Transcript
We’re under constant threat
Not a day goes by when our technology isn’t somehow being bombarded by threats of compromise of some sort.
- malware
- phishing
- keyloggers
- ransomware
- bots & zombies
and probably more we don’t even realize.
As a result, we take steps. We use an assortment of tools and techniques to protect ourselves.
- Ad blockers
- anti-spyware tools
- anti-virus tools
- security suites
- firewalls
- password managers
- two-factor authentication
- VPNs
- DNS filters
and probably a host of other special-purpose tools I can’t even think of right now.
The goal, of course, is to be safe.
But can we “be” safe? Can we “be” secure?
Unfortunately, that’s the wrong question to ask.
There’s no such thing as “safe” or “secure”
You can’t be perfectly safe, or perfectly secure.
That’s true in life, and that’s especially true when it comes to technology.
The best we can hope for is safe or secure “enough”.
Security is a spectrum
It’s a spectrum along which we make trade-offs all the time, choosing between security and convenience.
Consider passwords:
A short, easy-to-remember password? Convenient, but not very secure.
A long, complicated one? More secure, but harder to manage.
You could write it down. That’s more convenient, but not as secure as, say, having a password manager track it for you.
Yet even there, a password manager is, itself, a tradeoff – it’s convenient, but you’re trusting the password manager to do things correctly, and not be compromised itself.
Security – all security – involves tradeoffs. Be it the passwords you choose, the security software you run, the websites you choose to visit … even the networks you choose to connect to when traveling.
Everything involves risk.
Managing that risk means we’re making tradeoffs on the security and safety spectrum.
What can we do?
I don’t mean for this to scare you. The single most important thing you can do is very simple: be aware.
Just know that there’s no such thing as perfect security.
Never assume that because you’ve done “X” or installed “Y” that you’re now “safe”.
It just doesn’t work that way. You may be safer, but never perfectly safe.
All you need to do is remember the spectrum of security, remember the trade-offs, and make informed decisions that balance convenience and security.
What do you think?
I’d love to hear what you think. If you’re watching this anywhere but on askleo.com come visit askleo.com/21748 for the full transcript, and moderated comments.
How do you balance convenience & security?
’till next time, I’m Leo Notenboom.
- Stay safe..
- have fun…
- and don’t forget to back up! :-)
Very good points Leo !
As you ask for it, I think that one should break down the computer security question into 2 different aspects:
1) harm to functionality
2) privacy
The first question relates to: “how can bad guys stop my computing systems from doing what they are supposed to do?” Typically: ransomware, denial of service attacks, malware that formats disks, corrupts data and programs…
This part is actually easy to solve (that is to say: make the attack an inconvenience, instead of a drama): as you’ve pointed out so many times: back up! A denial of service attack can only last for so much time, and all the rest is solvable with a good backup strategy.
Much, much harder is the privacy question, and there, your point is even more important. Here, the question is: can bad guys have access to my private stuff? If you are the main target of the NSA and the KGB, then honestly, there’s not much you can do. If, as you point out often, you are much less interesting, there’s more hope. But again, I think that the main question is: should you put something private on a computer if it isn’t strictly necessary? Each time you’re thinking of putting something private on a computer that you wouldn’t want the world to know, you should think twice: is this necessary? Do I need to do it? And, as you point out so rightly, people should know the risks and make the trade-off between the inconvenience of the private stuff being known, the effort taken to protect it, and the necessity to put that private stuff on a computer in the first place. If you put your sex tapes of your last travel to the Philippines on Facebook, don’t come crying that they travel the world and that it is a huge embarrassment, or worse. Should you have put them there in the first place?
A combination of 1 and 2 is when online accounts are hacked and the access is stolen. That’s both a privacy problem, and a problem of functionality (you can’t get into your stuff any more). My view there is that for *essential* online services, you should use a paid-for service with *paper* or *physical* access, so that in the end, you can always prove that you are you, and the one that paid for the account. I’m mainly thinking of e-mail, but also of online web services for instance. You should only use “throw away” free online accounts where it doesn’t matter too much if tomorrow, you can’t log in any more.
Finally, if you need to work with very confidential material, you should take special steps, like booting from a system on a USB stick that only serves that purpose, wonder if you need network access while doing so, and use good cryptography. This is for instance what one should do when working with cryptocurrency accounts if the wallets contain important amounts of money. Even there, you are not perfectly safe (there can be firmware attacks that compromise even non-networked devices – think of Stuxnet-like attacks), but you’ve eliminated a whole lot of attack vectors nevertheless.
As you say so rightly, it is always a trade-off, and the biggest security problem is ignorance. If you manipulate Bitcoin wallets on a Windows machine where you are also surfing on porn sites, you shouldn’t be too surprised that things turn out badly.
My ‘fingers crossed’ security with my Windows 10 system is:-
Malwarebytes Anti Exploit**.
Malwarebytes Anti Malware.
Super AntiSpyware.
Bullguard Internet Security.
Trusteer** (for Banking)
Roboform
The 2 marked with ** are freeware, the other 4 are paid for. Although there is duplication here, they do not conflict & I work on the basis that one of them will pick up problems missed by the others. I shall be very interested to hear/read other users’ comments.
A good analogy might be driving a car. People worry so much about computer security, and rightly so, and get in their car which is also fraught with safety tradeoffs and think nothing of it, when the stakes in that situation are literally life and death.
There is nevertheless a difference between “real life” safety and security considerations, and computer security. Real life security and safety has to do with physical nearness. You may consider that the lock on your front door will not resist any sophisticated (state or big corp sponsored) burglar team, but that there’s no reason why such a team would be around *in your neighborhood*. So in fact, your daily security systems only have to be sufficient to keep *the local mob* out. This limits the *number of potential enemies* significantly, and your front door lock will probably cope with it.
However, a networked device is exposed to several billion potential enemies *all over the world*. Our animal instincts are not tuned to that. We’re not, with our common sense, trained to withstand armies of billions of enemies who are at the other side of the world.
If you’re living, say, in a house near a countryside village in France, you might consider the drunk guys in the village on Friday evening a potential problem, as well as the few strange youngsters on their motorcycles, but you shouldn’t consider a sophisticated Hong Kong burglar team a potential threat to your house. With your computer, a Novosibirsk-based hacker crew is just as much a threat, or even more so, than your neighbor’s teenage whiz kid. Because you might have a chat with the teenage boy, but you will never see the Novosibirsk guys in your life.
Indeed. And, of course, there’s also a trade-off between security and reliability. If you don’t install any security apps, there’s an increased risk that your computer will be compromised; on the other hand, the more security apps you install, the more likely it is that one of those apps will break your computer.
“How do you balance convenience & security?” – The only security apps I use are those which come bundled with Windows: namely, Defender and Firewall. I use strong passwords for all sensitive logins and have configured my router to use OpenDNS which provides an additional layer of security (albeit a somewhat thin one). Beyond that, it all comes down to common sense and backups. It’s a very low maintenance approach.
It’s been a while, but I’m probably going to add OpenDNS to my arsenal again as well. My ISP’s DNS servers aren’t that great.
COMPLETE waste of 3:34 minutes. Tell me something I didn’t know. What was the purpose? Not a single suggestion – just another summarization of the obvious with cutesy stick figures. I expected more from you, Leo. All I got was pissed off at feeling disrespected.
You would think an “expert” such as yourself could compile a list of what he considers to be the “best” real world security solutions for protecting our hardware; a list that includes both free and paid-for programs and how to configure them so as to maximize their effectiveness.
Leo has an article out on recommended security software. Although, as this article we are commenting on implies, it’s not perfect :-)
https://askleo.com/what_security_software_do_you_recommend/
With all respect, I think you missed the essence of what Leo tried to convey. The most important thing is that:
1) you are aware of what threats exist
2) you have to evaluate for yourself the trade off between security and convenience.
1) is needed in order for you to have a good grip on 2).
You cannot compile a general advice, because it is too much situation-dependent. That’s essentially what Leo wanted to say, I think (although I cannot speak for him).
Should you only use Tails (https://tails.boum.org/index.en.html) and full encryption of everything you ever do, or can you cope with a standard Windows machine without anything (probably good enough for gaming)? Probably, depending on what you’re doing, you’re somewhere in between.
It may feel like a waste of time for you, but it’s sadly necessary to refresh the memory of a great many people.
You see, people tend to forget things. Sometimes, you need to rephrase things so that some people who failed to understand you the first time may have another chance to understand.
“What was the purpose?” – To stimulate a discussion, perhaps?
“You would think an “expert” such as yourself could compile a list of what he considers to be the “best” real world security solutions.” – There really is no such thing as “the best.” Or, maybe more accurately, there are lots of things that could be considered to be the best. It’s extremely subjective and really depends on what factors you consider important. Per-PC cost? Detection capabilities? Parental control features? Performance impact? Ease-of-use? Technical support? I could make a valid argument that Windows Defender is the best antivirus solution because it’s no-cost, non-intrusive and exceptionally easy to use. Or I could argue that Avira is the best because it’s no-cost too and has somewhat better detection rates than Windows Defender. Or I could argue that Kaspersky is the best because of its reliably high detection rates and low performance impact. Or I could argue that ESET is the best because it has a consistently great track record and excellent technical support. Or I could argue that Sophos or Webroot is the best because….
Realistically, there are probably about a dozen antivirus products which could, for one reason or another, be considered to be the best and those products all provide great protection from the threats you’re most likely to encounter in the wild. It’s really simply a matter of choosing the product that best matches your needs.
Sorry you feel that way. For the record, askleo.com is full of recommendations and suggestions, though perhaps not bundled into a nice package. Then again, I do have a top level article on internet safety (referenced as my “most important article” on the Ask Leo! home page), and even a book on the topic, in case those come closer to meeting your expectations.
This article was intended to be exactly what it is: a statement that perfect security simply doesn’t exist. What you don’t see is that many, many people continue to search for it, regardless.
And yes, it was an experiment to see how people reacted to a different style of video. Thanks for the feedback on that. :-)
I use Windows Defender, free Malware Bytes, RoboForm, minimum 16 character passwords, backup weekly on multiple external USB devices, encrypt sensitive info which is also backed up on multiple devices, don’t open an email if I don’t know the sender, and I also use “throw away” email addresses for initial correspondence with companies or people I’m not sure won’t spread my email address. Since I only use my computer 4-6 hours a day, it’s shut off and power physically removed when not in use. If someone can remotely flip a physical switch, then I give up.
Holy moly, Leo! If this podcast wasn’t on Ask Leo, I’d have thought you were talking about the 2016 elections. “Convenience” v. “Security” indeed. The most secure way of managing passwords, in fact of indexing which of your files are on which device? Long ago in a galaxy far away, we had these odd things called “pens” and “paper.”
Seriously: how many “man-hours” are spent trying to find which computer/laptop/tablet/flash-drive/external hard drive/CD/DVD/floppy disk has that love letter you wrote but never sent when you were a wee 30-something. I have stopped even looking at new devices, until they build one with a 1,000 Terabyte memory.
Leo’s point is an old one … there are no absolutes. But my take on this hits close to home: Be prepared.
No matter how safe or secure, when disaster strikes what will you do? Do you have a disaster plan in place? This, obviously, goes far beyond our digital lives. At one end of the spectrum are Preppers, at the other end are hapless targets & early victims. Some folks have a little preparation and don’t know it. Someone has a medical crisis and you dial 911. Your house catches fire and you get your family out, dial 911, grab something like the photo albums, and maybe even fight the fire. Did you plan all this? Common sense runs high in most folks. Some have earthquake kits. Some have Go Bags.
In the context of computer safety & security and in the extreme, if your home was destroyed and all your computer related equipment laid to waste, do you have backups elsewhere to help the recovery process? Was that list of passwords burnt to a crisp? Is your address book gone? This is along the same line as protecting “important papers.” If your email is hacked what will you do? If an on-line account is breached what will you do? If one or more of your personal network devices is infected or attacked, what will you do?
Are you prepared?
I’ll do a little plinking in the woods on the way to my favorite fishing spot today, with not a care about any of this … I’m prepared as much as I care to be, today. Could I do more? Sure. Will I? Not today.
And yes, I’ll carry bear mace along with a rifle and sidearm and basic first aid kit.
I enjoy your videos and comments very much. This, however, has nothing to do with your information. How did you make a video with speed writing on a whiteboard? Hope you will answer this.
http://www.videoscribe.co/ :-)
Internet security certainly is a trade off, as you say.
Last year, I ‘invested’ in a well known security package, which seemed to fit the bill – it wasn’t cheap, but I reasoned that it would be value for money.
This thing was so good at security that it slowed my computer down to a snail’s pace. I temporarily removed it and the speed went back to normal. After a few weeks, I uninstalled this and went back to my trusted, if less secure, old package.
Regards
“This thing was so good at security, that it slowed my computer down to a snail’s pace.” – Yeah, it’s usually best to stick with something that you know works well on your system. Realistically, if you’re using one of the established and well-known products – Kaspersky, ESET, Sophos, Bitdefender, Webroot, etc. – there’s really not much point in switching as, at best, you’ll only get very marginally improved protection.
In fact, a security package that no longer allows you to do anything on your computer has actually achieved its security goal, in a sense. If you can’t do anything with your computer any more, then you won’t put sensitive stuff on it, or important stuff, or whatever stuff, and hence it is perfectly safe, no matter what happens to it :-)
This package simply makes the balance “convenience vs. security” swing over entirely to “security”. In a sense, it was worth its money. That said, hitting your computer with a big hammer has about the same effect, and is probably cheaper (the hammer, I mean) ;-)
Just a quick note: MS Windows 8 & 10 come with security software installed as part of the OS. AKA Windows Defender
I think that the security issue boils down to something that Leo is always preaching: “How to protect yourself from yourself”; that means a slew of things that one has to be careful about when using the computer, such as: having the basic knowledge of how the Internet works; always being skeptical; being very ALERT to recognizing spam, scams etc.; not clicking on file attachments one was not expecting, or on suspicious URLs (like making some bank transactions on an address bar without the “https”). The best of all: “Backup”.
As always a very good article, Leo!
That absolute security is essentially impossible to achieve, and that even very competent people are sometimes caught “opening a security hole”, is seen every day. Leo, hint: “DROWN attack” ;-) You should switch off SSLv2 support on your site…
The DROWN attack is an interesting case of security violation. It is NOT a bug. It is not really a user error. It is one of those quirks with cryptography, where a combination of different systems suddenly renders the whole vulnerable, although each individual aspect is secure.
Leo,
It wasn’t a joke. Your site is still vulnerable to the DROWN attack. If this is not maintained by you, you should urgently contact the administrators of those who do. It means that https on your site is not secure.
https://en.wikipedia.org/wiki/DROWN_attack
My host will automatically update when a proper fix becomes available.
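The comments above tell the site owner to switch off SSLv2. The following is an added example, not code from the page or from Ask Leo!, showing how a practitioner can verify that for a host they are authorized to test. Current OpenSSL builds (and so Python’s `ssl` module) cannot speak SSLv2 at all, so the probe builds a raw SSLv2 CLIENT-HELLO by hand from the SSL 2.0 draft layout and checks whether the server answers with an SSLv2 SERVER-HELLO. The host name in the `__main__` block is a placeholder, and the sample SERVER-HELLO is constructed here with the certificate omitted so the parser can be exercised offline.

```python
"""
Probe a server for SSLv2 support with a hand-built SSLv2 CLIENT-HELLO.

Added example, not from the Ask Leo! page. Record and message layouts follow
the SSL 2.0 draft specification; cipher-kind codes are the seven defined there.
"""
import socket
import struct
from typing import Dict, List, Optional, Union

MSG_CLIENT_HELLO = 0x01
MSG_SERVER_HELLO = 0x04
SSLV2_VERSION = 0x0002

# The seven SSLv2 cipher kinds, three bytes each.
SSLV2_CIPHER_SPECS = bytes.fromhex(
    "010080"   # SSL_CK_RC4_128_WITH_MD5
    "020080"   # SSL_CK_RC4_128_EXPORT40_WITH_MD5
    "030080"   # SSL_CK_RC2_128_CBC_WITH_MD5
    "040080"   # SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5
    "050080"   # SSL_CK_IDEA_128_CBC_WITH_MD5
    "060040"   # SSL_CK_DES_64_CBC_WITH_MD5
    "0700c0"   # SSL_CK_DES_192_EDE3_CBC_WITH_MD5
)


def build_client_hello(challenge: bytes = b"\x00" * 16) -> bytes:
    """Build an SSLv2 CLIENT-HELLO record offering every SSLv2 cipher kind."""
    body = struct.pack(
        ">BHHHH",
        MSG_CLIENT_HELLO,
        SSLV2_VERSION,
        len(SSLV2_CIPHER_SPECS),  # CIPHER-SPECS-LENGTH
        0,                        # SESSION-ID-LENGTH (new session)
        len(challenge),           # CHALLENGE-LENGTH (16..32 bytes)
    ) + SSLV2_CIPHER_SPECS + challenge
    # Two-byte record header: high bit set = no padding byte, low 15 bits = length.
    return struct.pack(">H", 0x8000 | len(body)) + body


def parse_server_hello(data: bytes) -> Optional[Dict[str, Union[int, List[str]]]]:
    """Return SERVER-HELLO fields if `data` is an SSLv2 SERVER-HELLO record, else None.

    A modern server answers the probe with nothing, a TCP reset, or a TLS alert
    record (first byte 0x15); none of those parse as SSLv2.
    """
    if len(data) < 2 or not data[0] & 0x80:
        return None
    length = struct.unpack(">H", data[:2])[0] & 0x7FFF
    body = data[2:2 + length]
    if len(body) < 11 or body[0] != MSG_SERVER_HELLO:
        return None
    (_msg, _session_hit, _cert_type, version,
     cert_len, cipher_len, _conn_id_len) = struct.unpack(">BBBHHHH", body[:11])
    if version != SSLV2_VERSION:
        return None
    ciphers = body[11 + cert_len:11 + cert_len + cipher_len]
    return {
        "version": version,
        "certificate_length": cert_len,
        "ciphers": [ciphers[i:i + 3].hex() for i in range(0, len(ciphers), 3)],
    }


def supports_sslv2(host: str, port: int = 443, timeout: float = 5.0) -> bool:
    """True if host:port completes an SSLv2 hello. Makes a network call."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_client_hello())
            response = sock.recv(4096)
    except OSError:  # refused, reset, DNS failure or timeout: no SSLv2 hello
        return False
    return parse_server_hello(response) is not None


def constructed_server_hello() -> bytes:
    """Constructed SERVER-HELLO as an SSLv2-enabled server would send it,
    with CERTIFICATE-LENGTH = 0 so the sample stays short."""
    ciphers = bytes.fromhex("010080" "0700c0")
    connection_id = b"\x11" * 16
    body = struct.pack(">BBBHHHH", MSG_SERVER_HELLO, 0, 1, SSLV2_VERSION,
                       0, len(ciphers), len(connection_id)) + ciphers + connection_id
    return struct.pack(">H", 0x8000 | len(body)) + body


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "example.invalid"  # placeholder host
    print(f"{host}: SSLv2 {'ACCEPTED' if supports_sslv2(host) else 'not accepted'}")
```

A server that does not answer is necessary but not sufficient evidence against DROWN: the attack also works through any other server, on any port, that speaks SSLv2 and shares the same RSA key, so every endpoint using that key needs the same check.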
“A short easy to remember password? Convenient, but not very secure. A long complicated one? More secure, but also difficult to manage.” – Adding complexity to a password does not necessarily make it more secure. Password cracking tools such as John the Ripper and Hashcat use mangling rules to substitute symbols for letters in dictionary words and, consequently, “P@55w0rd” is no more secure than “Password” – both could be broken equally easily and quickly.
That said, it’s extraordinarily unlikely that somebody would attempt to brute-force your password. It’s simply not how passwords hacks happen these days. Instead, passwords are phished or obtained via the compromise of a credential database (the latter is, obviously, beyond your control) or by somebody you know guessing your password.
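The article’s password passage weighs short passwords against long ones, and the comment above adds that bolting symbols onto a dictionary word buys little against crackers with mangling rules. The following added example, not code from the page or from the commenter, makes both points concrete: it runs a tiny rule-based dictionary attack against salted SHA-256 hashes and shows that “Password”, “P@55w0rd” and “Dragon2016” all fall within a few dozen guesses, while a multi-word passphrase is outside the guess space. The wordlist, rules, salt and sample passwords are constructed for illustration; real attacks use Hashcat or John rule sets over wordlists with millions of entries.

```python
"""
Dictionary attack with word-mangling rules against salted SHA-256 hashes.

Added example, not from the Ask Leo! article or its comments. The wordlist,
the rules and the sample passwords are constructed here for illustration.
"""
import hashlib
from typing import Dict, Iterator, Optional, Tuple

# Constructed mini wordlist standing in for a real leaked-password list.
WORDLIST = ["password", "letmein", "dragon", "welcome", "summer"]

# Leetspeak substitutions of the kind a mangling rule applies to every word.
LEET = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "5", "t": "7"}
# Common suffixes people append to satisfy "add a number or symbol" policies.
SUFFIXES = ["", "1", "123", "!", "2016"]


def mangle(word: str) -> Iterator[str]:
    """Yield every candidate this small rule set derives from one dictionary word."""
    bases = {word.lower(), word.capitalize(), word.upper()}
    for base in list(bases):
        # Swap letters for symbols/digits, keeping the casing of untouched
        # letters, so "Password" becomes "P@55w0rd".
        bases.add("".join(LEET.get(ch.lower(), ch) for ch in base))
    for base in sorted(bases):
        for suffix in SUFFIXES:
            yield base + suffix


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted SHA-256 as a fast stand-in for a leaked credential store.

    A slow KDF (bcrypt, scrypt, Argon2) raises the cost of every guess, but it
    does not change which passwords lie inside the guess space below.
    """
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def crack(target: bytes, salt: bytes, max_guesses: int = 1_000_000) -> Optional[Tuple[str, int]]:
    """Return (password, guesses_used) if a mangled wordlist entry matches, else None."""
    guesses = 0
    for word in WORDLIST:
        for candidate in mangle(word):
            guesses += 1
            if guesses > max_guesses:
                return None
            if hash_password(candidate, salt) == target:
                return candidate, guesses
    return None


def demo(salt: bytes = b"constructed-salt") -> Dict[str, Optional[int]]:
    """Map each sample password to the guesses needed to recover it, or None if it survives."""
    samples = [
        "Password",                   # plain dictionary word
        "P@55w0rd",                   # "complex" by policy, one rule away from the word
        "Dragon2016",                 # capitalised word plus a common suffix
        "plum ladder quartz violin",  # four unrelated words: outside this rule set
    ]
    results: Dict[str, Optional[int]] = {}
    for pw in samples:
        hit = crack(hash_password(pw, salt), salt)
        results[pw] = hit[1] if hit else None
    return results


if __name__ == "__main__":
    for pw, guesses in demo().items():
        status = f"cracked after {guesses} guesses" if guesses else "not in guess space"
        print(f"{pw!r:30} {status}")
```

The passphrase survives here only because this rule set mangles single words; combinator and Markov attacks exist too, so what buys security is length and unpredictability, which is exactly what a password manager makes convenient.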
What software can take care of security, so I don’t have a lot of software on my laptop?
Quick answer: Don’t install any. In Windows 10 & 11, Windows Security — previously known as Windows Defender — comes pre-installed.