Technology in terms you understand. Sign up for the Confident Computing newsletter for weekly solutions to make your life easier. Click here and get The Ask Leo! Guide to Staying Safe on the Internet — FREE Edition as my thank you for subscribing!

In Search of Perfect Security

Become a Patron of Ask Leo! and go ad-free!

Transcript

Show Transcript

Do this

Subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.

I'll see you there!

29 comments on “In Search of Perfect Security”

  1. Very good points Leo !
    As you ask for it, I think that one should break down the computer security question into 2 different aspects:
    1) harm to functionality
    2) privacy

    The first question relates to: “how can bad guys stop my computing systems from doing what they are supposed to do ?” Typically: ransomware, denial of service attacks, malware that formats disks, corrupts data and programs…

    This part is actually easy to solve (that is to say: make the attack an inconvenience, instead of a drama) : as you’ve pointed out so many times: back up ! A denial of service attack can only last for so much time, and all the rest is solvable with a good back up strategy.

    Much, much harder is the privacy question, and there, your point is even more important. Here, the question is: can bad guys have access to my private stuff ? If you are the main target of the NSA and the KGB, then honestly, there’s not much you can do. If, as you point out often, you are much less interesting, there’s more hope. But again, I think that the main question is: should you put something private on a computer if it isn’t strictly necessary ? Each time you’re thinking of putting something private on a computer that you wouldn’t want the world to know, you should think twice: is this necessary ? Do I need to do it ? And, as you point out so rightly, people should know the risks and make the trade off between the inconvenience of the private stuff being known, the effort taken to protect it, and the necessity to put that private stuff on a computer in the first place. If you put your sex tapes of your last travel to the Philipines on facebook, don’t come crying that they travel the world and that it is a huge embarrassment, or worse. Should you have put them there in the first place ?

    A combination of 1 and 2 is when online accounts are hacked and the access is stolen. That’s both a privacy problem, and a problem of functionality (you can’t get into your stuff any more). My view there is that for *essential* online services, you should use paid-for service with *paper* or *physical* access, so that in the end, you can always prove that you are you, and the one that paid for the account. I’m mainly thinking of e-mail, but also of online web services for instance. You should only use “throw away” free online accounts where it doesn’t matter too much if tomorrow, you can’t log in any more.

    Finally, if you need to work with very confidential material, you should take special steps, like booting from a system on a USB stick that only serves that purpose, wonder if you need network access while doing so, and use good cryptography. This is for instance what one should do when working with crypto currency accounts if the wallets contain important amounts of money. Even there, you are not perfectly safe (there can be firmware attacks that compromise even non-networked devices – think of stuxnet-like attacks), but you’ve eliminated a whole lot of attack vectors nevertheless.

    As you say so rightly, it is always a trade off, and the biggest security problem is ignorance. If you manipulate bitcoin wallets on a windows machine where you are also surfing on porn sites, you shouldn’t be too surprised that things turn out badly.

    Reply
  2. My ‘fingers crossed’ security with my Windows 10 system is:-

    Malwarebytes Anti Exploit**.
    Malwarebytes Anti Malware.
    Super AntiSpyware.
    Bullguard Internet Security.
    Trusteer** (for Banking)
    Roboform

    The 2 marked with ** are freeware, the other 4 are paid for. Altho’ there is duplication here, they do not conflict & I work on the basis that one of them will pick up problems missed by the others. I shall be very interested to hear/read other users comments.

    Reply
  3. A good analogy might be driving a car. People worry so much about computer security, and rightly so, and get in their car which is also fraught with safety tradeoffs and think nothing of it, when the stakes in that situation are literally life and death.

    Reply
    • There is nevertheless a difference between “real life” safety and security considerations, and computer security. Real life security and safety has to do with physical nearness. You may consider that the lock on your front door will not resist any sophisticated (state or big corp sponsored) burglar team, but that there’s no reason why such a team would be around *in your neighborhood*. So in fact, your daily security systems only have to be sufficient to keep *the local mob* out. This limits the *number of potential enemies* significantly, and your front door lock will probably cope with it.

      However, a networked device is exposed to several billions of potential enemies *all over the world*. Our animal instincts are not tuned to that. We’re not, with our common sense, trained to withstand armies of billions of enemies who are at the other side of the world.

      If you’re living, say, in a house nearby a countryside village in France, you might consider the drunk guys in the village on Friday evening a potential problem, as well as the few strange youngsters on their motorcycles, but you shouldn’t consider a sophisticated Hong Kong burglar team as a potential thread for your house. With your computer, a Novosibirsk based hacker crew is just as well a threat, or even more so, than your neighbor’s teenage whiz kid. Because you might have a chat with the teenage boy, but you will never see the Novosibirsk guys of your life.

      Reply
    • Indeed. And, of course, there’s also a trade-off between security and reliability. If you don’t install any security apps, there’s an increased risk that your computer will be compromised; on the other hand, the more security apps you install, the more likely it is that one of those apps will break your computer.

      Reply
  4. “How do you balance convenience & security?” – The only security apps I use are those which come bundled with Windows: namely, Defender and Firewall. I use strong passwords for all sensitive logins and have configured my router to use OpenDNS which provides an additional layer of security (albeit a somewhat thin one). Beyond that, it all comes down to commonsense and backups. It’s a very low maintenance approach.

    Reply
    • It’s been a while, but I’m probably going to add Open DNS to my arsenal again as well. MY ISP’s DNS servers aren’t that great.

      Reply
  5. COMPLETE waste of 3:34 minutes. Tell me something I didn’t know. What was the purpose? Not a single suggestion – just another summarization of the obvious with cutesy stick figures. I expected more from you, Leo. All I got was pissed off at feeling disrespected.

    You would think an “expert” such as yourself could compile a list of what he considers to be the “best” real world security solutions for protecting our hardware; a list that includes both free and paid-for programs and how to configure them so as to maximize their effectiveness.

    Reply
    • With all respect, but I think you missed the essential of what Leo tried to convey. The most important thing is that:
      1) you are aware of what threats exist
      2) you have to evaluate for yourself the trade off between security and convenience.

      1) is needed in order for you to have a good grip on 2).

      You cannot compile a general advice, because it is too much situation-dependent. That’s essentially what Leo wanted to say, I think (although I cannot speak for him).

      Should you only use tails (https://tails.boum.org/index.en.html) and full encryption of everything you ever do, or can you cope with a standard windows machine without anything (probably good enough for gaming) ? Probably depending on what you’re doing, you’re somewhere in between.

      Reply
    • It may feel like a waste of time for you, but it’s sadly nessessary to refresh the memory of a great many peoples.
      You see, peoples tend to forget things. Some times, you need to rephrase things so that some peoples that failled to understand you the first time may have another chance to understand.

      Reply
    • “What was the purpose?” – To stimulate a discussion, perhaps?

      “You would think an “expert” such as yourself could compile a list of what he considers to be the “best” real world security solutions.” – There really is no such thing as “the best.” Or, maybe more accurately, there are lots of things that could be considered to be the best. It’s extremely subjective and really depends on what factors you consider important. Per-PC cost? Detection capabilities? Parental control features? Performance impact? Ease-of-use? Technical support? I could make a valid argument that Windows Defender is the best antivirus solution because it’s no-cost, non-intrusive and exceptionally easy to use. Or I could argue that Avira is the best because it’s no-cost too and has somewhat better detection rates than Windows Defender. Or I could argue that Kaspersky is the best because of its reliably high detection rates and low performance impact. Or I could argue that ESET is the best because it has a consistently great track record and excellent technical support. Or I could argue that Sophos or Webroot is the best because….

      Realistically, there are probably about a dozen antivirus products which could, for one reason or another, be considered to be the best and those products all provide great protection from the threats you’re most likely to encounter in the wild. It’s really simply a matter of choosing the product that best matches your needs.

      Reply
    • Sorry you feel that way. For the record, askleo.com is full of recommendations and suggestions, though perhaps not bundled into a nice package. Then again, I do have a top level article on internet safety (referenced as my “most important article” on the Ask Leo! home page), and even a book on the topic, in case those come closer to meeting your expectations.

      This article was intended to be exactly what it is: a statement that perfect security simply doesn’t exist. What you don’t see is that many, many people continue to search for it, regardless.

      And yes, it was an experiment to see how people reacted to a different style of video. Thanks for the feedback on that. :-)

      Reply
  6. I use Windows Defender, free Malware Bytes, RoboForm, minimum 16 character passwords, backup weekly on multiple external USB devices, encrypt sensitive info which is also backed up on multiple devices, don’t open an email if I don’t know the sender, and I also use “throw away” email addresses for initial correspondence with companies or people I’m not sure won’t spread my email address. Since I only use my computer 4-6 hours a day, it’s shut off and power physically removed when not in use. If someone can remotely flip a physical switch, then I give up.

    Reply
  7. Holy moly, Leo! If this podcast wasn’t on Ask Leo, I’d have thought you were talking about the 2016 elections. “Convenience” v. “Security” indeed. The most secure way of managing passwords, in fact of indexing which of your files are on which device? Long ago in a galaxy far away, we had these odd things called “pens” and “paper.”

    Seriously: how many “man-hours” are spent trying to find which computer/laptop/tablet/flash-drive/external hard drive/CD/DVD/floppy disk has that love letter you wrote but never sent when you were a wee 30-something. I have stopped even looking at new devices, until they build one with a 1,000 Terabyte memory.

    Reply
  8. Leo’s point is an old one … there are no absolutes. But my take on this hits close to home: Be prepared.

    No matter how safe or secure, when disaster strikes what will you do? Do you have a disaster plan in place? This, obviously, goes far beyond our digital lives. At one end of the spectrum are Prepers, at the other end are hapless targets & early victims. Some folks have a little preparation and don’t know it. Someone has a medical crisis and you dial 911. Your house catches fire and you get your family out, dial 911, grab something like the photo albums, and maybe even fight the fire. Did you plan all this? Common sense runs high in most folks. Some have earthquake kits. Some have Go Bags.

    In the context of computer safety & security and in the extreme, if your home was destroyed and all your computer related equipment laid to waste, do you have backups elsewhere to help the recovery process? Was that list of passwords burnt to a crisp? Is your address book gone? This is along the same line as protecting “important papers.” If your email is hacked what will you do? If an on-line account is beached what will you do? If one or more of your personal network devices is infected or attacked, what will you do?

    Are you prepared?

    I’ll do a little plinking in the woods on the way my favorite fishing spot today, with not a care about any of this … I’m prepared as much as I care to be, today. Could I do more? Sure. Will I? Not today.

    And yes, I’ll carry bear mace along with a rifle and sidearm and basic first aid kit.

    Reply
  9. I enjoy very much your videos and comments. This, however, has nothing to do with you information. How did you make a video with speed writing on a whiteboard. Hope you will answer this.

    Reply
  10. Internet security certainly is a trade off, as you say.
    Last year, I ‘invested’ in a well known security package, which seemed to fit the bill – it wasn’t cheap, but I reasoned that it would be value for money.
    This thing was so good at security, that it slowed my computer down to a snails pace, I temporarily removed it and the speed went back to normal. After a few weeks, I uninstalled this and went back to my trusted, if less secure, old package.

    Regards

    Reply
    • “This thing was so good at security, that it slowed my computer down to a snails pace.” – Yeah, it’s usually best to stick with something that you know works well on your system. Realistically, if you’re using one of the established and well-known products – Kaspersky, ESET, Sophos, Bitdefender, Webroot, etc. – there’s really not much point in switching as, at best. you’ll only get very marginally improved protection.

      Reply
      • In fact, a security package that doesn’t allow you any more to do anything on your computer, has actually achieved its security goal in a sense. If you can’t do anything with your computer any more, then you won’t put sensitive stuff on it, or important stuff, or whatever stuff, and hence, it is perfectly safe, no matter what happens to it :-)

        This package simply makes the balance “convenience vs. security” swing over entirely to “security”. In a sense, it was worth its money. That said, hitting your computer with a big hammer has about the same effect, and is probably cheaper (the hammer, I mean) ;-)

        Reply
  11. Just a quick note: MS Windows 8 & 10 come with security software installed as part of the OS. AKA Windows Defender

    Reply
  12. I think that the security issue boils down to something that Leo is always preaching: “How to protect yourself from yourself”; that means a slew of things that one has to be careful about when using the computer such as: having the basic knowledge on how the Internet works; be always skeptical; be very ALERT to recognizing spams, scams etc; not clicking on file attachments one was not expecting and suspicious URLs (like making some bank transactions on an address bar without the “https”). The best of all “Backup”.

    As always a very good article, Leo!

    Reply
  13. That absolute security is essentially impossible to achieve, and that even very competent people are sometimes caught “opening a security hole”, is seen every day. Leo, hint: “drown attack” ;-) You should switch off SSLv2 support on your site…

    The drown attack is an interesting case of security violation. It is NOT a bug. It is not really a user error. It is one of those quirks with cryptography, where a combination of different systems suddenly renders the whole vulnerable, although each individual aspect is secure.

    Reply
  14. “A short easy to remember password? Convenient, but not very secure. A long complicated one? More secure, but also difficult to manage.” – Adding complexity to a password does not necessarily make it more secure. Password cracking tools such as John the Ripper and Hashcat use mangling rules to substitute symbols for letters in dictionary words and, consequently, “P@55w0rd” is no more secure than “Password” – both could be broken equally easily and quickly.

    That said, it’s extraordinarily unlikely that somebody would attempt to brute-force your password. It’s simply not how passwords hacks happen these days. Instead, passwords are phished or obtained via the compromise of a credential database (the latter is, obviously, beyond your control) or by somebody you know guessing your password.

    Reply

Leave a reply:

Before commenting please:

  • Read the article.
  • Comment on the article.
  • No personal information.
  • No spam.

Comments violating those rules will be removed. Comments that don't add value will be removed, including off-topic or content-free comments, or comments that look even a little bit like spam. All comments containing links and certain keywords will be moderated before publication.

I want comments to be valuable for everyone, including those who come later and take the time to read.