilities, personally, and make the things we want happen.