2009 – That’s a wrap!

Wait, I hear it again
Don’t turn on the lights until we
Hear the way it ends
from Peruvian Skies by Dream Theater

During the course of 2009 I wrote about a number of issues that have had recent developments. So by way of winding down 2009 [yeah I'm glad it's over too] here are updates if not possible conclusions to some of these long running sagas.

In posts entitled Does encryption imply expectation of privacy? and No privilege for you! the basic issue involved was reasonable expectation of privacy or rather legal confusion regarding same when applied to digital communication. According to this article in the Washington post the U.S. Supreme Court will be ruling on the issue of expectation of privacy in the spring of 2010.

The case the court accepted Monday involves public employees, but a broadly written decision could hold a blueprint for private-workplace rules in a world in which communication via computers, e-mail and text messages plays a very large role.

A federal appeals court in California decided that a police officer in the city of Ontario had a right to privacy regarding the texts he sent on his department-issued pager, even though his chief discovered that some of them were sexually explicit messages to his girlfriend. That court said the chief’s decision to read the messages without a suspicion of wrongdoing on the part of the officer violated Fourth Amendment protections against unreasonable searches.

Most employers routinely tell their workers that they have no expectation of privacy when it comes to e-mail and other communications that involve company equipment, and the city of Ontario is no different. It says it “reserves the right to monitor and log all network activity including e-mail and Internet use, with or without notice.”

But the police officer in the case, said the department sent a different message when it handed out pagers to SWAT team members. The department said that the devices were limited to 25,000 characters each month, but that officers also using them for personal purposes could pay for any overage charges.

When the police chief wondered whether the devices were being used mostly for personal messages, the company that provided the texting service, Arch Wireless, turned over transcripts. They showed that a large portion of [the officer's] messages were personal and many of them were sexually explicit. According to court documents, a review of one month’s use showed that 57 of 450 messages were business related.

A lawyer who often represents employers in workplace issues, said the issue is “one of increasing importance to employers.” Though the case before the court involves government employees, case law in the private workplace often evolves from such decisions.

In the world of laptops, cellphones and BlackBerrys, the line between business and personal communications is often blurred and that employers are tolerant “within the realm of reason.”

But often they are under legal obligation to monitor computer use. And when employers monitor the computer use of their workers, it is often because of complaints from co-workers.

The case, Ontario v. Quon, will be heard in the spring.

While this case does not explicitly address either encryption or privileged communication it does serve to illustrate that this is far from a done deal. And the Supreme court ruling will only be one small step towards clarifying the issue. So I’m guessing we can expect lots more on this in the coming years.

In a series of posts about ID Theft, Privacy, Fear and Loathing in Colorado [also in this post and this post] I discussed “Operation Numbers Game”. Here’s a quick recap of the controversial investigation.

“Operation Numbers Game” began after a Texas man told Greeley [Colorado] authorities someone there was using his identity. The suspect in that case alerted law enforcement to the firm that prepared his taxes. Investigators obtained a search warrant [and] seized the returns last year from a tax preparation firm that catered to Latinos in Greeley, where Hispanics make up about a third of the population.

A District Court judge halted the investigation in April. He ruled Weld County authorities violated people’s privacy rights and had no probable cause to inspect the tax returns, which were used to file charges of criminal impersonation and identity theft against more than 70 people.

Weld County appealed the decision.

Weld County District Attorney Ken Buck, a Republican U.S. Senate candidate who advocates stricter immigration laws, has maintained the investigation was about identity theft, not illegal immigration.

Well this little fishing expedition may actually be over. As reported by the Denver channel, the Colorado Supreme Court has ruled against Weld County.

The Colorado Supreme Court says Weld County authorities violated privacy rights of immigrants when sheriff’s deputies seized thousands of tax returns to investigate them for identity theft.

The Court’s Monday ruling affirmed a decision by a Weld County District judge who suppressed evidence against one of the defendants. That judge said authorities had no probable cause to search the man’s tax returns and that the documents are confidential.

The Colorado Immigrant Rights Coalition praised the Supreme Court ruling, saying Weld County’s attempt to enforce federal immigration law was “wrong-headed, costly and did great damage to the community.” The Coalition also said the cases “demonstrates why we need solutions to our broken immigration system.”

“Today’s ruling confirms Operations Number Games to have been an egregious abuse of power by Weld County officials,” the Coalition said in a prepared statement. “Paying taxes is not a crime and should not be made to seem like one. Rather, it is what the U.S. government asks of its residents. Those targeted had their privacy rights violated. The ruling goes to show that the Constitution protects the basic rights of all U.S. residents, regardless of suspected immigration status.”

No word yet on how this ruling will effect Weld County District Attorney Ken Buck’s senate bid and I’m smart enough to not hazard guesses involving politics.

In a series of entries that are shaping up to be the most popular of 2009 I wrote about Colorado Weirdness and the subsequent followup Back to normal in Colorado wherein the primary weirdness was the “balloon boy” incident. This just kept getting stranger as it turned out that the whole thing was a hoax perpetrated with the idea of getting a reality TV show. Well, according to the Denver Post this saga may finally have run it’s course. For now.

Richard and Mayumi Heene, the Fort Collins couple who briefly duped law enforcement and the television-watching world this fall by claiming their son was adrift in a home-made balloon, were sentenced to jail time today for perpetrating the publicity stunt.

Richard Heene, who last month pleaded guilty to a felony charge of attempting to influence a public servant and who took blame today as the brains of the hoax, was sentenced to 90 days in jail. He will have to serve 30 days of the sentence full-time in the Larimer County jail, with the remaining 60 days served on work-release. He must also serve four years on probation.

Mayumi Heene, who helped hatch the scheme and who pleaded guilty to a misdemeanor charge of false reporting, was sentenced to four years probation and 20 days of jail, to be served through a program that allows her to perform jail-supervised community service a couple days a week and return home at night.

The Heenes must also pay a still-to-be-determined amount of restitution, a figure a prosecutor said today could be $47,000 or more. Richard Heene’s lawyer said he intends to challenge that figure.

“In summary,” [Larimer County Court Judge Stephen] Schapanski said in imposing Richard Heene’s sentence, “what this case is about is deception, exploitation — exploitation of the children of the Heenes, exploitation of the media and exploitation of people’s emotions — and money.”

Asked after the hearings whether the Heenes have now given up the pursuit of television notoriety, [Richard Heene's attorney David] Lane was ambiguous.

“I don’t know if they’re done with reality TV,” he said. “Is reality TV done with them?”

And finally there’s this pair of posts about the medical marijuana gold rush in Colorado, Once I was a caregiver and didn’t even know it and Caregivers in Colorado: the saga continues. This has well and truly hit the big time with international coverage by CNN. Take this story by Jim Spellman for instance.

Driving down Broadway, it’s easy to forget you are in the United States. Amid the antique stores, bars and fast-food joints occupying nearly every block are some of Denver’s newest businesses: medical marijuana dispensaries.

The locals call this thoroughfare “Broadsterdam.” As in Amsterdam, Netherlands, these businesses openly advertise their wares, often with signs depicting large green marijuana leaves.

“The American capitalist system is working,” said attorney and medical marijuana advocate Rob Corry.

It’s a matter of supply and demand.

“The demand has always been there,” he said, “and the demand is growing daily because more doctors are willing to do this, and now businesses, entrepreneurs, mom-and-pop shops are cropping up to create a supply.”

Colorado voters legalized medical marijuana in 2000. For years, patients could get small amounts from “caregivers,” the term for growers and dispensers who could each supply only five patients. In 2007, a court lifted that limit and business boomed.

Between 2000 and 2008, the state issued about 2,000 medical marijuana cards to patients. That number has grown to more than 60,000 in the last year.

State Sen. Chris Romer, a Democrat whose south Denver district includes Broadsterdam, said the state receives more than 900 applications a day.

“It’s growing so fast, it’s like the old Wild West,” Romer said. “This reminds me of 1899 in Cripple Creek, Colorado, when somebody struck gold. Every 49er in the country is making it for Denver to open a medical marijuana dispensary.”

Wild West indeed. Everywhere in Colorado counties and municipalities are rushing to declare moratoriums on new medical marijuana dispensaries until somebody figures out how to regulate them. “Why is that a problem?”, you ask. Well let me give you some examples. I’ve already mentioned that in the People’s Republic of Boulder there are now twice as many reefer shops [err... dispensaries] as coffee shops. While this may may not be particularly surprising for Boulder, how about the town of Windsor, Colorado (population 18000) where there are more medical marijuana dispensaries than coffee shops, gas stations, grocery stores and liquor stores combined. At this point I’m thinking that maybe the Federal government should wake up, smell the reefer, legalize pot and tax the heck out of it. Everybody wins. And in this economy just think of all the jobs for caregivers that will be created. That’s right, just suck it up and torch that spliff (or vice versa). You know you want to.

How the TSA can be like Rihanna or not

copyright Chuck JonesBy now everybody has heard about the most recent debacle involving the unredacted TSA manual that was leaked to WikiLeaks. In case you’ve been too busy Christmas shopping or listening to the great free holiday music posted on this blog here, here and here (with a bonus here) CBS news covered it like this.

It was a security breach and a big embarrassment for the Transportation Security Administration. A secret manual that tells airport screeners around the country how to do their jobs somehow wound up on line for all the world to see.

It detailed who should be screened, how often bags are checked for explosives, how to deal with CIA agents traveling with high-value intelligence assets – even provided images of various special identification cards, as CBS News correspondent Bob Orr reports.

The breach reveals some of the government’s most sensitive aviation security secrets. A 93-page manual prepared for federal airport screeners shows samples of law enforcement and official credentials – federal air marshals, CIA officers, and members of Congress – IDs which criminals or terrorists could copy.

Mostly this story has been analyzed to death by everyone from security pros to politicians and pretty much everyone has come to the same conclusion: this was a really bad idea, but good luck getting the nasty genie back into the bottle. That and there are some really clueless TSA employees. But of all the stuff I’ve read about the asinine affair this article by Stewart Baker in the Adfero Group Security Debrief really stands out. Like the Grinch who Stole Christmas [bet you were wondering how I was going to tie this to the season] Stewart has a wonderful, awful idea.

Rep. Peter King, the ranking member of the House Committee on Homeland Security, and other Republican members have sent a letter  to Secretary Napolitano expressing concern about the “repeated reposting” of the unredacted TSA security manual on multiple Web sites and asking her to say whether the sites can be compelled to take it down. They’re right to worry. Whenever someone posts a document that compromises our security, there’s much handwringing about this issue and much breast-beating about the first amendment.  It seems like an unanswerable conundrum.

But there is an answer.  In general, the sites that posted the TSA document don’t post copies of the latest Rihanna album, “Rated R.”  That’s because the damages for posting Rihanna’s album is likely to be $150,000 for each of the thirteen cuts — the damages for willful infringement of Rihanna’s (and Def Jam Recordings’) copyright. First amendment or not, Congress and the courts have agreed that this is a perfectly fine way to deter certain kinds of speech.  Plenty of Democrats and Republicans on the Judiciary Committee have voted for just such deterrence

So here’s my question.  Who thinks that protecting Rihanna’s profits is more important than keeping TSA’s procedures out of al Qaeda’s hands?  Why do we create $1.45 million in liability for pirating “Rated R” and no liability at all for the willful posting of sensitive, properly redacted homeland security information?

And here’s a proposal for Rep. King:  why not set the penalty for willfully disseminating properly classified or sensitive documents at twice the penalty for willfully disseminating registered copyright materials?  And why not let anyone whose security has been put at risk bring that suit?  After all, when the music industry finally gives up its litigation campaign against ordinary Americans, its lawyers are going to have to pay the rent somehow.

Holy free speech abridgment, Batman! What an evilly genius idea! Just let the FBI behave like the RIAA. Of course this begs the questions, “why does the RIAA have have this kind of juice?” and “who got us into this crazy situation?“. Actually the answer to both questions is the same: The US congress. That’s right, the usual suspects. But given Stewart’s conclusion, I suspect that he’s being as facetious with this post as I was when I smacked him with the Grinch stick.

Anyone who voted to increase damage awards for copyright infringement should have no trouble supporting the same protection for national security.  Since the $150,000 figure comes from the “Digital Theft Deterrence and Copyright Damages Improvement Act of 1999,” I’m guessing that a lot of those folks are still around.

Either way I sincerely hope that congress really does love Rihanna more than air security.

Gift of holiday music for all – present 3

As my holiday gift to you, loyal readers, instead of security related commentary, this series of posts contains holiday music for you to enjoy. For free. For you and whoever you would like to share it with.

The earlier posts in this series present 1: Impressions of Christmas 2001 and present 2: Christmas Child 2002 were original arrangements of traditional Christmas carols or new compositions performed, recorded and produced by Larry Hall and me. This present is a bit different. It this years collection of holiday music performed by musicians utilizing the Garritan sample libraries.

Composers and arrangers use Garritan Libraries to realize their compositions and to simulate what a real orchestra and a real conductor would sound like. While the state-of-the-art of digital music continues to advance, our goal is to provide tools for musicians and create opportunities, rather than replace musicians. What products like the Garritan Personal Orchestra have done is to bring the possibility of realizing orchestral compositions to everybody from the most renowned composers to Hollywood film scorers to TV jingle men down to amateurs and music students in their dormitory rooms.

The work done in the recordings on this album are a testament not only to the sophistication of music technology, but also to the skill of the composers, arrangers and programmers who have used these tools so remarkably well. Finally, let’s not forget the powerful force of the sentiments of the season and the inspiration behind the music. Each year we come back to these melodies and forms because they inspire us like no other.

Many thanks to everyone who submitted a song for the Christmas CD. A big thanks as well to Dan Kury who organized this effort and mastered the songs for the album.  And many thanks to James Mireau for the cover art.

The Garritan Community Christmas 2009 CD was a collaborative effort of the Garritan Community and was put together in the spirit of giving for the holiday.

This is the sixth year that the Garritan Community has released an annual collection of free Christmas music. While this is not an endorsement of the Garritan products [they don't compensate me in any way for this], it’s hard not to be completely blown away by the quality of Garritan sound libraries and the talent of the musicians who use them in this project.

A Garritan Community Christmas Volume 6

A Garritan Community Christmas Volume 6

Welcome to the 6th Annual Garritan Community Christmas Album, a unique musical project. A community of musicians from all over the world met on the Garritan community forum and agreed to submit their own recordings of holiday music, to be freely distributed. Each of these orchestral recordings were made not with large live orchestras in vast recording studios at huge expense, but rather were created by a single person working on their own desktop or laptop computer. What they have in common is the use of Garritan libraries representing software musical instruments based on samples of real instruments.

Happy Holidays from Security For All!

Gift of holiday music for all – present 2

As my holiday gift to you, loyal readers, instead of security related commentary, this series of posts contains holiday music for you to enjoy. For free. For you and whoever you would like to share it with.

I should explain where this music comes from. In 2000, Larry Hall and I decided to start recording original arrangements of Christmas Carols. As musicians [Larry is a guitarist, I'm a keyboardist] we were both drawn to Christmas music because traditional Christmas carols are so ingrained in our collective psyche that arrangements can have enormous latitude, exploring different styles and voicing without confusing the listener. By December 2001 we had some material recorded with the help of fellow musicians, drummer Troy Harms and bassist Dean Vendl, so we decided to send the CDs as “Christmas Cards” to those on our collective lists. Thus it began with the music in present 1: Impressions of Christmas 2001.

The “Christmas CD card” idea was such a hit with friends and family that we decided to follow it up with more of the same for the holiday season in 2002. Besides, we already had Larry’s studio configured and a whole bunch of new toys to play with. This musical gift is from that second EP which includes an original composition for which the collection is named. Enjoy.

Christmas Child 2002

1. A Day, Bright Day of Glory – Traditional

2. Patapan (Guillo, Pran Ton Tamborin) – Traditional Burgundian-French

3. We Three Kings of Orient Are – Written by Rev. John H. Hopkins, Jr.

4. Christmas Child – Written by Joe Webster

Larry Hall – acoustic and electric guitars
Joe Webster – keyboards and vocals

Arranged by Larry Hall and Joe Webster
Produced by Larry Hall
Production assistance by Joe Webster
Recorded by Larry Hall at Thirsty Ear Studio
Photograph of Alexis Hall by Robin Morris
Art Direction and Design by Rita Kiefer

This music is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License. That means you can use it for whatever you want – play it on your iPod, burn a CD, give it to your friends, use it in your podcast, play it on the radio, use it as the theme music to your hit TV series – whatever you want. Just give credit to the musicians who made it.

In case you were wondering, that cute baby in the cover image is now a bright, beautiful, talented young keyboardist who collaborates with her father far more often than I do these days.

Happy Holidays from Security For All!

Gift of holiday music for all – present 1

It’s the holiday season! I love this season, and in particular I love Christmas music. As a musician I’m partial to Christmas music for several reasons: traditional Christmas carols are so ingrained in our collective psyche that as an arranger one can explore many different styles and arrangements without confusing the listener and the Christmas season is just, well, inspirational.

So as my holiday gift to you, loyal readers, instead of security related commentary, this post and the several following will contain holiday music for you to enjoy. For free. For you and whoever you would like to share it with.

Actually there is a little security related stuff here [hey - you didn't think you'd get off that easy]. This music is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License. That means you can use it for whatever you want – play it on your iPod, burn a CD, play it on the radio, use it as the theme music to your hit TV series – whatever you want. Just give credit to the musicians who made it, which in this case are Larry Hall, Troy Harms, Dean Vendl and me.

Impressions of Christmas 2001

1. Angels We Have Heard on High – A Caribbean Salvation Army Zydeco band, whose normal drummer is replaced by a rocker meets some strolling mariachis.

Larry Hall – Guitars and programming
Troy Harms – Drums
Joe Webster – Keyboards

2. Bring a Torch, Jeanette Isabella_Carol of the Bells – Chris Webster first suggested doing “Carol of the Bells” as a round. It evolved into this quasi-minimalist tone poem somehow.

Larry Hall – Guitars and Mandolins
Joe Webster – Keyboards

3. I Heard the Bells on Christmas Day – Counterpoint. The Longfellow poem counterpoints war with the peace and hope message of Christmas. What began with the idea to counterpoint the two traditional melodies ended up counterpointing many melodies and diverse musical styles.

Larry Hall – Guitars and Mandolins
Joe Webster – Keyboards

4. O Come, O Come Immanuel – In the weeks following September 11, every TV news show had dramatic, mournful theme music featuring a distant trumpet and and a tolling bell. The inspiration for this arrangement came from that theme music.

Larry Hall – Guitars
Dean Vendl – 7-string electric bass
Joe Webster – Keyboards

Cover image by Digital Blasphemy.

Happy Holidays from Security For All!

Gray haired computing part 3

In part 1 of this series we talked about finding the right computer system and decried the lack of availability of such systems. In part 2 we talked about how to get connected with friends and family when access to a computer system is impossible or impractical. So in this part we’ll start from the assumption that the senior in question – most likely yourself, dear reader – already has a computer system that is more or less usable and are ready to do something fun and useful with it. How do you get from senior citizen to senior netizen, from lost in space to hacker space without being pwned in the process. Actually it’s easier than you think. In fact you probably already know a whole lot more than you realize.

First off let’s define some of this confusing cyberspeak. I mentioned being “pwned” so let’s start there:

In hacker jargon, pwn means to compromise or control, specifically another computer, web site, gateway device, or application.

Why would someone want to do that? As it turns out that’s big business these days. You’ve probably heard about botnets. Here’s what that means.

Botnet is a jargon term for a collection of software robots, or bots, that run autonomously and automatically. Typically botnets are operated by criminal entities.

And what do those criminal entities do with botnets? Mostly they sell bandwidth and compute resources – from the pwned PCs (bots) – to spammers.

Spam is the abuse of electronic messaging systems (including most broadcast media, digital delivery systems) to send unsolicited bulk messages indiscriminately. The most widely recognized form of spam is e-mail spam.

Basically it breaks down like this: Your computer gets pwned and turned into a bot and becomes part of a botnet that is used to send spam like those “cheap viagra” emails that everybody receives.

Another thing you’ve probably heard about is phishing.

In the field of computer security, phishing is the criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication. Communications purporting to be from popular social web sites, auction sites, online payment processors or IT administrators are commonly used to lure the unsuspecting public.

Those are the two biggest threats on the internet. In fact they usually turn out to be a single threat. Here’s how that works: You get a phishing email that purports to be from your bank. Instead of sending you to your bank’s web site it links you to a malicious site that transfers malware to your computer, turning it into a bot.

Malware, short for malicious software, is software designed to infiltrate or damage a computer system without the owner’s informed consent. The term “computer virus” is sometimes used as a catch-all phrase to include all types of malware, including true viruses.

I’m guessing that right about now you are thinking “this sounds really complicated”. While plenty of companies,both legitimate and fraudulent, would like you to believe that, it’s actually not. In truth phishing and spreading malware is nothing more than con games being run in this new environment, the internet. The point being, it’s up to you to avoid being a mark. And this mainly requires a change in the way you think about communication over the internet.

I’ve written about this issue before in a post called the Technology generation gap.

There have been grifters and scam artists around since time immemorial, but it’s only been with the advent of the ubiquitously anonymous internet that the scams, schemes and spam have become pervasive. Back in the day, a grifter’s work was strictly up close and personal as opposed to nowadays when you can hit millions of marks with a single shot. Kind of like a knife fight versus carpet bombing.

You have to understand is that email is not like actual physical mail. It’s easy to get caught up in the abstraction of sending and receiving electronic mail. It appears to work exactly the same as sending or receiving correspondence. Only much faster. Unfortunately there are some dramatic differences between how mail and email work, and these differences make email significantly less private and reliable than mail. When you send a letter via mail it is picked up from a postal drop, transported through a series of post offices where it is postmarked and finally delivered to the intended recipient. Note that the same physical letter that was sent is received and the content of the letter often validates the identity of the sender. Junk mail is also easily identifiable as such. With email it works much differently. When an email message is sent, a copy is sent to and stored on the outgoing email server owned by the sender’s email provider. Then a copy of the message is broadcast over the internet and received, after any number of intermediate stops along the way, by the incoming email server owned by the recipient’s email provider. From there the recipient gets a copy of the email message. Note that there are at least 5 copies of the message created and stored on at least 5 different computers for that one email message. And the sender and recipient only have control over their respective copies. Also because email is by definition computer generated the content cannot be used to validate the sender’s identity. In other words, anyone can type “Dear Grama, … Love, Katey“, but it doesn’t make them Katey. Also, remember those postmarks on letters? They show you where the letter originated from. While email contains a record of where it was sent from, including all intermediate stops along the way, you can’t trust the voracity of this record. It can easily be “spoofed” to appear to be from anywhere the sender wishes. Furthermore since the bulk of the “daisy chain” of email message copies is not controlled by the sender or receiver it can be altered, corrupted or otherwise misused anywhere along the line and no one will be the wiser.

The next thing to understand is that the internet is designed to be anonymous. Just like the famous New Yorker cartoon: “On the internet nobody knows you’re a dog“. Unlike real life where we tend to trust people until they are proven to be untrustworthy, on the internet there are no people, as in actual living human beings, to trust. Actual humans are not directly responsible for a fair portion of internet traffic. Much of the content on the web is generated by bots or other automated processes. For us actual human internet users this requires a complete reversal of the way we’ve always thought about communication. In other words, we must assume that anything we get from the internet is suspect until proven otherwise. Guilty until proven innocent. This is the hardest thing for most of us who grew up before the information age to do. But it’s critical to understanding how the internet works.

The bottom line is this: Trust no one and don’t be an idiot. If it sounds too good to be true, it is. I mean seriously, when you see a scary message pop up on your screen like “your computer is infected with a terrible virus” ask yourself “why would anyone care about my computer?” The answer is obvious, and unless you enjoy being a sucker you’ll treat it the same way you would the street corner three-card-monty dealer. Move on. Nothing interesting here.

Now hold on there, bucko. It has to be more complicated than that. What about all that anti-virus stuff and anti-phishing services? What about Windows update? Well you got me there. The sad fact is that Microsoft Windows spawned a whole industry of snake oil products [Whoa! I knew I felt a conspiracy theory coming on!] that are now required for Windows users. But at least now the Microsoft serpents have eaten the other serpents [Woo Hoo! A vague biblical reference too!] with the introduction of Microsoft’s own anti-malware tools for free. So at least you won’t have to pony up annual subscriptions. Yet. So if you are running a Windows computer, threaten to cut the person who foisted it on you out of your will until they set this up for you. If you have a Mac or Linux computer just send the clever and generous person who gave you such good advice a digital smooch. But just remember, regardless of how much anti-malware stuff you have on your computer, or how up to date you are with all of those “security patches” you are still at risk if you act like an idiot. By contrast you could be running an old unpatched, unprotected Windows 2000 box and be just fine as long as you refuse to be a mark for online grifters.

So that’s the secret. Like most things in life, the easiest solution is the best.