Being Secure Online: A Reference

Last week I had the rare opportunity to make a presentation to a highly engaged group of seniors on behalf of the Yukon Status of Women Council. I say “rare” because it’s not often that I interact with internet users who are genuinely concerned with protecting their privacy and security online. Most people take too lackadaisical an attitude towards these matters, and when you consider the excursions that even our own government is making into our private online affairs, that’s just not okay.

I promised the attendees of that session a reference to assist with following up on the matters we’d discussed. Rather than provide a print-out, though, since this is such an important issue, I figured a public blog post couldn’t hurt. Plus, for reference, here’s a link to the slide deck from the presentation.

Risk vs. Benefit

First off, I’d like to briefly discuss my approach to internet security. The question of the “correct” approach to security problems kept coming up and I kept responding with the standard geek adage, “It depends…”

Every action you take, both online and offline, entails a degree of risk, and you have to assess the potential benefit and its value to you. And so it is with internet security, and, of course, understanding risks online is the most important aspect of protecting oneself. For example, many people watch movies online. Acquiring them for free via BitTorrent involves tremendous risk of being infected by malware, and of potentially breaking copyright laws that could get you in trouble with the law. Is it worth all that risk, or does paying $4 to rent a safe copy of a movie legally on iTunes make more sense?

I’ve read a lot about the “right way” to protect oneself in a given circumstance online, but one expert’s truth always contradicts another’s, and really neither can be considered absolutely correct. Like most things in life, the “truth,” if there is such a thing, lies somewhere in between. And you’ll never find it, because it’s always changing. So instead of learning the Officially Correct Way to resolve a security or privacy situation online, it’s better to equip yourself with an understanding of the dangers and get some suitable tools for effectively responding to them. After all, rules are just static and inflexible ways of doing things one way. Knowledge grants you the power to respond organically to ever-changing situations.

So the question online isn’t about simple, constant internet “safety.” It’s more about:

  1. Constantly educating yourself about online opportunities and dangers;
  2. Keeping your eyes open and being street-smart online;
  3. Making sure you’re going to benefit from your actions online; and
  4. Avoiding the risks of other people taking advantage of your online activities.

Just like in the “real” world, good judgement reigns supreme online. Would you drive your car without a seatbelt? No, because you know that even the benefit of efficient transportation isn’t worth the risk of injury in an accident. So would you browse the internet using an unsupported operating system like Windows XP? Of course not, it’s a target for all sorts of bad people; you’d upgrade or buy a new computer.

Internet Service Providers

I presented that there are essentially three methods of accessing the internet:

  1. Private fixed landline access;
  2. Private mobile access; and
  3. Free public wireless access.

Private fixed landline access in Whitehorse is unfortunately limited to one thing: cable internet from Northwestel. The sole benefit with this method of internet access is, of course, the total volume of data available for consumption — that is, the amount of “stuff” you can download or upload. The drawbacks are cost — it’s really quite expensive, particularly at the lower end of the company’s product line — and the fact that you can never be sure of what you’re getting.

During my session with this group of very intelligent seniors, it was clear that no one trusts Northwestel to be honest or accurate with their measuring of our internet use. For all we know, Northwestel has a cage of monkeys pounding on a keyboard to manufacture numbers for billing purposes. There’s nothing that would disprove this idea other than the company’s cold, “Trust us,” attitude. Trust must be earned, however… but that’s another sermon.

Private mobile access is internet service that is provided via the cellular phone network. Luckily, there is some competition in this space: we have both Bell and TELUS available to us here in Whitehorse. This method of internet access can be more affordable — it generally starts at about $5 a month — and it’s very convenient, since you can take it with you. Of course, the major drawback here is data volume. If you’re looking at watching movies on Netflix, this is not the best way to access the internet.

Another thing to consider, and this is where we get to the heart of the matter, is privacy. Bell tracks and resells what you do online. While TELUS certainly also tracks your activities, it doesn’t hawk that data on the open market (though I’m sure they give it up to the government upon unwarranted request, as does every carrier). This is where the question of risk/benefit comes in. Are you okay with having your life’s activities sold to the highest bidder without discernible benefit to you? (Ignore Bell’s “qualified advertising” argument, it’s a sham.) Personally, I prefer to maintain as much privacy as possible — or to enjoy direct benefit from the resale of my privacy, when appropriate. So I go with TELUS rather than Bell, and I strongly recommend you do, too.

Then there’s free public wireless access. This is the single most dangerous method of internet access you can use. As the saying goes, there’s no such thing as a free lunch, and that’s especially true here. Of course, there is a cost associated with providing this internet access, and to offset it, McDonald’s or Tim Hortons or wherever is tracking and reselling your behaviour to all sorts of other companies. (And, again, no doubt giving it to the government.)

Then there’s the fact that it’s completely public and open. That means it’s like you’re communicating in a big, open, public room with wonderful acoustics that bounce all the sounds around nicely so everyone can hear what everyone else is saying… if they’re listening. And that’s what the bad guys are doing: listening very carefully for that moment you type a password into an insecure web page, and then they grab it and it’s theirs to do what they like with.

Personally, I never use free public wireless internet. There’s just too much risk. Of course, it’s all about saving money, so many people do use it. But it’s worth coining a new adage to describe that situation: “Penny wise, security poor.” What you give up greatly outweighs what you get with free public internet, in my opinion. Avoid it whenever you can.

To summarize your internet options, then:

  1. If you’re just browsing web pages and checking email, pick up an internet stick from TELUS or learn how to set up your mobile phone as a “hot spot.” This is generally cheaper and better quality than Northwestel’s lowest-tier cable internet packages, plus offers the added benefit of being mobile.
  2. If you’re planning on replacing your cable TV connection with a Netflix subscription (what an excellent idea, by the way), plug your nose and subscribe to cable internet with Northwestel.
  3. If you need to check the weather or a sports score in a pinch, maybe use the free wireless internet at McDonald’s, but otherwise avoid it like the plague. (And circle back to option 1 here: if you’ve got the mobile internet in your pocket, why consider the extreme risk of free public wireless internet?)

Hard Work

It too often goes unmentioned, but ensuring that you’re operating in as secure an environment as is currently technically possible requires commitment and hard work. In a nutshell, you must:

  1. Stay up to date with an understanding of evolving dangers online;
  2. Make sure you have security software installed (yes, even on a Mac);
  3. Keep your computer up to date with the latest security patches and software upgrades.

On the matter of security software, here are my recommendations:

  1. Intego VirusBarrier to protect you from malware on a Mac;
  2. Little Snitch to protect you from network intrusions on a Mac;
  3. Kaspersky Internet Security for a full suite of protection on a Windows PC; or
  4. Microsoft Windows 8’s built-in “Defender” is also a good (and free) option.

So you either need to commit the time to adopting “The Way of the Geek,” or you need to pay an actual professional geek to do it for you. It’s time or it’s money, your choice.

Which leads to a big question this group of seniors had: who is available in Whitehorse to provide this service? We brainstormed a bit to identify computer support service providers in Whitehorse, and came up with this list (presented in no particular order):

  1. Mid-Arctic
  2. Polarcom
  3. Computer Nerds for Hire
  4. Staples
  5. Computerisms
  6. Meadia Solutions

If there was one take-away from the group’s discussion about these companies, it was the exceptionally poor service that was generally provided by all of them. Some people did report positive experiences with a couple of the companies listed above. But it was clearly more common that these seniors suffered at the hands of these service providers than gained benefit. In the Whitehorse market, there’s clearly tremendous room for improvement in the quality of service provided to home computer users, particularly seniors.

For the time being, how can you choose between them? My advice is to call them all for a chat and pick the one that is the most polite, respectful, patient, and offers to support you in a way you feel comfortable with. Hopefully at least one of them fits the bill.

Passwords, Damn Passwords

Passwords are the bane of existence. I hate them. No, I loathe them.

But. They are also the keys to our security online. Literally. They’re like keys that we open doors with. And so, while it pains me to say it, as we have a different key to every door in our lives, we must have different passwords for every online service we encounter. And every password must be incomprehensibly complex.

Here are the password rules I set out in the session:

  • Never recycle a password
  • Never share a password
  • A password should be longer than 8 characters
  • A password should never contain a dictionary word
  • A password should have a combination of:
    • Upper case letters
    • Lower case letters
    • Numbers
    • Special characters
  • Change all passwords regularly
  • Don’t write your passwords down

That’s crazy! Try to remember just one password that follows those rules. Now consider that many of us engage with dozens — hundreds, even (if you’re like me, that is) — of online services every day. And try to remember all of those passwords. No wonder the world has settled on “123456” as a standard password. Less strain on the brain, eh?

That might be the case, but if that’s your password, you may as well not have a password at all. And while you’re at it, just leave your doors unlocked. It’s really important to use complicated passwords that are different everywhere. But how can you remember all of them?

Many geeks will give you this rule: don’t use password management software. I hate that rule. It’s dumb. It’s the same as saying, don’t put all your keys on the same key ring, or don’t put all your cards in one wallet. Of course there’s a risk of someone gaining access to your password collection. But when it’s a question of using “qwerty” as your password on two-dozen web sites, versus having an invariably complex jumble of characters for every online service, I say go with the latter. If you’re smart about it, and protect that collection as you would your wallet or key ring, you’ll be fine.
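To show what a password manager takes off your hands, here is an added example (not from the original session or from any particular product) that checks a password against the rules listed above and generates a different compliant password for every service. The tiny word list, the set of special characters and the service names are assumptions made for illustration.

```python
import secrets
import string

# Constructed mini word list standing in for a real dictionary (assumption).
DICTIONARY = {"password", "qwerty", "monkey", "dragon", "letmein", "welcome"}
SPECIALS = "!@#$%^&*()-_=+[]{}"  # assumed set of special characters
CLASSES = [
    ("upper case letter", string.ascii_uppercase),
    ("lower case letter", string.ascii_lowercase),
    ("number", string.digits),
    ("special character", SPECIALS),
]


def violations(password, used=()):
    """Return the rules from the list above that this password breaks."""
    problems = []
    if len(password) <= 8:
        problems.append("not longer than 8 characters")
    if any(word in password.lower() for word in DICTIONARY):
        problems.append("contains a dictionary word")
    for name, alphabet in CLASSES:
        if not any(ch in alphabet for ch in password):
            problems.append("missing " + name)
    if password in used:
        problems.append("recycled")
    return problems


def generate(length=20, used=()):
    """Draw passwords from the operating system's secure random source
    until one breaks no rule (rejection sampling keeps the choice unbiased)."""
    alphabet = "".join(chars for _, chars in CLASSES)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not violations(candidate, used):
            return candidate


def build_vault(services):
    """One independent password per service, never recycled."""
    vault = {}
    for service in services:
        vault[service] = generate(used=set(vault.values()))
    return vault


if __name__ == "__main__":
    print(violations("123456"))
    for service, password in build_vault(["bank", "email", "shop"]).items():
        print(service, password)
```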

To assist in maintaining a balance between sanity and password security, here is some software I recommend you consider:

About that last service I mention there, Abine’s Do Not Track Me also lets you create unlimited, alias email addresses on the fly to mask your identity and control the flow of unsolicited communication. When you consider that a password only represents 50% of your security solution, the other half commonly being your email address, it makes sense to be able to obscure the entirety of your online identity.

In a nutshell, when you sign up for online services, Do Not Track Me will generate an anonymous email address for you on the fly, hiding your real email address from the service provider. Then when the service provider sends you an email, the Do Not Track Me service secretly redirects it to your real email address. If the service provider resells your email address, and you start to receive unsolicited messages, you can track that and potentially cut it off without having to sacrifice your real email address.

Again, you’re putting a lot of trust into Abine as a company, but I feel the benefit is worth it.
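The alias mechanism described above can be sketched as a small model. This is an added example, not Abine's code or anything shown in the session; the class name, the `relay.example` domain and all addresses are constructed for illustration.

```python
import secrets


class AliasRelay:
    """Toy model of a masked-email relay: one alias per service, forwarded
    to the real address, with the alias revealing who passed it on."""

    def __init__(self, real_address, domain="relay.example"):
        self.real_address = real_address
        self.domain = domain
        self.aliases = {}  # alias -> {"service": ..., "active": ...}

    def create_alias(self, service):
        # A random local part: the service never sees the real address.
        alias = f"{secrets.token_hex(6)}@{self.domain}"
        self.aliases[alias] = {"service": service, "active": True}
        return alias

    def deliver(self, sender_domain, to_alias):
        """Forward mail for an active alias; drop everything else."""
        entry = self.aliases.get(to_alias)
        if entry is None or not entry["active"]:
            return None
        return {
            "forward_to": self.real_address,
            "issued_to": entry["service"],
            # Mail from anyone other than the service the alias was given to
            # means that service shared or lost the address.
            "leaked": sender_domain != entry["service"],
        }

    def disable(self, alias):
        self.aliases[alias]["active"] = False


if __name__ == "__main__":
    relay = AliasRelay("me@home.example")
    shop = relay.create_alias("shop.example")
    news = relay.create_alias("news.example")
    print(relay.deliver("shop.example", shop))  # expected sender
    print(relay.deliver("spam.example", shop))  # alias was passed on
    relay.disable(shop)                         # cut it off
    print(relay.deliver("spam.example", shop))  # now dropped
    print(relay.deliver("news.example", news))  # other aliases unaffected
```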

In Closing

Being online requires that you are:

  1. Educated;
  2. Prepared;
  3. Smart; and
  4. Cautious.

The internet world is not so different from what we experience day-to-day, but it’s easy to get distracted by its gee-whiz factor. If you make sure you’re equipped with good defensive tools and conduct yourself wisely, however, your threat level will be minimized.