The Security Myth

Security. I am a fan of it. Security is like a nice warm, um, well, security blanket! No really. It is good, and most people take it for granted. The problem is a lot of the time security is this myth that people believe in that may not really exist. Take Wifi for example. I just used MacStumbler while I am sitting at my desk at home. Do you know what I found? 8 wireless networks. One of them was mine. Of the other 7, I saw 4 open networks. Of those, 2 had the default network names, and one was just named my network. That means that 50% of the networks around me were not just open for anyone to go into. That is crazy. I bet the people using those open networks don’t know they have a huge security hole on their network, or they don’t care. The network device manufacturers have a big problem. Make the setup of the devices too hard and people won’t buy them. Make them too easy (as they are most of the time now) and you have tons of unsecured networks. Having the majority of the people using this gear not know the mechanics of how the gear works does not help the situation. It is like having everyday people work on their cars instead of taking them to mechanics.

I don’t think most computer people will argue with the assessment I have made above. Or they can if they want. Wifi security has been discussed to death. Even with proper WEP or WPA encryption the system is still not safe. I know that. I have WPA set up on my wifi point. I know I can also add MAC address filtering, etc. I know better, but I still think I have secured the system enough. Have I really? I think for the most part yes. I think of WPA as the club. You can still steal the car (aka break into my network), but why would you waste time with my network or car when you can steal the guy down the street’s car who left the door unlocked or just doesn’t have a club? I have a myth of security.

Another example of gaping security holes is another growing wireless standard, Bluetooth. I have been a fan of it since I first read about it almost a year before the first mobile phone with Bluetooth came out. And when it did, I bought one. An Ericsson (they were just Ericsson back then) r520. So for the record I am a fan of Bluetooth. I am a fan of wifi for that matter. I remember when I was at my first tech job back in 96 I got to play with a demo of a 1mbit (I think) wireless card and point from Raytheon. The problem is Bluetooth has the same security myth. It also has the problem of the media blowing the issues into this huge security crisis. The simple fact is that most phones and other Bluetooth devices were configured to be as easy to configure as the manufacturer could make them. That means a lot of devices are set up to be discoverable by default. That means that if the Bluetooth radio on a phone is on, someone else looking for Bluetooth devices can see your phone if you are in range. To prove that, last week on Amtrak home from my trip I was able to view up to 4 other Bluetooth devices from my seat. To protect yourself all you usually have to do is make a change in the default configuration of your device to not be “discoverable”. Do most people do this? Nope. But if you turn discovery off by default you have people complain that setting up partnerships is too hard. See the problem?

You have people then go around thinking all is ok, until they have a problem or someone tells them their phone is at risk of being broken into. First of all, that may or may not be true given that you have to set passkeys, etc. For argument’s sake, let’s say it is an accurate assessment. These people then freak out and get mad at hardware vendors for delivering unsecured devices. How do you win?

Most of the time people live in the dream world that their stuff is safe. The crazy thing is that maybe 99% (or the vast majority) of the time people’s fantasy worlds are not broken. That perpetuates the myth that all is safe. Even if someone has been using their unsecured wireless internet connection for free for months.

The more I think about it, the more security myths I think about. And I am only thinking in terms of personal computer security. Don’t get me started on other society security concerns.

A perfect example is a few years ago my mom called me after she saw an Oprah on TV. She was calling to warn me that email I send wasn’t secure and that anyone can intercept and read it. She was shocked, but Oprah set her straight. I was like, yeah mom, of course email is not secure. Old news. She was surprised that I knew that. It is scary that the general population assumes something like email is secure, and it isn’t. On the flip side, can email be intercepted? Of course, if it is not encrypted. Is most mail not encrypted? Yes. Will my mom have to worry about her neighbor reading her email or some stranger intercepting it? Probably not. It is very possible to do, but come on, who really is going to try and sniff out her mail? It’s a real threat, but I don’t think most people will ever have to worry about it. Doesn’t mean I don’t think we should all get certificates and secure our mail. I would love to do that, but it is impractical in today’s world. So you see, even I let the myth of “my stuff is secure” live on some level. We all do it, and if you don’t think you do, you are kidding yourself.