SoylentNews is people
SoylentNews
I'm just informed enough about IT security to know that I really know very very little about it. That said, I probably know ten times as much as do 99% of people. I'm an expert in my field, and while I've been a jack of all trades on many fronts, today's threats to privacy and IT security require expert knowledge to combat.
I do not have time.
- For example, I hear that Microsoft added updates to Win7/8 that threaten my family's privacy...yet I have not yet gone and removed the offending updates. I moved myself to Ubuntu/xfce, but my son is still using Win8. I'll get to it eventually.
- For example, java script is a security risk, and I have No-Script, turn off 3rd party cookies, etc, but invariably I have to turn it off for some website (i.e. to pay my bill), and eventually, I stop turning it back to full security.
- I installed Cyanogenmod and Fdroid on my phone. And for the most part its great..and I have very few apps with permissive permissions settings....but my wife is still using an iphone and ipad, with all sorts of apps...with ridiculous permission leaks..and that is a struggle.
The long winded point I have is that it is now just too damn much work to do it all right. I'm tired after a 10 hour workday. I've obviously taken more steps than most, but it is still leaky as hell...
I need a company/organization that I can reasonably trust to manage my information security/property, to manage my computers, manage my vpns, e.g., to isolate my web browser windows over multiple vpns, ... all of it, and it can't be GOOGLE. My data is my property, as long as I can hold it, so it needs to be a company/organization that built in privacy obligations (like lawyers and doctors supposedly do).
-Signed: A Frustrated Tired Old Nerd (with children)
[Ed's Comment: Does such a company exist? Is it even possible to provide such a service? Or have we just identified a niche in the market for some enterprising person to fill?]
(Score: 4, Insightful) by Thexalon on Monday October 05 2015, @01:54PM
The concept is "Total Cost of Pwnership": How much effort does it take to compromise your system? If the TCP is far higher than the perceived value of the information stored on the device, then most attackers will simply move on to a softer target. After all, why spend valuable time trying to bust into somebody's FreeBSD system when you can just move on to your neighbors' unpatched Windows box?
If you think you're going to get perfect security, I'll let you know right now - you won't. Nobody has it, not even the military or the NSA. The best you could manage: Anything you really need to secure would be stored on a machine with no networking capabilities whatsoever, where you never transferred data to nor from another machine, kept everything encrypted, and put in a bank deposit box when you aren't working on it. Which somebody could still get to, if they barged into the bank with a warrant or a weapon and forced the bank staff to open it, but probably won't because of the TCP problem.
The only thing that stops a bad guy with a compiler is a good guy with a compiler.
(Score: 3, Insightful) by nitehawk214 on Monday October 05 2015, @03:27PM
This is the best post here, which bridges the gap between, "there is no security, don't bother" and "don't use any electronic devices."
Find the thing you have that is the least secure. (probably a mobile device, since those tend to grow legs and walk away) Deal with any security problems there.
Think about the location and number of users and foot traffic. (My work computer has hundreds of people that can walk up to it, where there are only a few people in the world with keys to my house.), Think about the ramifications of the security being breached. (Breaking into my Steam account would be annoying but easily correctable. Breaking into my bank account would leave me broke for the time it takes the bank to fix it. A hackable wifi thermostat could burn my house down.)
Also look at non-electronic security. I no longer write paper checks out of my primary bank account. Simply knowing a person's bank account number allows you to completely drain it of funds. Just look up the routing number for the bank, and you can print off checks. The name on the check does not have to match the name on the account. The check infrastructure doesn't have the ability to verify if a check is valid. Stores never call the bank to see if it is real.
How are the locks on your house. How easy is it to break in? How many people have keys? Do you live in a secure neighborhood or at least trust your neighbors?
How secure is your vehicle? If you park on the street, consider a dash-cam that has a motion sensor.
Repeat this process until you feel that the thing is secure enough. The difficult part is determining the security level of a device.
Remember that "good security" does not exist, only "good enough security".
"Don't you ever miss the days when you used to be nostalgic?" -Loiosh
(Score: 2) by Fnord666 on Monday October 05 2015, @04:20PM
The concept is "Total Cost of Pwnership": How much effort does it take to compromise your system? If the TCP is far higher than the perceived value of the information stored on the device, then most attackers will simply move on to a softer target. After all, why spend valuable time trying to bust into somebody's FreeBSD system when you can just move on to your neighbors' unpatched Windows box?
Unfortunately this presumes that it is an either/or situation, which it's not. With automation, scripting and botnets, attackers can try to get into both of your computers at the same time. It doesn't require their undivided attention.
(Score: 2) by Thexalon on Monday October 05 2015, @04:39PM
I absolutely agree that they can do multiple things at the same time, but the automated scripts and such are likely to target easily-compromised machines with a large install base too. Why bother writing an automated tool that targets a relatively rare OS when you have so many really easy targets available?
The only thing that stops a bad guy with a compiler is a good guy with a compiler.
(Score: 2, Insightful) by https on Monday October 05 2015, @05:35PM
Because they are using other people's resources to run the attacks. They do not have to manage them efficiently or rationally, and an exploit is an exploit is an exploit is an owned machine, unless you don't actually implement the exploit.
Offended and laughing about it.