Internet Security (in my view)

This is a lengthy response to a friend who wrote me with the following inquiry (to protect her privacy, her name does not appear):

Hey Brian,

You guys have a channel on YouTube, right? I was just curious about what you think about it. I would like to do one (all kid videos) for the convenience, but I’m worried about weirdos watching videos of my kid. I’ve tried to do a private video before, but it’s such a pain. What’s your advice?

Thanks!

Here is my long answer:

Warning: You asked. Don’t blame me for the long response. 😀

Disclaimer: I didn’t take the time to edit this that I should have. I didn’t edit for sensitivity, so please don’t be offended if I come off as insensitive. I didn’t edit for perfection. Perfection is not when there is nothing left to add, but when there is nothing left to take away. This letter is long because I lack the time to make it shorter. It is, however, full of good, important, and heartfelt information related to sharing YouTube videos publicly, and Internet security (keeping things private versus making them public).

In a nutshell, I love having a public YouTube channel. 😛 You should totally go for it.

I used to go to great lengths to keep all of my Internet presence private and secret. A Google search once upon a time would have revealed nothing about me, I never received any spam, and there was no possible way for anyone to stalk me by online information alone. Then I got into website design and began to learn more about online security.

The truth is that nothing is truly private on the Internet unless you have either done the research and designed the security protocol yourself, or you are paying money to have a security firm protect your data for you. Sure, services like Blogger, YouTube, and Picasa offer settings to keep things “private” (meaning unlisted, non-public), but if someone had a reason to get information about you and they were going to dig around in the Internet to do so, having a private blog or private videos wouldn’t stop them.

Blogs, social networking sites and content sharing sites have “private” settings that lull us into a false sense of security, but they offer little more protection than a sticker in your window claiming your home is protected by a high tech, expensive security system; and a deadbolt. Small time and unmotivated criminals will often turn around and go home (in fact, this is a proven method that I heard can prevent something like 60 to 90 percent of all break-ins), but anyone with an objective or strong motive will likely be undeterred.

Most passwords you use to protect your data can be revealed by any tech-savvy twelve-year-old with a PlayStation 2. That’s right, PlayStation 2 machines are being employed by amateur and professional hackers all over the world to crack passwords online due to their ability to do thousands of floating point calculations every second. Your WEP password-protected WiFi signal? I can hack that in ten to twenty minutes using a laptop running software that reconstructs your password just based on your wireless traffic. (By the way, NEVER use WEP for a wireless Internet connection – always use WPA or WPA2 – WPA takes a little longer to crack, unless the FBI is hacking in; they can do it in three minutes.) Oh, and passwords are the strongest when they are at least 12 to 20+ characters long. It doesn’t matter if it’s all special characters; length alone can protect you from these hackers.

The point being, I realized several years ago that if anyone were truly interested in getting in on my private life, my setting things up as “private” wasn’t going to stop them. So I gave up and made everything public.

The easiest way to keep things secure is to monitor what you share. On our family blog I have our phone number posted. It’s a Google Voice number. It’s not associated with my address, it’s not associated with my social security number or any of my financial information. If people dial it, it goes through a simple, mostly convenient screening process before my phone rings. When I pick up, I hear “You have a call from [it plays a recording of them stating their name here]. To pick up press one, to send to voice mail, press two,” … etc. I can share my phone number anywhere because it’s secure. If someone who calls is already in my address book, they aren’t screened. I can define certain behaviors for when they call. When my family calls, they hear a specialized greeting while my phone rings, then when I pick up it tells me who they are. I can still send them straight to voice mail if I want, but why would I do that? 😉

The basic idea is to only publish things that aren’t a vulnerability (like my secure telephone number, which doesn’t create a vulnerability).

My YouTube videos are all public. Sure, a few random people may have seen some of them (in fact, my first and only comment was left by a complete stranger earlier this week – I’ve been posting my family videos there for over a year now). But most of the views are from family and friends that I direct there myself (I just wish THEY would leave comments o_O). The fact that those videos are public just makes it easier for my friends and family to enjoy them without having to go through an annoying screening process.

Some people who choose the public route choose not to put full names online (like omitting their last name, or only posting their last name) while I’ve known some people who only use nicknames on their website. You can take that route if you like, but it’s just another silly sticker. I just throw it all out there.

To quote your reason for writing:

“I would like to do [a YouTube channel] (all kid videos) for the convenience, but I’m worried about weirdos watching videos of my kid. I’ve tried to do a private video before, but it’s such a pain. What’s your advice?”

In the security profession, there is a saying. I don’t know it word for word, but it comes down to the fact that you can’t have both convenience and security. They are polar opposites and arch enemies. Any security you add will take away from convenience and convenience is not secure. So you have to weigh whether you want more security or more convenience. In this case, which is of more value? The security that you are considering implementing (private videos) is weak and cannot deliver the level of security that you believe you will be getting. So you can choose to implement it, but for what? To make it a pain for your friends and family to share in your fun family moments?

You state that your primary concern is weirdos watching videos of your kid. So you don’t take your child out in public? Sure, it may seem that the ratio of weirdos to normals on the Internet is scary, but it’s no different from when you’re at the mall. Besides, most of those weirdos who you don’t want watching videos of your kid are using torrent file sharing networks to distribute and view illegal, disturbing images of children that are much more entertaining to them than watching your child burp and giggle. The odds of them locating you online or in a mall and tracking you to your home to do you evil are relatively low.

My advice specific to your inquiry? Go for the convenience and quit worrying about implementing useless security features. To take it just a small step further, drop the private settings from your blog too. I guarantee you have at least one family member somewhere who isn’t reading your blog because they don’t want to deal with the complicated security settings you’ve set up. Even Rochelle doesn’t keep up with your blog regularly because she can’t subscribe with her RSS feeder due to your security settings.

The question remains, well if that sticker in the window really does deter crime, why drop the security settings even if they are weak? Should I just publish my passwords everywhere too? Here are a few simple things you should do that provide a greater level of security than keeping your blog and videos “private” in public:

  1. Never ever ever ever post your full address anywhere where just anyone can read what you wrote. Keep in mind that a lot of things these days are being automatically tagged with geolocation metadata (translation: some kind of GPS coordinates or location information collected by the device that recorded the data). So if someone wanted to know your physical location it wouldn’t be hard to track you down, but if they aren’t planning on paying you a visit and they need your address for financial reasons, you’ll have thwarted them by not posting your city, state, zip or street anywhere online (unless you’re making a secure payment or transaction, in which case you NEED to see some kind of “secure” symbol on the page and in the browser interface AND the web address should start with “HTTPS” not “HTTP” alone).
  2. Going along with the first tip, the names of schools, work places, etc. give easy ways to track down where they can find you. Don’t share that stuff online. If your family needs to know where John is working, call them. Don’t put the name of the company online.
  3. Obviously, keep all financial information private. Even how much you make should be kept extremely vague if you must share (certain income brackets represent prime targets for some criminals, you don’t want to call their attention). Something like, “John got a raise and now we don’t have to buy gas with the change we collect under vending machines anymore,” is perfect.
  4. Be smart. If you wouldn’t walk up to a total stranger and share it, your family doesn’t care either. And I’m talking about when you’re in a giddy mood about something when you tend to share things with strangers anyhow. Like when your kid does something cool and you just want to tell the world. That’s the stuff your friends and family are interested in. Share that.

I’m fairly certain you knew most of that. Just keep in mind there are only two kinds of criminals on the Internet you need to worry about: Perverts and Identity Thieves.

Let’s say you open everything up to the public today (your blog, your YouTube videos, your photos, EVERYTHING online except your Facebook profile which should retain the highest level of security you can live with). Here are the two worst case scenarios, one from each type of bad guy.

Pervert. He sees a video of your kid and decides he needs to steal him from you. He is able to pay a twelve year old to hack into YouTube and provide him with some location meta data attached to the video by your computer when you uploaded it from your home Internet connection. The guy flies out to your city from San Francisco (there are a ton of nuts there, he’s likely from the city of nuts and fruit) and spends the next month trying to track you down from the vague location data the kid sold him for fifty dollars. Eventually, he finds your home and begins the process of trying to abduct the boy the same way any pervert would without the use of the Internet. Hopefully you guys would be prepared to handle that. The Internet pervert won’t be armed with any additional information that a street stalker couldn’t get without the Internet. Think about all the information you’ve opened up to the public. Is the key to your front door online? No. Public videos don’t give the online pervert any extra ammo.

Identity Thief. He finds your videos, watches your child, and doesn’t care. In the video though he sees that you have a new forty inch flat screen TV (a group of kids walking around in your neighborhood is just as likely to notice your TV and either do the heist themselves or sell your address as a target to some other thief). You must have some money. Not a lot, but who cares? He is able to link your YouTube channel to your blog by reverse following the links. He reads up on you, gets your physical location, etc. So what? In the end he doesn’t have anything more than a person digging through your garbage would have (unless you’re someone who throws credit card numbers away intact by accident, in which case your trash can is a much bigger security problem to you than having a public blog would be!).

Obviously this is pretty watered down. There are a lot more threats out there on the Internet, but most of them you are already safe from (you stay out of the shady parts of the Internet, right?). In truth though, worrying about the threats won’t do any good. Keep your home secure like you always should, teach your children about the dangers on the outside, and you will have completely thwarted all perverts, online and off line. Monitor your credit, keep your financial information private, and just be smart, and you’ll be safe from all the other ones. Finally, I recommend passwords that are as long as you can make them (don’t go for complicated, just long – a password doesn’t have to be just one word, do a sentence), and DON’T use Internet Explorer. Use Firefox or Google Chrome (Rochelle and I love Chrome – it’s fast, super secure and gets information about how safe a website is from Google, and they know everything).

Those are my thoughts on Internet security. Don’t say I didn’t warn you, but once you get the basic, truly secure ideas in practice, you can relax and quit worrying about everything. OK?

I just have to say it one more time though (since I only mentioned it in passing before). Your Facebook page is the one place you do need to worry about security. Keep that as secure as possible. Don’t let Facebook share things about you that you don’t want shared. You are in control of what you share on your blog, but you have things on Facebook that you might think Facebook is only sharing with your friends, and if you don’t correctly adjust your security settings Facebook might share that information with other sites or people. Look online for help keeping your social networking sites secure, but look to your heart and your brain about what to put on your blog and YouTube channel.

Thanks for reading!

Your friend,

Brian
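
Tip 1 in the letter above mentions that recordings are often automatically tagged with location metadata. The following is an added example, not part of the original letter: a standard-library Python check for a GPS block in a JPEG's Exif data, plus a function that removes the Exif segment before a photo is posted. The function names and the sample file are constructed for illustration.

```python
import struct

GPS_IFD_TAG = 0x8825  # IFD0 entry that points at the GPS sub-directory

def segments(jpeg):
    """Yield (marker, start, end) for each header segment before the image data."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG file")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF and jpeg[pos + 1] != 0xDA:
        (length,) = struct.unpack_from(">H", jpeg, pos + 2)
        yield jpeg[pos + 1], pos, pos + 2 + length
        pos += 2 + length

def is_exif(jpeg, marker, start):
    return marker == 0xE1 and jpeg[start + 4:start + 10] == b"Exif\x00\x00"

def gps_tagged(jpeg):
    """True if any Exif segment's first directory references a GPS block."""
    for marker, start, end in segments(jpeg):
        if not is_exif(jpeg, marker, start):
            continue
        tiff = jpeg[start + 10:end]
        order = {b"II": "<", b"MM": ">"}.get(tiff[:2])
        try:
            (ifd0,) = struct.unpack_from(order + "I", tiff, 4)
            (count,) = struct.unpack_from(order + "H", tiff, ifd0)
            tags = [struct.unpack_from(order + "H", tiff, ifd0 + 2 + 12 * i)[0]
                    for i in range(count)]
        except (TypeError, struct.error):  # unknown byte order or truncated data
            continue
        if GPS_IFD_TAG in tags:
            return True
    return False

def strip_exif(jpeg):
    """Return the JPEG with every Exif segment (location, camera, dates) removed."""
    out, last = bytearray(jpeg[:2]), 2
    for marker, start, end in segments(jpeg):
        if not is_exif(jpeg, marker, start):
            out += jpeg[start:end]
        last = end
    return bytes(out + jpeg[last:])

def sample_jpeg():
    """Constructed sample: SOI, one Exif segment whose IFD0 points at an empty GPS IFD, EOI."""
    tiff = b"MM\x00\x2a" + struct.pack(">I", 8)              # TIFF header, IFD0 at offset 8
    tiff += struct.pack(">HHHII", 1, GPS_IFD_TAG, 4, 1, 26)  # one entry: GPS pointer -> 26
    tiff += struct.pack(">I", 0) + struct.pack(">HI", 0, 0)  # end of IFD0, empty GPS IFD
    app1 = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"
```

Removing the whole Exif segment also drops the orientation and capture-date fields, so a stripped photo may display rotated in some viewers.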



2 Responses to “Internet Security (in my view)”


  1. Autumn, December 6, 2009 at 9:49 am

    Thank you SO much. That was a dose (well, a large, Golden Corral size portion . . . ha!) of common sense that I needed. Thank you for thinking all that through for me. I don’t know anything about computers (obviously) and I really appreciate it. Not offended at all . . . in fact, I think I may put a link to this on my blog, to let everyone read it, too. That was a lot of work and I appreciate it! : )

  2. Mediocre Renaissance Man, December 6, 2009 at 12:56 pm

    Final disclaimer:

    I know that I am not an actual security professional, and some of my information may be inadequate or inaccurate. However, this is the advice that I live by, and if it doesn’t work it hasn’t hurt me yet. So if you have something to add to this, please share a comment. However, please remember that my views are of the non-paranoid type, and I do not wish to implement hordes of security protocols in my life living in fear of security-preventable-incidents that are unlikely (even if possible) to happen to me.

    In other words, I am not interested in hearing your reasons why I should keep EVERYTHING private because I believe it is possible to share freely without worrying so much about bad people. In the news I do not hear about many crimes that would have been prevented if the person had simply marked all of their YouTube videos “private.”

    So there.

