Optimal User-End Internet Security (Or, Rational Internet Browsing)
Hacking and Cracking, Internet security, Cypherpunk. I find these topics fascinating as well as completely over my head.
Yet, there are still some things that can be said to a layman, especially by the ever-poignant Randall Munroe:
I’m guilty on both charges (reusing poorly formulated passwords, not stealing them).
These arguments may be just be the tip of the iceberg of a much larger problem that needs optimizing: Social Engineering, or mainly how it can be used against our interests (to quip Person 2, “It doesn’t matter how much security you put on the box. Humans are not secure.”). I get the feeling that I’m not managing my risks on the Internet as well as I should.
So the questions I ask are: In what ways do our cognitive biases come into play when we surf the Internet and interact with others? Of which of these biases can actively we protect against, and how? I’ve enforced HTTPS when available, as well as kept my Internet use iconoclastic rather than typical, but I doubt that’s a comprehensive list.
I don’t know how usefully I can contribute, but I hope that many on Less Wrong can.
The problem with the textbook security advice is that if you follow all of it, it will cost you more than the expected loss from following none of it, and since the people who write it rarely bother to give priority guidance, people end up rationally following none of it. What’s actually needed is a very short list of advice that’s feasible to remember and follow, and which will cost less to follow than its expected benefit.
Here’s a couple of my suggestions to start with:
If you’re going to use the same password for two dozen random websites, don’t also use that same password for your PayPal account.
Don’t publish your date of birth, it’s an attack vector for identity theft. If a website demands your date of birth, and you choose to give the real year, at least change the exact day. (Same goes for other identifying pieces of information e.g. mother’s maiden name, date of birth is just the one that comes up most often.)
A lot of what can be said here is merely practical advice rather than anything to do with cognitive biases. One real problem is with the PC—it’s security model is rather like an office with a security guard at the gate. The guard is quite fierce. But—once inside, there’s no further security—all the filing cabinets are unlocked. All the offices are open. You can read everyone’s email. The PC needs a layered security model, but doesn’t have much of one. To counteract this, take the guard’s job seriously… - buy some internet security software and use it.
Stay out of bad neighbourhoods.
Only download software from people who have a reputation to lose. Don’t just believe that pirates crack programs and make them available for free on the Internet out of the kindness of their hearts. Maybe some do—maybe even most of them. But if you download a cracked program and run it, you are giving control of your PC to the pirate. Maybe that free program is not such a good deal after all.
Divide your online activity into personas that don’t identify you, and you can afford to throw away, and accounts that you’re a bit paranoid about. Anything with personal info is in the latter category. Watch out for facebook—it encourages you to put all your personal identifiers into the public domain, which is not a good idea. What use is it for your bank to use your mother’s maiden name and your birthday to secure your dealings with them if you can take all that info from your facebook page?
Don’t access the important accounts from a computer which you don’t trust.
What do people want who try to break your security? One of three things.
Your PC, so they can send spam to other people, or use it to attack other computers, to aid extortion etc. Or nick your credit card details as you type them in.
Your identity, so they can pretend to be you and empty your bank accounts.
Your money, some other way.
If an online id doesn’t contain any info about these things, just don’t worry about it—set a half decent password and leave it at that.
If you contact someone else, you can usually be pretty sure they are who you think they are. If someone else contacts you, the most likely thing they’ll lie about is who they are. This is the only cognitive bias thing—we tend not to realise that who initiates a conversation is important. If you do it, you’re pretty safe. If the other person does, the other party is much more likely not to be who you think they are.
Hi, I’m from your bank and need you to verify this fraud… Hi, I’m a police officer, and your friend x.… Hi, I’m from the state lottery.… Hi, I’m a Nigerian chap who needs a little help (true, but then the part about their immense wealth isn’t...) Hi. I’m your friend x and I’m stuck in London....
Have a cached “Yeah, right—so how do I know that’s who you are?” ready and waiting. If in doubt, terminate the conversation and if necessary reinitiate it yourself—don’t let the other person ‘help’ you to do this. For example, if someone calls saying they are from your bank, you should consider calling the bank back using the phone number on your statement or your bank card. Don’t take the number from the person you’re not sure about !
Maybe not very cognitive-biasy, but it’s the best I can do for you....
Note that social preconceptions of what constitutes a “bad neighborhood” may be wrong. You may have heard that porn sites are bad neighborhoods; but nobody’s getting viruses off abbywinters.com. In contrast, any site offering to give you smiley cursors and screensavers may as well be selling rusty needles in a back alley.
Sadly, many reputation-bearing software vendors bundle security-harming crapware with their software anyway. It’s an improvement over random piracy, though; and one bias that probably worsens people’s security is the notion that if no system is perfectly secure, then they may as well not bother improving — a form of zero-risk bias, I suppose.
For that matter, speaking of reputation and risks, a few years back you could get a Windows system cracked by putting a music CD from a well-known music label in the drive. Users may have expected that a music CD was not software, which expectation proved false.
Something else to consider is that most users probably experience the sunk-cost fallacy, coupled with status-quo bias, when considering switching to different software (e.g. operating system or Web browser). Considering that there are significant security differences among these choices, cognitive biases may be keeping a lot of users on inferior software.
An interesting paper arguing that ordinary people’s carelessness for internet security is in fact individually quite rational, at least in some cases:
http://research.microsoft.com/apps/pubs/?id=80436
“Why would anyone want to attack me? I’m nobody special.” People readily understand why an attacker would want to break into the US Army’s computers, or Microsoft’s, or Al Jazeera’s. The reasons to attack an ordinary user’s PC are somewhat harder to communicate: they want to take over your computer in order to use it to attack others (being part of a botnet); to sniff your email password or cookies so your account can be used to send spam or to phish your friends; and so on.
My approach to Internet security centers around not allowing the browser to execute code with admin privileges:
Never surf the Web under an administrator account. This is easy because I never have log into my Admin account—Windows 7 makes it easy to work under restricted accounts.
Use a modern, secure browser. Never use IE because it relies on ActiveX controls which execute native code.
Always set the UAC to maximum security. Never turn it off. This may sound scary for Vista users (and anyone who has seen the brilliant “Security” ad by Apple), but actually it’s much better in Windows 7.
Never install any software unless absolutely necessary.
When installing software, pay attention to the publisher signature of the .exe installer—most well-known software companies have their .exe files signed. I once witnessed a situation where a co-worker downloaded what he thought was Skype but failed to notice that the .exe had no publisher signature, and ended up sending the bad guys $30 for “Skype activation”. We had to wipe his PC right away—the installation required an admin password so the .exe had enough privileges to install any trojans it wanted.
Always have an anti-virus software installed and running. I use Avast.
Nitpick:
Randall Munroe.
No, I had it coming. Thanks.
Also
You should say “so the questions I ask are”. See begging the question.
Merci.
Check the last name too.
(sorry, having issues with the markdown)
I can’t find the link, but Bruce Schneier, who is basically a cryptographer and security protocols guy, talks about some of these things. A big thing is that we over-weight the risk of the most recent threat we’ve talked about. For instance if you and I talk about six different risks:
Password hacks where an attacker gets the password database on a webforum, then uses that to log into your email account (because you used the same password), then grabs your banking information and gets in because...same password.
Viruses delivered via email attachments
Malware delivered by downloaded software
Attacks against open ports on your computer.
Spear Phishing
“Drive by” malware from SQL injections on internet websites.
You’ll worry most about #6 because it’s the last thing in your mind, while you can do the MOST good worrying about the first one (use at least 3 passwords, one for web forums, one for (each) email address, and one for your banking), then the next two (don’t open attachments unless you’re sure of the source and use a virus scanner).
Also we worry about the big and the personal—movie script type attacks or targeted attacks, when the reality is MUCH more prosaic. Most of us, as in 99.9% (ok, I made that number up, but I’d bet I’m close) of us, will never be specifically and personally targeted through technical computer attacks (attacks against our ideas, or some sort of internet or personal flaming or defamation doesn’t count here, I’m talking technical attacks) as we’re just not interesting.
Over a decade ago I was on the CypherPunks mailing list, and you would occasionally see people asking what they could do to keep the TLAs from spying on them (looking for hard crypto etc.). The only real answer is “don’t do anything to interest them”. Most people are boring, their lives are uninteresting, and there is nothing you can gain from personally going after them.
However, that doesn’t mean that you won’t be attacked impersonally and/or randomly. You do have a bank account, you do have a computer that can be used to pass spam, to infect other machines, or whatever.
Keep understanding that it’s not personal on any level. They aren’t out to get YOU, they’re just out to get your stuff, and devise your strategies accordingly.
To bullet point it:
We think about personal attacks rather than impersonal
We tend to think about the big, flashy, or “Hollywood” attacks and not the more prosaic attack.
We tend to focus on the last threat we’ve discussed, read or thought about, and not develop a more generalized threat model.
Here are a few tips that maybe should not be taken to literally, but are useful to think about and sometimes may be a good idea more directly as well:
Don’t have anything to hide, make sure that anything worth stealing involves some physical object not hooked up to your computer. Act as if a random stranger with a concealed face were physically looking over your shoulder at all times.
Keep an eye on your CPU, ram, bandwidth, etc. usage. Even if you were overtaken by a botnet that didn’t use a noticeable amount of these than that’d also mean it’s not that big a bother anyway.
In general cultivate an intuition for computer science and what exactly your computer needs to be doing at any time so you can notice suspicious behaviour.
Keep your guard up for psychological attacks, hostile memes, and Langford basilisks. If you don’t already know learn what those are and how you can protect yourself.
[insert random quote from “the art of war” here]
I know what a basilisk is, but Google cannot tell me what a Stanford basilisk is. (Did you mean to say “Langford basilisk”?)
/me fixes embarrassing typo
Also, might as well point out that in real life, most basilisks are verbal, and won’t kill you but instead drive you insane Lovecraft-style.
Edit: further note; here on LW actually has the most dangerous basilisks of anywhere I’ve encountered on the net by some margin, and some people have even been [REDACTED].
This reminds me of something Yvain said:
Yes, very relevant. Just know that there’s MUCH more potent stuff out there, even maliciously designed. Not really a lot of it thou, and the vast majority of stuff damaging enough to avoid it is in already known dangers like cults. Still, there is some really nasty stuff out there that can get around even extremely good defences.
To paraphrase wedrifid: in real life, most basilisks are harmless and adorable; you can keep them as pets.
But I suppose it’s a terrible idea to bring up that whole fiasco again.
That gives me a great idea! We should totally make a “basilisk petting zoo” thread! :D
Or maybe not. I’ll wait for responses to this comment before deciding if I should go with it.
SL5? SL6?
I don’t recognize these, and google is of no help. Are they names of some specific basilisks?
This extended.
This is shock level stuff? It’s just making a petting zoo out of entities man were never meant to know possessing no physical form, selected for driving some humans mad in interesting but relatively harmless ways!
Edit: checked the numbers again… seriously you’re suggesting this is higher check level than the singularity? This stuff is age old, and fairly mainstream, Lovecraft wrote about it quite specifically. The SCP foundation is full of it.