How to Convince Non-IT Friends that Privacy Matters?
mmtux writes:
"As technology becomes more advanced, I am increasingly worried about privacy in all aspects of my life. Unfortunately, whenever I attempt to discuss the matter with my friends, they show little understanding and write me off as a hyper-neurotic IT student. They say they simply don't care that the data they share on social networks may be accessible by others, that some laws passed by governments today might be privacy-infringing and dangerous, or that they shouldn't use on-line banking without a virus scanner and a firewall. Have you ever attempted to discuss data security and privacy concerns with a friend who isn't tech-savvy? How do you convince the average modern user that they should think about their privacy and the privacy of others when turning on their computer?"
Funny? I would call that insightful.
Don't fight for your country, if your country does not fight for you.
I'm reminded of a time a friend of mine (quite riskily, but with management approval) sent out a set of quite official-looking emails that looked like they were internal, but came from outside the company. More than half the staff emailed willingly supplied their credit card details, internal passwords, and just about any other information asked of them, without checking who it was going to, or what it'd be used for.
When confronted in security meetings afterwards, most justified it as not being a problem, because even though it was an account outside the company and COULD have been used for nefarious purposes, it was still information that ended up in company hands, so why worry?
People will justify anything. I swear when I leave the place I'll have to do the same and go on a spending spree ordering any old crap on everyone's credit cards, and having it delivered to each other's addresses.
"'I've Got Nothing to Hide' and Other Misunderstandings of Privacy" by Daniel J. Solove
http://papers.ssrn.com/sol3/papers.cfm?abstract_id=998565
Try this link.
If it doesn't convince them, it will at least make them think...
http://www.aclu.org/pizza/
A clever man learns by his mistakes. A wise man learns by the mistakes of others.
Watch someone else pee on the fence. Point, laugh, never do it yourself.
Get your own free personal location tracker
any open router could record everything including passwords and perform man-in-the-middle attacks to bypass SSL
It's that sort of misinformation that makes it hard to take valid privacy concerns seriously. How exactly would a router bypass SSL?
You could spoof DNS to redirect all requests to your own HTTP server, and you could dynamically fetch pages from the far end to convincingly fake the remote website. And while you could generate SSL certificates on-the-fly to make it HTTPS, those certificates could only be signed by a certificate authority you control, which is not one that's particularly likely to be present in the target's list of trusted authorities.
It's almost like the people designing SSL thought that the entire route between the two communicating hosts might be insecure -- including the first-hop router -- and therefore provided verifiable, end-to-end encryption and authentication that did not rely (at least at communications time) on resources beyond what is stored or can be generated on those hosts.
Beyond that, any authentication and encryption technologies that would commonly be considered secure by knowledgeable users -- SSH, Kerberos, most VPNs, etc. -- can provide similar guarantees. They all provide verifiably-secure authentication from any endpoint, even if the entire route is hostile, and even if the endpoints have bad DNS, untruthful routes, or totally fake traffic.
It's worth the time to teach someone the difference between HTTP and HTTPS, but pretending that SSL only works over trusted routers is counter-productive at best; if people feel there's no safe way they can use the Internet they'll either give up on the Internet or give up on safety.
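The trust check described in the comment above, as an added example that is not part of the original thread: a certificate issued for the same hostname by a CA the client does not trust fails chain validation. The CA names, `bank.example` and the helper functions are constructed for illustration, and the `openssl` command-line tool is assumed to be installed.

```sh
# Constructed demo: every key, CA and certificate is generated locally and
# thrown away. "bank.example" and the CA names are placeholders.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

make_ca() {     # make_ca NAME -> NAME-ca.key and NAME-ca.pem (self-signed root)
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1 demo CA" \
    -keyout "$WORK/$1-ca.key" -out "$WORK/$1-ca.pem" 2>/dev/null
}

issue_leaf() {  # issue_leaf CA_NAME HOST -> CA_NAME-leaf.pem signed by that CA
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$1-leaf.key" -out "$WORK/$1-leaf.csr" 2>/dev/null &&
  openssl x509 -req -in "$WORK/$1-leaf.csr" -days 1 \
    -CA "$WORK/$1-ca.pem" -CAkey "$WORK/$1-ca.key" -CAcreateserial \
    -out "$WORK/$1-leaf.pem" 2>/dev/null
}

# Chain validation as a TLS client performs it: the presented certificate must
# chain to a root in the client's own trust store. Returns 0 if it does.
# (Hostname and validity-period checks are separate steps, not shown here.)
client_accepts() {  # client_accepts TRUST_STORE_CA_NAME PRESENTED_LEAF_CA_NAME
  openssl verify -CAfile "$WORK/$1-ca.pem" "$WORK/$2-leaf.pem" >/dev/null 2>&1
}

make_ca trusted                   # root shipped in the client's trust store
make_ca rogue                     # root controlled by the first-hop router
issue_leaf trusted bank.example   # the real site's certificate
issue_leaf rogue   bank.example   # same hostname, different issuer

for presented in trusted rogue; do
  if client_accepts trusted "$presented"; then
    echo "leaf issued by $presented CA: accepted"
  else
    echo "leaf issued by $presented CA: REJECTED (issuer not in trust store)"
  fi
done

# The guarantee depends on the trust store: if the other root has been
# installed there, or the warning is clicked through, the same check passes.
client_accepts rogue rogue && echo "with rogue root trusted: accepted"
```

The last line is why the browser warning matters: the protocol only protects a user who does not override the failed check.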
I'm quite often laughed at by various friends because I encrypt all my hard disks, I do not log in cybercafes or open networks. I do not use a BlackBerry, nor Facebook. I usually pay by cash and rarely by credit card, etc.
I just get used to it and stop trying to teach them even the basics (e.g. do not post your work email on a public forum for instance). I just try to insist a bit with good friends.
However, the problem is that there has been a general trend educating people to relinquish their privacy. Many governments (most notably the US) have rather clearly stated that "state security" was more important than individual privacy and many people agreed. Many media, and most notably the online ones have also distilled the fact that privacy was unimportant. I was amazed to see that the "youngest" generation does not communicate by email, not by IM, but by blogging. I have seen kids that would write a blog entry when they want to send one message to one person...
Also, oddly enough, giving examples does not work. Even real examples with real people whose lives have been screwed badly. The first reaction of people is that it cannot happen to them.
It really seems people only get a grasp of what privacy is when they have lost it.
Anyway, there are some interesting tidbits on privacy at
http://papers.ssrn.com/sol3/papers.cfm?abstract_id=998565
The hypocrisy of someone posting this as AC is just incredible.
An interest only loan will make them -more- money, not less. Perhaps the financial problem was caused by 'financiers' who subscribe to the BVis school of economics.
Not Meta-modding due to apathy.
Tell the father of a friend of mine that SSL is 100% secure. The exact hack you're saying can't happen did.
This friend set up his laptop so it appeared to have a stronger signal than the access point his Dad was connected to. This had the effect of making his Dad's computer route through my friend's laptop. He then ran a man in the middle attack, like you describe, and stored all the info of the transaction. I can only imagine how shocked his Dad was after he had finished his banking when his son told him his bank password and all about the transactions he had just made.
The moral of this story - don't trust wireless for sensitive data. Also check the certificates.
I find that after a person is a victim of identity theft, they are far more likely to take privacy seriously.
A good friend of mine used to never wear his helmet when we'd go mountain bike riding. I tried in earnest twice to convince him that he was really pushing his luck. He continued to ride sans helmet. Then one day as we were riding home, he hit some railroad tracks at an angle and went down hard. On his head.
It took a while for the ambulance to arrive. The pool of blood around his head was fairly expansive. He got a serious concussion. Not good.
He now rides with his helmet.
As others have suggested, sometimes people won't figure things out until they feel the pain. But just as important is the net effect of seeing other people getting hurt. The bike helmet trend didn't take off until people realized that a lot of people were getting injured or killed on bikes, and that many of those incidents could be mitigated through the use of helmets.
There was a painful outcome, an easy solution to reduce the probability of the painful outcome. Right now online privacy is not seen as a threat because hardly anyone actually knows someone else who has been bitten by lax online privacy. But that's starting to change, slowly. Now what we need is an easy (for those people in the world who are not inherently fascinated by computers and privacy) mechanism for managing online privacy. I don't expect the latter to come into being any time soon, given the political climate in the United States, where there's simply too much money telling the government to look the other way as companies gobble up more and more personal data.
Read the EFF's Fair Use FAQ