Why a lively imagination may bolster security more than best practices

Flexible thinking is more likely to help you protect yourself against malicious security crackers than slavish attention to best practices.

Knowing how to protect yourself and your privacy depends on understanding the dangers and figuring out solutions to the problems that create those threats. Knowing how to protect yourself against a virus depends on knowing why a virus is dangerous in the first place, and having at least some vague understanding of how viruses work. Knowing how to protect yourself from the ill effects of someone using your personally identifying information to commit identity fraud depends on knowing what information people want from you for that purpose, and how they get it.

Some people rely on others to protect them, hoping those others:

  1. know what they do not know, and do not want to know, about protecting themselves -- without putting in the time to learn enough about the subject to be able to actually determine whether those supposed protectors are exaggerating their skills
  2. care enough about their security to actually do a diligent job of protecting it -- more, in fact, than they themselves care, since they are not willing to do the work for themselves -- rather than only caring about whether they can be sued for failures

As should be obvious once you understand the requirements for success of the strategy of leaving your security up to others, real security is your responsibility. This does not mean it is your fault if you are the victim of some depraved malicious security cracker's scam, but it does mean that you must take necessary steps to protect yourself, because ultimately nobody else is likely to do as much for you as you yourself can do.

Of course, the truth is that you really cannot know how you might be subjected to misappropriation of your personally identifying information and how to protect yourself against it, to take but one example of a potential security threat. Such knowledge is not something that can be written down and disseminated to the world, because it is not a static body of knowledge. It is dynamic and ever-changing; the field of battle on which the innovations of an arms race are constantly tested, and regularly surpassed by new innovations. Back in the early '80s, DES was widely regarded as uncrackable, and was considered "the answer" for protecting data against unauthorized access, but by today's cryptographic standards it is laughably vulnerable.

Understanding security is not a matter of studying and memorizing a lot of facts. It requires not knowledge so much as a way of thinking that helps you consider the way a security system can be subverted, broken, or circumvented -- and, based on that, the ways it can be improved, or that its deficiencies can be mitigated by careful use or the application of additional tools that patch the holes in the shield.

As demonstrated by the events described in Quantum Hacking cracks quantum crypto, the current biggest weakness in new quantum key exchange systems is not the methods of ensuring keys have not been harvested off the wire; it is the hardware deployment used to make the quantum key exchange work in the first place. As explained in 10 (+1) reasons to treat network security like home security, the security provided by a lock is limited by the strength of the door the lock secures and the doorframe in which the door is mounted -- and a combination of strong locks, doors, and doorframes is only as secure as the window a couple feet to the left.

Obsessive focus on the intended uses of a security feature leaves you open to the unexpected. Flexibility and imagination are often more important for ensuring security against malicious security crackers and other "enemies" than slavish devotion to "best practices". Yes, you may have antivirus and firewall software installed on your laptop, but that will not do you much good if someone steals it from the trunk of your car. Maybe encryption can protect your data even if someone steals the laptop, but if you do not keep backups on a separate computer that will not help you finish your Master's thesis, as the unfortunate soul whose laptop was stolen found out.

When was the last time you considered the possibility that your computer may already be infected? Do you ever think, "Oh, it'll be no problem to leave my desk without locking the screensaver just this once!"?

Do you want to be the guy who designed an RFID system for passports to help protect your country from terrorists, and did not think to consider whether detecting particular RFID signals from passports can be used by a radio receiver or a bomb can be used to detonate the device when someone with a passport from your country walks by?

Thinking "outside the box", taking an imaginative and flexible approach to thinking about how processes and devices can be (ab)used for purposes for which they were not designed, can actually provide you with interesting ways to protect yourself as well as alert you to ways your security might be compromised. Consider, for instance, the fact that guns can keep computers in your luggage safe. The fact that firearms in your luggage are treated differently from computers in your luggage, in terms of how you are allowed -- or required -- to transport them can actually be leveraged to ensure greater safety for your computers. It also happens to point out an important fact about TSA security requirements; you are not allowed to effectively secure your luggage against theft or vandalism except in specific, uncommon circumstances.

The upshot of all of this is that Albert Einstein was right when he said "Imagination is more important than knowledge." Security is not really about what you know; it is about how you think.