chxo internets

A network of memes,
by Chris Snyder

Wed, Dec 15th

Internet Security is an Oxymoron

What have we been reminded of in the past three weeks?

  1. Governments are willing to go to extraordinary lengths to lie to and spy on friends and enemies alike. The diplomatic cable releases from WikiLeaks are the tip of the iceberg, in that they are not the biggest secrets, just the low-level ones available to millions of rank-and-file government employees.
  2. The CEO uses the same password for everything, and never changes it. Gawker, a company that was purpose-built for the Internet, had such lax security policies (and such bravado in the face of 4chan) that it was only a matter of time before they were ripped apart. But how much better are the policies where you work? I thought so. I can’t tell you how many times I’ve seen exactly the same thing out there, and it’s always the head of the firm that has the weakest password.
  3. The FBI might have infiltrated the OpenBSD crypto stack. Even if this turns out not to be true, it is damning simply by being plausible. The OpenBSD codebase is developed, used, and audited by some seriously security-conscious programmers, admins, and academics. Can they prove that there is not a clever exploit baked in by a conspirator? And if not the FBI, how about some other government with deep pockets and a desire to eavesdrop on VPNs?

Now consider the daily deluge of XSS attacks and buffer overflows and plugin exploits out there. I seriously question the notion that we have any expectation of privacy or security in our online lives. The courts may be able to keep the police from reading your email, but there is nothing stopping anyone else.

This is all well and good if the extent of your internet activity is posting pictures of your kids on Facebook. But if you do any serious, world-changing work, you need to re-evaluate the risks involved with using this hodgepodge of easily compromised hardware and software, and hedge against the exposure or corruption of any secrets you need to keep.