Sad fact of the day: Most people still don't know how to protect themselves online

In light of the contrast between widely observed personal security routines such as locking the door at night and more carefree behavior online, Mozilla decided to interrogate its community to find out what people think about security, encryption, and privacy. The advocacy-oriented maker of Firefox and other less-loved …

  1. Anonymous Coward
    Mushroom

    Not that surprising...

    If the people who allegedly did want to look out for your welfare ended up to be more interested in your paychecks as well. I mean seriously: what do you expect?

    But I agree, the market is in dire straits (awesome song though). And some of it started when 'some people' started to market Linux, OpenBSD, FreeBSD as the #1 solutions for security. Install that and you'll be safe for life. Yet as we all know: it doesn't work that way.

    Look: keeping yourself safe also implies to get an understanding of what is going on. And hardly any Internet user will do that. Why should they? Their internet provider themselves advertised how easy everything was, right?

    Yeah, you heard that right. Whose fault is this? Well => the big bad companies I say. "go online with a click of your mouse", but of course if you click on the wrong section.. all hell breaks loose, but everyone knew that, right? Bzzzzt.

    Of course said companies made sure to safeguard themselves. Such a fun world we live in....

    "I'm the only one who gets you on the internet and I demand that you agree to my terms. Which are: all I do is good, you do not hold me accountable. You click on everything you want!"

    <user clicks on phishing mail and loses 40k>

    So what other options were there?

    1. RudderLessIT

      Re: Not that surprising...

      "ShelLuser" - You love Linux. We get it.

      However this is not an option for the majority of the population. Think of a stereotypical atomic family. Do they have the time to purchase a new computer and install a new, or replace the OS?

      How does that even help, when the majority of data is being picked up from mobile devices (browsers on mobile devices are not the same as computer browsers)?

      The article does give one good piece of advice: keep everything updated. No matter what type of device, OS or applications, keep applying the updates (and ignore those saying to stick with older OS versions).

      1. Charles 9

        Re: Not that surprising...

        "The article does give one good piece of advice: keep everything updated. No matter what type of device, OS or applications, keep applying the updates (and ignore those saying to stick with older OS versions)."

        But what happens when the updates cripple functions, install spyware, or (worst case) are hijacked and are used to install malware instead?

        1. Anonymous Coward

          Re: Not that surprising...

          Oh get a grip, at least with updates installed you've reduced the RISK and isn't that what we're trying to do here? Keep information secure and the best way to do that is to reduce the risk.

          We can be sanctimonious about Linux until the cows come home, the fact is most people use mobile devices, Microsoft or a random other. All of those should be kept up to date as much as possible and that'll reduce risk.

          1. Charles 9

            Re: Not that surprising...

            "Oh get a grip, at least with updates installed you've reduced the RISK"

            No, because updates could introduce bugs (or worse, be tainted) which INCREASES RISK. So it's REALLY a coin flip.

  2. Gene Cash Silver badge

    Personal info protection from Mozilla?

    The people that removed the ability to control which cookies are accepted?

    1. JLV

      Re: Personal info protection from Mozilla?

      I used to have no-3rd party, ask me for acceptance 1st time. And I still gave most websites the delete-on-session-close treatment.

      Did you find an extension/plugin providing that functionality? On balance, I still prefer Firefox to Chrome so I won't bail for that, but it's annoying for sure.

      1. Updraft102

        Re: Personal info protection from Mozilla?

        I use Self-Destructing Cookies to delete all the cookies when a tab is closed, plus a manual delete-all-cookies button that I use frequently (after signing in somewhere like here to post a comment, for example). I don't keep any of 'em.

        I tried long ago to use the "ask for permission" cookie settings, but it got to be a huge hassle, and many sites malfunctioned without their cookies set, so then I had to go back and change the settings to "allow" or live with the malfunction. Allowing them all and then deleting them after the session is done is far easier, and everything works.

        Other than my bank saying it does not recognize the computer I am using each and every time I log in, I have not had any annoyances eliminating all cookies frequently. Of course, I am perpetually logged out of every site, but that's the idea... I can be tracked without cookies if I am logged in, at least within the context of everything else I do while logged in at that site.

  3. Mage Silver badge
    Big Brother

    10% confident

    Also they could be wrong.

    Self assessment is worthless.

    1) Analyse the threats

    2) Proper expert questioning of people, not self selected online.

    Or Ask Bruce Schneier

  4. Barry Rueger

    Door locks - bad analogy

    For the most part all you need to secure your door is one key and a turn of your wrist. And a key is a key and a lock is a lock.

    Online security is an endless forest of sites, applications, functions, and threats; all different, all needing a specific approach to security, and all changing daily.

    Much of your security also relies on things you can't control, like Android updates.

    I'm fairly knowledgeable, but I'll admit that there are occasions when I decide it's just not worth the hassle. Things are an order of magnitude worse for ordinary users.

    Story of the week: I installed a "Pay by Phone" app yesterday so that I could pay for a parking meter with my phone instead of digging for $2.50 in loose change. Not only did it demand that I enable a lock screen with PIN, it forces me to dig out my credit card and enter the CVS code every time I park.

    Overkill like this is why people hate security.

  5. anonCoward24
    Facepalm

    RFIDs in privacy-aware conference?

    SXSW in Austin probably would rate pretty high in terms of having a concentrated population that proclaims high and low their hacktivism, privacy, no-to-snooping...

    Yet the organisers, and as far as I can tell, the attendees, see nothing wrong with an RFID embedded in the nametag. There is even a RFID policy https://www.sxsw.com/rfid/ that at least does not make the RFID mandatory.

    It used to be that you could "opt out" of having your badge scanned for RFID, and have the barcode be read instead. In theory then you could nuke the RFID, and all would be cool. It seems the current gatecheck people are not able to read barcodes anymore, so. Oh well. Since talking about these things can have you tagged as trouble...

    To the hypocrites proclaiming privacy, and wearing their RFID tags as if nothing were the matter, I say, (nothing)

    I *am* Anon coward, and proud of it!

    1. Anonymous Coward

      Re: RFIDs in privacy-aware conference?

      I am Anon Coward too, and so's my wife!

  6. Ole Juul

    conflicting desires

    A big problem is that there is a conflict between on-line security and the desire to be part of what is popular. Regardless of your skill level at protecting yourself online, it becomes easier once you learn to say "no" to a lot of things - especially peer pressure.

    1. Anonymous Coward

      Re: conflicting desires

      Until it becomes a "Walking On The Sun" fad that forces you into either having no security or no social life (which to many can mean no life worth living).

  7. Anonymous Coward

    I remember a while back a company wanted to encrypt everything on the internet. They were going to act as the ISP. I think they were shut down...

    The idea still has merit, though some compromises would probably be needed. The government would want to be able to create a "back door" at the ISP level (with a court order). And, the overhead for the encryption would be significant...

    In theory it would still work and be (at least more) secure. Extra personal encryption could be added on top of the ISP encryption...

    With the threats consumers face growing everyday, I don't see how encrypting everything can be avoided. It's the only thing that provides the most basic level of security.

    Governments are going to want to delay something like this as long as possible, but it's crazy not to be working in this direction.

    The reality is the 90% that don't think they know enough, know just enough to realize the internet is incredibly unsecure. Hopefully the governments will also realize nothing they are doing on the internet is sufficiently secure either. I wonder how many scandals it will take, before Trump mandates on Twitter to just encrypt everything.

    1. Charles 9

      "With the threats consumers face growing everyday, I don't see how encrypting everything can be avoided. It's the only thing that provides the most basic level of security."

      Until you realize you can be pwned on the hardware that would be needed to do the encryption. Imagine pwned CPUs, network chips, etc. And the level of technical knowledge (not to mention real, legitimate patents) needed to roll your own silicon puts you in No Man's Land. The ONLY people capable of building the chips that run your machine aren't trustworthy. Heck, even beyond computers, can you trust your letter carriers, postal employees, and so on? Heck, remember village gossips?

      Let's face it. Privacy as we know it was a fleeting thing to begin with. And now the global village has caught up.

  8. Anonymous Coward

    online security

    For the normal people, this is what I tell them. There is no security online. Basically, they should expect no privacy like standing outside naked in the public on the internet.

    Using this mentality, it will fundamentally change their mind-set being online, like they should avoid talking\ posting\ emailing\ uploading\ downloading\ messaging about private stuff anywhere online (don't share your birthmark, your bank account and maybe your password?). They should expect 24hrs tracking when being online.

    It makes the logic really simple, like why think about encryption, long password, https, vpn, tor and other security measurement when they shouldn't even click on or upload that damn cat photo to cloud at all? One day, someone will want to hack it and it'll be on reddit where everyone will be staring at it. If they need to do anything online, they need to remember the risk. It's as simple as that.

    Only when they are prepared and would like to take the extra steps to protect themselves online that we introduce security practice. Otherwise, there's no privacy. You normal people didn't put the effort into getting it. Deal with it.

    Anon for topic.

    1. Charles 9

      Re: online security

      "Only when they are prepared and would like to take the extra steps to protect themselves online that we introduce security practice. Otherwise, there's no privacy. You normal people didn't put the effort into getting it. Deal with it."

      What if no effort that can be exerted by man is sufficient? What if this is the Global Village now where everything can be read by everyone, even if it was ten years ago, and there's nothing you can do to stop it?

      Owen Bytheway, this is stretching beyond the Internet, too. Ubiquitous cameras, microphones, aerial and satellite surveillance that's increasingly able to see through things. Heck, even the idea of "dead drops" is becoming riskier because there's always a chance (and growing) someone or something's there to observe the drops, linking you to it. Let's see you try to keep your privacy in THIS.

  9. Michael Thibault

    >Mozilla is developing products that advance privacy and security and is creating media content that serves to educate and advocate.

    Which media is to be delivered within FF as non-offable PSAs (whether in place of the stuff µBlockOrigin snuffs out, otherwise in addition to the ads). You have to start somewhere, I guess.

    What might benefit the public is a full-on, sleaze-and-scum tour of the covert goings-on that underlie the monetary churn behind the cat pic dander, the social mud, and the half-assed vids that make the internet go 'round.

  10. Anonymous Coward

    I'm much less worried about being hacked

    Than I am by companies like Google and Facebook trying to slurp up as much personal information as possible. If I'm hacked maybe I'm disrupted for a few days while I take care of that (call credit card company or banks to cancel transactions, reinstall affected devices, etc.) but corporation information collection builds up year by year.

    I'm not happy about government surveillance, but at least I figure they have little incentive to target me personally so given a choice I'd rather have privacy against corporations than against my government.

    Even though Mozilla is way way better than Google, they still have to get paid to support themselves, so they're in it to some degree. Makes sense that they'd try to hype up the hacker angle, and forget about the thing that affects people much more in the long run.

    1. Anonymous Coward

      Re: I'm much less worried about being hacked

      you get hacked and it could basically stuff your life up for at least a year.

      Until you have had your identity stolen my a I humbly suggest that you STFU.

      I have had my ID stolen and it sucks big time believe me.

      Even now, 5 years later I'm fighting a court case where some scumbag company wants its pint of blood from me despite them having the evidence that it wasn't me that bought stuff from them in the first place.

      I'm counter suing them to get my costs back £4500 and rising. (case is not in the UK)

      1. F0rdPrefect
        FAIL

        Re: I'm much less worried about being hacked

        Being in the UK and being a company director, of a very very small company, our wonderful government gave away all of my personal information, including my signature, because with no warning it made all of my filed company documents free to access online from Companies House.

        First I knew about it was when HMRC queried an attempt at VAT registration under my name.

        Also had 2 credit accounts be set up as me with alternate delivery addresses, but caught those in time to stop anything happening.

        Personal security is no longer possible.

  11. Anonymous Coward

    The biggest enemy of security...

    ... is the spectre of being accused of "Victim Blaming" - telling people to secure their private and personals online is now widely seen as the equivalent of telling women that if they wear short skirts they deserve to be raped.

    Set against that background is it any wonder nobody learns to protect themselves online? Much easier just to get offended at the suggestion.

  12. Anonymous Coward

    Firefox vs. Chrome

    - Interesting how Chrome has decimated Firefox's share. Hardly something to celebrate if you're Mozilla. Same goes for everyone else, here's why...

    - Closed out my lady's Gmail account. It was for work. Many SMB's / Orgs insist on Gmail in EU / Latam / Asia to keep costs low. Bet Google love that!

    - What I didn't expect is that despite locking down the account Google still slurped all her Bookmarks, Search History, and Forms data including Passwords... So how did that happen?

    - When I rechecked using Google Dashboard / Activity etc, Chrome-Browser-Sync was disabled. So it seems Google don't keep their own T&C.

    - Chrome also has hidden unstoppable forced add-ons (risk of microphone audio recordings sent to cloud). So I don't TRUST CHROME ever again!

    1. RyokuMas
      Devil

      Re: Firefox vs. Chrome

      "Interesting how Chrome has decimated Firefox's share."

      Pretty straightforward really, when you consider that Google pasted "Upgrade your browser!" calls to action all over their search results page, but hey! what's the point of having a monopoly if you don't abuse it?!?

  13. Anonymous Coward

    Mozilla should get its own house in order

    Options -> Disable JavaScript: Buried like M$ does with Win10 settings.

    Options -> Disable Images: Also buried like M$ does with Win10 settings.

    Options -> Privacy: Accept Cookies defaults to Always accept 3rd party.

    To disable Images this must also be set: dom-image-srcset-enabled false.

    Firefox defaults to Google for tons of settings, have to blank all for Privacy.

    Search: Where is Startpage.com or Duckduckgo.com (Yahoo less trustable).

    It's tricky to turn off all the overbearing warnings about Full-Screen Toggling.

    Even harder to stop Firefox checking Addon versions even if all disabled.

    1. Aristotles slow and dimwitted horse

      Re: Mozilla should get its own house in order

      Wow. You make it sound like such a chore to change this stuff when in reality it's really quite simple.

      It took me about 5 clicks and 30 seconds to add Startpage to the list of search engines and to remove the default ones.

      1. Anonymous Coward

        Re: Mozilla should get its own house in order

        Yeah. I agree that it ain't that hard to remove 'google' from your life most of the time. He probably wants his mummy to put his socks on in the morning as well.

    2. Anonymous Coward

      "You make it sound like such a chore / probably wants his mummy to put his socks on"

      - I'll happily take all the help I can get. However you miss the point. We're all tech pros on here, and so we all have friends / family / colleagues / relations that call upon us for help.

      - For the longest time Firefox -> Tools -> Options Enable-Javascript / Show-Images were easily readily available. But some special interests at Mozilla chose to obfuscate these Settings.

      - The fact that 'YOU can manage it' doesn't say much. So you can stop smugly patting yourself on the back as it's unwarranted.

      - Instead spare a thought for the gray warriors out there trying to navigate these changes. You might even know some if you care to look...

      1. jake Silver badge

        Re: "You make it sound like such a chore / probably wants his mummy to put his socks on"

        "gray warriors"? I think you'll find that us "old greys" built the system, and are quite aware of its limitations when it comes to privacy. It's the millennials that I have to keep bailing out of online trouble ...

  14. Pete 2 Silver badge

    Knowledge is not a requirement

    > What was surprising was the high percentage of people who identified as truly feeling defenseless

    But we don't expect people to be savvy about other areas of technology, in order to use it.

    You don't have to be a nuclear engineer to plug in your electric kettle. You don't have to be a mechanical engineer to drive your car. And you don't need to be a financial wizz-kid to have a bank account.

    So it is a little unreasonable to expect "ordinary" people to know, or care, about phishing, viruses, trojans or all the other BUGS IN THE COMPUTER SYSTEMS that allow these things to affect users. The reason that computers, phones and other platforms are insecure is because security was never designed in. And good security is not requiring million-character passwords that must be different for every account. Nor is it requiring the user to jump through hoops just to access a website. Those are aspects that inhibit good security because people will circumvent them or not use them.

    Good security must be transparent. It must not get between the user and what they want to do. It is a failing of IT systems that we don't have secure and usable practices and that the O/S's we use allow and provide for so many security holes.

    1. Charles 9

      Re: Knowledge is not a requirement

      "You don't have to be a nuclear engineer to plug in your electric kettle."

      But you DO need to know to be wary of exposed wires, especially in presence of water (especially once you add salt to it).

      "You don't have to be a mechanical engineer to drive your car."

      But you usually DO need a license. AND you're frequently expected to be able to keep an eye on basics like tire pressure, fuel and fluid levels, etc.

      "And you don't need to be a financial wizz-kid to have a bank account."

      But you ARE told to be wary of unusual activity in your bank statements.

      IOW, at some point the USER has to take some responsibility for using the public networks. Now, requiring a license to use a computer may be a bridge too far, even in a place like the UK where they send agents to enforce TV licenses, but there are just some things that can't be done any other way.

  15. Evil Auditor Silver badge

    I'm basically Mr Robot.

    I do whatever I'm told to do.

    Just wondering how many understood it that way.

  16. Anonymous Coward
    Trollface

    We have transparency

    Everyone knows about tracking and stuff. Most people don't care. What they need is to get screwed over, to learn the hard way.

    1. Anonymous Coward

      Re: We have transparency

      The problem with the Spartan approach is that sometimes people don't survive. Sounds pretty fair until it's one of your family...

  17. jake Silver badge

    "Most people still don't know how to protect themselves online^w"

    FTFY, Mozilla. You're welcome, no charge.

  18. InfoSecuriytMaster

    It's good that this is being discussed. Here's a short list over the last week or so:

    EFF Self Defense https://ssd.eff.org/

    Schneier: Countering DOXing

    https://www.schneier.com/blog/archives/2017/03/defense_against.html

    B.S. has several more relevant over the recent past too.

    Schneier on Digital Security Exchange

    https://www.schneier.com/blog/archives/2017/03/digital_securit.html

    (DSE is at https://medium.com/@levjoy/building-a-digital-security-exchange-d392ad2f4982#.uefklg2nq )

    ZDNet: keep Smart TV from spying

    http://www.zdnet.com/article/how-to-keep-your-smart-tv-from-spying-on-you/

    WIRED: excerpt from Kevin Mitnick's new book on how to go invisible

    https://www.wired.com/2017/02/famed-hacker-kevin-mitnick-shows-go-invisible-online/

    ZDNet: lock down in 60min

    http://www.zdnet.com/article/how-to-lock-up-your-digital-life-in-less-than-an-hour/

    Wired: protect all your /dev

    https://www.wired.com/2017/03/easiest-way-protect-devices-hacks-keep-updated/

    ZDNet: protection from thumb drives

    http://www.zdnet.com/article/this-usb-firewall-protects-against-malicious-device-attacks/

    C|net: VPN

    https://www.cnet.com/how-to/understanding-vpns-and-how-to-choose-one/

    regards

    _/)_ B:ISM

  19. HorstKo

    It's PEBCAK first, then the technology

    How many users fill in "surveys" for "gradious price draws"? Giving away almost ALL identifiable data/infos:

    - Your phone number

    - Your ISP

    - How many children under 16 you have

    - Income bracket

    - Where you live

    - Favorites

    - Email address

    - plenty more

    And THEN they are whining about scam calls, scam mail etc? The best technology cannot stop that. If $USER does not use $BRAIN, never mind upgrade to $BRAIN 1.5.

    IMHO, THAT is the biggest problem. But as I read most of your comments, it is never them. It is the bad ISP, the bad friend with shitty advice or the OS that lets crap on their machines. Really?

    Not in my world. It starts and stops with the person in front of it.

    HAND.

  20. Jove Bronze badge

    It is not Governments and their Agencies that I am concerned about.
