As Internet Technology Program Manager at the Internet Society, Steve Olshansky primarily works on advancing federated identity, access management and cybersecurity technology and policy. He has over 20 years of experience working in the cybersecurity business, and the best part? He’s the newest member of Security Baron’s Expert Network, responsible for making sure our Internet of Things reviews are 100% technologically sound. In this interview, I asked Steve about VPNs, his career, and cybersecurity in general.
1. When do you think VPNs are necessary? Are most VPNs worth using?
VPNs are always a good idea, even at home or work to prevent your ISP or employer from being able to see your DNS queries and traffic (unless otherwise required by workplace legal compliance issues). But VPNs are especially important when you are in network environments outside your control, such as airports, airplanes, coffeeshops, or any other public Wi-Fi. It is relatively trivial for criminals to snoop your traffic in these open environments, or to masquerade as a legitimate Wi-Fi network and perform various attacks on you and your personal information.
However we need to be cautious about *which* VPN we use since there are significant differences between them. You are entrusting them with access to your Internet traffic, since they control the “pipe” and the endpoints through which it flows. They can monitor your DNS queries and traffic, and keep logs that could be sold or shared. And it is important to keep in mind that these are not charities, they are making money somehow. If they are providing the VPN service at no monetary cost to users, they are likely monetizing your data to generate revenue, similar to many “free” social networks.
It is important to read and understand the Terms of Service (ToS) and Privacy Policies, including and especially all of the fine print. But even that is not sufficient since there is no guarantee they are following their published policies. There are a number of credible VPN evaluation and comparison websites available, and you must do your homework if you care about the security and privacy of your data.
2. What qualities do you look for in a VPN?
No user logs maintained, based in jurisdictions outside of oppressive regimes or countries with a known history of abusing privacy protections, transparency in their operations and policies, good ratings from independent and credible VPN evaluation sites…who dig into the details, user-friendly interface, good customer service, use of a known secure communications protocol such as OpenVPN or L2TP/IPsec, a large number of servers distributed around the world, and the ability to pay anonymously through gift cards.
3. You’ve worked in cybersecurity since the mid-90s. What are the biggest changes in approaches that you’ve seen?
It is disheartening to see some users just give up on privacy and security, on the assumption that the battle is lost and it is not worth the time and energy required to educate yourself to make good choices. The Internet and the various services it supports has become much more complex and difficult to secure, and fundamentally the protocols upon which it relies were not designed for such large and untrustworthy environments, requiring a great deal of effort to retrofit security and privacy protections.
Cybercrime has exploded, and the ongoing “arms race” with law enforcement and national security agencies has become much more challenging. There doesn’t seem to be a shortage of naive people who will set aside disbelief and fall for common and obvious scams. Continuing battles against efforts to weaken encryption, by well meaning but ill-informed policymakers, and law enforcement and national security agencies, and their ongoing disregard for the advice of well-known and highly credible experts offering solid advice as to why there is no such thing as a secure back door (as one frequent example),
or failing to understand that fundamentally the laws of mathematics cannot be ignored. 2+2 will always equal 4, no matter how motivated some may be to dispute that. Weakening encryption hurts us all, including law enforcement and national security agencies. Frequent focus on securing data in transit, which is undoubtedly important, but coupled with a disregard for the security of data at rest, where in many cases it is more vulnerable and an easier target.
4. Tell us how you got started in your career.
When I was in grad school working on my MS in Telecommunications in the mid-90s, the Web was just catching fire and people were looking at new innovations running on the Internet infrastructure. It was immediately clear to me that this would be the wave of the future as a platform supporting many applications, and a complex, fascinating, ever-evolving, and multifaceted one at that. At the time I was particularly focused on the use of the Web for collaboration in contrast to tools like Lotus Notes which was dominant at the time. I remain very interested in the collaboration aspects, which like the Web have grown into dimensions not even conceived of at that time.
5. What is it about cybersecurity and telecommunications that initially interested you?
It is the ongoing intellectual challenges inherent in this arena, and the opportunity to work with many brilliant and fascinating people in many areas. Security and telecom will never be “solved” or “finished,” and it is this dynamic that I find particularly appealing.
6. What do you wish more people knew about keeping themselves safe online?
Trust is a difficult thing to achieve in today’s complex online environment, and requires ongoing effort on all of our parts to stay informed and to take affirmative actions to protect ourselves and our data. And we all have an obligation to the Internet at large, as good “netizens,” to ensure that our actions don’t adversely impact the critical infrastructure of the Internet, which we all benefit from and which many take for granted. An example of this is that failing to adequately secure devices under your control not only poses a direct threat to you and your family, but also means that they could be compromised and used in a botnet to attack others – sometimes without you even being aware this is happening.