Security is an ecosystem, not a product

People talk about security as though it's something you can buy and sell. They don't always think of it as something you can buy with money; sometimes they think of it as something they can buy with the right choices in technology and personal practices. While this is less incorrect than the notion you can buy security with money, it is not the whole story.

Usually, when people try to make their computers secure, they're looking for the right tool to make them secure. People tend to have opinions about what constitutes:

  • the right antivirus software
  • the right firewall
  • the right spam filter
  • the right browser
  • the right operating system
  • and so on

There's no such thing as "the right" any of those to achieve "security". There are, at any given time, some choices that are better than others. Some choices are more secure than others. Some impose greater costs on the user than others, as well. Some, believe it or not, may be exceedingly good (for right now) at providing security within their specific area of specialization but introduce other vulnerabilities that you may find unacceptable.

Security, on a personal level, is a balancing act where the thin beam on which you're walking keeps changing direction. You can't just pick the right answer and stick with it -- you have to maintain personal security awareness, and an ongoing ability to make good decisions based on that awareness. The best antivirus software for you today may be the worst tomorrow, and only mediocre on a different computer of yours. A week from now, it may become more of a liability than a help, and a year from now you may find that on a new system having any antivirus software at all is a bad idea.

If you think that's too complicated, you're in for a shock, because it gets worse.

Real security is not something you can have just by erecting walls around yourself, setting guards at the points of ingress and egress, and so on. You have to help others secure themselves, too, because until (nearly) everybody is able to maintain his or her own security, there will always be significant threats to yours. Poor security is both individual and collective in nature: every individual must see to his or her own security, and everyone's security is dependent to some degree on the security of everyone else.

For instance, there's the matter of spam. Spam is not a problem you can solve by guarding against it. You have exactly two options for truly protecting yourself from spam:

  1. You can stop using any communication media that allow for automation and bulk sending. This means no more IM services, no more email, and no more SMS texting.
  2. You can help others be secure, spread the word about good security, so that the spam botnets of the world dry up and the cost of spamming grows until it is no longer cost-effective to be a spammer.

Filtering spam is just an arms race, after all. You come up with a better method of filtering, so the spammers come up with a better method of getting around filtering. If you don't think spammers can keep this up indefinitely, you might want to consider that we may at some future date look back on spam as the driver of some of the greatest innovations of information technology:

  1. As people attempt to build a universal Turing test, they come up with schemes like CAPTCHA. Each time such a system is improved, the science of programmatic optical character recognition is advanced because spammer software "learns" to pick characters out of ever-more obscuring visual "noise". It has gotten to the point now where many of the available CAPTCHA-like options can be unreadable to humans, too.
  2. Many would claim that Linux systems are the most scalable in the world; you can link together hundreds of Linux systems in grid-computing supercomputers with relative ease. Despite this, the biggest grid-computing system in the world will almost certainly be a botnet for the foreseeable future, not designed to run on a scalable OS, but on an OS whose security against infection is easy to compromise.
  3. Achieving more with less through automation is an area of advancement ruled by spambot creators and other malware makers, as well. As the technical security features of various systems get more sophisticated, the malware used to propagate botnets needs to be slimmer, sleeker, and harder to find. Notice the successes in these areas, the surprisingly minimal yet functional nature of viruses and worms propagating across the Internet.
  4. The closest thing to successful artificial life in this world did not come from a biology laboratory. It's self-propagating mobile malicious code.

In order to actually significantly cut into spam, you have to do something other than come up with better ways to filter, to react on the receiving end. The most widespread means of filtering spam will always be the first to be circumvented, and so the problem remains.

Authoritative "security from above" won't work either. Getting ISPs to be more intrusive in their monitoring and management activities because individuals won't take care of their own security is, at best, ineffective. ISPs and other "parental" overseers on the Internet have limited resources, and any solution they could employ with those resources that is sufficiently draconian to be effective would shut the majority of their customers out of the Internet. Are you willing to burn the village to save it?

Ultimately, your individual security -- as demonstrated by the spam situation -- is not just a matter of your individual security. It is a matter of everybody's individual security. Improving your security involves not only choosing the best tools and techniques for yourself, but advocating them for others as well, and educating those others. This is why, in addition to an IT security industry full of people whose real goal is not security but is instead profit and market dominance, there is also a strong and vibrant security community full of people willing to argue and discuss and disseminate freely and at great length. Any security professional neck-deep in the security industry (who knows Symantec) but disconnected from the security community (doesn't know Bugtraq) is not the security professional you want.

Security is protection of both privacy and resources -- and not just your own privacy and resources. It is protection of everybody's privacy and resources. The moment you allow someone else's resources to get abused (botnet infection), yours get abused as well (spam). The moment you allow someone else's privacy to get abused (intrusive Internet activity tracking), yours gets abused as well (harvesting contact information about you from other people's communications).

Security is only possible with freedom (and privacy is a big part of freedom), because the more you impose restrictions on people the more you create conflicts of interest in those who maintain those restrictions. Freedom is the only thing you cannot have if you do not grant it to others -- and security follows suit. Freedom, in effect, *is* security of privacy and property. If you want to be free (of spam, of infections, of identity theft, and so on), you have to help others achieve that freedom as well.

Security is an ecosystem -- not a product. You cannot buy it except at the cost of giving it away.