Anyone who cares about a field of expertise — really cares about it — must have some annoyances about things that could, even should, be better, but aren’t for what seem like the dumbest of reasons. I’ll share five of my pet peeves in the realm of IT security.

Sometimes, I just feel like complaining. I look at the world around me, and despair at the difficulty of making a dent in the rampant dominance of security issues in the world that are, frankly, among the technically easiest to solve. Despite the fact that the solutions are not exactly unknown or difficult to implement, they don’t gain any traction. While he tends to phrase it more diplomatically, Bruce Schneier has essentially made the point that the biggest problem in IT security is people.

The intractable social problem of fixing security failures that persist only because of herd behavior is the source of several of my pet peeves:

  • Too many people still believe ignorance is an effective security strategy. There is a pernicious meme contaminating the general discourse of security issues that keeping people in the dark can somehow improve security. It can’t. As should be all too obvious by now to anyone who is paying attention, obscurity is not security. In fact, in many cases, quite the opposite is true.

  • People who know nothing about IT security have godlike power over matters of IT security policy. In particular, members of Congress, judges, and law enforcement officers wield a lot of power over matters of IT security, and are clearly incompetent to use it. It’s a sad truth that not everything can be legislated away, nor should it be.

  • People keep insisting that the best way to improve security is to violate it. Prying into the lives of the people you’re supposedly protecting, without their permission or even any probable cause for doing so, is not only insulting, but counterproductive. Try to remember that privacy is security, and avoid making the mistake of burning the village to save it.

  • We still don’t have widely available, cheap technology for encrypted telephone calls. Despite this, using a telephone to talk to someone about a bank account, sensitive legal matters, or other private topics is almost never questioned as a means of securely communicating. Particularly since the advent of digital cellphone networks and the modern cellphone that can run games like Tetris and Solitaire, there isn’t really any significant technological challenge to using encryption to protect sensitive calls. The only bright point right now is the fact that devices that run the Openmoko Linux and Google Android open source operating systems provide ample opportunity for software call encryption to creep into our mobile telephony lives, but I haven’t seen an encouraging rush to fill that gap yet.

    Probably the only thing worse than lacking the available technology is . . .

  • We have widely available, free technology for encrypted online communication, but (almost) nobody uses it. With encryption tools like GnuPG, OpenSSH, and OTR, there’s simply no excuse for the major mailing list software offerings, bank notification systems, and even my friends to fail to offer or use encryption to help protect their communications from malicious security crackers. Somehow, though, the importance of being encrypted is still lost on most people.

You may have noticed that many of my pet peeves in the realm of IT security fall under a single heading: willful ignorance. That is, in fact, one of the biggest pet peeves in my life in general, even outside of security matters. I just wish I knew a way to mitigate the problem in the world at large.