No Need to be Greedy to get Security

A short while ago my brother asked me if there was some way he could get to his home computer from his college dorm. This isn’t so much a huge technical problem as it is a security concern.

His home computer was essentially the family computer. It has games, pictures, a music library, and lots of old homework. But it also has financial records, private email, and the like. Every family computer is a treasure trove of vital information for thieves and crackers. Its information would be far more valuable than a bunch of jewelry or the children’s stash of allowance, so you can clearly see why making a connection from the Internet to the family computer requires some security considerations.

This whole situation got me thinking of the state of information security as a whole. When it comes right down to it, my family’s home system is relatively more secure than most home or small business networks. Keeping the computer behind a firewall helps somewhat right off the bat because it separates us from the rest of our ISP’s subnet. That’s probably the most important security step anyone can take, and it’s so utterly easy. I’ve walked into offices countless times where a single computer was plugged right into the cable or DSL line. That’s just inviting trouble!

The situation with dialup Internet access is much worse. Consider AOL, for example. For years, customers have been logging into their AOL accounts using no security precautions at all. Username and password are sent in the clear, which is about as secure as writing your bank account and PIN numbers on the back of a postcard. To add insult to injury, AOL is now charging users extra for a secure log-in procedure, which is nothing more than pure greed. Two questions come to mind:

  1. Why did it take more than a decade to implement a secure log-in procedure?
  2. Why, when it finally comes, is it being offered only as a premium service?

This is sending absolutely the wrong message to computer users everywhere.

The issue I take with it, of course, is that while iron-clad protection is indeed difficult if not impossible to achieve, an enormous difference can be made with just a little bit of effort. In AOL’s case, simple security such as end-to-end encryption during a log-in procedure should not be an incredibly difficult task to achieve. While their rotational password scheme does offer an added layer of security, and makes encryption a little less important as far as log-ins go, does this mean that regular users will just have to suck it up and be content with their lack of security?

I sure as hell wouldn’t be.