We are living in interesting times.
Services like the NSA or GCHQ are terrorizing everybody with total surveillance. Even the companies we rely on to detect and remove malware from our Windows machines do not respond to newly found malware in an appropriate way. When they are confronted with a new set of malware components, they hold back information and sometimes they do not even add counter-measures to their anti-malware products. Whistleblowers who provide us with information on ground-breaking scandals have to live in fear in exile.
How bad could it get?
Behold, geeks to the rescue: It's the most wonderful time of the year ... for security and privacy-aware geeks: 31C3 is the 31st congress of the Chaos Computer Club. In Hamburg, world-leading security experts are presenting the work they have done since the previous congress. The videos of the talks are worth watching over the next weeks - big time.
Besides the usual mind-blowing disclosures, I would like to comment on the status of IT security and extreme opinions on it.
Extreme positions like the one of Open Source evangelist Richard Stallman are becoming the reasonable ones. In his talk at 31C3, he states that without Open Source, no system can claim to be secure. That does not imply that any Open Source-based system is secure by default. It only implies that any Closed Source-based system can never be seen as secure.
And he does not stop here. He stated that proprietary (closed source) software has to be seen as malware. We are used to "jailbreaking" devices we thought we owned in order to use them properly. Furthermore, we should invest more resources in making sure that whistleblowers like Edward Snowden do not have to fear for their lives. We have to fix our democracy and we have to teach our children how to use Open Source.
I used to think that Richard Stallman was a respected but rather old relic from the early days of Open Source, with extreme opinions that are no longer realistic. This has changed. I now share most of his ideas and do think that there is much work to be done to fix this IT world of ours.
In a very interesting blog article, security expert Bruce Schneier summarizes the lessons from the Sony hack. There are many interesting quotes in it:
Against a sufficiently skilled, funded and motivated attacker, all networks are vulnerable. But good security makes many kinds of attack harder, costlier and riskier. Against attackers who aren't sufficiently skilled, good security may protect you completely.
So even if there are attackers out there who get what they want from any secured network, security counter-measures are not wasted effort at all! You can eliminate most drive-by malware and opportunistic attackers by establishing a minimum level of security across your entire network:
For those worried that what happened to Sony could happen to you, I have two pieces of advice. The first is for organizations: take this stuff seriously. Security is a combination of protection, detection and response. You need prevention to defend against low-focus attacks and to make targeted attacks harder. You need detection to spot the attackers who inevitably get through. And you need response to minimize the damage, restore security and manage the fallout.
And there are also lessons to learn for individuals:
My second piece of advice is for individuals. [...] We have no choice but to entrust companies with our intimate conversations: on email, on Facebook, by text and so on. We have no choice but to entrust the retailers that we use with our financial details. And we have little choice but to use cloud services such as iCloud and Google Docs.
So be smart: Understand the risks. Know that your data are vulnerable. Opt out when you can. And agitate for government intervention to ensure that organizations protect your data as well as you would. Like many areas of our hyper-technical world, this isn't something markets can fix.
And this last quote is clearly not directed toward geeks or security experts: it's for everybody using the Internet.
Over the next few years, we should make sure that extreme opinions like "I don't have anything valuable, so I don't care what Facebook is doing with my stuff" or "a skilled hacker is getting in anyway, so why care?" die out completely.