Note: Alert readers have probably noticed that we talked with Tom about cloud security back in March. Another good interview, worth seeing (or reading).
Tom Henderson: I like the fact that Apple battles the NSA. I think it's all grandstanding to be honest, don’t you think? It’s so nice that they are able to have at least a PR battle with the NSA, whereas I'm guessing that the NSA is already not only through the backdoor but, well, they have their own entrance. And maybe Apple knows it or maybe they don't.
Robin Miller: But how then, let's assume there's no perfect security protection, business or personal, what can we do business-wise or personally -- if anything?
Tom Henderson: We’ll take the consumer side first. Just with some quick recommendations. If you like privacy, separate your life into two different browsers. One of those browsers will be your social media browser. The other browser will be when you buy stuff or when you do banking. Why? Because the correlations between your online social behavior will be used against you in the buying department. Amazon and Facebook are thick as thieves, as an example, and if you want to prove the fact, go to Amazon, shop for a few distinct items, perhaps something out of your normal profile, then see those ads popping up on Facebook, not quite instantly but really soon. It doesn't take long for those guys to correlate what's going on and have a good time trying to sell you stuff, which is where all that ad revenue goes. This is the entire business profit model of Google and Google Analytics.
Robin Miller: It works, it takes less than an hour, and you will be followed everywhere including on Slashdot. I work for ad-supported websites, so I can never advocate using any of the ad blockers. But if I did... sometimes I wouldn't use it because I want to see what kind of ads are being run. I would notice that those ads for something I looked at on Amazon or at Best Buy, those ads follow me all over the web, from the New York Times to The Washington Post, as it were.
Tom Henderson: In our terms, using the Internet is very heavily funded by ad revenue. Ad blockers block a lot of that revenue automatically. If we all did that, the face of the web would change tomorrow morning. We would have a completely different model based on further cuts in advertising. But the Direct Marketing Association and all of the organizations make money this way, so we'll never have that, so you’re fighting an enormous block of legislative bribery money – oh I’m sorry; campaign contributions.
Robin Miller: Same thing.
Tom Henderson: Then ensure that unfortunately a lot of this is going to continue to be ad driven.
Robin Miller: One thing that I think my wife and I are doing right: we don't have a bank anymore, we have a credit union, a local credit union and they do use secondary authorization on everything, you have to not just know the account number and the password, but you also need to know the answers to fairly obscure questions about our past, what year teacher was your favorite in what grade, things like that. Does that help?
Tom Henderson: This is, you know, the credit union trying to use information that you told them about, it will verify that it's you and not somebody else who cracked into your account.
In terms of allowing them to do that, we don't really have a choice. Is it good that some credit unions do this sort of thing? The answer is sure. I prefer credit unions over banks. But that's a personal choice because I believe that credit unions are motivated in a different way than banks are, but that said, using a secondary auth is always a good idea. If you’re a commercial organization, you need to think about using private circuits. That involves using VPNs.
If you use VPNs and the security surrounding them, you can get secondary auth if that's important to you, but you can also vet your users in other ways using access control lists. So there's a way to help keep people from peering in on the conversation. There are ways to be able to ensure the data stored in place is encrypted because you purposefully did it with a key that you know is very difficult to break.
I'm not sure any key is necessarily unbreakable; it just takes hardware. Hardware is cheap these days. It's really cheap.