Paranoia and Security

I’ve always found paranoia to be a perfectly defensible position – Pat Conroy

Let me make something clear right from the outset: when it comes to the security of the technology that supports my business, I am not a raving, paranoid lunatic; I am completely capable of carrying on calm, quiet, rational conversations.

Back in the day, when hard drives were the size of washing machines, tape drives consumed half-inch tape on 12-inch reels, computers were huge blue boxes serviced by a cadre of adoring acolytes, and networks were composed of tin cans, bits of string, and acoustic couplers, security was simple – those without the blessing of the high priest (the systems administrator – a god-like being capable of patching an OS binary on the fly). The concept of an external attack was practically inconceivable simply because (a) it was the rare computer that supported even dial-up access, (b) dumb terminals and acoustic couplers were not your typical household appliance, and (c) an attack coming in at 300 baud (about 30 characters per second) is something you would notice. It was a halcyon time, carefree and innocent. A time when security was a backup tape and a warm blanket. A time doomed by its own success and the crushing inevitability of Moore’s Law.

Today, if your tech is connected to the outside world through anything other than an electrical power cord (and I have my suspicions about those), it is vulnerable to attack; it is not a matter of if, it is a matter of when. Therein lies the Faustian bargain we make with the Internet – access to untold amounts of knowledge, pleasure, and power in exchange for our tech’s soul. But fear not, for tech also offers some hope of salvation, if not complete redemption.

As it is written in the Encryptinomicon, “security comes like a centipede in the night.” The path to security takes many steps, and the starting point is your password. The ideal way to begin to secure your tech is to secure your accounts, and secure accounts begin with strong, unique passwords – one password, one account, no reuse. A strong password is a long random string of characters, digits, symbols, and spaces (my default is to use 50-character strings of which ⅕ are digits and ⅕ are symbols, no repeats). The problem is that strong passwords are difficult to remember – so use password management software and you only have to remember 2 passwords (one to get you into your computer and one to get you into the software).
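A generator for the 50-character recipe above, added here as an example and not taken from the original post. It assumes "no repeats" means no character appears twice and that the alphabet is printable ASCII (the function names are illustrative), and it also measures how much entropy the recipe keeps compared with an unconstrained 50-character string.

```python
import math
import secrets
import string

LENGTH = 50
N_DIGITS = LENGTH // 5                    # one fifth digits
N_SYMBOLS = LENGTH // 5                   # one fifth symbols
N_OTHER = LENGTH - N_DIGITS - N_SYMBOLS   # letters and spaces fill the rest

DIGITS = string.digits                    # 10 characters
SYMBOLS = string.punctuation              # 32 ASCII symbols
OTHER = string.ascii_letters + " "        # 52 letters plus the space

_rng = secrets.SystemRandom()             # backed by the OS CSPRNG


def generate_password():
    """Return a password matching the recipe, with every character distinct."""
    # sample() draws without replacement, so no character is used twice.
    # With ten digit slots and ten digits, each digit appears exactly once.
    chars = (_rng.sample(DIGITS, N_DIGITS)
             + _rng.sample(SYMBOLS, N_SYMBOLS)
             + _rng.sample(OTHER, N_OTHER))
    _rng.shuffle(chars)                   # positions must be random too
    return "".join(chars)


def entropy_bits():
    """log2 of the number of distinct passwords the recipe can produce."""
    ways = (math.comb(len(DIGITS), N_DIGITS)
            * math.comb(len(SYMBOLS), N_SYMBOLS)
            * math.comb(len(OTHER), N_OTHER)
            * math.factorial(LENGTH))     # orderings of 50 distinct characters
    return math.log2(ways)


def unconstrained_bits():
    """Entropy of 50 characters drawn freely from the same alphabet."""
    return LENGTH * math.log2(len(DIGITS) + len(SYMBOLS) + len(OTHER))


if __name__ == "__main__":
    print(repr(generate_password()))
    print(f"recipe: {entropy_bits():.1f} bits, "
          f"unconstrained: {unconstrained_bits():.1f} bits")
```

The composition rules cost some entropy relative to a free draw, but the result remains far beyond brute-force range; a password that begins or ends with a space may be trimmed by some login forms.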

The next step is to encrypt your data; that way, if the black hats do get in, they won’t be able to read what they got. Good on-the-fly encryption software is inexpensive and virtually transparent (figure that a file save is going to take a few milliseconds longer), so there is little excuse not to be using it.

Now it’s time to look at how we connect to the Internet and to acknowledge that unprotected access means exposing your computer to every other computer that accessed it before you. So before you surf, put a router between your computer and that WAN. You are not less of a geek if you hide your tech behind a router, and you are not being anti-social if you turn off all but the most essential ports (if you use it, turn it on; otherwise shut it down). A router puts a line of defense between your tech and the black hats (they have to hack it before they hack you), and turning off unused ports means denying them a means of entry. If you are shopping for a router, get one that includes a firewall in addition to network address translation (NAT).

The final icing on the security cake is to put a DMZ between your tech and that untrustworthy Internet. A DMZ works like this – the Internet comes in to a router/firewall (the front end). This router connects to (1) a server (the DMZ) managing the services you offer to outside users (web sites, e-mail), and (2) a second router/firewall (the back end). The front end router is configured so that incoming traffic flows only to the DMZ server. The back end router is configured so that only the DMZ server can send data to your tech. So, when the black hats come calling, they have to hack 2 firewalls and a computer before they get to your tech. A hint for the truly suspicious – the DMZ server should not use the same operating system as your tech, and the routers should not be manufactured by the same company. This way, a flaw in one can’t be used as leverage against the other.