Friday, December 2, 2016

If, when, and how often ... security flaws and fake news

When I was in middle school, my family moved from the sleepy rural town of Hurley, New York to the nearby city of Kingston.  While living in Hurley, my family had grown accustomed to the security standards of small communities where the nearest neighbors are quite a long distance from one another--that is to say no security standards.  My family almost never locked our doors, and my parents regularly left their keys in the car overnight.

Within a few weeks of moving to the comparatively populated Kingston, my father's car disappeared one morning.  He had left the car unlocked, with the keys in the ignition.  Some enterprising young man had noticed and taken advantage of the security hole.

A few weeks later we heard from the police at SUNY Albany.  Apparently, the guy had taken the car up to the campus and had been breaking into dorm rooms and storing stuff in the car (which he had also been living out of).  When the car came back, it was full of stolen stuff.  Amazingly, the SUNY police refused to deal with the stolen stuff because the car was originally stolen in Kingston and the Kingston PD refused to deal with the stolen stuff because the robberies happened on SUNY campus, so we were left with a whole bunch of stuff.  The guy who did all the stealing went to jail for a few months and my dad started taking his keys out of the ignition at night.

Amazingly, the day that the guy got out of jail, our car disappeared again!  Apparently, he had made himself a copy of the key.  That key was among his personal things when he was jailed and was among the personal things returned to him upon release.  He walked straight to our house, unlocked and started up the car and --creatively-- headed straight to SUNY Albany again and started robbing dorm rooms.  When the car came back the second time, Dad finally changed the locks.

I hope this is going somewhere...

When I was a teenager, I got involved with the early idea of online video games.  Back then, "online" meant dial-up, and specifically it meant direct dialing either a BBS or a friend's computer.  You would plug your phone line into the modem (external modem, of course) and then one of you would call the other one.  A few DOS commands later (actually a ton of inscrutably complex commands later) and you were DOOMing it up against one another.  In the '80s and early '90s, security considerations were a lot like Hurley... everything was unlocked and the keys were in the ignition.

Years later, at one of the first companies I started, I decided to host the email and web server for the company locally.  By "host locally" what I mean is that I got a static IP, stuck an old desktop in a closet and installed Apache.  Installing Apache was easy, but configuring security was complex and lengthy.  I thought back to the old BBS days and considered "what are the odds that somebody will discover this IP?"  The idea of learning about the security was interesting to me, though, and I put in a few days to educate myself, figure it all out, configure and install, etc. before activating the server.

What happened astonished me.  The first attack on the server came within a few seconds.  The next one just a few minutes after that.  By the end of the day, there had been dozens of intrusion attempts against this brand new server that was there to serve up a couple of lame web pages about a nobody video games company and to pass our completely uninteresting emails back and forth.  The pace of attacks didn't slow down, either.  It continued to increase as time went on.

At the time I started saying that security is serious business.  Security wasn't a question of IF you will get attacked or even WHEN, but HOW OFTEN will you get attacked?  This is probably more true now than ever before.

Over time, I have come to recognize that this equation is a function of network density.  The more densely the nodes of a network are interconnected, the more interactions each node needs to expect.  These interactions can be anticipated, they can be serendipitous, or they can be hostile.  The more deeply and broadly we immerse ourselves as individuals into a more interconnected society, the more interactions we are exposed to.  The likelihood of "intrusion attempts" (hostile interactions) goes from "will it happen?" to "when will it happen?" to "how often will it happen?"

The next interesting question becomes "what will tomorrow's intrusion attempts look like?"  A decade ago everybody had at least a few Nigerian prince emails.  A few years ago, everybody was falling for phishing scams on Facebook.

This year was the year of fake news.  Possibly the most insidious of all hostile interactions, fake news plays on our human desire for an echo chamber.  Fake news spreads like a virus through the like-minded and hijacks our rational thinking.  The Nigerian emails stole bank account numbers.  The phishing scams stole our identities.  Now fake news is stealing our ability to think.