Does Your Hardware Spy On You?

Every once in a while I encounter an article that talks about government intrusion into private organizations through means that seem more like a James Bond movie plot than reality. The latest such story appeared in ComputerWorld, “To avoid NSA, Cisco delivers gear to strange addresses.” These articles lead me to wonder whether the authors have an overdeveloped persecution complex or government agencies are really spying on the public in such overtly secretive (and potentially illegal) ways. The fact that some companies apparently believe in the threat enough to ship their equipment to odd addresses is frightening. Consider the ramifications of the actions—is it even possible to feel safe ordering hardware you haven’t built yourself (or are the individual components bugged too)?

Obviously, government organizations do require some means of tracking bad guys out there. Of course, the term bad guys is pretty loose and subject to a great deal of interpretation. In addition, just how much tracking is too much tracking? Would enough tracking prevent another terrorist attack or the loss of income caused by crooked company executives? There are many questions that remain unanswered in my mind (and obviously in the minds of others) over the use of various tracking technologies.

The topic of government spying, its legitimate and illegitimate uses, and just who the bad guy is demands a lot more attention than anyone is giving it. So, how do you feel about government tracking of everything and anything it sets its mind to spy on? Do you feel there should be limits? What do you feel about shipping things to odd addresses to avoid notice and circumvent the system (partly because the system is broken)? I’d love to hear your point of view about the use of modified computer equipment as a tool for spying on the private sector at [email protected].

 

Your Security is an Illusion

I receive a number of queries about security from administrators and users every month, and many of these questions have links to all sorts of security issues that have occurred recently: everything from National Security Agency (NSA) spying to the Target security breach (incidentally, a number of other businesses have been attacked in the same manner). The fact of the matter is that books such as Administering Windows Server 2008 Server Core, Microsoft Windows Command Line Administration Instant Reference, and Windows 8 for Dummies Quick Reference have been telling you all along that security is a matter of vigilance and that software will never do the job alone. Even so, readers keep sending requests for some sort of magic bullet that will allay all their fears and make the task of security automatic.

Maintaining a reasonably secure system is a matter of observing personal, data, and system-wide best practices, something that SeedboxCo.net could help with if you’re unsure about how to go about it. Many other authors have listed these best practices in the past, but here are some of the techniques that people fail to use most often:

  • Use complex passwords that are easy to remember so you don’t need to write them down; consider using a passphrase whenever possible.
  • Change your password reasonably often and don’t rely on the same set of passwords all the time.
  • Keep your passwords secret so that no one else can abuse them.
  • Encrypt your data.
  • Perform local data backups regularly.
  • Ensure your applications remain updated with the latest security fixes.
  • Update your system as needed to ensure it provides a full set of modern security features.
  • Install security applications that check the incoming and outgoing flow of data, and block anything that looks remotely dangerous.
  • Check your system regularly for any files, folders, software, or other items that look out of place.


This list doesn’t even include some of the common user foibles, such as opening e-mail from parties they don’t know. In addition, none of these techniques are automated. You have to perform them manually in order to get the benefits they provide. Yes, it’s true that some of the techniques are automated once you start them, but you still have to start them. For example, installing security software will automatically monitor the data flow on your system, but you still have to install the security software manually.

Even with all of these security measures in place, someone who is truly determined can break into your system. You should simply count on it happening at some point, even if you’re incredibly careful. When a security breach does occur, you need to have a contingency plan in place.

Any good contingency plan will include a method of evaluating the damage caused by the security breach. You need to know just what was compromised and what the fallout of the compromise will be. Make sure that you are open and honest with your customers at this time as failure to do so can lead to other consequences. Silencing employees who speak out is even worse – you don’t want to juggle a legal fight with a whistleblower lawyer at the same time as cleaning up a data breach – so remain open to conversation at this time. Even individuals experience fallout from security breaches, such as identity theft. Once the damage is evaluated, you need a method for fixing the problems it has caused. In some cases, you may actually have to format the drive and start from scratch, which is where that data backup is going to become critical.

There is no magic bullet when it comes to security. Over the years I’ve searched, in vain, for a magic bullet and it isn’t even possible to conceive of one. Therefore, it’s the users and administrators who are best prepared for the eventuality of spying and security breaches who are in the best position to handle them later. Let me know your thoughts on security at [email protected].