Archive for the ‘Internet’ Category

In my previous post I lamented the increasing loss of our personal privacy and anonymity due to the efforts of both malignant marketers and our own government.  Now I’ll propose some solutions to get a handle on how much of your communications and Internet behavior you want to expose to these vermin.

Selecting the appropriate approach is a function of perceived costs, including the cost of failure, that is, a breach of anonymity or privacy.  The penalties differ: Google figuring out who you are may be an irritation, but the secret police discovering you may have desperate consequences.

We’ll be looking at three general options: encrypting the traffic between you and a server you are accessing, using a private Virtual Private Network, and finally using an anonymizing network such as Tor.  These are in increasing order of complexity, but they provide increasing levels of security, too.  The focus here is on network security; there are some other security-related things you can do right in your own PC, and I’ll deal with them in a later post.

1.  SSL between the User and the Server

This is the standard “HTTPS” technology that encrypts everything between your computer and the website or server.  SSL is what your bank uses, or Amazon, when you are doing financial transactions.  You are using SSL when the web address bar starts out “HTTPS://”. Once the tunnel is set up (which is completely invisible to the user), the data moving between them in either direction is encrypted in a practically unbreakable cipher, so it is safe from anyone watching the connection.  There are ways for a hostile party to insert themselves between you and the server (a “man in the middle”) and thus capture the data, but the browser’s validation of the server’s certificate is the defense against this; a certificate warning is that defense firing.  This is a good technology, and the following options in this discussion all assume the User is using SSL to talk through the network.

Most of the big email providers such as Gmail, Yahoo Mail, or Hotmail use SSL in all their activity.  If you are not sure, you can always try typing the “https://www. . .” at the beginning of the URL and see if the site takes it.

But if SSL is all you are using, although the data is hidden the identities of you and the server are not – in fact, they are completely in the open, because the actual network addresses need to be unencrypted so the data can be routed.  By capturing the packets that encapsulate the messages between the User and the Server, an adversary who can’t read the data can still see their sources and destinations clearly.  And of course a government (or an ISP operating under a court order) may prevent the user from getting to some websites at all.

So in this case, the data is private but your identity is not.

2.  An anonymizing Virtual Private Network (VPN)

Several services market themselves to users wishing to anonymize their Internet access.  You pay a subscription fee which allows you to connect (via an SSL connection) to the VPN company’s server, of which there may be several in various locations around the world.  The VPN provider then gives you a new IP address, and forwards your traffic to the destination website.  So the destination website in effect thinks that you are located at the VPN’s server, instead of where you actually are.  To use a VPN you have to install a piece of software on your machine that supports your end of the VPN’s tunnel.

Once the SSL connection to the VPN is set up, the conversations with the real destination websites may be encrypted as an additional SSL layer, or they may be unencrypted – in the clear.  In either case, an adversary who can see the user’s packets can see that they are talking to one of the VPN’s public IP addresses, but they cannot decrypt the contents so they can’t see what the ultimate destination is.  This would be the case if the User’s ISP has been compromised and is handing User’s packets to someone for analysis.

At the destination web server, they know that the user’s traffic is coming from a VPN’s public exit node, but they don’t know where or who the originating user is (unless of course the User has logged in with a real identity and the Server has been compromised).  So, in the main, privacy and anonymity have been preserved.  There are threats to this in the situation where a sufficiently powerful adversary (e.g. a government) is involved, see below.

The very weak link in this approach, though, is the VPN provider itself.  If the VPN provider keeps records of which User IPs were mapped to which exit-node IPs, the link between User and Server is suddenly available to subpoena or to malicious recording.  Even if the VPN provider vows to keep no persistent records, a hacker could penetrate their systems and record this data anyway.  Or the provider could err in erasing the active-session data and it could suddenly become available.

This is a lot of protection compared to just plain SSL, and it hides your data from your ISP and anyone on your local network even if the site you are talking to is not encrypted (though in that case the VPN provider and the path from its exit node to the site can still see the unencrypted traffic). And you are somewhat further obfuscated because the VPN provider has a large pool of outbound IP addresses, so marketing schemes that capture your IP address as a way of identifying you will be at least partially foiled because you will likely have a new IP every time you show up.  And because it’s a single hop (you to the provider, then the provider to the destination) it’s quite fast.

A good example of this is ProXPN (this is not an ad, they don’t know me from Adam). There are other good solutions, but this one has the imprimatur of security fussbudget Steve Gibson, for what that’s worth.

3.  A multi-stage anonymizing network, such as Tor

Now we start to get serious. Tor was invented by the US Naval Research Laboratory, as the Onion Routing Project. The goal was to invent a technology that would allow the US government to visit whatever websites they wanted to, without that access ever being traced back to the government.  Tor (The Onion Router) is a public, not-for-profit implementation of that technology. It’s called “onion routing” because it uses multiple layers of encryption and routing (like the layers of an onion) to totally obfuscate your identity. And the cool part is it’s free (your tax dollars at work). Right now Tor is extensively used by dissidents and journalists in the Middle East, China, and southeast Asia, as well as more mundane commercial users.

Tor operates much like the VPN at the start: the user contacts a Tor entry server and sets up an SSL connection with it.  However, instead of connecting to the destination web server right away, Tor wraps the User’s data packets in another layer of encryption and forwards them to another intermediate Tor server, which again re-encrypts the packets and routes them to yet another server, and so on.  Eventually, the layers of encryption are peeled off and at the Tor exit server the User’s packets are sent to their destination.  The paths through the Tor network are randomly selected so an adversary has a virtually impossible task to track them.  By its design, every one of these intermediate servers in this temporary chain knows only the address of the previous server, so the compromise of one does not compromise the whole chain.  And each server uses different keys in performing their encryption, so an adversary is presented with an essentially impossible decryption challenge several times over.

Like the VPN service solution, your anonymity and privacy are protected, but because of the multiple layers of encryption and the lack of any centralized provider (the intermediate nodes are independent of each other and do not know the totality of the route to and from the user) you are completely anonymized and there is no attack point even with a court order or physical access to the server or any intermediate network provider’s records.
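To make the layering concrete, here is an added example (not Tor’s code, and not from the original post) of the onion-routing model the two paragraphs above describe: the client wraps the request once per relay with that relay’s key, and each relay peels only its own layer, so it learns the previous hop, the next hop, and nothing else.  The cipher is a deliberately simple SHA-256 keystream standing in for the AES keys Tor negotiates with each relay; the relay names, keys, destination and request are all constructed for the demo.

```python
import hashlib
import json
import os

# Toy stream cipher, for illustration only: SHA-256 in counter mode yields a
# keystream that is XORed with the data. Tor negotiates a real AES key with
# every relay; nothing here is Tor's code.
def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    stream, counter = b"", 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def add_layer(key: bytes, next_hop: str, inner: bytes) -> bytes:
    """Wrap (next_hop, inner) in one encryption layer under a relay's key."""
    nonce = os.urandom(16)
    plain = json.dumps({"next": next_hop, "inner": inner.hex()}).encode()
    return nonce + keystream_xor(key, nonce, plain)


def peel_layer(key: bytes, blob: bytes):
    """Strip one layer. Returns (next_hop, inner) or None if the key is wrong,
    in which case the decrypted bytes are garbage and do not parse."""
    nonce, body = blob[:16], blob[16:]
    try:
        msg = json.loads(keystream_xor(key, nonce, body))
        return msg["next"], bytes.fromhex(msg["inner"])
    except (ValueError, TypeError, KeyError):
        return None


def build_onion(path, keys, destination: str, message: bytes) -> bytes:
    """Client side: add one layer per relay, innermost (exit) layer first, so
    the exit learns the destination and the entry learns only the next relay."""
    blob, next_hop = message, destination
    for relay in reversed(path):
        blob = add_layer(keys[relay], next_hop, blob)
        next_hop = relay
    return blob


def traverse(path, keys, onion: bytes):
    """Relay side: each relay peels only its own layer and records what it can
    see. Returns (per-relay views, final destination, payload delivered)."""
    views, prev, blob, next_hop = [], "user", onion, None
    for relay in path:
        next_hop, inner = peel_layer(keys[relay], blob)
        views.append({
            "relay": relay,
            "sees_from": prev,        # known from the incoming connection
            "sees_to": next_hop,      # learned by peeling its own layer
            "reads_payload": next_hop not in keys,   # only true at the exit
            "can_open_inner": peel_layer(keys[relay], inner) is not None,
        })
        prev, blob = relay, inner
    return views, next_hop, blob


if __name__ == "__main__":
    path = ["entry", "middle", "exit"]
    keys = {relay: os.urandom(32) for relay in path}   # one key per hop
    # Constructed request to an HTTP (not HTTPS) site: the exit relay sees it.
    onion = build_onion(path, keys, "example.org:80", b"GET / HTTP/1.1")
    for view in traverse(path, keys, onion)[0]:
        print(view)
```

Note that the exit relay does read the payload when the destination is plain HTTP, which is why the post’s earlier remark about adding an SSL layer to the real destination still matters with Tor.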

Tor requires the same kind of VPN tunnel software on your end, as well as some other specialized software, and the Tor package includes a customized version of Firefox that guarantees not to keep cookies or history.  Their website offers you a complete bundle, you just install it and you are on.

So there you have it: three network-based privacy solutions that will cause even the NSA some headaches.  Browse in peace!


Privacy and anonymity on the Internet and in real life are under increasing assault due to companies’ and governmental agencies’ ability to capture incredible amounts of data mainly from Internet traffic, and their ability to track users across websites and services, generally without users’ knowledge.  Once it’s been captured, this data is essentially impossible to erase regardless of whether it is right or in error, and many organizations that have captured such troves of data have demonstrated a weak ability to maintain control of it.

Often this data is used “just” for commercial purposes, but could also be used to threaten to expose users of certain websites or services, or expose holders of unpopular political, social, or economic views, or to prevent people from accessing whatever websites someone in power wishes them not to access.

Privacy and anonymity are different but interrelated, and both are deeply and honorably enshrined in American legal and cultural traditions.  For our purposes,

  • Privacy means other people can’t get information about me (e.g. tax returns or medical records) that I don’t willingly give them, and it’s no business of anyone else’s what websites I go to or what I do online.  To have privacy is part of what it means to be an autonomous human being; if you have no privacy, other people can know everything about you and be able to make decisions for you or predict your actions.
  • Anonymity means I can express opinions, access Internet-based data, or visit websites without anyone knowing who I am in real life, or where I am physically (not being able to find or contact me, in other words to be able to harass, expose, or arrest me).  This should include someone not being able to identify me via some pseudo-me that they have constructed from my presence using cookies, malware, or other hidden identifiers.  Just their not knowing my real name is not enough, to be anonymous is to be unreachable.

I am disturbed by people who, in the wake of 9/11 or because of some other real or perceived terrorist activities, take the position that “only people with something to hide need to hide behind privacy.”  This is nonsense.  We all deserve privacy in our private lives, unless for a very specific reason someone gets a court order to pierce this veil.  Nor is anonymity somehow un-American.  In the early days of our Revolution, Madison, Jay, and Hamilton wrote the Federalist Papers under the name of Publius to avoid any untoward personal issues from their views.  Purer and more patriotic Americans never existed than these!

This situation has been brought about by aggressive data capture technologies, and the ability to cheaply store incredible amounts of raw data and quickly process it to correlate, trace, and extract meaning from even the tiniest pieces of it.  Governments, repressive or otherwise, have used court orders to compel Internet-based services to disgorge details on individuals’ use of these services and have also developed network-penetration techniques (hacking) to harass individuals and obstruct their access to data.  Technology has thus leapt ahead of accepted proper use of it, and indeed ahead of the common person’s ability to even comprehend what is happening.

Here is a good, and seemingly harmless example.  If a woman is a regular Target shopper, using a Red Card or consistently using a single credit or debit card, and she becomes pregnant, Target will know that fact by the third or fourth month with a very high degree of certainty, based on subtle shifts in her buying habits.  Not because she’s buying diapers, because she isn’t yet, but by other changes they won’t make public.  At this point they start biasing their ads delivered to her for the purpose of increasing her “lock in” to Target, so that Target becomes her preferred store during the next couple of years.

But if Target can do this, what if an insurance company could buy data on policyholders that would allow them to determine that you are developing some serious health problems, and raise your rates, or drop you entirely, or not take you on in the first place?  Or could the state pre-emptively revoke your driver’s license?  Or arrest you because they felt you were exhibiting signs of radicalism, whatever that may mean?  And worse yet, if any of these things happened to you, would you even know the reason, or would you think it was some accident of nature?

And now we have the evidence that the National Security Agency has for many years, without any warrant or even hint that any wrong-doing was being carried out, been recording phone call details and Internet access data (“metadata”) on a great fraction of the American public on an ongoing basis.  These governmental criminals then look you in the face and say, “we’re not listening to your calls or looking at your data, we’re just recording this ‘metadata,’ you don’t have to worry!”

Let’s look at this metadata.  For a phone call, it would include your number, where you were, were you moving, who you called, where they were, at what time of day, and how long it lasted.  You may say, “so they know I call my sister in Toledo every Friday evening.  So what?”  Well, if they have the metadata on every call you have made for the last several years, they can build a profile of your normal calling patterns to a surprising level of detail.  Now you start calling – even twice a week, say, a lover in San Antonio.  They would be able to see this as a deviation from your usual calling pattern, and they could be alerted, perhaps, and perhaps interested.

So metadata on calls and Internet accesses is far from harmless.  They don’t have to listen to the calls with this kind of stuff at their fingertips.  Indeed, the call metadata is in many ways superior to merely listening in on somebody’s line.  What Target can do with charge-card metadata, the NSA can do a thousand times over with call metadata.

So what they want to do is to record communication metadata on everybody in the country, forever, so they can go back into it at their convenience, and analyze it retrospectively looking for some hint of wrongdoing.  At this point, we have no personal privacy any more, we are as good as naked on the street.  Even the Chinese or Russian police states don’t (yet) have this power.

So I ask: is this the kind of country we want to live in?


In the beginning, so to speak, the computers were in large buildings, and indeed sometimes they were the building itself.  In some ways they were like the particle accelerators of today, things that had a substantial presence in the landscape not only because of their size but because they consumed the output of a modest-sized power plant to run them. They made the wires hum, literally.  And they were employed in only the most important work: code-cracking, Big Science, and collecting taxes.

Thanks to the replacement of vacuum tubes first by transistors and then by integrated circuits, relentless engineering progress has brought us computers you can hold in your hands that cost only a couple of hundred bucks.  Computing power that would have been a state secret even in the Korean War is now deployed to shoot out emails to your cousin, balance your checkbook, and share the exploits of your cat with the world.  This is good, and progress, and I’m not knocking it.  But as the tasks we employ our computers on have broadened to include the mundane, so our computers have gradually become mundane — just formless boxes that we kick around under our desks. What was once the building has become in our perception visually little more important than a wastebasket.

The original IBM PC was a corporate-decor-friendly beige box whose size and shape arose from the size of the internal components, especially the motherboard and the front-facing diskette (later fixed disk) drives.  They were invariably plunked down in the middle of the desk with the monitor on top so operators could conveniently load and remove 5 1/4″ floppy diskettes, which held about 250,000 bytes.  Nowadays, only optical drives (CDs and DVDs) drive the form factor and these are falling out of favor, replaced by terabyte hard drives and network connections to vast farms of cloud storage.  We never place monitors on them, they are virtually 100% towers, standing on end.  Yet today’s machines are virtually the same size and shape as the original of 30 years ago, but have been shaded off into uniformly dreary dark gray and black, with variously-decorated front panels of translucent plastic showing the occasional status light blinking away.  They are utterly forgettable and ignorable.

But this is wrong — modern PCs are miracles of engineering and construction, and they perform miracles for us day-in and day-out, and it’s unfair for them to be just pushed into the background.  At least, they don’t have to be.

We expect computer cases to do only a few things.  They protect the innards from the occasional careless kick, bump, or coffee-spill.  They keep the data and power cables from being snagged as people pass by.  To some extent they protect the circuits from static electricity, especially in the winter.  And they provide a convenient space for all the component advertising stickers and inventory labels that everyone feels the need to festoon them with.

Cases do not protect against dust, although this is commonly believed to be so; in fact, they are vacuum-cleaners and dust-catchers par excellence.  Cases often create cooling problems because they restrict airflow, thus necessitating multiple fans that then suck in all manner of dust and pet-hair that ultimately interfere with cooling even further, and circuit failure from thermal overload resulting from blocked cooling is quite common.  Note that Apple, which is noted for design excellence, bypasses this completely by clamping heat-generating circuits directly to an internal framework of aluminum alloy which then becomes a heat-sink, eliminating the need for any fans at all.  But such design excellence — the melding of form and function — is an exception.

It doesn’t have to be!  The greatest example of this is the physical packaging of the Cray supercomputers of the 1970s.  They were six-foot-tall cylinders of smoked glass containing the actual processing circuits, fanned out around a central bus, with convenient bench seats arrayed around the base, within which were the I/O circuits and power supplies.  Spare, elegant, and they could be put in the lobby for visitors to admire, yet their form was dictated by the need to keep their interconnect cables as short as possible.  Seymour Cray was an engineer, and he employed engineers, yet the machines were beautiful as well as powerful.

So if we want to move away from the gray-box-on-the-floor packaging, what would we do?  If it should look some other way that better reflects its surroundings or its purpose, yet be totally practical, what would that be?

First, I ignore those bizarre situations where the innards of a PC have been jammed into anything with an available cavity, from mailboxes to toilets to statues of clowns.  They’re just hiding the PC somewhere and while they may be funny or cool social commentary about their job or life (the toilet, for example), they really don’t rank as considered design.  Similarly I am ignoring what is amazingly common, simply covering the existing case with wood panels and then trumpeting this as some kind of artistic statement.  They might as well just cover it with wallpaper, and in many cases that would have been a better plan.

We then seem to have two remaining approaches: first to rearrange and wrap the circuits in a completely different form, perhaps almost sculptural, that downplays but doesn’t deny the inner computer, yet makes it something pleasing to look at so you don’t feel obliged to put it on the floor, or second to celebrate the computer by showing off the circuits in some pleasing way that reminds us that this is a technological product but one with its own distinct aesthetic that we embrace as reflective of our technology-mediated culture.  I have examples of both approaches on my Pinterest board here: http://pinterest.com/jimirick/pc-cases/

Whatever the aesthetics, the end-product must work as a computer: it must provide access to peripheral ports, it must be maintainable, and it must have adequate cooling for all its anticipated power regimes.

My own efforts in this have been focused on the second alternative, to find a way to overtly celebrate the technology yet completely break out of the enclosed-box paradigm.  My current project involves turning the case as it were inside out, leaving just a central spine, onto which I have attached all the various components right out there in the open.  The motherboard is on one side, and everything else is arrayed on the other.  The spine and base are made out of mahogany, cherry, hard maple, and walnut, thus contrasting the sleek industrial look of the components with the ancient and handcrafted feel of the wood cabinetry.  Where there must be fittings or screws, I have used brass ones to contrast nicely with the dark wood.  The doorbell button above the optical drive is the on-button.


There are only two fans: one in the power supply unit, and the other over the heat-sink of the CPU chip.  Because they are not enshrouded in a monstrous box, they both run at essentially idle and the machine is eerily quiet.  It will, of course, accumulate dust, but the cased machines accumulate dust, too, you just can’t see it until it does some damage to the works.  And because the case fans would be moving air at higher speeds, the level of dust inside is larger and denser.  But you don’t have to look at it, although your repairman might.

Photo: Peripheral side.

As to the pure esthetics of it, some people don’t like to look at circuits, they prefer boxes or perhaps the Apple “inscrutable slab” look, and feel that my machine is like “looking at the mayor without his pants on,” and to them I can only say, well, look somewhere else then.  I’m proud of how it looks, I like the circuits and heatsinks and cables, and I’m not tempted to put it on the floor, ignore it, and occasionally kick it.  So there.

For any resident technoids, this machine is built around a Gigabyte GA-Z77X-UD3H motherboard matched with an Intel i5-3570K unlocked-clock quad-core CPU, and has 8 GB of DDR3 memory and a 1 TB Seagate Barracuda disk.  It dual-boots Windows 7 and Ubuntu Linux desktop.  I have named it Machine Des Moines, after Des Moines, our family ghost, because as I pointed out to him it has a case, but you can see right through it.  He was honored.

Photo: Tuning the BIOS on the prototype.


I just got through building myself a new desktop PC.  It’s a combination of the techno and the craftsman — a hot new unlocked 3rd-generation quad-core Intel i5 on a Gigabyte motherboard using the cool Intel Z77 chipset, but without any case.  That’s right, all the boards, cables, fans, and drives are mounted on a vertical wooden spine with nothing around them, hanging out there for everybody to see, bare and uncovered.  Kind of like doing the Bay to Breakers ride in San Francisco: hey, here’s all my stuff, like it or look somewhere else.

But this isn’t about building hardware, it’s about remembering the smug satisfaction I had when I hit the “on” button (an old round brass doorbell button) for the first time and all the engines lit.  I paged through the many Gigabyte BIOS configuration screens and saw all the stuff I could twiddle and reset, it was great.  Digging, getting inside things, looking behind the “user interface” and into the minds of the designers, this makes it all worthwhile.  Hacking it, making it truly mine.  Works for me, big time.

And in that context, it’s disturbing to see how the term “hacker,” which to me is a good and honorable word, is so often used to describe techno-criminals of the worst sort.  Some crook exploits a known exposure in software that a few idiot users have not patched, and steals passwords or vacuums their bank account, and they cry that they were “hacked.” They really weren’t hacked, they were robbed with a computer after they failed to take the most basic precautions to prevent it.  There is a profound difference between hacking and theft.

I suppose it’s useless to try to stop this wretched misuse of the word; once the general press locks onto a name for something they don’t understand, it’s all over but the self-righteous pontification.  But I try; if somebody calls me a hacker I am silently pleased, and I hate to see a perfectly good word turned into a criminal classification.

I recently did find a really good description of what a hacker is, in my terms, and I pass this on for your edification, here.  If you want to hack, here’s the real deal from one of the experts.  What struck me, though, was that one of his suggestions was to become a better and more fluent writer in your own native language, because:

If your writing is semi-literate, ungrammatical, and riddled with misspellings, many hackers (including myself) will tend to ignore you. While sloppy writing does not invariably mean sloppy thinking, we’ve generally found the correlation to be strong — and we have no use for sloppy thinkers. If you can’t yet write competently, learn to.

He also points out that “attitude is no substitute for competence,” which is true to the core, and more surprisingly “develop an analytical ear for music,” and “develop your appreciation of puns and wordplay.”  Guess I’d agree with these, too, from my personal experience.  QED, the essence of being a hacker is no longer to be a reclusive, socially-disabled monomaniac.  Perhaps this reflects the almost overwhelming penetration of technology into our society.  The population of potential hackers is now much larger and includes all kinds of otherwise-normal people.  I’m for it.  Hacking is too much fun and way too important to our national future to be a closed community.


You are going to have to change the way you make up and use passwords, or you’re going to be very sorry.  There.  I’ve said it.  And I really mean it.  Sorry to start out so negative.  Read on, and I’ll tell you why.  And I’ll tell you right up front what to do about it, so you don’t have to read the whole thing if you don’t want.

This is different from the post I just wrote about the Mat Honan hack, which had nothing to do with password strength or hacking or encryption or anything like that, because in that hack the customer service drones at Apple and Amazon simply gave the hackers the passwords — nothing technical can protect you from that kind of “service.”  No, this is about technically hacking your passwords using a psychological understanding of how humans construct passwords, databases of stolen passwords, and readily-available password-cracking software to lay waste to the presumed security of what people believe are “clever” passwords.  They aren’t clever, folks, they are transparent.

As Dan Goodin said in Ars Technica recently:

The ancient art of password cracking has advanced further in the past five years than it did in the previous several decades combined. At the same time, the dangerous practice of password reuse has surged. The result: security provided by the average password in 2012 has never been weaker.

If you read the rest of this post, you will see how this works and why this really has become an issue in the last 6 – 9 months, where it wasn’t before.  If you believe me already and don’t want to dig into the details, fine, here is what you need to do.  If you’re not sure yet, read on — it’s technical but I have simplified it for you, and when you’re done back up to here and start executing these steps:

  1. You need to stop using anything but computer-generated, high-entropy gibberish passwords, at least 12 characters.  See below on the use of long passphrases;
  2. You should manage these passwords through a cloud-resident password manager such as LastPass or 1Password, so you don’t have to remember them;
  3. Critical accounts should be protected by two-factor authentication, wherever they offer it (e.g. the service will send you a text-message with a numeric code you have to enter, in addition to your password);
  4. Anything you are storing in the “cloud,” e.g. iCloud, needs to be encrypted with a private key YOU and only you know, before this data leaves your PC.

There have been several papers, blogs, and articles published in the last 6 months that demonstrate this, specifically here and here and here.  These and a few more even more technical are my sources for this analysis.

Root of the Problem: Corporate Security Incompetence

Almost weekly, it seems, we read about some corporation or governmental entity announcing, “Oopsie, we have been hacked and our password files stolen.”  Yahoo, LinkedIn, Gawker, eHarmony, Last.fm, Sony (multiple times), and many more, all the way back to the RockYou penetration in 2009, are all part of this dismal litany.  Now you might think this is relatively harmless, after all they’re encrypted, right (well, sometimes they are, but sometimes they’re not)?  But it turns out that a stolen password file is anything but harmless.  Right now, there are perhaps around 500,000,000 passwords that have in this fashion been turned over to hackers, who then are free to crack them offline, and share the results of their cracking with each other.

From this immense database of cracked passwords they have extracted rules and probabilities and psychological principles about how real people try to generate secure passwords.  It turns out that these rules are rooted in our human consciousness and apply across broad swathes of the population.  For example, the lame exchange of “L”s by “1”s, or “B”s by “3”, or “O”s by zero and so on.  Or, your name followed by the year you graduated from high school.  Or two words with varying capitalization (duckspit or ducKspiT).  The crackers have built databases and rule engines that follow these and other examples, and run them against stolen passwords until they find a match.

But doesn’t that take, like, twice the age of the Universe to decrypt them?  Well, only if you’re trying to actually decrypt the password.  But they don’t do this — they use their giant index of already-cracked passwords: they take each one, encrypt it the same way the site did, and compare the encrypted value with the encrypted passwords in the stolen file.  If it matches one of them, presto, they have your password, no decrypting necessary!

Example: in the recent LinkedIn hack, they lost 6.5 million passwords, and it took only 6 days for 90% of them to be cracked.  Actually (and I can’t find the reference for this, but I read it somewhere) about 25% of them were cracked in something like the first 30 minutes.  Note the futility of rushing out three or four days later when you heard about it, and “changing your password.”  Almost certainly, your password had already been cracked.

Cracking Engines: Hardware and Software

And they can do this encrypting and comparing very, very quickly.  It turns out that not only are today’s PCs very powerful, the secret weapon is none other than the display adapter boards (GPUs, or Graphics Processing Units) that gamers and statisticians alike use to draw sophisticated images on their monitors.  These boards, by Nvidia, AMD, and others, are in reality very powerful floating-point calculators that are just right for carrying out encryption. You can plug in one, two, or however many you have card-slots for, and you have something that rivals a Cray of 20 years ago.

To make it worse, there is no shortage of free or low-cost software that leverages this hardware to perform the cracking.  Good examples, and far from the only ones, are John the Ripper, HashCat, PassPal, and ExtremeGPU Bruteforcer.  Take a look at them, it’s downright scary.

How fast are they?  Well, Rick Redman of KoreLogic has a machine with four GeForce GTX 480s, certainly not huge by today’s standards, and he can try 6.2 BILLION passwords per second.  Yes, billion, and per second.  At this year’s Defcon hacker conference, a project computer called Project Erebus, made up of 8 Radeon HD7970 GPUs, demonstrated it could test every single combination of 8 characters, including upper and lower cases, numbers, and symbols, in 12 hours.  So, if your password was 8 characters or fewer, it would have been hacked in less than 12 hours.  Actually, in an average of 6 hours!  This machine, believe it or not, cost less than $12,000.

The Result is Where We Are Now

Which is where?  Corporations and website operators have proved dismally inept at protecting the most basic security component, their login / password files.  These losses have fed crackers who are armed with computational power nearly undreamed of only a few years ago, and with software that makes unfortunately fine use of that hardware, to extract the passwords.  A big part of the solution would be to punish the corporations who lose this data with a fine that threatens their existence, and put the CIO in prison for a decade, but I have no hope at all that any such thing will ever come to pass.  They own our data, and we have nothing to say about it.  And when they lose it, it’s tough luck — for us.

So we can no longer be Pollyannas and trust these site operators to competently protect our data.  It seems that, eventually, it will all leak out and fall into the hands of people with the means to pry it open.  So, prudence says to make YOUR passwords ones they have to brute-force, and so will likely give up on.

The only solution then is to make sure that a) our passwords are long, and b) they are so random that they can’t be guessed according to the human-sourced rules the crackers have, and will fall only to lucky brute-forcing.  12 characters gets us back up into the “thousands of years” area but ONLY if the passwords are inhumanly random.  And that’s where the password-handlers I discussed above come in — they can do the heavy lifting for you in this approach — they’ll generate these passwords for you, store them, and then play them back when you need them.

But what about passphrases — long phrases that you can remember (presumably)?  Because they’re so long, aren’t they resistant to cracking? Well, as Jeremi Gosney has said, “If the phrase you have in mind exists anywhere in writing it’s probably in somebody’s wordlist and can be cracked with a rudimentary dictionary attack.”  So, none of that, please.
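As an added illustration (not the post’s own code), here is a small Python check that undoes the tricks described above, plus the keyspace arithmetic at the quoted 6.2 billion guesses per second. The wordlist, substitution table and sample passwords are constructed for the example and stand in for a cracker’s far larger lists.

```python
import secrets
import string
from itertools import product

# Constructed stand-in for a cracker's dictionary (real wordlists run to millions).
WORDLIST = {"duck", "spit", "password", "sunshine", "bob", "london", "correct", "horse"}
# The substitutions the post names (L->1, B->3, O->0), reversed: each digit may be
# itself or the letter it replaced.  Extend the table for other leet-speak habits.
UNLEET = {"1": "1l", "3": "3b", "0": "0o"}
# Upper, lower, digits and symbols: 94 printable characters.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def looks_human_generated(password, wordlist=WORDLIST):
    """True if the password collapses to one or two dictionary words once the tricks
    a rule engine already models are undone: leet substitutions, mixed
    capitalization, and a trailing number such as a graduation year."""
    core = password.lower().rstrip(string.digits)
    if not core:
        return True  # all digits: a PIN-sized keyspace
    options = [UNLEET.get(c, c) for c in core]
    for candidate in ("".join(p) for p in product(*options)):
        if candidate in wordlist:
            return True
        # two words glued together with varying capitalization, e.g. "ducKspiT"
        if any(candidate[:i] in wordlist and candidate[i:] in wordlist
               for i in range(1, len(candidate))):
            return True
    return False


def brute_force_seconds(length, charset_size, guesses_per_second):
    """Average time to brute-force a uniformly random password: on average the
    cracker tries half of charset_size**length possibilities."""
    return charset_size ** length / 2 / guesses_per_second


def random_password(length=12, alphabet=ALPHABET):
    """What a password vault does: every character comes from the OS CSPRNG
    (secrets), never random.random(), so no human pattern survives."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    rate = 6.2e9  # guesses per second, the four-GPU figure quoted in the post
    for pw in ("ducKspiT", "L0nd0n1998", "3ob42", random_password()):
        print(f"{pw!r:20} cheap to crack: {looks_human_generated(pw)}")
    for n in (8, 12):
        years = brute_force_seconds(n, len(ALPHABET), rate) / (365.25 * 86400)
        print(f"{n} random printable chars: about {years:,.1f} years on average")
```

At the quoted rate, 8 random printable characters fall in a matter of days on average, while 12 push the average past a million years, which is the post’s point about length plus randomness.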

Should Password Crackers be Shot?

Actually, I think not.  At first blush, it seems that they are to blame for all our problems: punish them!  But really, if they weren’t doing this, and pointing out the problems, I can assure you the government and the serious crooks WOULD be doing it, and not telling us.  We would be fat and happy using 4-digit PINs online, and they would be reading our every word, and when push came to shove, they would own us.  So I applaud the crackers for punching holes in our complacency and forcing us to take better care of our online assets.

Final Thoughts on Internet Safety

Sometimes the people I talk to start thinking that the Internet is such a dangerous place that they should get offline at once, or they just give up and think that they can’t fend off the hackers and crackers at all, so they might as well not try.  Neither of these is true.  The Internet is just another place we go, like a new downtown or maybe a foreign country.  There are online risks as well as offline risks; we are good at evaluating offline risks (where we would walk at 2 AM, or whether we should get out of a stalled car at all on a freeway), but we are still learning about online risks.  Don’t lose heart, you can adapt as your children surely will.  It’s just the march of progress leading us into new places.


If you’ve been traveling to Pluto or somewhere recently, and are unaware of the spectacular hack carried out against Mat Honan of Wired Online, see my previous post, which also links to his own description of the whole dismal proceeding.  Read it first, so you have an appreciation for the magnitude of the damage he suffered.  Herein is my analysis and a prescription for how to reduce your chances of being subjected to the same kind of abuse.

First of all, I note that there were no bits involved in this hack — this was not a technical attack, they did not guess any passwords or execute some esoteric bombardment of his digital assets.  No, this was purely “social engineering”: the hackers put together data they fraudulently obtained from Amazon’s and Apple’s customer service desks to take control of Honan’s Apple customer account and then leverage that to other services.  In short order they controlled every digital asset he had.  But the penetration was not “techie,” and so no amount of hard-to-guess passwords or whatever would have helped him avoid it.

A great part of his problem was that the two customer-service desks the hackers contacted had procedures in place that allowed them to ignore the fact that the hackers couldn’t answer the security questions Mat had entered.  They therefore got in with relatively simple, relatively public data they had figured out or extracted from somebody else.  You can’t fix this; Apple and Amazon (and others) have to, and to an extent they may already have.  But still, there are steps you can take to help insulate yourself from their stupid procedures.

And remember, there is always a balance between security and convenience in everything you do, online as well as offline.  The problem is, most people are pretty good at evaluating and deciding how to find this balance offline, but not at all experienced at doing so online.  So, my objective is to help you find that online balance.


First, back up your data! If it doesn’t exist in three places, you really don’t want it all that badly.  So, it’s on your machine, second, buy a terabyte external drive and copy it there once in a while, and finally subscribe to a secure online backup.  I use Carbonite, $55 per machine per year to do it automatically, but there are others.

Second, use a password-vault system and let it generate your passwords (at least some of them).  I use LastPass but there are others.  In my opinion, LastPass is the best.  If you don’t bother to do these two things, stop reading here, you have a prodigious appetite for risk.

Now I’m going to make some suggestions to help you deal with the two biggest exposures Mat had, how his accounts were linked, and how his email accounts were guessable.


This is the biggest convenience / security tradeoff area.  You log onto your Gmail account, and lo and behold you can be logged into your calendar.  Or you log into Facebook, and you are seemingly logged into Instagram, or any number of other services that authenticate through another application (because you told them to “log me in using Facebook,” or whatever).  Yahoo, Facebook, Twitter, and Google are the largest authentication providers.  Well, when you do this you are linking your logon credentials among those services, so if they have a failure, or if somebody gets your credentials to the host service, they are into all of the ones that are linked.

So then, the obvious solution to this is to not do so much cross-app linking.  Unlikely to happen, linking is waaaay too convenient.  For example, I myself link Foursquare and Instagram to Facebook, so I can cross-post checkins and quickie pictures to my Facebook timeline.  And my Google services are linked, but linked through Google, not Facebook’s ID and password.

So where you link services, be aware of it.  I usually link only within the same “company,” but not always.  Figure out where you’re linked and consider unwinding some of them.  One of the reasons I use LastPass (see above) is that I can offload some of the “I’m here, log me in over there” work to LastPass instead of letting Google et al. do it — I control LastPass myself, I don’t control Google.


All this is fine, except that even the most sophisticated passworded and unlinked-services approach is useless if their customer service desk hands out your credentials even if whoever is trying to get in can’t answer the security questions.  Their password-reset approach almost universally relies on email to send you a temporary password, so if the attackers have hacked / accessed that account, they now own you because they’ll get to set the new password on your account, and you won’t know it.  This is what happened to Mat.

So then, two suggestions.  First, set up an email address that you use for essentially nothing else, to receive any password resets you ever have.  This is the address that you give them when you register with a service.  Sign up with somebody’s email service and give your username as “duckspit491” or the like, not “yourname”.  And put a different password on it than on any other of your email accounts.

Second, do not use the same ID or address prefix across all the email accounts you happen to have.  Don’t make it yourname@gmail.com and yourname@yahoo.com and yourname@facebook.com.  If all the accounts have one prefix, the attackers just try all the other services to see if you’re using that name there too.  And of course, don’t use the same password for the lot of them!  I have always done this, and I’m surprised that it’s not obvious to others that this is a good idea, but apparently it’s not.  But now, for you, it IS a good idea, right?  Again, LastPass will manage these passwords for you so logging in won’t be a chore.
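As an added illustration, not from the post, here is a small Python model of the two exposures just discussed: it follows “log me in via” links and reset-mail flows to see which accounts fall when one is taken over. The account names and both layouts are constructed for the example.

```python
from collections import deque

# Constructed, hypothetical account layout in the shape the post describes: which
# provider a service logs in through, and which mailbox receives its password
# resets.  Owning an account yields everything that logs in via it or resets to it.
LINKED = {
    "facebook":   {"login_via": None,       "reset_email": "gmail"},
    "instagram":  {"login_via": "facebook", "reset_email": "gmail"},
    "foursquare": {"login_via": "facebook", "reset_email": "gmail"},
    "gmail":      {"login_via": None,       "reset_email": "yahoo"},
    "yahoo":      {"login_via": None,       "reset_email": "gmail"},
    "bank":       {"login_via": None,       "reset_email": "gmail"},
}

# The post's remedy: no cross-provider logins, and every reset goes to a mailbox
# used for nothing else, with its own password.
HARDENED = {name: {"login_via": None, "reset_email": "resetbox"}
            for name in ("facebook", "instagram", "foursquare", "gmail", "bank")}
HARDENED["resetbox"] = {"login_via": None, "reset_email": None}


def takeover_edges(accounts):
    """Directed graph: compromised account -> accounts it unlocks."""
    edges = {name: set() for name in accounts}
    for name, info in accounts.items():
        for upstream in (info["login_via"], info["reset_email"]):
            if upstream in edges:
                edges[upstream].add(name)
    return edges


def blast_radius(accounts, compromised):
    """Accounts reachable from `compromised` through login links and reset-mail
    flows, followed transitively (breadth-first search); excludes itself."""
    edges = takeover_edges(accounts)
    seen, queue = {compromised}, deque([compromised])
    while queue:
        for nxt in edges[queue.popleft()] - seen:
            seen.add(nxt)
            queue.append(nxt)
    return seen - {compromised}


def single_points_of_failure(accounts):
    """Accounts whose loss hands over every other one: the 'they now own you' case."""
    return {a for a in accounts if blast_radius(accounts, a) == set(accounts) - {a}}


if __name__ == "__main__":
    for label, layout in (("linked", LINKED), ("hardened", HARDENED)):
        print(label, "single points of failure:", sorted(single_points_of_failure(layout)))
        print(label, "losing facebook exposes:", sorted(blast_radius(layout, "facebook")))
```

In the linked layout the two mailboxes reset to each other, so losing either one hands over every account; in the hardened layout only the dedicated reset mailbox is a single point of failure, and it is never used for day-to-day logins.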


Just a few additional thoughts; if you do the above you will have already reduced your exposure by quite a bit, but here are some more good practices:

  • Password your phone – the most likely device to be lost. Most people have their phone apps set for auto-login, so if you lose your phone you have lost 90% of your control right there.
  • Consider Gmail’s 2-factor authentication, which can tie logons to Gmail from only the devices that you personally have or use.
  • Don’t log into things you don’t have to. Google wants you to log into your browser, some other services offer that too.  Don’t.  You don’t get much benefit and they get your data. And of course a hacker will get just that little bit more leverage.

Mat Honan was in one sense extremely lucky — the hackers were out to sow chaos and destruction, not out to rob or swindle him, and indeed they didn’t.  But if that had been their intention, they could really have caused him some losses, and he wouldn’t have known where to even start looking for them.


Make enough mistakes, and you will pay the price, no matter how much you think you know.  Here’s a good story about such a major hack, which was carried out on Mat Honan of Wired.  It’s worth reading, and reading carefully.

Part of the problem is rather egregiously poor security practices by AppleCare, Amazon, and to a certain extent, Google.  But a big part of the problem was self-inflicted, since Mat wasn’t properly backed up, he linked his cloud-service providers (iCloud and Google) together, he used the same prefix on many different email accounts (yourname@gmail.com, yourname@me.com, etc., you get the picture), and a few other things that made the attack much more successful and more painful.

He does have one key point, which is that cloud services should have higher security requirements than they do now, and that apparently the providers don’t understand that. Just a password is not enough. And as this points out, even the strongest password is useless if the provider’s customer service personnel will hand out your credentials in exchange for very weak authenticators, in this case billing address and last-four of your credit card.

It’s also not a good idea to link cloud accounts to each other, either using the linkages they provide for your use, or by using the same password on all of them.  This is not their fault, it’s yours.

Here’s the story, read it and weep: http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/

