Computer Security 101x — Topic 1: What Is Security?
Realistic Advice For Non-Experts
Recent events have impressed upon me just how much help the average person needs in order to have a chance at being secure online. About 35 years ago, the computer moved out of the realm of technologists and into the homes of the masses. It’s the most complicated tool humans have devised for everybody’s daily use. We, the technologists, forgot that not everyone had the desire to become expert in the use of that tool, and we didn’t provide a very good owner’s manual.
I’ll be writing for that non-expert, attempting to explain complex topics, in only as much detail as is needed. I’ll try to skip most of the jargon, because it usually won’t help. In the same way that you don’t need to know all the details of an internal combustion engine in order to drive a car safely, you don’t need to know about cryptographic hash functions in order to use a computer safely.
I’ll focus on examples that can be compared to things you already understand from the real world, and then get right to practical actions you can take. More importantly, when I make recommendations, I’m going to explain my thought process. A lot of the advice I see is repeated without consideration: it doesn’t acknowledge the needs of the individual, provide any deeper understanding, or even recognize that the advice may be outdated.
I define security as the mortar that fills the gap between privacy and trust.
We usually seek privacy for some form of information. Maybe we have notes recorded in a journal, which we don’t want others to read. Perhaps we’d rather not have anyone else know the location of a valuable item. Our past may contain a secret. Or our future holds one we aren’t yet ready to reveal.
Why do we need to have these secrets in the first place? We assign different levels of trust to each group of people we encounter. Family is usually most trusted. Then close friends. Neighbors and members of your community. Coworkers. While the exact order varies for each of us, one fact is certain: there are fewer people in all those groups combined than there are outside of them. We reserve the lowest level of trust for strangers.
People have sought to fill in the gap between how sensitive a piece of information is and exactly which other people they want to know that information. That’s the essence of security. It’s the padlock on the journal. It’s the safe deposit box we use. Or the lack of publicizing certain thoughts.
One reality of the human condition is that some people will do bad things. If that weren’t true, security wouldn’t be a necessary concept. Even if you feel that you personally have nothing to hide, there are others who feel that you have something to take. So we need walls and gates and locks and safes to protect against these negative events. There are equivalent protections online, but as you can see in the picture above, the mortar isn’t all neat and clean; it’s often messy and needs attention to keep doing its job.
II: Whom Do You Trust (Online)?
When we connected our computers to all the others, the number of strangers that anyone could meaningfully interact with on a daily basis skyrocketed from those in the local area… to anyone, anywhere. The model from the physical world, of being able to assess how much trust to place in your sister or your postal carrier, was greatly diminished, as we had to constantly assess strangers.
Anonymity became prevalent. If you were chatting with user abc123, that might be your sister, or not, or someone pretending to be your sister. There wasn’t really any way to know. Verifying identity wasn’t a design requirement in early computing, and had to be added later. Huge strides have been made in the intervening decades toward solving the verification problem. Today, if your mobile phone (just a smaller computer) rings and it seems to be your sister calling, it almost certainly is.
But we can’t say that it definitely is, because how can we really know that someone is who they say they are in the first place? All documents can be faked. Biometric markers (DNA, fingerprints, retinal scans, etc.) are highly accurate and nearly unique but hard to test instantly. The problem is significantly harder online.
This leads to the standard rule of online interaction: if we don’t have very high confidence that someone (a person, a company, a website, etc.) is actually who they say they are, then we must assume it’s one of those people trying to do a bad thing. Usually that means trying to take some of our information.
Does that mean we should all give up on technology? No, the average person has to conduct their lives, and today that means other people know where you live, you own a mobile phone, you use credit cards, you have a reasonable email provider, and you fly on airplanes.
This is the tradeoff between security and convenience. Look at the slider bars pictured above. We could move the slider all the way to the security side: we’d be living on an island, in a compound, with no outside interaction, self-sufficient, and no real modern amenities. Or we could move the slider all the way to the convenience side: that’s a life of unlocked doors, no passwords, broadcasting of every detail of our lives, and generally refusing to believe that there are bad people out there.
I think the average person wants to be somewhere in the middle, neither tinfoil-hatted nor willfully blind to the reality of bad things happening. Keep this tradeoff in mind, as it’s a concept we’ll be returning to often.
III: Then Why Should We Trust You?
Based on what I just told you, you shouldn’t. You probably don’t actually know me in real life.
In my defense though, I’m not asking you for anything. I don’t want any of your information and everything I’m sharing is free. I’ll do my best to explain my thought process so that you can make informed decisions for yourself.
My career has progressed through a range of technology roles for over 20 years, increasingly associated with the security concerns of the profession. Now my work actually is in web security. I’m not a leading expert on cryptography or security research, but you don’t need that; you need a guide through the dangers of the online world. I’m just one of those technologists who has been toiling away for decades and thought it might be about time to write an owner’s manual for the masses.