No one has ever been shot by a hacker who was breaking into their computer through the Internet. Not so for thieves coming in through the back door.
Roblimo’s Hideaway
I wrote a piece titled No, Evil Hackers Aren’t After You, and promptly had 17 zillion readers (by actual count) get mad at me for not taking their security concerns seriously. I still think the idea of a giant robot eyeball on a flexible stalk growing out of your microwave oven is still a little silly, and I believe there are many simple, down-to-Earth security problems to worry about before you try to spot rogue CIA agents watching your house from a grassy knoll in Dallas.
- First, a brief note: I planned to write this follow-up a lot sooner, but I was sick. I mean congestive heart failure sick, hauled off to the ER for a nice vacation at Manatee Memorial Hospital, or as I sometimes call it, my second home. A lovely place, but you really don’t want to go there — even though they now have WiFi in all patient rooms so you can watch Netflix 24/7 (or whatever).
Back in the world of security, let’s start with your door locks. You have locks for your doors, don’t you? And you lock your doors when you’re either not at home or aren’t someplace where you’ll notice someone rattling that knob or handle, don’t you? Shockingly, unlocked doors are so common where I live, in Florida’s not-very-famous Manatee County, that our Sheriff’s crime prevention people say the majority of thefts from homes aren’t from break-ins but are done by people who try door after door, front and rear, until they find an unlocked house. Then, of course, they clean it out.
The most popular items with our local criminals (and probably yours) are guns. Computers, especially laptops, are number two. This doesn’t mean Mr. Wantzum Drugz says to himself, “I scored me a nice Glock 20 from the nightstand so I guess I don’t need to take that McBook Prose laptop from their home office.” No, Wantzum will grab them both. Your TV? HDTVs have gotten big enough that they are less popular with thieves than they were a decade or two back. This doesn’t mean your TV is safe from theft, just that your computers are even more likely targets.
In real life, which is more likely: Trumpmaster Putin’s minions using your TV’s camera to watch you watching TV or a crackhead coming into your house (through an unlocked door) to grab your stuff?
Yes. The crackhead — or more likely, these days, methsmokers or pillpoppers. But that doesn’t really matter. Thieves are thieves, and my doggie says she’ll bite them if they try to steal from us no matter what drugs they do or don’t use.
Thinking of which, police have said for many years that an alert dog is one of the best anti-burglar measures you can have. The point isn’t whether your dog will bite intruders, but that a potential thief hears barking and probably goes to the next house instead of trying yours. My dog doesn’t prevent theft. She just makes it more likely that thieves will go after your place instead of mine. Don’t want or can’t have a dog? Alarm systems are cheap these days, to the point where there’s really no excuse not to have one.
Okay, your dog is wary of strangers and you have a home alarm system (that you remember to set whenever you go out). Now you go leave your laptop in a carry case on your motorcycle. Not you, you say? A Secret Service person did this not long ago in New York. It got stolen, of course. The thief may not have gotten Trump Tower security information off of its hard drive because it was encrypted, but the agent still was out a laptop. Whoops!
Are your hard drives encrypted? Especially laptop drives? If you have data stored on your computers that someone can use to make your life miserable, including credit card numbers, an encrypted hard drive can save the day in case of theft. Using Linux is pretty good, too, since a passworded Linux install will foil most low-end thieves.
And Lock your car. Law enforcers all over the Tampa Bay part of Florida (and presumably elsewhere) say that even more common than thieves who jiggle house doorknobs, looking for one that isn’t locked, are people trying car after car. Some insanely high percentage of cars are left unlocked, say our Sheriff’s crime prevention officers — as in 25 percent to 50 percent in many cases, with church parking lots often having more unlocked cars than mall lots, which still have more than enough to keep a fast-moving thief happy and prosperous. Hallelujah!
Would you believe that guns left in unlocked cars are stolen so often that this is one of the biggest ways criminals get guns? Once again, computers are #2 on the thief’s desirability scale, but that’s plenty high when it comes to auto burglary swag. They need to be in the trunk or otherwise concealed in your securely locked car, with the car alarm set, assuming you have one.
I’ve been talking about nothing but physical security today. You can have the world’s greatest firewall, but if a side door to your server room is propped open because a lazy employee forgot to lock it after slipping out for a cigarette, your server room is wide open in the most literal sense of the word.
All security starts with the basics: secure your stuff, lock the doors, etc.
Online security concerns are real, even if I think some people worry too much about some of them, but physical security is overlooked far too often. Please don’t make it easier for thieves to steal your hardware than it is for them to steal data you send over the public Internet.
Robin “Roblimo” Miller is a freelance writer and former editor-in-chief at Open Source Technology Group, the company that owned SourceForge, freshmeat, Linux.com, NewsForge, ThinkGeek and Slashdot, and until recently served as a video editor at Slashdot. Now he’s mostly retired, but still works part-time as an editorial consultant for Grid Dynamics, and (obviously) writes for FOSS Force.
>> I still think the idea of a giant robot eyeball on a flexible stalk growing out of your microwave oven is still a little silly <<
So do I. That statement in and of it self sets the tone of the entire article. It's clear from this article, and your previous piece, that you don't take privacy concerns seriously, and seem to argue here as you did previously that if you have nothing to hide you have nothing to fear.
My recommendation to anyone coming across this piece of crap is don't bother.
Another waste of time. It’s great that you acknowledge online security threats are real, but your entire article seems bent on minimizing their importance. You are absolutely doing a disservice to your readers. When people who should know better discount these threats it only reaffirms the uneducated viewpoint that there is nothing to worry about. Being aware of online security threats today isn’t paranoia…it’s common sense.
Online spying is a real problem, both through indiscriminate wholesale data collection by governments and unscrupulous corporations, and also by targeted and/or discovered attacks by criminals, bullies, and other maladjusted persons against individuals. This will only increase as governments seek more control over the uncontrollable, and companies rush to put out the latest cloud connected gadget with zero forethought to the security/privacy issues it will present to its users. Uneducated users will continue to accept the status quo because they don’t know any better.
I’ll leave you with a quote I find particularly relevant:
“Arguing that you don’t care about the right to privacy because you have nothing to hide is no different than saying you don’t care about free speech because you have nothing to say.” –Edward Snowden
I offer my prayers for your health. Take are of yourself.
I’m still rather unimpressed with this. I understand that there are priorities and that it’s all but useless to lock the door when the window next to it is wide open. But that’s a red herring. To begin with the locked door IS a deterrent to the blind man who can’t see the window or when the area under the window is planted with Spanish Daggers. Security isn’t all or nothing.
As I commented on your prior post, I’ll stipulate that I’m not interesting enough to fear the NSA. However my machines are just as interesting as the next on a botnet. You failing here is that the people who are savvy on the issues will reject your premise and those who are not will be more complacent. The anti-virus vendors make a good living off the security holes people unwittingly fall through. And the criminals do as well.
I think your advice would be more valuable if you were to educate those who need it to the real pitfalls and not trivialize the issue with eyeballs popping out of your microwave.
Something along the lines of
(1) Never connect directly to the Internet.
(2) Always use a firewall (don’t disable it)
(3) Keep your anti-virus software up to date.
etc.
None of this is perfect, but they are relatively easy to do.
Nothing can save the user from himself. Not opening unrecognized email would do more than any of the above.
I look forward to something from you on how the comparative naif can avoid becoming a statistic.
I think I interpreted this one a little differently. What I got was the possibility of spying is still present. No doubt about that. But deal with the easy stuff because it’s easy–lock your car, put valuables where they are hard to see, protect your house, etc. Grab an advertising pen and get a used envelope out of the recycle bin and make notes of more things you see that need to be taken care of.
If somebody cleans out your house, including your non-encrypted laptop that has your personal info on it and isn’t backed up, you’re in a world of hurt. That’s whether or not Putin or the NSA has your underwear size. If you’re organized and efficient, you can probably do most of the easy stuff in half a day and not have to think much about it any more.
THEN, after lunch, go for the online threats. Those will take some time and a lot more thinking. A lot more thinking. And those notes you made in the morning. That may be hours and hours and lots of research. But while you’re doing that, the doors are locked and most of your stuff is protected fairly well.
Thanks for the Snowden quote, Mike. I hadn’t seen it.
Securing privacy has become a critical component to security in general.
Here’s an example of a useful resource on privacy:
https://privacytoolsio.github.io/privacytools.io/
It contains more information than a novice could probably handle in one sitting, but it has several really good sections that a person could single out as pertaining to themselves and implement without much trouble.
For anyone who thinks privacy isn’t a requirement for security:
What do you think will happen when all that government/corporate accumulated data suffers a massive data breach?
It has happened. It will happen again.
Sorry to hear about your health problems and I hope that you’re doing much better. All the best.
Now on to the negative stuff; sorry.
> I still think the idea of a giant robot eyeball on a flexible stalk growing out of your microwave oven is still a little silly, and I believe there are many simple, down-to-Earth security problems to worry about before you try to spot rogue CIA agents watching your house from a grassy knoll in Dallas.
And that’s why you’re getting negative responses, Rob: because you’re making a strawman argument.
You’re absolutely right about the importance of securing your house. I don’t know where you get the impression that a properly-configured router precludes locking my doors or owning a dog.
Good tips on encryption; thanks for those. The rest of the article, I’m afraid, isn’t so helpful.
Speaking of security….I noticed something odd today. After updating both my CEntOS desktop and my Ubuntu laptop I got this error message about the Hard disks. (DRDY-Error….not sure exactly what it said because it whizzed by too fast.) I proceeded to bootup Ubuntu from a USB, and checked the main hard drive with “e2fsck -f -c -v /dev/sda1” after what seemed like message upon message about blocke being unreadable, it finished with the message:
“Unix Filesystem Has Been altered” or something of that nature. Could it be that there’s something going on with the updates out there in the wild? Mind you…these are two DIFFERENT systems who’s repos are pointing in two DIFFERENT locations, how could they BOTH get the same type of error? I think I will hold off on updating anything until I can figure out whats’ going on. IN the meantime I have to go to work now…but when I get home in the morning, I will try to re-create this problem and this time I’ll try to screen-capture everything that displays, so as to get some better feedback on this!
P.S. I noticed they both had the 4.10 kernel…I don’t know if that has anything to do with it…but I’ll definitely have tons more info when I get back home later!!
First off, best of luck with your health. Worrying about the responses to your articles /might/ be part of your problem; if so, perhaps you should stick to subjects that better suit you, this is one that you are way off base.
It’s so true that it is very hard to get people to take security seriously and you make that so much harder. Unless of course the intention is that your readers get their true value from the comments rather than the article.
In regards to this article? I will only say this:
In this day and age when you can blame someone else for you inablility to read a warning on a cup and WIN?…(I know we all remember the lawsuit of the man vs McDonald’s over their “hot coffee”!) I think there’s a severe lack of personal accountability. If YOU decide to leave YOUR laptop in the trunk of YOUR unlocked car? Then you deserve whatever consequences arise from those actions. Period. No one should have to FORCE you to lock your doors when you and your family are home at night, why should the same not be true for your electronic devices? No one should have to remind you or give you friendly notes telling you you shouldn’t speak your ATM PIN number out loud when you’re typing it in…in a crowded bank lobby, why must there be this incessant diatribe of what you should and shouldn’t do regarding your electronic life? Granted, some folks aren’t savvy enough to know what they should do regarding their desktop or laptop. But those people are few and far between as almost everyone knows what Facebook is, knows all about Twitter and about InstaGram, so there shouldn’t be that much disconnect when it comes to online security and privacy. For those who live their life with the “…I Have Nothing To Hide, and The Government Is NOT Spying On Me…” then I can only wish you luck as we hurtle towards a quite myopic and dystopian future. I prefer to err on the side of caution, and to refuse to use Windows or Mac OS….I will continue to use my Linux laptop and desktops, I will persevere and keep my ClamAV virus signature files up-to-date, I will continue to run the root kit hunters I have installed to help keep my systems clean. I will always encrypt my hard drives with the highest levels I can. I will forever backup my data to external storage, keeping it on my person at all times. (To hell with the “cloud”!…I carry my cloud with me EVERYWHERE, and MY cloud?…doesn’t require an internet connection in order for me to access my Linux-centric training PDF’s and other technology manuals.) I don’t want my documents accessible from anywhere that requires internet in order to get at them when I need to.) I will continue to make regular backups of ALL my data from ALL my machines on the TWO 4TB (that’s TERA-BYTE!) hard drives so that there’s redundancy at all times. And After a year? I erase the first 6 months and compress the last 6, thereby increasing space on my drives for the new backups and preventing older data from possibly being obtained. (I once lost a 2TB hard drive while on vacation….I have learned my lesson, now?….my HD comes with me everywhere while at home and I usually place it in the hotel room safe when on vacation. But since it’s all encrypted and it requires TWO levels of authentication in order to even access the drive itself?…I’m not too worried about it. Speaking of which have you seen the PRICES for a 4TB external hard drive? The prices are so low that NO ONE HAS ANY EXCUSE to NOT HAVE FULL BACKUPS OF ALL THEIR DATA these days! I hear all about the ransomware attacks and people ACTUALLY PAYING for the decryption key that some hacker promises to you? Like…..how do you TRUST the word of someone WHO’S JUST STOLEN YOUR DATA!!??? Had you owned an external HD?…you’d get the email or error message from the cyber-terrorist (and make no mistake that IS terrorism!) you could read the email….laugh all the way to the bedroom where you’ve got a full backup from yesterday…..re-install your operating system and then make sure to not click on whatever it was you clicked on that go you there in the first place!
@Eddie G:
> In this day and age when you can blame someone else for you inablility to read a warning on a cup and WIN?…(I know we all remember the lawsuit of the man vs McDonald’s over their “hot coffee”!)
Unfortunately, the people who refer to that case usually *don’t* remember it. At least, not accurately.
One, it wasn’t a man, it was a 79-year-old woman.
Two, there was no warning on the cup; the warnings were added to the cups *after* the lawsuit.
Three, the woman received third-degree burns over 16% of her body. The coffee was too hot; it should not have been that hot.
The result of the lawsuit *is* laughable: McDonald’s added a “CAUTION: COFFEE IS HOT” warning to its cups instead of changing the temperature. Because from McDonalds’ perspective, the problem wasn’t the serious, debilitating injury to an elderly woman, it was the legal liability.
Give https://www.ttla.com/index.cfm?pg=McDonaldsCoffeeCaseFacts a read for more. And the next time you want to lecture somebody on personal accountability, show some yourself and use the internet-connected device you’re currently typing on to check the basic facts of the case you’re referring to.
It typically takes a catastrophic data loss before users will consider backups.
Security is sort of the same scenario…pretty much no one thinks about it until it’s too late. That is true from individual users all the way to the largest corporations. Most companies only perform security theater if they do anything at all. They may take some steps, but they leave so many openings, not becuase thier IT security people are incompetent, but because to realyl do it right is 1: inconvenient to users and especially executives/managers 2: time consuming and 3: expensive 4: Often brittle in ways that make organizational change difficult.
One of the current problems with IT security is that REAL, MEANINGFUL security is almost a herculean task when you are considering a typical corporate environment.
A single extremely knowledgeable user can do pretty good securing a handful of machines, but everyone else is pretty much screwed.