How Security Experts Are Protecting Their Own Data

Today the San Jose Mercury News asked several prominent security experts which security products they were actually using for their own data. An anonymous Slashdot reader writes: The EFF's chief technologist revealed that he doesn't run an anti-virus program, partly because he's using Linux, and partly because he feels anti-virus software creates a false sense of security. ("I don't like to get complacent and rely on it in any way...") He does regularly encrypt his e-mail, "but he doesn't recommend that average users scramble their email, because he thinks the encryption software is just too difficult to use."

The newspaper also interviewed security expert Eugene Spafford, who rarely updates the operating system on one of his computers -- because it's not connected to the internet -- and sometimes even accesses his files with a virtual machine, which he then deletes when he's done. His home router is equipped with a firewall device, and "he's developed some tools in his research center that he uses to try to detect security problems," according to the article. "There are some additional things I do," Spafford added, telling the reporter that "I'm not going to give details of all of them, because that doesn't help me."
Bruce Schneier had a similar answer. When the reporter asked how he protected his data, Schneier wouldn't tell them, adding "I'm kind of a target..."

Is he going for irony, here?

[mark-t]

The EFF's chief technologist revealed that he doesn't run an anti-virus program, partly because he's using Linux, and partly because he feels anti-virus software creates a false sense of security.

By virtue of the fact that he has even mentioned that using Linux is part of his reason to not run antivirus software, wouldn't the fact that he is using Linux be considered to be lulling him into exactly the same sort of false sense of security that he is accusing antivirus software of creating?

Re:Is he going for irony, here?

[Black+Parrot]

Yes.

I think my Linux is more secure than my Windows, but honestly it only takes one exploit.

If the spooks or large organized crime want in, they're in. Small fry *may* be kept out by best practices, but I wouldn't bet on it.

Anything secret shouldn't be on a computer, let alone a computer on the internet. But then there's the eternal trade-off between security and convenience.

Re:Is he going for irony, here?

[tchdab1]

These security experts wouldn't recommend it, but they're relying on security through obscurity.
Think about it, but don't actually think about *it* because that might endanger the security experts.

Re:Is he going for irony, here?

[jeffmeden]

The icing on the cake is that several of them (notably Bruce) basically saying security by obscurity really is a thing (well at least if you're famous)

#1 source of malware is ads on mainstream sites

[raymorris]

> If you spend your time avoiding visiting unsavoury websites and have the knowledge not to downloading/open questionable files

The number 1 source of infections is compromised ads on mainstream sites like Slashdot. Avoiding "unsavoury websites" isn't protecting you. Noscript and an ad blocker would provide much more protection, along with automated offsite backups in a pull configuration (your computer must not be able to delete/overwrite the backups, for ransomware protection).

Re:AV only helps if you are bad

[tsa]

Same here. I hate AV software with a passion bcause it slows your computer to a crawl, gives a false sense of security and once it's on your computer it takes a complete reinstall of the OS to get it off again. The best AV practices are:
Never use MS software to browse the internet and read email
Use an ad blocker
Never even read email from unknown sources, let alone open attachments from there.
MAKE BACKUPS of your files.

Moron Monday

[simplypeachy]

"I don't take precautions because they make me complacent." I'm glad that the idiots in that article aren't the ones making any decisions in the computer security industry. Note how the CEO of MalwareBytes is the exception in that article - that's the person who's worked with exploits and viruses. Kudos for not having your head in the sand.

Re: AV only helps if you are bad

[Anonymous+Brave+Guy]

Sometimes, but there are no guarantees these days. Once a system has been compromised, it is now almost impossible to make sure it's clean again no matter what you do to recover. In a world with the likes of UEFI and "hidden" secondary processors within CPUs, even wiping the hard drive and reinstalling from known good media isn't a reliable fix. It's all rather depressing, this so-called progress.