Security Now?

Like most geeks out there, I have parents. I also have a wife and non-techie friends. Also, like most geeks, when it comes to broken computers, viruses, and misbehaving applications, I am at the top of the call list for these people. It has taken me 6 months to convince my wife to use a password safe on her computer for her logins to her bank and credit card websites, and at the same time I convinced her to utilize the “Generate Password” button in her password safe software. I have tried to convince my parents and non-tech friends to do the same thing. I have also explained the benefits of utilizing GnuPG to digitally sign and/or encrypt their email. In almost all instances this line of discussion ends with them looking at me with a blank stare on their face, saying one of two things: “Why go through all the trouble?” or “I just don’t care that much.”

It seems that while people want to “be protected” when surfing online or doing business, they do not want to take the necessary steps to do that. They will use passwords that are related to them in some form or fashion. They will blindly send personal data over the internet through unencrypted means, be it email or an unsecured website. They will write down passwords for important things and leave them in easy-to-find locations. The basic argument is that it is “too much trouble” to do things the right way. This seems to be the common issue among people. They want all this security, but when it becomes a hindrance, they all of a sudden do not care.

I wonder why this is? I mean, using a password safe is about the easiest thing someone could do to be more secure. Generating passwords at random, not using ones that have meaning to a person or their personal life, and then storing them in an encrypted file just does not get easier, especially with something like KeePass, which is so user friendly. I can understand how encrypting email can be difficult to do as well as cumbersome for some people, so I do not get so upset over that issue. But it is still an example of how just taking a few extra steps can really help keep a person secure and their private information private on the internet. I think if people were shown just how much information is sent out over the internet in “clear text” they would be shocked and would want to learn more about security.

Security does not stop with passwords and encryption. It also involves a level of understanding of whom to trust on the internet. The reason phishing works so well is that people do not take the time to look around to ensure that they are at the correct website or that the person on their IM really is from the company they claim to be from. Phishing is just a new form of social engineering: websites designed to look like other websites, people pretending to be someone they are not, or even people calling you on the phone. It is just a matter of asking the right questions and understanding exactly what is happening. These are basic things that people just do not think about when they give out personal information. The idea that someone would do these kinds of things does not even cross most people’s minds until they have been taken for money, information, or even their identity.

Security and privacy go hand in hand. Keeping yourself secure in what you do on the internet will help you keep some level of privacy. Likewise, remaining private on the internet will help you stay that much more secure when surfing. So I would like to challenge everyone to make 2007 the year you become more secure online. Start using a password safe, get your friends to start encrypting emails to and from you, and start using something like onion routing to stay anonymous when surfing online.

You are only as secure as you want to be.

