
posted by janrinok on Monday October 05 2015, @12:09PM
from the heartfelt-plea dept.

I'm just informed enough about IT security to know that I really know very very little about it. That said, I probably know ten times as much as do 99% of people. I'm an expert in my field, and while I've been a jack of all trades on many fronts, today's threats to privacy and IT security require expert knowledge to combat.

I do not have time.

  • For example, I hear that Microsoft added updates to Win7/8 that threaten my family's privacy... yet I have not yet gone and removed the offending updates. I moved myself to Ubuntu/xfce, but my son is still using Win8. I'll get to it eventually.
  • For example, JavaScript is a security risk, and I have NoScript, turn off 3rd-party cookies, etc., but invariably I have to turn it off for some website (i.e. to pay my bill), and eventually I stop turning it back to full security.
  • I installed CyanogenMod and F-Droid on my phone. And for the most part it's great, and I have very few apps with permissive permission settings... but my wife is still using an iPhone and iPad, with all sorts of apps with ridiculous permission leaks, and that is a struggle.

The long-winded point I have is that it is now just too damn much work to do it all right. I'm tired after a 10-hour workday. I've obviously taken more steps than most, but it is still leaky as hell...

I need a company/organization that I can reasonably trust to manage my information security/property, to manage my computers, manage my VPNs (e.g., to isolate my web browser windows over multiple VPNs), ... all of it, and it can't be GOOGLE. My data is my property, as long as I can hold it, so it needs to be a company/organization that has privacy obligations built in (like lawyers and doctors supposedly do).

-Signed: A Frustrated Tired Old Nerd (with children)

[Ed's Comment: Does such a company exist? Is it even possible to provide such a service? Or have we just identified a niche in the market for some enterprising person to fill?]

  • (Score: 4, Insightful) by Anonymous Coward on Monday October 05 2015, @02:34PM (#245640)

    First, accept that all your boxes and all your networks are already compromised by someone. Whoever scares you most. Russian mafia, NSA, whoever.

    Why assume that? Because they could be, at any time, and frankly you'd be none the wiser. The real professionals will always get in where they want to; you can at best hope to keep out idiotic script kiddies.

    Next, don't assume that you can secure anybody's machine unless they will obey your every order, and you can confirm that they actually did so. Even the military follow this up with checks, people looking over other people's shoulders, and so on. So basically, all your kids' and wife's machines are constantly being recracked because of things they do regardless of your efforts.

    Corollary: the best you can do, aside from standard procedures like patches and configurations, is to keep important data off the electronics. If it ain't there, it ain't cracked. (This goes along with cutting microphone wires, putting tape over camera lenses and so on.)

    Ultimately you can try to educate your family, but the fact is, like every user group, they don't get it, won't get it, and don't want to get it more than they want to see that cute cat video. So all you can do is protect yourself.

    And if you want a way to do things with just a tad more security and flexibility, keep some read-only bootable media around for when you have a suspected crack, or, when you want to do something with less recorded backtrace of cookies, use virtual machines which you can drop and recreate at a moment's notice for fresh instances...

    ... and back things up to help defend against encryption-style blackmail.

  • (Score: 3, Insightful) by Nerdfest (80) on Monday October 05 2015, @05:48PM (#245733)

    Look at Snowden and the NSA if you want to see how hard security is. These people are supposed to be the experts and a contractor walked out with a treasure trove of information.

  • (Score: 1, Interesting) by Anonymous Coward on Monday October 05 2015, @05:58PM (#245737)

    There are many armchair experts at everything™ here on soylent, but I have an ever-growing laundry list of credentials. Threats are getting too dynamic and too numerous for a non-specialist to even conceive of.

    Don't trust the "usual names" here on soylent. None of them have any more knowledge on security than an average CS or admin does. Think about how many times you have had to patch something; every time that happens, a team of architects, designers, developers, QA, and admins failed simultaneously at keeping your assets secure. Think of them as medical assistants and IA specialists as doctors. They have some knowledge, but it is more likely to be wrong via incompleteness than it is to be right.

    However, the post I am responding to handles the general philosophy of what you ought to do in a manner which makes me feel it is unnecessary to add to it. Out of nearly fifty posts, that humble, currently +1 Insightful AC is the one you should be listening to.

    If you want more technical, specific advice, you are going to tell me what the deliverables are; i.e. what your risk tolerance is in technical terms, what your assets are (categorize them, give me information on importance weighting), and what the constraints are: critical-use assets, budget in dollars, and initial time investment along with an ongoing maintenance budget. That is step zero: a risk assessment that includes use-case analysis, impact analysis, and budgeting. Then we can start working on a development plan. A plan to fail is a failure to plan. Yeah, it's hard and takes more effort than anyone is comfortable with. That is why nobody gets it right.

    • (Score: 1, Insightful) by Anonymous Coward on Tuesday October 06 2015, @01:34AM (#245909)

      Thank you very much.

      I'm actually not an amateur. I spent ($years) in infosec until I figured out that it's a codeword for scapegoat, then I moved on.

      I also figured out that bosses don't care about security; they care about not being sued, which is a kind of security itself. But that meant that all my employers were always primed for catastrophe.

      The rest of my advice simply follows directly from that.

      It's really all about reducing exposure in the teeth of cruel reality, and being prepared for when it all goes bad.