All Security Is Security Theatre

In light of the Ashley Madison leak, I wanted to tell, or perhaps remind, you that all security is bullshit. This applies to physical (e.g. home) security as well as digital security. The moral of this post will be: please do the bare minimum, or slightly above it, required for “reasonable” security; do not worry about going beyond that because you basically can’t.

Physical Security

Physical security, like home security or how to be safe when going somewhere, is mostly about not doing the stupidest possible thing. As long as you’re not doing the stupidest possible thing, you’re getting most of what you can out of security.

Consider home security. Presumably, you don’t want people breaking into your house. You don’t want them to hurt you or steal your possessions. So you try to prevent them from doing so: you close your door, you lock it, maybe you even deadbolt it; you close your windows and, usually, maybe even take the time to lock them too. This is all you need to do.

I’m going to make up some numbers here, but they should be fairly representative. Let’s say 100 people walk by your house: how many of them are going to break in and steal your jewelry?

  • If the door is open, maybe 5 people will be tempted by how easy it is
  • If the door is closed, but unlocked, maybe 1 or 2 people will try it, at worst
  • If the door is locked, we’re way below 1%; you’d expect maybe 1 in 1000 people, at worst, to try a number of doors, find them locked, and then look for further ways of entry.

At this point, you’re basically protected from crimes of opportunity. Everything past this point is only protecting you against people who are willing to, both psychologically and physically, expend nontrivial amounts of resources breaking into your home. They can’t just break in right then, because you could come home at any minute, and that’s an extraordinarily high risk. So they have to case the joint, which requires coming back at least a few times, and then they have to scout around for vulnerabilities: an unlocked window, a lock that’s easy to jimmy, etc.

So let’s consider that you now have a small number of people who see your house, which has an appropriate “not-extremely-stupid” level of security, and decide that it still looks worth robbing. Let’s say 100 people reach this stage:

  • If all your windows are locked, that will prevent maybe half of them
  • If all your doors are deadbolted, that will prevent many more
  • If all your doors have difficult-to-pick locks, that will prevent a few more (no lock is that hard to pick)

To get any further than this, you have to start doing things like barring your windows (which makes your day-to-day life less pleasant and reduces property values), installing alarm systems (which are of dubious effectiveness), building a moat, etc.

Let’s assume my numbers are vaguely right: locking your doors and closing your windows stops >99% of all robbery attempts. At that point, you have to start trading off the cost of implementing further security with the actual effectiveness. Locking your windows every day is annoying and easy to forget, and prevents, based on our givens, less than 1% of all robberies. Probably much less. Is it worth it? Is it worth barring your windows? Certainly not.

Even if you do go through these steps, anyone who really wants to get in is not going to be stopped. If someone wants to hurt you and is willing to take the risks (or, perhaps, wants to hurt you and is the government), they will get in. Most doors I’ve seen in my life would be trivial to break down with a solid kick. Most of the rest would take maybe 30 seconds with a sledgehammer. After that you’re getting into concrete doors, and you don’t want to live that kind of life. These attempts, obviously, expose the perpetrator to much greater risk of consequences, but who cares? Their goal is to get in and hurt you: you cannot stop someone from doing that if it’s important enough to them. Kings and presidents have been assassinated, you’ll recall: you do not have half the ability to protect yourself that they do.

Lesson: Lock your doors, close your ground floor windows, and accept that you’ll get robbed if anyone really wants to rob you. They probably don’t: one of your neighbors will forget to lock their door one day, and that’s all you need.

We can also consider personal physical security. Do you need to go to the store? Do it during the daytime if you can. If you can’t, avoid bad neighborhoods on your way to the store. If you can’t do that, stay in well-lit areas as much as possible. Walk upright, don’t have headphones in, don’t play on your smartphone. Bam, you’re golden. Nobody who’s out for easy opportunities to rob or hurt someone is going to fuck with you. Only people who are much more dedicated to their crimes will, and the steps to prevent those people from doing so are as likely to backfire as not: carrying a knife or a gun is likely to end up escalating things and getting you hurt worse.

Online Security

Online security is also mostly about not doing the stupidest possible thing, although I think people are less educated as to what the stupidest possible thing is when it comes to digital, rather than physical, security.

For reference, the stupidest possible things in digital security are: using the same password for your email as everywhere else; clicking on links from strangers without observing where they point to; entering sensitive information (passwords, SSNs, etc) into any website that is not over HTTPS, and, of course, giving out your passwords.
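Two of the items above (looking at where a link actually points, and only entering credentials over HTTPS) can be checked mechanically. The following is an added example, not code from the original post: it parses a link and reports the scheme and the host the browser will really connect to, treating any text before an `@` as userinfo rather than the hostname, and it checks whether a host really sits under the domain you expect. The sample links are constructed for the example; none of the hosts is a real site.

```python
from urllib.parse import urlsplit

# Constructed sample links for this example; none of these hosts is implied
# to be a real or malicious site.
SAMPLE_LINKS = [
    "https://mail.example.com/login",
    "http://mail.example.com/login",
    "https://mail.example.com@198.51.100.7/login",
    "https://mail.example.com.login-help.example/reset",
]


def inspect_link(url: str) -> dict:
    """Report where a link really points: the scheme, the host the browser
    will connect to, and whether it is fit for typing a password into
    (HTTPS, and no userinfo dressed up to look like a hostname)."""
    parts = urlsplit(url)
    info = {
        "scheme": parts.scheme,
        "host": parts.hostname or "",
        "userinfo": parts.username,  # text before '@' is NOT the host
        "https": parts.scheme == "https",
    }
    info["ok_for_credentials"] = info["https"] and parts.username is None
    return info


def host_belongs_to(host: str, expected_domain: str) -> bool:
    """True only if host is expected_domain itself or a subdomain of it.
    A host like 'mail.example.com.login-help.example' fails because the
    domain you expect is merely a prefix, not the suffix, of the name."""
    return host == expected_domain or host.endswith("." + expected_domain)


def report(urls=SAMPLE_LINKS, expected_domain="example.com") -> list:
    """One summary row per link: (url, host, ok_for_credentials, same_domain)."""
    rows = []
    for url in urls:
        info = inspect_link(url)
        rows.append((url, info["host"], info["ok_for_credentials"],
                     host_belongs_to(info["host"], expected_domain)))
    return rows


if __name__ == "__main__":
    for row in report():
        print(row)
```

The point of the check is that the hostname is whatever follows the last `@` in the authority part and precedes the path, and the domain you trust must be the suffix of that hostname, not merely appear somewhere inside it.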

What do you want digital security for? The main thing you have to protect against is what we often call “identity fraud,” which usually takes the form of someone grabbing your credit card information and making some purchases with it. In practice this usually doesn’t matter much; it’s happened to me two or three times and the remediation in all cases has been calling my bank, explaining that, no, I did not order $3,000 worth of audio equipment shipped to Ohio, can you cancel those charges, please? Okay, thanks! And then waiting a few days for a new bank card. It could, of course, end up worse than that, but your bank takes these things very seriously, so it’s likely to be fine.

What is actually much worse is someone getting into your email account. Your email account is, to a stunningly large degree, who you are online. If I can log into your email, I am you for all intents and purposes. I can intercept all your personal and professional correspondence, obviously, which is horrifying to think about and potentially damaging to one’s career or reputation if, for example, you have otherwise-hideable medical conditions, or you are into wacky sex things, or having an affair, you say mean things about your boss/friends in confidence, or whatever. Beyond that, though, I can sign you up for anything I want, I get all your bank information, I get complete access to all your accounts. I can go reset your password on everything. I can transfer $500 from your bank account to mine, acknowledge it, and delete the email. I can blackmail you by holding hostage those sexy pictures you sent your SO.

That is why you do not, I repeat, do not use the same password for your email as for anything else. Find an email provider with a reasonable history of security, always navigate directly to their website when you need to sign in, and use a different password everywhere else.

You can use the same password everywhere else, depending on how much you care. Remembering (or using something like 1Password to store) a zillion different passwords sucks, and most of the services you sign up for are hilariously badly secured already, so it’s not like you’re protecting anything. If you use password A at service S, and password B at service T, you’re insulated against S getting hacked and leaking your password for T. But if anyone bothers to hack T, they probably won’t have any real trouble doing it, anyway, so it’s not like you’re buying a whole lot of security. And, anyway, S is hopefully using a salted cryptographic hash for storing your password, so even if you use the same one at both services, it’s unlikely to tip anyone off.

Beyond using at least a couple different passwords and making sure that you only ever sign into things either (a) with one-off credentials not tied to your other accounts or (b) that are HTTPS secured, you’re pretty much set.

You can do things like disabling JavaScript to prevent clickjacking attempts, using randomly-generated, high-entropy passwords to insulate yourself from rainbow table attacks, encrypting your hard drive, etc., but the cost of those to your daily experience using your computer is pretty high, and buys you very little.
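The two claims above about password storage (a salted hash at service S hides reuse of the same password at service T, and a high-entropy password is not in anyone’s precomputed table) can be shown concretely. This is an added example, not code from the original post or from any of the services it mentions: it contrasts an unsalted SHA-256 store with a per-user salted PBKDF2 store, and uses a tiny constructed word list as a stand-in for a precomputed lookup table. The password and word list are made up for the example; the iteration count is an assumption chosen to keep the example fast.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed sample data for this example: a tiny word list standing in for a
# precomputed (rainbow-style) table, and one user who reused a weak password
# at services S and T.
COMMON_PASSWORDS = ["123456", "password", "letmein", "qwerty", "hunter2"]
REUSED_PASSWORD = "hunter2"
PBKDF2_ROUNDS = 100_000  # assumption for the example; production uses more


def unsalted_store(password: str) -> str:
    """The weak scheme: a bare SHA-256 of the password. Same input gives the
    same digest at every service, so one leak reveals reuse everywhere."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_store(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """The scheme the post hopes service S uses: a random per-user salt fed into
    a slow key derivation (PBKDF2-HMAC-SHA256 here; argon2, scrypt or bcrypt are
    the usual modern choices). Returns (salt, digest); the service stores both."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def salted_verify(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = salted_store(password, salt)
    return hmac.compare_digest(candidate, digest)


def precomputed_table(words) -> Dict[str, str]:
    """Toy precomputed table: digest -> plaintext, built once for the weak
    scheme. It is useless against salted digests, which differ per user."""
    return {unsalted_store(w): w for w in words}


def table_lookup(digest: str) -> Optional[str]:
    """Look a leaked unsalted digest up in the toy table."""
    return precomputed_table(COMMON_PASSWORDS).get(digest)


def reuse_visible_across_unsalted_leaks() -> bool:
    """Do leaks from S and T show the same digest for one reused password?"""
    return unsalted_store(REUSED_PASSWORD) == unsalted_store(REUSED_PASSWORD)


def reuse_visible_across_salted_leaks() -> bool:
    """Same question when S and T each salt independently."""
    _, leak_s = salted_store(REUSED_PASSWORD)
    _, leak_t = salted_store(REUSED_PASSWORD)
    return leak_s == leak_t


if __name__ == "__main__":
    print("unsalted leaks reveal reuse:", reuse_visible_across_unsalted_leaks())
    print("salted leaks reveal reuse:  ", reuse_visible_across_salted_leaks())
    print("weak password in table:     ", table_lookup(unsalted_store(REUSED_PASSWORD)))
    print("passphrase in table:        ",
          table_lookup(unsalted_store("correct horse battery staple")))
```

The salt does not make a weak password strong; it only forces anyone holding the leak to attack each user’s digest separately instead of matching it against a table built once. A high-entropy password is what keeps the individual attack expensive, which is why the post pairs the two ideas.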

Let’s imagine a situation to put a point on this. Let’s say you’re extremely paranoid: you log out of everything every time you use it; you keep all your passwords in an encrypted password vault which requires you to enter your memorized, long, high-entropy password every time you use it; you disable JavaScript in your browser; you never install software except from trusted sources, over HTTPS, and you check the md5sum of each of them; etc. How can I attack you?

Well, if I’m just me, I don’t have a ton of easy options. You’re safe from me. But you already were!

Let’s say I’m a dedicated blackhat hacker. You’re slightly insulated from me, but how hard would it be for me to set up a MITM attack on you? If you’re already afraid of me, fairly. But what if I just invite you over for dinner one night, and contrive to get you to connect to my wifi network?

So say you’re terrified of me; you know I’m an attacker. What if I make friends with your dad, and one day I tell him about a security update he needs to install for his home router? I say I’ll do it for him; it’s easy to mess it up, and I’m pretty well versed in these things. Oops, you’re out of luck.

Or maybe I break into your house and do it from there. That’s not gonna be too hard, either.

Or, like, I pay someone $5000 to sleep with you and steal your laptop while you’re asleep.

Point being, if I have specifically targeted you, and I have any reasonable amount of resources at my disposal, you’re fucked.

There are also a few more things to consider: it is unreasonable to assume that the NSA does not have full access to all of your information sent over the web, at this point; any credentials or information you sent over the web before the Heartbleed bug was discovered should be considered compromised; anything you send over any website that you cannot guarantee has patched Heartbleed is still getting compromised. And of course there are probably a thousand more zero-days compromising all your data all the time.

Using a few different passwords, etc., gets you to that >99% security threshold; after that, everything else is painful at best and folly at worst.

All this is to say: if there is anything you wish to communicate that you absolutely cannot tolerate having someone else finding out about, don’t say it online. There is no privacy, there is no security, there isn’t even anonymity.

This entry was posted in pedantry, software.
