Security Is Hard, But That Doesn’t Mean You Should Ignore It

Six weeks ago I was out drinking in a Kipling-themed bar in Rangoon, Myanmar — as you do — and happened to find myself next to a table of high-powered international telecommunications consultants, overhearing juicy lines like “Skype and Viber are going to kill us.” Needless to say I told Twitter right away. Then an old friend who’s also a genuine International Man Of Mystery got in touch and asked if we could chat about Myanmar’s proposed ban on VOIP. Securely.

He has his very good reasons to insist on secure communications. But to my embarrassment and dismay, given that I’m a software pro with scads of hacker friends, I was largely unprepared for that request. The sad truth is that real online security has never seemed worth the hassle to me. Oh, I switched my Facebook connections to HTTPS-only as soon as I could; I select/Control-C/Control-V a portion of every password I enter when in Internet cafes; and I disabled Java when its huge security hole was revealed earlier this year. But truly secure communications? That’s always seemed like more trouble than it’s worth.

I felt foolish and credulous and unprepared — until earlier this month. So I’d just like to thank David Petraeus for making me feel a whole lot better about the situation:

The sad truth is that real online security, while possible — ignore the conspiracy theorists who claim that hackers can break into absolutely anything — is hard to do right and easy to screw up. This is a big deal and a big problem. Not just for Syrian activists today; as the panopticon society grows up around us, soon online privacy will be just about the only kind of privacy we’ll have at all.

Alas, right now it seems that many-to-most people value conformity more than privacy. What’s more, instead of worrying about security ourselves, we trust others — Amazon, Apple, Facebook, Google — to take care of it for us. As the great Bruce Schneier points out, in some ways we’ve regressed to a feudal notion of security.

The problem is, you can’t trust a feudal lord. For instance, Andrew Auernheimer, aka “weev,” was recently found guilty of hacking in a case which has been analogized — correctly, in my view — to finding someone guilty of trespassing because they looked past the sign on a shop window to see what goods were on sale within. This is, well, insane.

(All tweets above via Meredith Patterson.)

Even worse, it will have a deadly chilling effect on security researchers everywhere. We need people like weev to find security flaws, and disclose them in a (relatively) responsible manner before serious black-hat bad guys do. Security through obscurity is no security at all, and feudal security isn’t much better. Ask David Petraeus.

Security is, by its very nature, something most people generally hardly worry about at all – until and unless that one awful day comes when it’s the only thing they worry about. By then it’s usually too late to start taking it seriously. But even if/when people realize this, and start taking responsibility for their own online privacy and security, if security tools aren’t dead-easy to use, they’ll be used incorrectly or not at all.

What can you do? Well, the EFF recently posted “Don’t Be Petraeus: A Tutorial On Anonymous Email Accounts,” which everyone should read. And next week I’m going to post a brief overview of some other security tools out there now. Be advised in advance that I’ll probably get some things wrong: I’m a good software developer but no security expert. Let’s hope that in a few years’ time the tools are easy enough that even non-techies can use them without fear — because increasingly, if you don’t have privacy and security online, you won’t have it at all.

Image credit: yours truly, Flickr.