Is security on the web really possible?

Questions on how we spend our money and our time - consumer goods and services, home and vehicle, leisure and recreational activities
Post Reply
User avatar
Topic Author
CountryBoy
Posts: 1777
Joined: Wed Feb 28, 2007 9:21 am
Location: NY

Is security on the web really possible?

Post by CountryBoy »

Read the article below and then tell me if you think there is anyway one can protect oneself from attacks such as this:

http://dealbook.nytimes.com/2013/07/25/ ... panies/?hp
Sidney
Posts: 6784
Joined: Thu Mar 08, 2007 5:06 pm

Re: Is security on the web really possible?

Post by Sidney »

I'm not technical enough to comment on the technical remedies needed. However, it is my opinion that if there are remedies to really button this up tight, it probably would involve inconveniences that the typical consumer would not accept.
I always wanted to be a procrastinator.
User avatar
VictoriaF
Posts: 20122
Joined: Tue Feb 27, 2007 6:27 am
Location: Black Swan Lake

Re: Is security on the web really possible?

Post by VictoriaF »

Absolute security is not available anywhere. In comparison to the brick-and-mortar environment, the Web poses some new threats and requires some new safeguards. In the referenced case, the target was financial institutions rather than consumer systems. One way to protect oneself from such events is to keep funds in multiple institutions. The pursuit of simplicity indicates keeping all funds in, e.g., Vanguard; the desire for security suggests diversifying assets among, e.g., Vanguard, Fidelity, and TIAA-CREF.

Victoria
Last edited by VictoriaF on Thu Jul 25, 2013 12:39 pm, edited 2 times in total.
Inventor of the Bogleheads Secret Handshake | Winner of the 2015 Boglehead Contest. | Every joke has a bit of a joke. ... The rest is the truth. (Marat F)
rjsob58
Posts: 151
Joined: Thu Mar 14, 2013 10:50 am

Re: Is security on the web really possible?

Post by rjsob58 »

By "one can protect oneself" do you mean you, as an individual? If so, then no except maybe to go to a strictly cash, "off the grid" lifestyle. The only other way I can think of would be to disperse all your assets among a lot of different accounts so that no one account holds a significant portion of your assets, thus limiting your exposure to any single hacking incident. You could also reduce your credit limits on all your credit cards, again limiting your exposure to loss from a single incident.
User avatar
Epsilon Delta
Posts: 8090
Joined: Thu Apr 28, 2011 7:00 pm

Re: Is security on the web really possible?

Post by Epsilon Delta »

In the real world limiting losses to theft is done by a combination of making theft technically difficult* and catching and punishing thieves after the fact. Here we have a case of catching and punishing thieves. Many people believe that the web is not part of the real world, but they are wrong.

* Using locks, armed guards etc.
User avatar
Ged
Posts: 3945
Joined: Mon May 13, 2013 1:48 pm
Location: Roke

Re: Is security on the web really possible?

Post by Ged »

Sidney wrote:I'm not technical enough to comment on the technical remedies needed. However, it is my opinion that if there are remedies to really button this up tight, it probably would involve inconveniences that the typical consumer would not accept.
It is truism that a perfectly secure system would have provisions so onerous that it would be unusable.

The best you can hope for is to make it financially unattractive; that is the cost to build an effective attack would be higher than the benefit.
User avatar
telemark
Posts: 3389
Joined: Sat Aug 11, 2012 6:35 am

Re: Is security on the web really possible?

Post by telemark »

The attack is on the computers that store card information and process transactions, so if you own credit or debit cards you are vulnerable, whether or not you use the web. Read the fine print on your card agreements, and keep an eye on your credit card transactions: using the web lets you do this more often.
Sidney
Posts: 6784
Joined: Thu Mar 08, 2007 5:06 pm

Re: Is security on the web really possible?

Post by Sidney »

telemark wrote:keep an eye on your credit card transactions: using the web lets you do this more often.
I try to do this weekly. Since I have to go in once a month to pay the bill, that is only 3 extra times per month. Takes seconds; worth it.
I always wanted to be a procrastinator.
User avatar
greg24
Posts: 4511
Joined: Tue Feb 20, 2007 9:34 am

Re: Is security on the web really possible?

Post by greg24 »

There is always a risk. As there is risk in most things in life.
mnaspbh
Posts: 204
Joined: Fri Sep 09, 2011 12:26 pm

Re: Is security on the web really possible?

Post by mnaspbh »

CountryBoy wrote:Read the article below and then tell me if you think there is anyway one can protect oneself from attacks such as this:

http://dealbook.nytimes.com/2013/07/25/ ... panies/?hp
If all of the breaches were caused by SQL injection attacks, then the targeted systems were being run by people who don't really understand computer security, or who were just lazy. SQL injection is a very very old technique with easy-to-apply and well-established ways of preventing it.

One easy way to identify companies that really don't understand computer security (or SQL injection attacks and their content-escaping-based cousins): do they prohibit using a single quote, double quote, or dollar sign in a password? If so, they don't get it, and it's probably best to avoid using their services.

(sorry to say that Vanguard's advice on "creating a strong password" is so-so, and the section on "security questions" is really bad)
User avatar
Watty
Posts: 28859
Joined: Wed Oct 10, 2007 3:55 pm

Re: Is security on the web really possible?

Post by Watty »

greg24 wrote:There is always a risk. As there is risk in most things in life.
You also need to consider who is taking the risk.

Things like using credit cards on the internet is secure enough that the card issuing company is willing to take the risk in exchange for all the money they make on the credit cards. Other than then inconvenience I have very little monetary risk when I buy something on the internet with my credit card.
User avatar
JMacDonald
Posts: 2386
Joined: Mon Feb 19, 2007 4:53 pm

Re: Is security on the web really possible?

Post by JMacDonald »

Here is an article about this problem: http://www.latimes.com/business/la-fi-p ... 8913.story
Nearly every incident of online espionage in 2012 involved some sort of a phishing attack, according to a survey compiled by Verizon Communications Inc., the nation's largest wireless carrier.
Best Wishes, | Joe
Mudpuppy
Posts: 7409
Joined: Sat Aug 27, 2011 2:26 am
Location: Sunny California

Re: Is security on the web really possible?

Post by Mudpuppy »

CountryBoy wrote:Read the article below and then tell me if you think there is anyway one can protect oneself from attacks such as this:

http://dealbook.nytimes.com/2013/07/25/ ... panies/?hp
The first step towards implementing a computer security plan is to accept that you cannot protect against everything. This doesn't mean you should give up and employ absolutely no security measures however. It just means you need to a) make priorities about what you want to secure and b) develop a security plan that encompasses prevention, detection, and response. Then you need to circle back to the first step and realize that no plan will be perfect, but having some plan is better than having no plan.
lostInFinance
Posts: 218
Joined: Sun Mar 03, 2013 2:57 pm

Re: Is security on the web really possible?

Post by lostInFinance »

I think a discussion of the technical issues really misses the point. I bet if your account was hacked and you didn't do something completely stupid, like make your password password, Vanguard will almost certainly absorb the loss. The cost of making you whole is almost certainly less than the bad publicity if the public becomes afraid of holding mutual funds. In all these computer security threads, despite the alleged severity of the threat, no one has been able to find a single real life example of an individual having un-reimbursed losses due to computer fraud with their mutual funds. And the idea of diversifying between Vanguard and Fidelity strikes me as near tin foil hat thinking.
davebarnes
Posts: 542
Joined: Wed Jan 02, 2008 6:06 pm
Location: Berkeley, Denver, Colorado USA

No

Post by davebarnes »

Is security on the web really possible?
No
Relax and enjoy the ride.
A nerd living in Denver
User avatar
prudent
Moderator
Posts: 9085
Joined: Fri May 20, 2011 2:50 pm

Re: Is security on the web really possible?

Post by prudent »

Not possible to have absolute security. You have brilliant programmers being paid a lot of money to do this kind of thing, and organized crime has lots of time and resources. They can co-opt insiders for information, try to plant their own people in jobs with access to data and that's beyond just using SQL injection attacks. The fact that SQL injection still works shows that the companies responsible for safeguarding data are not good at it. It's just about impossible to write bulletproof software that is complex. I think this problem will only get worse. Only when the financial losses are so painful that companies put more money into security will it get better. At the moment it comes down to a cost-benefit analysis, and the cost of losses do not justify paying more to improve security systematically. Sure, known vulnerabilities are going to be corrected, but it's like an arms race.
User avatar
kwan2
Posts: 384
Joined: Thu Jun 14, 2012 9:13 pm

Re: Is security on the web really possible?

Post by kwan2 »

i've been reading up on SSL, Tor, VPNs, OpenVPN, I would say, the question would be from whom.
http://yro.slashdot.org/story/10/03/26/ ... rtificates

it appears somewhat trivial for a government to get fake CA authority, with or w/o a warrant. so SSL, can't get secure.

i did install certificate patrol on FF, though, i'm not sure i understand it all. and changed to opera for flash and gmail, as chrome uses IE's certificates, which apparently are more dubious.

Tor is slow, but the endpoints are worldwide, so if more ppl use it, maybe it would get faster someday, maybe post-snowden, more ppl will grow its nodes.

see:eff.org for fun, i am 1 in 3 million /uniquely identifable with 21 bits of information
https://panopticlick.eff.org/index.php? ... log&js=yes :sharebeer

:beer
“The history of Paris teaches us that beauty is a by-product of danger, that liberty is at best a consequence of neglect, that wisdom is entwined with decay."
User avatar
Epsilon Delta
Posts: 8090
Joined: Thu Apr 28, 2011 7:00 pm

Re: Is security on the web really possible?

Post by Epsilon Delta »

kwan2 wrote:it appears somewhat trivial for a government to get fake CA authority, with or w/o a warrant. so SSL, can't get secure.
Lots of things are trivial for a government.

If you're worried about a government targeting you, you're probably not going to be able to stay secure even with extreme technical measures. If you're worried about it in a more general way you're best bet it to get involved politically.
Post Reply