Terry Zink's Anti-malware Blog

Security features only work if everyone plays along

Since Microsoft released Windows XP SP2 and Windows Vista, they have clamped down on security a bit more.  The firewall is enabled by default.  Unlike previous versions, you could format and reinstall Windows but your system would still be wide open to attackers while this process was occurring and you were installing security patches.

Similarly, with antiviruses, they are good at protecting your computer from bots and from turning your computer into a node of a botnet, but it only works if you keep it up to date.  If you disable your antivirus and your firewall, then you've pretty much defeated the purpose of security.

I tell you this because while it is obvious to everyone, humans are always the weak point in the security process.  Security only works if everyone plays along and follows the rules.  Let me tell you a story to illustrate this, it is a true story.

Next month, I am going to visit China for a couple of weeks.  In order for a US or Canadian citizen to get into China on a tourist visa, you have to get a Chinese travel visa.  To that end, I had to physically mail my passport to an agency that handles these requests.  I also had to fill in a bunch of documentation, and include my work visa.  This means that I had to send in my actual passport and all of my work documentation where I couldn't keep it close to me in my secure location (I've lost my passport before -- it sucks when that happens).

Now, they processed it and sent it back and I got an email confirmation from Fedex saying that they had delivered it.  It was (supposedly) delivered on Sept 25 and I got back into town on Sept 27.  I went to my door, but no package from Fedex!  I went to my apartment head office, and they had nothing either.  I phoned up Fedex and they said that a signature was required, but no one was there so they took it back (even though the confirmation on the web site said they left it there at the door).  I said "Fine, deliver it to the main office then."  They said "Okay."  After I hung up the phone, they added "...sucker!"

Two days pass, and no package from Fedex and I am beginning to panic.  I call up Fedex and ask "WTF is my package?  It's critical I get this!"  They said they'd get someone to look into it and call me back.  Again, after I hung up the phone, they added "...sucker."  Now, at this point I'm beginning to get antsy.  My passport contains my work visa.  I began running through the scenarios, if I couldn't get this thing back, I'd have to call the police because technically a passport is property of the federal gov't.  Maybe they'd kick-start the process.

I got back to my apartment and had a thought.  My condo number is #A106 (not my real one) in Phase II.  What if Fedex delivered it to Phase I?  I walked about 200 yards up the road to Phase I, to #A106.  I walked up the stairs, looked and sure enough, there was a package from Fedex, addressed to me, lying outside the door which a few other bags and stuff.  It had been sitting there for five days unattended, where anyone (or anything, like a raccoon) could have grabbed it and tossed it away.

The reason people send stuff by Fedex is for security and tracking -- so I can have peace of mind that the package is traceable.  But for crying out loud, that only works if you deliver a secure package and don't leave it outside the door!  In other words, all of this security broke down at the end when the driver decided to dispense with all of the security features inherent in tracked mail and leave it unattended when anyone could have picked it up.  Seriously, am I alone in thinking that's analogous to turning off your firewall or disabling your antivirus?

At least I don't have to cancel my trip.