Practical privacy and simple cybersecurity.
TheNewOil.org

How I Learned To Stop Worrying And Love Insecurity

In an era where our lives are intricately intertwined with technology, the concept of cybersecurity has become paramount. One need look no further than my own Surveillance Report podcast, which features a weekly “Data Breaches” section that at times becomes so long we have to sacrifice some of the lesser stories. Consequently, many in the privacy and security communities strive to find systems and devices that are “unhackable.” But reality is a harsh mistress (or master, or whatever you prefer), for nothing is truly unhackable.

The truth is that security is complicated for a variety of reasons. For one, code is complicated. Adding one piece of functionality can introduce unexpected bugs, and that’s to say nothing of “side channel” attacks – wherein one can co-opt a functionality in ways that were unintended to leverage a weakness on a completely different (and often unrelated) process, app, device, or other system. For another, humans are emotional, irrational creatures. Any expert hacker will tell you that the most consistent and effective vulnerability is people; that’s why social engineering remains the top method of compromise, usually in the form of some kind of phishing attack.

No matter how robust the security measures may seem, there will always be vulnerabilities waiting to be exploited. This isn't meant to evoke fear or paranoia, but rather to instill a sense of realism. Accepting the inevitability of potential breaches can help us approach cybersecurity in a more effective manner – and perhaps more importantly, can help us find peace. I’ve seen a lifetime’s worth of forum posts from people who are stressed out, burned out, exhausted, lonely, and paranoid from trying to achieve perfect privacy, anonymity, or security – measures that undoubtedly go far above and beyond what they actually need. They’re hitting a point of diminishing returns, losing out on opportunities for job growth, friendship, finding love, and more all in the name of some nebulous dream that experts agree is – at best – a fantasy.

Acknowledging the inherent risks of the digital landscape also doesn't mean succumbing to defeat. I should hope my readers know by now that I’m never advocating for that. But while it's crucial to prioritize privacy and security, it shouldn't come at the expense of our well-being or quality of life. Obsessively monitoring every online interaction or constantly living in fear of a potential breach or slip up can be mentally exhausting and detrimental to our overall happiness. Striking a balance between staying safe online and enjoying the benefits of technology is key.

So, how do we achieve this balance? We need to start by recognizing that there is no such thing as perfect security. Highly decorated computer science expert Gene Spafford has my favorite quote on this subject:

The only system which is truly secure is one which is switched off and unplugged, locked in a titanium lined safe, buried in a concrete bunker, and is surrounded by nerve gas and very highly paid armed guards. Even then, I wouldn't stake my life on it.

While it’s critical that we do our best, we need to recognize that in this category, “perfection” is a myth. We should get as close to it as possible while realizing that it will forever be out of our grasp.

We also need to continue to emphasize threat modeling. Oftentimes, when I interact with people who are obsessive over perfect privacy and perfect security, after some discussion it turns out they never really sat down and figured out a threat model. A threat model allows you to know when you’ve done enough and are adequately protecting your privacy and security. If/when you start to see negative impacts in your life and wonder if this privacy stuff is worth it, threat modeling allows you to know if it’s safe to relax and how much. Threat modeling should be an ongoing process, and it doesn’t have to be a formal thing; simply asking yourself “What do I gain from doing this? What do I give up? Is it worth it to me? Do I really need it?” can often be plenty. I have an entire page about threat modeling here.

Ultimately though, we need to accept that perfection simply doesn’t exist. There is no perfectly unhackable system. If you think there is, you clearly haven’t heard of Stuxnet. If a dedicated adversary can reach into a highly secure, top secret, airgapped nuclear facility, then quite frankly none of us have a chance. But the good news is that very few of us do anything to warrant such extreme, dedicated attention. We have to be realistic about both what we can do and the risks we face.

America is – statistically speaking – a high-risk place in terms of gun violence. Surprisingly we don’t top the charts by all metrics, but we’re pretty high up there (and when you compare us specifically to other developed, high-wealth nations, then we do top the charts). Despite our (arguably well-earned) reputation, if you ask any American if they worry about it in their day-to-day life, most would probably laugh at you. After I write this blog, I’m going to take a quick trip to the grocery store. In Texas. Yet, I will not be “carrying.” I will not put on any body armor. Truth be told, I won’t even be practicing a particularly high level of “situational awareness” aside from watching out for cars in the parking lot and shoppers whipping around corners. I’ll most likely have my headphones in listening to a podcast. My threat model says that – while mass shootings are disturbingly common to the point of being nearly a part of American culture these days – it’s simply not something I’m likely to face. Of course, I won’t be tempting fate. I’ll keep the volume relatively low on my headphones, I’ll keep my head up and look around for anything out of the ordinary, but I’m not going to obsess over it. I’m not going to be constantly spinning around 360-degrees to check for any shooters behind me, nor am I going to wear body armor and a helmet. I’m not going to clear each corner and aisle a la my military training before scurrying to grab a loaf of bread and then combat roll through the frozen foods to the nearest register (though for the record, the image in my head is quite amusing).

And yet, digitally, this is exactly how so many of us lead our lives. I think perhaps that is because in the digital world the threats are so abstract, so asymmetrical, and in some cases seem so easy to defend against. Combat rolling past the frozen pizzas requires physical energy, but installing a new phone OS takes an hour max and can be done while simultaneously watching the latest episode of Stranger Things, requiring no more energy than a few clicks. On the other hand, a mass shooter in New York is over a thousand miles away from me whereas a scammer in India could be chatting with you in real time as they convince you to download malware from the comfort of your couch with no pants on. I think between these two things, it’s easy for us to get paranoid and think we’re not doing enough. And – especially as I mention a remote scammer – it certainly does mean we have to keep our guard up and not get complacent. But as I’ve said several times now, we hit a point of diminishing returns. When I first got into privacy, I deleted my Steam account. I later came to regret this after I realized that gaming was still important to me, something I valued and wanted to do, and now I had to repurchase all the games I missed. We have to be careful not to let our quest for better privacy and security become so obsessive that we miss out on the things we love and the opportunities to bring us happiness and meaning. My wife and I met online. We didn’t meet on a dating site, but we did meet on one of the social platforms that’s most anathema to privacy. (You can draw your own conclusions from there.) Had I been a hardliner unwilling to make any compromises, I never would’ve been part of that community which not only brought me joy and connection, but also brought (not to be cliché but) my best friend who I love and grow closer to more every day.

Strive to do your best. Aim high. But recognize that perfection is a myth. Threat model and don’t be afraid to relax a little – where your threat model allows – to make room for joy and fulfillment in your life. Learn to accept that life is unpredictable, uncertain, chaotic, and cannot always be controlled. Embrace the chaos. Nothing is unhackable.
