Archive for the ‘Privacy’ Category

In my previous post I lamented the increasing loss of our personal privacy and anonymity due to the efforts of both malignant marketers and our own government.  Now I’ll propose some solutions to get a handle on how much of your communications and Internet behavior you want to expose to these vermin.

Selecting the appropriate approach is a function of perceived costs including the cost of failure, that is, a breach of anonymity or privacy.  There are different penalties, obviously Google figuring out who you are may be an irritation, but the secret police’s discovering you may have desperate consequences.

We’ll be looking at three general options: encrypt the traffic between you and a server you are accessing, using a private Virtual Private Network, and finally using an anonymizing network such as Tor.  These are in increasing order of complexity but provide increasing levels of security, too.  This is a focus on network security, there are some other security-related things you can do right in your own PC, I’ll deal with them in a later post.

1.  SSL between the User and the Server

This is the standard “HTTPS” technology that encrypts everything between your computer and the website or server.   SSL is what your bank uses, or Amazon, when you are doing financial transactions.  You are using SSL when the web address bar starts out “HTTPS://”. Once the tunnel is set up (which is completely invisible to the user), the data moving between them in either direction is encrypted in what is a practically-unbreakable cypher.  The data is therefore safe from anyone.  There are ways for a hostile party to insert themselves between you and the server and thus capture the data, but there are also defenses against this.  This is a good technology, the following options in this discussion all assume the User is using SSL to talk through the network.

Most of the big email providers such as Gmail, Yahoo Mail, or Hotmail use SSL in all their activity.  If you are not sure, you can always try typing the “https://www. . .” at the beginning of the URL and see if the site takes it.

But if SSL is all you are using, although the data is hidden the identities of you and the server are not – in fact, they are completely in the open because the actual network addresses need to be unencrypted so the data can be routed.  By capturing the packets that encapsulate the messages between the User and the Server, although the adversary can’t read the data their sources and destinations are clearly visible.  And of course if a government (or an ISP operating under a court order) may prevent the user from getting to some websites at all.

So in this case, the data is private but your identity is not.

2.  An anonymizing Virtual Private Network (VPN)

Several services market themselves to users wishing to anonymize their Internet access.  You pay a subscription fee which allows you to connect (via an SSL connection) to the VPN company’s server, of which there may be several in various locations around the world.  The VPN provider then gives you a new IP address, and forwards your traffic to the destination website.  So the destination website in effect thinks that you are located at the VPN’s server, instead of where you actually are.  To use a VPN you have to install a piece of software on your machine that supports your end of the VPN’s tunnel.

Once the SSL connection to the VPN is set up, the conversations with the real destination websites may be encrypted as an additional SSL layer, or they may be unencrypted – in the clear.  In either case, an adversary who can see the user’s packets can see that they are talking to one of the VPN’s public IP addresses, but they cannot decrypt the contents so they can’t see what the ultimate destination is.  This would be the case if the User’s ISP has been compromised and is handing User’s packets to someone for analysis.

At the destination web server, they know that the user’s traffic is coming from a VPN’s public exit node, but they don’t know where or who the originating user is ( unless of course the User has logged in with a real identity and the Server has been compromised).  So, in the main, privacy and anonymity have been preserved.  There are threats to this in the situation where a sufficiently powerful adversary (e.g. a government) is involved, see below.

The very weak link in this approach, though, is the VPN provider itself.  If the VPN provider keeps records of which User IPs were mapped to which exit-node IPs, the link between User and Server is suddenly available to subpoena or to malicious recording.  Even if the VPN provider vows to keep no persistent records, a hacker could penetrate their systems and record this data anyway.  Or the provider could err in erasing the active-session data and it could suddenly become available.

This is a lot of protection compared to just plain SSL, and it hides your data even if the site you are talking to is not encrypted. And you are somewhat further obfuscated because the VPN provider has a large pool of outbound IP addresses, so marketing schemes that capture your IP address as a way of identifying you will be at least partially foiled because you will likely have a new IP every time you show up.  And because it’s a single hop (you through the VPN to the provider to the destination) it’s quite fast.

A good example of this is ProXPN (this is not an ad, they don’t know me from Adam). There are other good solutions, but this one has the imprimateur of security fussbudget Steve Gibson, for what that’s worth.

3.  A multi-stage anonymizing network, such as Tor

Now we start to get serious. Tor was invented by the US Naval Research Laboratory, as the Onion Routing Project. The goal was to invent a technology that would allow the US government to visit whatever websites they wanted to, and have this access never forever traced back to the government.  Tor (The Onion Router) is a public, not-for-profit implementation of that technology. It’s called “onion routing” because it uses multiple layers of encryption and routing (like the layers of an onion) to totally obfuscate your identity. And the cool part is it’s free (your tax dollars at work). Right now Tor is extensively used by dissidents and journalists in the Middle East, China, and southeast Asia, as well as more mundane commercial users.

Tor operates much like the VPN at the start: the user contacts a Tor entry server and sets up an SSL connection with it.  However, instead of connecting to the destination web server right away, Tor wraps the User’s data packets in another layer of encryption and forwards them to another intermediate Tor server, which again re-encrypts the packets and routes them to yet another server, and so on.  Eventually, the layers of encryption are peeled off and at the Tor exit server the User’s packets are sent to their destination.  The paths through the Tor network are randomly selected so an adversary has a virtually impossible task to track them.  By its design, every one of these intermediate servers in this temporary chain knows only the address of the previous server, so the compromise of one does not compromise the whole chain.  And each server uses different keys in performing their encryption, so an adversary is presented with an essentially impossible decryption challenge several times over.

Like the VPN service solution, your anonymity and privacy are protected, but because of the multiple layers of encryption and the lack of any centralized provider (the intermediate nodes are independent of each other and do not know the totality of the route to and from the user) you are completely anonymized and there is no attack point even with a court order or physical access to the server or any intermediate network provider’s records.

Tor requires the same kind of VPN tunnel software on your end, as well as some other specialized software, and the Tor package includes a customized version of Firefox that guarantees not to keep cookies or history.  Their website offers you a complete bundle, you just install it and you are on.

So there you have it: three network-based privacy solutions that will cause even the NSA some headaches.  Browse in peace!


Read Full Post »

Privacy and anonymity on the Internet and in real life are under increasing assault due to companies’ and governmental agencies’ ability to capture incredible amounts of data mainly from Internet traffic, and their ability to track users across websites and services, generally without users’ knowledge.  Once it’s been captured, this data is essentially impossible to erase regardless of whether it is right or in error, and many organizations that have captured such troves of data have demonstrated a weak ability to maintain control of it.

Often this data is used “just” for commercial purposes, but could also be used to threaten to expose users of certain websites or services, or expose holders of unpopular political, social, or economic views, or to prevent people from accessing whatever websites someone in power wishes them not to access.

Privacy and anonymity are different but interrelated, and both are deeply and honorably enshrined in American legal and cultural traditions.  For our purposes,

  • Privacy means other people can’t get information about me (e.g. tax returns or medical records) that I don’t willingly give them, and it’s no business of anyone else’s what websites I go to or what I do online.  To have privacy is part of what it means to be an autonomous human being; if you have no privacy, other people can know everything about you and be able to make decisions for you or predict your actions.
  • Anonymity means I can express opinions, access Internet-based data, or visit websites without anyone knowing who I am in real life, or where I am physically (not being able to find or contact me, in other words to be able to harass, expose, or arrest me).  This should include someone not being able to identify me via some pseudo-me that they have constructed from my presence using cookies, malware, or other hidden identifiers.  Just their not knowing my real name is not enough, to be anonymous is to be unreachable.

I am disturbed by people who, in the wake of 9/11 or because of some other real or perceived terrorist activities, take the position that “only people with something to hide need to hide behind privacy.”  This is nonsense.  We all deserve privacy in our private lives, unless for a very specific reason someone gets a court order to pierce this veil.  Nor is anonymity somehow un-American.  In the early days of our Revolution, Madison, Jay, and Hamilton wrote the Federalist Papers under the name of Publius to avoid any untoward personal issues from their views.  Purer and more patriotic Americans never existed than these!

This situation has been brought about by aggressive data capture technologies, and the ability to cheaply store incredible amounts of raw data and quickly process it to correlate, trace, and extract meaning from even the tiniest pieces of it.  Governments, repressive or otherwise, have used court orders to compel Internet-based services to disgorge details on individuals’ use of these services and have also developed network-penetration techniques (hacking) to harass individuals and obstruct their access to data.  Technology has thus leapt ahead of accepted proper use of it, and indeed ahead of the common person’s ability to even comprehend what is happening.

Here is a good, and seemingly harmless example.  If a woman is a regular Target shopper, using a Red Card or consistently using a single credit or debit card, and she becomes pregnant, Target will know that fact by the third or fourth month with a very high degree of certainty, based on subtle shifts in her buying habits.  Not because she’s buying diapers, because she isn’t yet, but by other changes they won’t make public.  At this point they start biasing their ads delivered to her for the purpose of increasing her “lock in” to Target, so that Target becomes her preferred store during the next couple of years.

But if Target can do this, what if an insurance company could buy data on policyholders that would allow them to determine that you are developing some serious health problems, and raise your rates, or drop you entirely,or not take you on in the first place?  Or could the state pre-emptively revoke your driver’s license?  Or arrest you because they felt you were exhibiting signs of radicalism, whatever that may mean?  And worse yet, if any of these things happened to you, would you even know the reason, or would you think it was some accident of nature?

And now we have the evidence that the National Security Agency has for many years, without any warrant or even hint that any wrong-doing was being carried out, been recording phone call details and Internet access data (“metadata”) on a great fraction of the American public on an ongoing basis.  These governmental criminals then look you in the face and say, “we’re not listening to your calls or looking at your data, we’re just recording this ‘metadata,’ you don’t have to worry!”

Let’s look at this metadata.  For a phone call, it would include your number, where you were, were you moving, who you called, where they were, at what time of day, and how long it lasted.  You may say, “so they know I call my sister in Toledo every Friday evening.  So what?”  Well, if they have the metadata on every call you have made for the last several years, they can build a profile of your normal calling patterns to a surprising level of detail.  Now you start calling – even twice a week, say, a lover in San Antonio.  They would be able to see this as a deviation from your usual calling pattern, and they could be alerted, perhaps, and perhaps interested.

So metadata on calls and Internet accesses is far from harmless.  They don’t have to listen to the calls with this kind of stuff at their fingertips.  Indeed, the call metadata is in many ways superior to merely listening in on somebody’s line.  What Target can do with charge-card metadata, the NSA can to a thousand times over with call metadata.

So what they want to do is to record communication metadata on everybody in the country, forever, so they can go back into it at their convenience, and analyze it retro-spectively looking for some hint of wrongdoing.  At this point, we have no personal privacy any more, we are as good as naked on the street.  Even the Chinese or Russian police states don’t (yet) have this power.

So I ask: is this the kind of country we want to live in?

Read Full Post »

You are going to have to change the way you make up and use passwords, or you’re going to be very sorry.  There.  I’ve said it.  And I really mean it.  Sorry to start out so negative.  Read on, and I’ll tell you why.  And I’ll tell you right up front what to do about it, so you don’t have to read the whole thing if you don’t want.

This is different from the post I just wrote about the Mat Honan hack, which had nothing do to with password strength or hacking or encryption or anything like that, because in that hack the customer service drones at Apple and Amazon simply gave the hackers the passwords — nothing technical can protect you from that kind of “service. ”  No, this is about technically hacking your passwords using a psychological understanding of how humans construct passwords, databases of stolen passwords, and readily-available password-cracking software to lay waste to the presumed security of what people believe are “clever” passwords.  They aren’t clever, folks, they are transparent.

As Dan Goodin said in Ars Technica recently:

The ancient art of password cracking has advanced further in the past five years than it did in the previous several decades combined. At the same time, the dangerous practice of password reuse has surged. The result: security provided by the average password in 2012 has never been weaker.

If you read the rest of this post, you will see how this works and why this really has become an issue in the last 6 – 9 months, where it wasn’t before.  If you believe me already and don’t want to dig into the details, fine, here is what you need to do.  If you’re not sure yet, read on — it’s technical but I have simplified it for you, and when you’re done back up to here and start executing these steps:

  1. You need to stop using anything but computer-generated, high-entropy gibberish passwords, at least 12 characters.  See below on the use of long passphrases;
  2. You should manage these passwords through a cloud-resident password manager such as LastPass or 1password, so you don’t have to remember them;
  3. Critical accounts should be protected by two-factor authentication, wherever they offer it (e.g. the service will send you a text-message with a numeric code you have to enter, in addition to your password.
  4. Anything you are storing in the “cloud,” e.g. iCloud, needs to be encrypted with a private key YOU and only you know, before this data leaves your PC.

There have been several papers, blogs, and articles published in the last 6 months that demonstrate this, specifically here and here and here.  These and a few more even more technical are my sources for this analysis.

Root of the Problem: Corporate Security Incompetence

Almost weekly, it seems, we read about some corporation or governmental entity announcing, “Oopsie, we have been hacked and our password files stolen.”  Yahoo, LinkedIn, Gawker, eHarmony, Lastfm, Sony (multiple times), and many more, all the way back to the RockYou penetration in 2009, are all part of this dismal litany.  Now you might think this is relatively harmless, after all they’re encrypted, right (well, sometimes, anyway they’re encrypted, but sometimes they’re not)?  But it turns out that a stolen password file is anything but harmless.  Right now, there are perhaps around 500,000,000 passwords that have in this fashion been turned over to  hackers, who then are free to crack them offline, and share the results of their cracking with each other.

From this immense database of cracked passwords they have extracted rules and probabilities and psychological principles about how real people try to generate secure passwords.  It turns out that these rules are rooted in our human consciousness and apply across broad swathes of the population.  For example, the lame exchange of “L”s by “1”s, or “B”s by “3”, or “O”s by zero and so on.  Or, your name followed by the year you graduated from high school.  Or two words with varying capitalization (duckspit or ducKspiT).  The crackers have built databases and rule engines that follow these and other examples, and run them against stolen passwords until they find a match.

But doesn’t that take, like, twice the age of the Universe to decrypt them?  Well, only if you’re trying to actually decrypt the password.  But they don’t do this — they use their giant index of already-cracked passwords and take yours, encrypt it, and compare the encrypted value with the encrypted password in their index.  If it matches one of them, presto, they have your password, no decrypting necessary!

Example: in the recent LinkedIn hack, they lost 6.5 million passwords, and it took only 6 days for 90% of them to be cracked.  Actually (and I can’t find the reference for this, but I read it somewhere) about 25% of them were cracked in something like the first 30 minutes.  Note the futility of rushing out three or four days later when you heard about it, and “changing your password.”  Almost certainly, your password had already been cracked.

Cracking Engines: Hardware and Software

And they can do this encrypting and comparing very, very quickly.  It turns out that not only are today’s PCs very powerful, the secret weapon is none other than the display adapter boards (GPUs, or Graphics Processing Units) that gamers and statisticians alike use to draw sophisticated images on their monitors.  These boards, by Nvidia, AMD, and others, are in reality very powerful floating-point calculators that are just right for carrying out encryption. You can plug in one, two, or however many you have card-slots for, and you have something that rivals a Cray of 20 years ago.

To make it worse, there is no shortage of free or low-cost software that leverages this hardware to perform the cracking.  Good examples, and far from the only ones, are John the Ripper, HashCat, PassPal, and ExtremeGPU Bruteforcer.  Take a look at them, it’s downright scary.

How fast are they? Well, Rick Redman of KoreLogic has a machine with four GeForce GTX 480s, certainly not huge by today’s standards, and he can try 6.2 BILLION passwords per second.  Yes, billion, and per second.  At this year’s Defcon hacker conference, a project computer called Project Erebus made up of 8 Radeon HD7970 GPUs demonstrated it could test every single combination of 8 characters, including upper and lower cases, numbers, and symbols, in 12 hours.  So, if your password was 8 characters or less, it would have been hacked in less than 12 hours.  Actually, in an average of 6 hours!  This machine, believe it or not, cost less than $12,000.

The Result is Where We Are Now

Which is where?  Corporations and website operators have proved dismally inept at protecting the most basic security component, their login / password files, and these losses have fed crackers who are armed with computational power nearly undreamed of only a few years ago, and software that makes unfortunately fine use of their advanced hardware platform, to extract the passwords.  A big part of the solution would be to punish the corporations who lose this data by a fine that threatens their existence, and put the CIO in prison for a decade, but I have no hope at all that any such thing will ever come to pass.  They own our data, and we have nothing to say about it.  And when they lose it, it’s tough luck — for us.

So we can no longer be Pollyannas and trust these site operators to competently protect our data.  Pretty much, eventually it seems that it will all leak out and fall into the hands of people with the means to pry it open.  So, prudence says to make YOUR passwords one of the ones they have to brute-force and so likely give up on.

The only solution then is to make sure that a) our passwords are long, and b) they are so random that they can’t be guessed according to the human-sourced rules the crackers have, and will fall only to lucky brute-forcing.  12 characters gets us back up into the “thousands of years” area but ONLY if the passwords are inhumanly random.  And that’s where the password-handlers I discussed above come in — they can do the heavy lifting for you in this approach — they’ll generate these passwords for you, store them, and then play them back when you need them.

But what about passphrases — long phrases that you can remember (presumably)?  Because they’re so long, aren’t they resistant to cracking? Well, as Jeremi Gosney has said, “If the phrase you have in mind exists anywhere in writing it’s probably in somebody’s wordlist and can be cracked with a rudimentary dictionary attack.”  So, none of that, please.

Should Password Crackers be Shot?

Actually, I think not.  At first blush, it seems that they are to blame for all our problems, punish them!  But really, if they weren’t doing this, and pointing out the problems, I can assure you the government and the serous crooks WOULD be doing it, and not telling us.  We would be fat and happy using 4-digit pins online, and they would be reading our every word and when push came to shove, they would own us.  So I applaud the crackers for punching holes in our complacency and forcing us to take better care of our online assets.

Final Thoughts on Internet Safety

Sometimes the people I talk to start thinking that the Internet is such a dangerous place that they should get offline at once, or they just give up and think that they can’t find off the hackers and crackers at all, so they might as well not try.  Neither of these is true.  The Internet is just another place we go, like a new downtown or maybe a foreign country.  There are online risks as well as offline risks; we are good at evaluating offline risks (where we would walk at 2 AM or whether we should get out of a stalled car at all on a freeway), but we are still learning about online risks.  Don’t lose heart, you can adapt as your children surely will.  It’s just the march of progress leading us into new places.

Read Full Post »

If you’ve been traveling to Pluto or somewhere recently, and are unaware of the spectacular hack carried out against Mat Honan of Wired Online, see my previous post, which also links to his own description of the whole dismal proceeding.  Read it first, so you have an appreciation for the magnitude of the damage he suffered.  Herein is my analysis and a prescription for how to reduce your chances of being subjected to the same kind of abuse.

First of all, I note that there were no bits involved in this hack — this was not a technical attack, they did not guess any passwords or execute some esoteric  bombardment of his digital assets.  No, this was purely “social engineering,” the hackers put together data they fraudulently obtained from Amazon’s and Apple’s customer service desks to take control of Honan’s Apple customer account and then leverage that to other services.  In short order they controlled every digital asset he had.  But the penetration was not “techie” and so no amount of hard-to-guess passwords or whatever would have helped him avoid it.

A great part of his problem was that the two customer-service desks the hackers contacted had procedures in place that allowed them to ignore the fact that the hackers couldn’t answer the security questions Mat had entered.  They therefore got in with relatively simple, relatively public data  they had figured out or augured out of somebody else.  You can’t fix this, Apple and Amazon (and others) have to, and to an extent they may already have. But still, there are steps you can take to help insulate yourself from their stupid procedures.

And remember, there is always a balance between security and convenience in everything you do, online as well as offline.  The problem is, most people are pretty good at evaluating and deciding how to find this balance offline, but not at all experienced at doing so online.  So, my objective is to help you find that online balance.


First, back up your data! If it doesn’t exist in three places, you really don’t want it all that badly.  So, it’s on your machine, second, buy a terabyte external drive and copy it there once in a while, and finally subscribe to a secure online backup.  I use Carbonite, $55 per machine per year to do it automatically, but there are others.

Second, use a password-vault system  and let it generate your passwords (at least some of them), I use LastPass but there are others.   In my opinion, LastPass is the best.   If you don’t bother to do these two things, stop reading here, you have a prodigious appetite for risk.

Now I’m going to make some suggestions to help you deal with the two biggest exposures Mat had, how his accounts were linked, and how his email accounts were guessable.


This is the biggest convenience – security tradeoff area.  You log onto your gmail account, and lo and behold you can be logged into your calendar.  Or, you log into Facebook, and you are seemingly logged into Instagram, or any number of other services that authenticate (because you told them to “log me in using Facebook, or whatever”) through another application.  Yahoo, Facebook, Twitter, and Google are the largest authentication providers.  Well, when you do this you are linking your logon credentials among those services., so if they have a failure, or if somebody gets your credentials to the host service, they are into all of the ones that are linked.

So then, the obvious solution to this is to not do so much cross-app linking.  Unlikely to happen, linking is waaaay to convenient.  For example, I myself link Foursquare and Instagram to Facebook, so I can cross-post checkins and quickie pictures to my Facebook timeline.  And my Google services are linked, but linked through Google, not Facebook’s ID and password.

So where you link services, be aware of it.  I usually link only within the same “company,” but not always.  Figure out where you’re linked and consider unwinding some of them.  One of the reasons I use LastPass (see above) is that I can offload some of the “I’m here, log me in over there” work to LastPass instead of letting Google et.al. do it — I control LastPass myself, I don’t control Google.


All this is fine, except that even the most sophisticated passworded and unlinked-services approach is useless if their customer service desk hands out your credentials even if whoever is trying to get in can’t answer the security questions.  Their password-reset approach almost universally relies on email to send you a temporary password, so if the attackers have hacked / accessed that account, they now own you because they’ll get to set the new password on your account, and you won’t know it.  This is what happened to Mat.

So then, two suggestions.  First, set up an email address that you use for essentially nothing else, to receive any password resets you ever have.  This is the address that you usually give them when you register with the service.   Sign up with somebody’s email service and give your username as “duckspit491” or the like, not “yourname”.   And put a different password on it than any other of your email accounts.

Second, do not use the same ID or address prefix across all the email accounts you happen to have.  Don’t make it yourname@gmail.com andyourname@yahoo.com and yourname@facebook.com.  If you do this, if all the accounts have one prefix, the attackers just try all the other services to see if you’re using that name there too. And of course, don’t use the same password for the lot of them!  I have always done this, and I’m surprised that it’s not obvious to others that this is a good idea, but it’s not.  But now, for you, it IS a good idea, right?   Again, LastPass will manage these passwords for you so logging in won’t be a chore.


Just a few additional thoughts; if you do the above you will have already reduced your exposure by quite a bit, but here’s some more good practices:

  • Password your phone – the most likely device to be lost. Most people have their phone apps set for auto-login, so if you lose your phone you have lost 90% of your control right there.
  • Consider Gmail’s 2-factor authentication, which can tie logons to Gmail from only the devices that you personally have or use.
  • Don’t log into things you don’t have to. Google wants you to log into your browser, some other services offer that too.  Don’t.  You don’t get much benefit and they get your data. And of course a hacker will get just that little bit more leverage.

Mat Honan was in one sense extremely lucky — the hackers were out to sow chaos and destruction, not out to rob or swindle him, and indeed they didn’t.  But if that had been their intention, they could really have caused him some losses, and he wouldn’t have known where to even start looking for them.

Read Full Post »

Make enough mistakes, and you will pay the price, no matter how much you think you know.  Here’s a good story about such a major hack, which was carried out on Mat Honen of Wired.  It’s worth reading, and reading carefully.

Part of the problem is rather egregiously poor security practices by AppleCare, Amazon, and to a certain extent, Google.  But a big part of the problem was self-inflicted, since Mat wasn’t properly backed up, he linked his cloud-service providers (iCloud and Google) together, he used the same prefix on many different email accounts (yourname@gmail.com, yourname@me.com, etc., you get the picture), and a few other things that made the attack much more successful and more painful.

He does have one key point, which is that cloud services should have higher security requirements than they do now, and that apparently the providers don’t understand that. Just a password is not enough. And as this points out, even the strongest password is useless if the provider’s customer service personnel will hand out your credentials in exchange for very weak authenticators, in this case billing address and last-four of your credit card.

It’s also not a good idea to link cloud accounts to each other, either using the linkages they provide for your use, or by using the same password on all of them.  This is not their fault, it’s yours.

Here’s the story, read it and weep: http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/

Read Full Post »

I am split between a positive outlook about how the Internet has improved our lives and extended our experiences, and a generalized uneasiness over continuing breaches of privacy and loss of personal data by merchants and others. Here’s a great article that talks about how much companies DON’T have to report when they have a breach, this is really recommended reading:  http://news.yahoo.com/cybercrime-disclosures-rare-despite-sec-rule-073104140.html.

I’m not sure which is worse — that there are crooks going after our credit card numbers, companies that have grossly-incompetent security capabilities such as LinkedIn, or social media sites like Facebook or Twitter leak our private data around by sharing it, however indirectly, with advertisers.  It’s an ever-changing world and I guess you just have to go in with your eyes open.

Probably the most irritating thing is that there seems to be no downside for Internet security failures by companies.  LinkedIn’s approach to protecting their users passwords was juvenile or worse, they lost millions of them, and for some reason they’re still in business.  Ditto Zappos and others.  And the SEC has been so gutted by budget cuts that they can’t even enforce the laws on the books.  So, in this context, I’m sure most companies see data security as kind of an optional thing, to be evaluated on the basis of PR possibilities and mainly cost.  Bah, sometimes it’s enough to make you a communist.

Read Full Post »

I am hoping that now that we have brought about an abrupt end to Osama bin Laden’s involvement in the International Terror franchise, that cooler heads might prevail in fashioning our response to the actually-continuing threats from various domestic and international nut-cases.  I’m not optimistic.

Look, here’s the crux of it.  In the decade since 9/11/2001, we have spent roughly a trillion dollars on counter-terrorism activities.  A trillion dollars.  This is in response to Osama’s maniacs who killed just over 2,800 people on 9/11.  Of course, that’s awful, and a tragedy.  But at the same time, right around 3,000 people will be killed this month in traffic accidents, and another 3,000 will be killed next month, and the month after that.  We take reasonable precautions against being involved in traffic accidents, but it seems that the same standard of reasonableness is not applied to our (national) precautions against being the victim of a terrorist event.  Virtually all of this trillion-dollar expenditure has been made without any kind of cost-benefit or effectiveness analysis that would demonstrate that these were dollars well spent, or that they have made us safer.

(Incidentally, in researching this subject, I asked a number of people  how many were killed in the 9/11 attacks.  The numbers I got ranged from 5,000 to 25,000, with most clustering around 15,000, or over 5 times the number who actually died.  So as a society we’ve already inflated the damage, and therefore the threat, quite a bit.)

Lots of the people involved with all this spending then say, “we know things you don’t, it’s all very secret, you just have to take our word for it that what we’re doing is right.”  Well, you know, after the firehose of government lying and exaggeration that went into the run-up to the Iraq invasion, I really don’t believe you.  And if the Transportation Security Administration is an example of the quality of your work, I want an immediate audit.

Just in case you’re in danger of falling asleep reading this, here’s the news, in condensed format:

  • Our responses to the threats of terrorist attacks on our country (both cyber-threats and regular ordinary terrorist threats) are grossly out of proportion to the actuarial likelihood of either the attack, or the economic or human losses from them;
  • Many of the things we do to protect ourselves are ineffective, costly, sometimes make us in fact less secure, and in the bargain threaten our civil liberties and the foundation of the Internet;
  • This does not mean that there are no threats to us, of course there are, and we need to prepare to face them;
  • But what we need is a measured, focused, risk-driven approach that scales our preventative measures to the realistic dimensions of the threats we face, not an overblown, spend-anything, corporate-greed-driven, go-nuts program.
  • Unfortunately, this is what we have going right now.

I’m a cyber kind of guy, and I spend a fair amount of time dealing with cyber-threats for my employer, I’m going to focus this post on cyber-security, but basically the same criticisms hold for terrorist threats against physical targets, too.

Currently the American public is being force-fed a relentless barrage of nonsense in the press, and even in the halls of Congress.  This line of thinking holds that we are as a nation exposed to horrific attacks against our infrastructure by stateless jihadis or hostile governments via the Internet, how we are defenseless against these attacks, how our way of life will vanish, millions will be killed or starve, and so on.

The best (or worst) example of this is the book Cyber War: The Next Threat to National Security and What to Do About It, by Richard A. Clarke (a former cyber-security adviser to the White House) and Richard K. Knacke of the Council on Foreign Relations (2010).  This book serves up 300 pages of the most apocalyptic descriptions of cyber-catastrophe, including chemical plants and refineries exploding and spewing toxins, nationwide power failures, trains sent off the tracks, airliners colliding, networks rendered mute, food shortages, hospitals thrown into chaos, and societal breakdown with widespread looting and rioting.  All this, ” . . . without a single terrorist or soldier appearing in the country.”

Unfortunately, they never offer the slightest shred of evidence that such an attack has ever been tried, or is even technologically feasible, and as such is more a work of speculative fiction than a sober report of the state of our cyber-defenses, whatever they are.  That is typical of this whole discussion: it is driven by point-blank assertions, with no evidence to back them up.  Even when they, or others, allege that such attacks have indeed already taken place, they provide no specifics about the method or the actual losses we have sustained.

In Congress, we have had hearings and public pronouncements by all manner of worthies.  For just one example (I do give examples!) Senator Jay Rockefeller on 3/19/2009 made the following blanket statement:

It would be very easy to make train switches so that two trains collide, affect or disrupt water and electricity, or release water from dams, where the computers are involved.  How our money moves, they could stop that.  Any part of the country, all of the country, is vulnerable. How the Internet and telephone systems work, attackers could handle that rather easily.

If you take this at face value, it does seem pretty scary.  But believe me, as one whose whole career has been in software development and system implementation, just asserting something is  possible a very long way from actually being able to do it.  Mostly, in all the Congressional hearings, and in Clarke and Knacke, all we get is this kind of talk but with no empirical evidence discussing how these attacks would possibly work.  And unfortunately, all this loose talk is treated as the foundation for hundreds of billions of dollars of public expenditures, and this is nuts.

I won’t bore you with further examples of this breathless hyperbole, the references at the end of this post contain many more, if you need further proof.

Why is it we in the public seem to be falling for such histrionics?  I think there are a couple of things at work here.  First, individual people, and people they know, feel vandalized by spam, identity theft, and Facebook account-hijacking by password theft or guessing.  They hear about the theft of corporate and governmental databases, which seem to continue unabated.  They don’t understand how to protect themselves, so they fear the worst, and extend that fear to the country and to the rest of the government.

Another thing at work here is a long-standing generalized fear of technology “moving too fast for us,” a fear that has reared its head in many guises during the last 150-200 years (in other words, since the invention of modern technology):

  • Frankenstein came out about the time when electricity was being explored and tamed, and explored the whole concept that somehow we might be able to create and animate soul-less beings through this mysterious power;
  • In the book Victorian Internet, there is a whole section devoted to the social and personal stresses brought about by the invention of the telegraph, and these stresses were not inconsiderable;
  • The early years of the 20th Century spawned lurid tales of “wire devils,” crooks and confidence men who people felt would exploit and victimize them via the telegraph, because they could not see who they were dealing with face to face;
  • After World War II there were large numbers of movies that featured Godzilla or other prehistoric monsters awakened from their unknown lairs by the explosions of atomic bombs, to come ashore and lay waste to humanity, in retribution, I guess, for being bothered.

So, we have a long history of fearing the impacts of technologies we don’t understand and attributing vastly unrealistic powers to them.  This is going on right now, re: the Internet and foreign hackers, in spades.  But as stated in Brito and Watkins (reference below):

Fear is not a basis for policymaking.

And yet, fear appears to be our driving stimulus in this situation.  That is not a good sign.

Read Full Post »

Older Posts »