I originally posted the following in October 2005 and thought it would be a nice follow-up to my recent post Information wants to be free, but you still need to protect it.
= = == === =====
Just as there is a fine line between genius and madness, there is a fine line between appropriate security and paranoia. On which side of that line are you?
Shred your sensitive personal documents before throwing them away? Appropriate security. Spread the shreds in the garden as mulch? Paranoia.
Passwords on your home network? Appropriate security. Issuing smart cards to your wife and kids? What do you think?
For a quick peak into a paranoid security expert’s approach to security, check out Security for the paranoid, which I found via Schneier on Security (one of the few things I make myself check every day).
I have to admit I don’t know if the author is serious or not, mainly because I don’t know him. My first thought when I read it was that he was serious, and seriously paranoid. I know people who think, and act, like this. And, in fact, some of the things he says make sense. For instance:
I frequently see people posting PGP signed e-mails to security mailing lists. It’s not that these people are afraid of someone actually spoofing fake comments from them on the latest CGI flaw; they just make it a practice to sign every e-mail, no matter how trivial it might be. Sure, these people are signing e-mails when it’s really not important, but I doubt they get caught not signing when it is important.
I also delete unused services on my servers. I block unused ports.
But a few things make me think it is just a bit over the top, including:
- I keep my PC’s turned around so I can tell if anyone has installed a hardware keylogger.
- I never check in luggage when I fly.
- It takes five passwords to boot up my laptop and check my e-mail. One of those passwords is over 50 characters long.
One of the keys to establishing good, and appropriate, security is an analysis of the risk/threat, the consequences of becoming a victim, and the cost of the security measure against the cost. This is what the author of this piece misses, as evidenced by comments such as:
- Sure, the threat might not be real. No one may ever actually want what you have on your PC. But does that really matter? Does the threat have to be real to warrant strong security?
- There’s no need to analyze the threat of every situation. Just practice strong security always and you should be okay.
- I don’t do it because I think someone is going to go through my trash to reassemble bits of my research notes. I do it because it’s good security.
I’ve been giving some thought lately to the challenges of enterprise solutions to problems and my belief that “one size can’t fit all”. Though there are some security best practices (for lack of a better phrase) that can be applied in many situations, blind application of these practices to unique situations will likely result in more harm (less security) than it does good.