“I thought you might be worried… about the security… of your shit.”

In computer security and cryptography, “adversary” is sometimes used as a generic term to describe anyone trying to break into a system, crack a code or generally wreak havoc in another’s digital domain. It’s a great term – brings a cloak & dagger feel to an extremely dry subject and lays out the theater of computer security as something of a game. Some weeks ago, writer Mat Honan met his adversary in a now well-publicized and widely discussed attack. This post won’t dwell on the particulars of this specific attack, as Honan himself (and many others) already explained and debated the whole thing in excruciating detail over the past few weeks. Rather, this is an exercise in wondering: now what?

The list of Bad Things that can happen to the digital you is immense, but it can be summarized in two items: data loss (your baby’s pictures are gone) and privacy breaches (everybody can read your W-2). Until the advent of the cloud, data loss was all that most people cared about. If you wanted to avoid headaches, there was an easy solution – back up your shit. And that was good advice, until… we were sold on the cloud. It’s approaching household-name status now, with Apple, a company whose branding strategy trends toward stating the blindingly obvious, using the term to name a product. Now backing your shit up is not a problem anymore. Your shit is automatically backed up for you! Where? In the cloud, of course! Neatly organized – together with everybody else’s shit.

Think about it. Evernote begs you to capture your whole life into it so everything can be accessible everywhere. People use Dropbox as if it’s as secure as their hard drives. These products work well, fantastically well, and therein lies the danger – there’s no warning anywhere that maybe one shouldn’t be using these services for sensitive information. Evernote has zero cryptography support. Dropbox doesn’t offer two-factor authentication (yet). There’s intrinsic value to the data you shove into these great services, but you don’t think about it much. This value may be small today, but it is growing every day for each one of us. By contrast, your bank’s web application sucks, but you are very careful in how you use it, and there’s a fair amount of government regulation to make sure that your bank is careful too. Now far be it from this correspondent to recommend government regulation for cloud storage of data that’s not financial or healthcare related, but mark my words – one day someone from these cloud-praising companies may be sitting in a congressional hearing trying to explain what the hell happened. It’s a good idea to get your act together in advance.

Hanlon’s Razor says “never attribute to malice what can be adequately explained by stupidity”. What Mr. Hanlon missed is that (1) sometimes disaster is enabled by a mix of both and (2) when you’re on the receiving end, a disaster caused by malice may not feel very different from one caused by stupidity. Which raises the question: who is the adversary, then? The adversary is not just the black-hat kid social-engineering or scripting his way into your data. He’s also the lazy developer who stored passwords in plain text, the incompetent ops manager who doesn’t patch and upgrade software in a timely manner, the hare-brained product manager who doesn’t double-check the customer care policies for potential security flaws.

In the wake of Mat Honan’s troubles, many articles came about explaining what you should do to avoid his fate. They are filled with great advice. Here’s another: pick your adversaries wisely.