Librarians in the Wild: Thinking about Security, Privacy, and Digital Information
Lance Hayden
School of Information
University of Texas
We are not scared enough of the online world - we do things online that, if we were to do them in the real world, something would stop us before we got to that point.
"The Wild" is a term of art in computer security - the real world as opposed to the lab. We need to get over the notion that "civilization" and "The Wild" are two separate things, since the wild exists wherever people are.
Cities in the Jungle:
We build houses, shelters, and entire communities in cyberspace. Civilization (security of resources) is:
--Confidentiality - no one can see it unless you share it
--Integrity - no one can change it unless you allow it
--Availability - it's accessible when you want it
We often behave in our communities in ways that would give us pause in the physical world. Gives example of walking around Austin and passing a dark alley where a guy says "I've smuggled a bunch of money in from Nigeria and I need your help to distribute it - I'll give you a cut." In the physical world some alarm bells would kick in. In the virtual world we seem to be very naive and trusting.
Expansion and Exposure:
We build structures in the wild that are enclosed, but also have windows, chimneys, dryer vents, etc. The idea of a burglar not robbing a house because he can't get in through the front door is ridiculous. If you're not careful about keeping your structures secure you run a serious risk of getting hit. Just because you haven't gotten hit doesn't mean you're secure.
Four axioms of wilderness life:
--Large herds attract big predators
--Structures decay quickly
--Protective spells can backfire
--Knowledge is the best survival trait, OR, ignorance can get you eaten
Large herds attract big predators:
Example of Windows vs Mac vs Unix security - Windows exploits are so much more common than Mac exploits because there are so many more Windows than Mac machines. Explains a timeline of Internet populations and activity from early days to today. When the Internet was sparsely populated, hacks were innocent mistakes or the equivalent of teenagers spray painting graffiti on the buildings. Now that the Internet is heavily populated, it's the equivalent of looking around and finding your building is erected in the middle of a drug lord's territory. It's not about the value of information on your computer; it's about what your computer can do, as in a botnet (zombie) attack.
Structures decay quickly:
Our structures are built of software and they decay quickly. Weekly Windows updates are the equivalent of the handyman coming around and checking your drywall, siding, roof, etc to make sure your building is still tight. We add more and more rooms to the house - widgets, apps, software - building rooms with windows, doors, more ways in.
We tend to think of the software we use as a monolithic thing, but a piece of software is built of millions of lines of code - any one of which could have a mistake that could be exploited.
Protective spells can backfire:
Firewalls are usually pictured as brick walls, but they are actually composed of magic spells and wordy incantations. Basically, if you utter the spell wrong or scuff the protective pentagram on the floor, you actually let the forces of evil out to eat you. Firewall rules must be written in the correct order or you will leave holes. Virus signatures must be up to date, too. If any of these words are wrong, you leave yourself vulnerable.
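The rule-order point above, as an added example that is not from the talk or these notes: a first-match rule evaluator in Python that shows the same three rules leaving a hole in one order and closing it in another, plus a check for rules that can never fire. The rule tuples, addresses and function names are constructed for illustration.

```python
from ipaddress import ip_address, ip_network

# Rule = (action, source CIDR, destination port or None for "any port").
# Constructed sample policy: the same three rules in two different orders.
MISORDERED = [
    ("allow", "0.0.0.0/0", 443),     # public HTTPS
    ("allow", "10.0.0.0/8", None),   # internal hosts, any port
    ("deny", "10.9.0.0/16", 22),     # guest network must not reach SSH
]
CORRECTED = [MISORDERED[0], MISORDERED[2], MISORDERED[1]]


def decide(rules, src, port, default="deny"):
    """Return the action of the first matching rule (first-match semantics)."""
    for action, cidr, rule_port in rules:
        if ip_address(src) in ip_network(cidr) and rule_port in (None, port):
            return action
    return default


def covers(earlier, later):
    """True if every packet that matches `later` also matches `earlier`."""
    _, e_cidr, e_port = earlier
    _, l_cidr, l_port = later
    same_or_wider_net = ip_network(l_cidr).subnet_of(ip_network(e_cidr))
    return same_or_wider_net and (e_port is None or e_port == l_port)


def shadowed(rules):
    """Find rules that can never fire because an earlier rule covers them.

    Returns (later_index, earlier_index, conflict) tuples; conflict is True
    when the two rules disagree on the action, which is the dangerous case.
    """
    found = []
    for i, later in enumerate(rules):
        for j in range(i):
            if covers(rules[j], later):
                found.append((i, j, rules[j][0] != later[0]))
                break
    return found


if __name__ == "__main__":
    for name, rules in (("misordered", MISORDERED), ("corrected", CORRECTED)):
        print(name, "guest->ssh:", decide(rules, "10.9.3.7", 22),
              "shadowed:", shadowed(rules))
```

Running the shadow check on a rule set before it is loaded catches the misordering without having to probe the live firewall.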
Knowledge is the best survival trait, OR, ignorance can get you eaten:
Shows the scary part of weak passwords, including the top ten passwords from a hack of RockYou.com. Equivalent to putting Fort Knox behind a door and not wanting to be bothered with a key. USB hacks, phishing, and other hacks exploit human traits, not computer weaknesses.
Security & Privacy Norms
Norms and expectations of security and privacy have changed. As the infrastructures we depend on become bigger and more transparent, we lose more control over our own information, possibly without our consent (or even worse, with our consent).
Security resources:
ISO 27000 standards:
--Plan-Do-Check-Act
--Security controls
Online Resources:
--SANS - www.sans.org
--ISSA - www.issa.org
--ISACA - www.isaca.org
--www.insecure.org
--www.securityfocus.com
--www.cert.org