
Make enough mistakes, and you will pay the price, no matter how much you think you know.  Here’s a good story about such a major hack, which was carried out on Mat Honan of Wired.  It’s worth reading, and reading carefully.

Part of the problem is rather egregiously poor security practices by AppleCare, Amazon, and to a certain extent, Google.  But a big part of the problem was self-inflicted, since Mat wasn’t properly backed up, he linked his cloud-service providers (iCloud and Google) together, he used the same prefix on many different email accounts (yourname@gmail.com, yourname@me.com, etc., you get the picture), and a few other things that made the attack much more successful and more painful.

He does have one key point, which is that cloud services should have higher security requirements than they do now, and that apparently the providers don’t understand that. Just a password is not enough. And as this points out, even the strongest password is useless if the provider’s customer service personnel will hand out your credentials in exchange for very weak authenticators, in this case billing address and last-four of your credit card.

It’s also not a good idea to link cloud accounts to each other, either using the linkages they provide for your use, or by using the same password on all of them.  This is not their fault, it’s yours.

Here’s the story, read it and weep: http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/

I am split between a positive outlook about how the Internet has improved our lives and extended our experiences, and a generalized uneasiness over continuing breaches of privacy and loss of personal data by merchants and others. Here’s a great article that talks about how much companies DON’T have to report when they have a breach, this is really recommended reading:  http://news.yahoo.com/cybercrime-disclosures-rare-despite-sec-rule-073104140.html.

I’m not sure which is worse — that there are crooks going after our credit card numbers, companies that have grossly-incompetent security capabilities such as LinkedIn, or social media sites like Facebook or Twitter that leak our private data around by sharing it, however indirectly, with advertisers.  It’s an ever-changing world and I guess you just have to go in with your eyes open.

Probably the most irritating thing is that there seems to be no downside for Internet security failures by companies.  LinkedIn’s approach to protecting their users’ passwords was juvenile or worse, they lost millions of them, and for some reason they’re still in business.  Ditto Zappos and others.  And the SEC has been so gutted by budget cuts that they can’t even enforce the laws on the books.  So, in this context, I’m sure most companies see data security as kind of an optional thing, to be evaluated on the basis of PR possibilities and mainly cost.  Bah, sometimes it’s enough to make you a communist.

I am hoping that now that we have brought about an abrupt end to Osama bin Laden’s involvement in the International Terror franchise, that cooler heads might prevail in fashioning our response to the actually-continuing threats from various domestic and international nut-cases.  I’m not optimistic.

Look, here’s the crux of it.  In the decade since 9/11/2001, we have spent roughly a trillion dollars on counter-terrorism activities.  A trillion dollars.  This is in response to Osama’s maniacs who killed just over 2,800 people on 9/11.  Of course, that’s awful, and a tragedy.  But at the same time, right around 3,000 people will be killed this month in traffic accidents, and another 3,000 will be killed next month, and the month after that.  We take reasonable precautions against being involved in traffic accidents, but it seems that the same standard of reasonableness is not applied to our (national) precautions against being the victim of a terrorist event.  Virtually all of this trillion-dollar expenditure has been made without any kind of cost-benefit or effectiveness analysis that would demonstrate that these were dollars well spent, or that they have made us safer.

(Incidentally, in researching this subject, I asked a number of people  how many were killed in the 9/11 attacks.  The numbers I got ranged from 5,000 to 25,000, with most clustering around 15,000, or over 5 times the number who actually died.  So as a society we’ve already inflated the damage, and therefore the threat, quite a bit.)

Lots of the people involved with all this spending then say, “we know things you don’t, it’s all very secret, you just have to take our word for it that what we’re doing is right.”  Well, you know, after the firehose of government lying and exaggeration that went into the run-up to the Iraq invasion, I really don’t believe you.  And if the Transportation Security Administration is an example of the quality of your work, I want an immediate audit.

Just in case you’re in danger of falling asleep reading this, here’s the news, in condensed format:

  • Our responses to the threats of terrorist attacks on our country (both cyber-threats and regular ordinary terrorist threats) are grossly out of proportion to the actuarial likelihood of either the attack, or the economic or human losses from them;
  • Many of the things we do to protect ourselves are ineffective, costly, sometimes make us in fact less secure, and in the bargain threaten our civil liberties and the foundation of the Internet;
  • This does not mean that there are no threats to us, of course there are, and we need to prepare to face them;
  • But what we need is a measured, focused, risk-driven approach that scales our preventative measures to the realistic dimensions of the threats we face, not an overblown, spend-anything, corporate-greed-driven, go-nuts program.
  • Unfortunately, this is what we have going right now.

Since I’m a cyber kind of guy, and I spend a fair amount of time dealing with cyber-threats for my employer, I’m going to focus this post on cyber-security, but basically the same criticisms hold for terrorist threats against physical targets, too.

Currently the American public is being force-fed a relentless barrage of nonsense in the press, and even in the halls of Congress.  This line of thinking holds that we are as a nation exposed to horrific attacks against our infrastructure by stateless jihadis or hostile governments via the Internet, that we are defenseless against these attacks, that our way of life will vanish, that millions will be killed or starve, and so on.

The best (or worst) example of this is the book Cyber War: The Next Threat to National Security and What to Do About It, by Richard A. Clarke (a former cyber-security adviser to the White House) and Richard K. Knake of the Council on Foreign Relations (2010).  This book serves up 300 pages of the most apocalyptic descriptions of cyber-catastrophe, including chemical plants and refineries exploding and spewing toxins, nationwide power failures, trains sent off the tracks, airliners colliding, networks rendered mute, food shortages, hospitals thrown into chaos, and societal breakdown with widespread looting and rioting.  All this, “. . . without a single terrorist or soldier appearing in the country.”

Unfortunately, they never offer the slightest shred of evidence that such an attack has ever been tried, or is even technologically feasible, and as such the book is more a work of speculative fiction than a sober report of the state of our cyber-defenses, whatever they are.  That is typical of this whole discussion: it is driven by point-blank assertions, with no evidence to back them up.  Even when they, or others, allege that such attacks have indeed already taken place, they provide no specifics about the method or the actual losses we have sustained.

In Congress, we have had hearings and public pronouncements by all manner of worthies.  For just one example (I do give examples!) Senator Jay Rockefeller on 3/19/2009 made the following blanket statement:

“It would be very easy to make train switches so that two trains collide, affect or disrupt water and electricity, or release water from dams, where the computers are involved.  How our money moves, they could stop that.  Any part of the country, all of the country, is vulnerable. How the Internet and telephone systems work, attackers could handle that rather easily.”

If you take this at face value, it does seem pretty scary.  But believe me, as one whose whole career has been in software development and system implementation, just asserting something is possible is a very long way from actually being able to do it.  Mostly, in all the Congressional hearings, and in Clarke and Knake, all we get is this kind of talk but with no empirical evidence discussing how these attacks would possibly work.  And unfortunately, all this loose talk is treated as the foundation for hundreds of billions of dollars of public expenditures, and this is nuts.

I won’t bore you with further examples of this breathless hyperbole, the references at the end of this post contain many more, if you need further proof.

Why is it we in the public seem to be falling for such histrionics?  I think there are a couple of things at work here.  First, individual people, and people they know, feel vandalized by spam, identity theft, and Facebook account-hijacking by password theft or guessing.  They hear about the theft of corporate and governmental databases, which seem to continue unabated.  They don’t understand how to protect themselves, so they fear the worst, and extend that fear to the country and to the rest of the government.

Another thing at work here is a long-standing generalized fear of technology “moving too fast for us,” a fear that has reared its head in many guises during the last 150-200 years (in other words, since the invention of modern technology):

  • Frankenstein came out about the time when electricity was being explored and tamed, and explored the whole concept that somehow we might be able to create and animate soul-less beings through this mysterious power;
  • In the book Victorian Internet, there is a whole section devoted to the social and personal stresses brought about by the invention of the telegraph, and these stresses were not inconsiderable;
  • The early years of the 20th Century spawned lurid tales of “wire devils,” crooks and confidence men who people felt would exploit and victimize them via the telegraph, because they could not see who they were dealing with face to face;
  • After World War II there were large numbers of movies that featured Godzilla or other prehistoric monsters awakened from their unknown lairs by the explosions of atomic bombs, to come ashore and lay waste to humanity, in retribution, I guess, for being bothered.

So, we have a long history of fearing the impacts of technologies we don’t understand and attributing vastly unrealistic powers to them.  This is going on right now, re: the Internet and foreign hackers, in spades.  But as stated in Brito and Watkins (reference below):

“Fear is not a basis for policymaking.”

And yet, fear appears to be our driving stimulus in this situation.  That is not a good sign.

We have heard a lot lately about how much of the anti-dictatorship uprisings in the Middle East have been mediated by technology, including cell phones and social media such as Twitter and Facebook.  “Freedom of the Press” no longer means just the right to print and distribute newspapers, but to have digital freedom of access to internal and external news sources, free from governmental censorship or retaliation.  Oppressive regimes certainly have noticed this fact, witness the Egyptian government’s attempt to cut Egypt off from the Internet during their recent rebellion.

But using the Internet safely from inside a repressive regime is not necessarily an easy thing to do.  Likely, you would not use your own identity on your posts or in your emails, and even going to certain websites can either be blocked or at least noted for later retaliation.  How would someone go about this, then?  The answer is that there are organizations that provide anonymous proxy services that allow access through sites that are not blocked (yet!) by national firewalls (as in: China, among others).

I point out to you an organization that is working not just to advocate Internet freedom, but also to provide resources and information to help those trapped within these countries to use the Internet to forward their causes.  Take a look at Access, which describes itself as:

“. . . a global movement premised on the belief that political participation and the realization of human rights in the 21st century is increasingly dependent on access to the internet and other forms of technology. Founded in the wake of the 2009 Iranian post-election crackdown, Access teams with digital activists and civil society groups internationally to build their technical capacity and to help them advocate globally for their digital rights.”

If you are proud to think that the technologies we use every day are playing a part in overthrowing dictators and oppressive regimes, you might consider participating in or donating to Access or to a similar organization — put your money where your heart is.  Or consider participating in one of their proxy-anonymizer projects.  But get involved — make it happen.

And, if you’re interested in their how-to suggestions on preserving privacy in a repressive country, take a look at this.  Actually, these aren’t bad instructions for US, if you really want to be anonymous in the digital world — you can use these same techniques yourself here at home.

Just for the record, disk and other hardware failures can and do happen to everyone, and being techno-savvy really doesn’t decrease your chances of this happening.  Neither does being a techno-ignoramus.  It can and will happen, sooner or later, to everyone.  Or, perhaps your laptop will be stolen, or your house will burn with your desktop machine destroyed.  So then, are you ready to recover?  I’m going to discuss my experience in both planning for, and recovering from, a total disk drive failure.  Hopefully it will help you prepare for the experience.

Preparation is about 98% of the battle here, and I’m often dumbfounded at the number of people who are not willing to spend any time to do this.  They don’t back up their data, they don’t know what programs they are using, they don’t know where the CDs are, and especially they don’t have backups of their pictures.  Then, when the inevitable happens, they wander around beating their breasts and rending their garments and saying with incredulity, “is everything really gone?  Forever?”  To them, all I can say is, “yes.”

Preparation

First and foremost, of course, is to have your data backed up to somewhere outside your house.  Go ahead and back it up locally to one of these little external drives if you wish, but even then get another copy of it stored elsewhere.  There are several ways to do this; I have used Jungle Disk, a good solution, but now I’m using Carbonite, which has the advantage of running all the time and backing files up whenever you modify them, to one of the Carbonite data centers.  Its basic configuration backs up not only your data, music, and pictures, but lots of system-level profiles and stuff so when you do a whole restore, you get a very complete restoration of the machine as you’re used to seeing it.  In addition to this, I use a utility program, MozBackup, to save my Thunderbird-resident email data.

Then, the matter of passwords and website identities.  There are several approaches here, too, including Password Safe, which I used to use, and LastPass, which I now use.  I discuss these options here so I won’t do it again.  LastPass also has the advantage of being “cloud-resident,” so you can access it whenever and wherever you need to; while you’re waiting for your machine to emerge from the Service Department, you will have access to these sites as yourself, by accessing your LastPass vault from another computer.

This brings up another point, that in addition to preparing yourself to recover your machine, you should plan to get along on borrowed machines while you’re waiting.  Your data files are remotely-accessible from Jungle Disk or Carbonite, so you have data, and LastPass or Password Safe will let you get at your passwords, but if you use an email client (Thunderbird) as I do, and especially if you have multiple email accounts (as I certainly do!), make sure you know how to get to your mail provider’s webmail portal.  If you use Gmail or another web-resident email system, you already know this and don’t have the same problem.

If you have a lot of programs loaded on your machine, beyond the usual Microsoft etc. programs, it helps to have a list of them — I have about 80 “other” programs of all kinds so this is a big issue with me.  What I do is use the command-line interface (cmd.exe), change my directory to \program files, and execute the following:  dir /b > \users\[yourusername]\programs and this will give you a list of at least every directory that has a program in it, stored in a file called “programs”.  You can figure it out from there.  If you have a 64-bit Windows machine, you will also have to cd to \program files (x86) to get the 32-bit programs, too, and then if you say:  dir /b >> \users\[yourusername]\programs you will have an almost-complete list.  I say “almost” because some of them install inside these directories and there might be three or four actual programs in a directory with the company name on it, so it won’t tell you what actual programs you have installed.  I got fooled by this situation a couple of times.

Linux users have a neat way to do this using apt-get, which will dump all the apt-get commands to a file, which when executed, will reinstall all this stuff in one swell foop.  If you do Linux, look into the apt-get options.
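
The "file that reinstalls everything" idea, as an added example that is not from the original post: on Debian or Ubuntu, `dpkg --get-selections` prints the installed package list, and the script below turns a saved copy into `apt-get install` commands. The sample listing is constructed and the function names are this example's own; package names are validated because the listing comes back out of a backup and the result is run as root.

```shell
#!/bin/sh
# Added example (not from the original post): build a reinstall script from a
# saved `dpkg --get-selections` listing on a Debian/Ubuntu system.
#
# On the machine being backed up, save the listing where your backup covers it:
#   dpkg --get-selections > "$HOME/package-selections.txt"

# write_sample_selections FILE
# Constructed sample in the "name<TAB>state" format that dpkg prints.
write_sample_selections() {
    printf '%s\t%s\n' \
        'bash' 'install' \
        'libc6:amd64' 'install' \
        'old-editor' 'deinstall' \
        'thunderbird' 'install' \
        'bad;name' 'install' > "$1"
}

# make_restore_script SELECTIONS_FILE OUT_FILE
# Keeps only packages marked "install" and rejects any name containing
# characters a Debian package name cannot have, so a damaged or tampered
# listing cannot smuggle shell syntax into a script that runs as root.
make_restore_script() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 1; }
    {
        echo '#!/bin/sh'
        echo '# Generated reinstall script: run as root on the rebuilt machine.'
        echo 'set -e'
        echo 'apt-get update'
        LC_ALL=C awk '
            $2 != "install" { next }
            $1 ~ /^[a-z0-9][a-z0-9+.:-]*$/ { print "apt-get install -y " $1; next }
            { print "skipped suspicious name: " $1 > "/dev/stderr" }
        ' "$1"
    } > "$2"
    chmod 700 "$2"
}

# count_install_lines SCRIPT_FILE
# Number of packages the generated script will install.
count_install_lines() {
    grep -c '^apt-get install -y ' "$1"
}

# Demo on the constructed sample: prints the generated script.
demo_dir=$(mktemp -d)
write_sample_selections "$demo_dir/selections.txt"
make_restore_script "$demo_dir/selections.txt" "$demo_dir/reinstall.sh"
cat "$demo_dir/reinstall.sh"
rm -rf "$demo_dir"
```

Store the listing, not the generated script, in the backup, and regenerate the script on the rebuilt machine so the validation runs on whatever actually came back.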

And then finally I strongly recommend that you dump your bookmarks to a text or HTML file, located somewhere Carbonite or whatever will back it up, so you can get to your favorite hundred or so websites without having to remember their URLs.  More on this below.

Recovery

So then, drive croaks, and off to the repair depot it goes.  Thanks to a combination of Carbonite, LastPass, my dumped email addresses, and my dumped bookmarks, I had a reasonable ability to function, cyber-wise, for the three days they had it.  I had access to secured machines both at home and the office, and both Windows and Linux, so I wasn’t afraid to open up my LastPass vault on them.  So, plan went as planned thus far.

Since the drive was dead anyway, I elected to use this as an opportunity to switch from Windows Vista Business 32-bit to Windows 7 Professional 64-bit. They delivered it to me with Win 7 on it, and I immediately used Win Backup to create a system backup file on my external hard drive.  I could have used one of several other OS-image programs but I used the Win system utility.  Then, without taking a moment to do anything else whatsoever, I launched out onto the Internet and downloaded and installed Avast! anti-virus and scanned the whole machine.  So for this machine I’ll be using Win Firewall + Avast! in place of Zone Alarm, which has gotten rather bloated since CheckPoint bought them.  I reviewed the Win Firewall settings, made sure it was on, and then proceeded.

I decided to load as many of my other programs as I could, and then take another OS backup, before I loaded the data back on.  First of course came Firefox, so I had a decent browser to work with, and then the LastPass Firefox plug-in. This immediately reminded me that I wasn’t sure what plug-ins I had loaded, surprise.  So I sat and wracked my brain to remember them.   Then, I just pretty much worked down my list and installed away.  It was at this point that I discovered how many license keys I had managed to not save in LastPass, so I was scrambling to find them, and sometimes I couldn’t until I had recovered my Thunderbird mail files, where I had saved all my registration-response emails.  So, this was another wake-up!

After about 8 solid hours of reloading programs, and reconfiguring them where I had to, I took another system image and launched into data recovery.  Because of the OS change, I couldn’t just have Carbonite restore the whole works because some file locations had changed.  So I had to hand-place some of them — tedious, but it worked.  I suppose the whole data restore took perhaps another 8 elapsed hours, in several chunks due to the directory repositioning.  I timed these for periods when I was going out of the house, or for at night, so elapsed-wise, it was about 2 days more — but I brought back some stuff first so I was pretty well in business right away.  Carbonite gives you this option, to preferentially load certain files first.

Takeaways

  • Preparing for disaster is dull and boring, but it’s almost all that matters.  Do it, and do it well, or die and don’t cry.
  • Making sure you can function without your own computer for a week or so will improve the quality of your life more than you can imagine.
  • There are lots of little things that contribute to sanity, such as license keys, written email addresses, and bookmark lists.  You might consider putting the last two, periodically, on a USB drive you can use with any machine in the interim.  Update it once in a while, and you are in good shape.

Regardless of which side of the aisle you sit on, the Republican sweep of the 2010 elections is going to presage some fundamental changes in the tech / science landscape, at least based on what the incoming set of pols say they are going to do.  Time now to take a look at some of these likely results, and of course decide if we like them or not.  One thing for sure, the Democrats have been very timid in advancing their causes during the last two years, and it’s equally sure the incoming Republicans probably will not be.  Whether or not they actually have a “mandate” from the voters to actually implement all these positions is not at all clear, but one can assume they’re going to try.

The background for this analysis is straightforward: broadly speaking, the incoming conservative Republicans are very strongly pro-big-business, believe that climate change is a hoax, and believe that Islam is a special global threat that requires extraordinary measures to combat it.  They also see government and its regulations and laws as the chief impediment to national improvement.  And finally, they have a strong fundamentalist-Protestant ethos that is the most basic foundation of their worldview, and for many this ethos is hostile to science.

So, where does this leave us?  Like it or not, here’s what appears to be coming.

Dramatically less research funding, especially in areas not producing technologies leading directly to marketable products.  This article in the Times says it all: National Institutes of Health might drop by 9%, National Science Foundation, -19%, and NOAA,  -34%.  This is in contrast to the Obama administration’s projected reduction of about 5% overall in research funding for the next fiscal year.  One might ask why NSF and NOAA are taking such a hit, and the answer is what appears to be the Republican antipathy toward the whole concept of climate change, see below.  They don’t believe it, and they aren’t going to fund it.  Certainly our current economic situation requires belt-tightening, no question.  But these agencies take the brunt of political punishment for their positions: NIH refuses to promulgate the idea that abortion causes breast cancer and rampant depression, NSF keeps acting as if biological evolution were actually true, and NOAA — well, read on.  Opposing these agencies speaks right into the heart of the Republican / Tea-Party conservative core.  Nobody campaigned saying “we’ll cut emissions and promote greener living,” they campaigned on “drill, baby, drill.”  And obviously, that’s what the electorate wanted to hear.

There will likely be a concerted attack, and that’s not too strong a word for it, on the idea of doing anything about global warming / climate change.  For whatever reason, the Republican Party has embraced the position that climate change is a scientific hoax, or anyway if it’s real, it really doesn’t matter.  Part of this is their pro-business slant, and anything that impacts quarterly profits is anathema.  Several incoming Congressmen have stated that they will hold hearings for the purpose of “putting the lie to all this global warming scare talk.”  Rick Perry, the newly-re-elected Governor of Texas, intends to stop the EPA from regulating greenhouse gasses in Texas and has filed seven lawsuits against the government to prove it, see here.

This position is partly based on the fact that curbing greenhouse gases and addressing climate change will require concerted Federal action, and the Tea-Party view is that this must therefore just be a big liberal power grab.  Others, and some of these I have personally talked to, take a very Christian-fundamentalist view that “the Earth was put here for our use” and it would be an affront to God if we fail to fully exploit it, and anyway the Rapture is coming very soon so it won’t matter if the Earth is left a gutted hulk because God is going to destroy the universe anyway.  And soon.

So given these, we can expect very little if any Congressional support for any green technology investment or research.

Net Neutrality will be threatened and probably eroded.  The Obama administration has taken a strong stand for “net neutrality,” the concept that Internet Service Providers (ISPs) must provide non-preferential routing to all Internet traffic.  In the US, there is an effective oligopoly on Internet service, unlike Europe where it is a competitive free-for-all and hence service is much better (in other words, faster) and the costs are lower.  The big ISPs are determined to not let all this competition happen here, and they intend to leverage their oligopoly position to create a set of tiered services where those content providers who can’t pay the extra tariff will be relegated to second-class service.  Since this is good for the providers’ business, the Republicans are going to fight any net neutrality regulations under the banner of “get the Federal government out of our private lives,” and of course, protect their oligopolistic profits.

Also, and especially in the Internet environment, there will be attempts to enact more intrusive laws that will reduce Internet anonymity and personal privacy.  The Obama administration has not been a shining light here, either, having asked for legislation to require eavesdropping “backdoors” in telecommunication networks and hinting that data encryption might somehow be restricted.  But the more militant parts of the Republican / Tea Party, for all their table-pounding on personal and states’ rights, and freedom, and the Constitution, are worked up considerably against the (to them) ubiquitous Muslim Terrorists, and believe if they can only curtail some of our freedoms and privacy they will be able to eliminate terrorism or terroristic threats.

How much of this can the new Republican majority enact in two years?  Probably not all that much but they can stall, de-fund, and in general make a mess of things.  And to date the Obama administration has not been an effective counterpoint to them.  My only editorial comment on all this: it’s not pretty if you think that science and technology investments are critically important to our economic and political future, that science should not be trumped by politics and religion, and that personal freedom and privacy are what after all we stand for in the world.

Let’s say that you are using all the right techniques for protecting yourself out on the Internet — as outlined in my previous posts (here, and here), including using an ID / password database like LastPass.  But right on your own machine you have sensitive and personal files, perhaps your tax returns, your investment worksheets, private letters, or the details of your opinion of your manager at work.  You don’t want these to be broadcast to the world, or to fall into the wrong hands.  But if they’re on your own computer they’re safe, right?  Wrong, for two reasons:

  • You might lose your laptop — someone might steal it, or you might accidentally abandon it in an airport, a cab, or a cafe.  Your files just became available.  This problem is magnified if you keep these files on a USB drive — a pocket or “thumb” drive — which is easier than a pencil to lose.  Note that an astounding 12,000 laptops are lost in US airports every week, and 2/3rds of them are never recovered.
  • Your computer might ingest some virus, worm, or other malware specimen, that just might be trained to browse around and transmit to who knows who anything interesting it finds in your machine.

So, relying on physical custody of the machine, or relying on it being in your bedroom but still connected to the Internet, is not a winning strategy.  Before you take to filling out your tax forms in longhand, there is a very good solution: store these files in an encrypted vault on your hard drive, a vault that only you have the key for.

There are products out there that get advertised as “secure” and “encrypted by a secret, proprietary method,” and you should stay away from these as they can be broken into quite literally in minutes.  You need to use something that uses the standard encryption approaches that the government uses — AES (the Advanced Encryption Standard), Twofish, or the like.  These will protect your vault — if you choose a strong key — literally centuries after you are dead and gone.

The best of these is a package called TrueCrypt, which I use myself.  And please note that I receive nothing whatsoever from them for this endorsement, I recommend it because I use it and for no other reason.  Plenty of heavy-duty security gurus are TrueCrypt users, so you don’t have to take my word for it.  And it comes for Windows, Mac, and Linux systems.

Here’s what you do.  Go to the TrueCrypt website, download it, and install it.  Then, when you’re ready to create a private vault, decide how many megabytes you want in the vault, and follow their instructions to allocate and create it.  Create a strong password — a really random one — perhaps using LastPass to generate it.  TrueCrypt will format the vault, and thereafter it will behave just like another disk drive on your machine: you can copy to and from it, edit files in it as if they were not encrypted, and so on.  TrueCrypt encrypts and decrypts “on the fly” as you use it, so you are never aware that this is anything but a real disk drive.

And this works on a USB drive, too, and you can even encrypt the entire USB space if you want, it’s that flexible.  Each TrueCrypt vault has a password associated with it (they could always be the same, I suppose) and anyone who looks at the vaults will see only a mass of gibberish — no file names, no nothing at all.  The secret is in the password.  Use a package such as PasswordSafe, LastPass, or a website like Steve Gibson’s password generator, to get a nice, long, really high-entropy one that will resist even a focused, brute-force attack.
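
What "high-entropy" buys for the vault password, as an added example that is not part of the original post: the script generates a random password locally and compares the expected exhaustive-search time for a short password and a long one. The function names are this example's own, and the guess rate is an assumed figure, not a measurement of any real attack on a TrueCrypt vault.

```shell
#!/bin/sh
# Added example (not from the original post): generate a random vault password
# and estimate how long an exhaustive search of its keyspace would take.

# gen_password LENGTH   (LENGTH up to a few hundred characters)
# Reads the kernel CSPRNG and keeps only A-Z a-z 0-9. Discarding unwanted
# bytes, rather than mapping them with a modulo, keeps every character
# equally likely.
gen_password() {
    pw=$(head -c 4096 /dev/urandom | LC_ALL=C tr -dc 'A-Za-z0-9' | cut -c1-"$1")
    [ "${#pw}" -eq "$1" ] || { echo "not enough random data" >&2; return 1; }
    printf '%s\n' "$pw"
}

# entropy_bits LENGTH ALPHABET_SIZE
# Whole bits of entropy (rounded down) for a uniformly random password:
# LENGTH * log2(ALPHABET_SIZE).
entropy_bits() {
    awk -v n="$1" -v a="$2" 'BEGIN { printf "%d\n", n * log(a) / log(2) }'
}

# expected_seconds LENGTH ALPHABET_SIZE GUESSES_PER_SECOND
# Average time to hit the password: half the keyspace at the given rate.
expected_seconds() {
    awk -v n="$1" -v a="$2" -v r="$3" \
        'BEGIN { printf "%.3g\n", (a ^ n) / (2 * r) }'
}

# Demo. RATE is an assumption chosen for illustration only.
RATE=1000000000
sample=$(gen_password 24)
echo "24 random characters: $sample ($(entropy_bits 24 62) bits)"
echo "8 lowercase letters:  $(entropy_bits 8 26) bits," \
     "$(expected_seconds 8 26 "$RATE") seconds expected"
echo "24 mixed characters:  $(expected_seconds 24 62 "$RATE") seconds expected"
```

These figures hold only for passwords chosen uniformly at random; a memorable phrase of the same length has far less entropy than the formula suggests.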

Just as a sidelight, TrueCrypt can be handled in a way that effectively hides even the existence of the vault in such a way as to provide plausible deniability that there is any encrypted data at all.  They describe this in their documentation here.  Needless to say, dictators and repressive regimes throughout the world are very displeased with TrueCrypt for this reason!

One of the things you have to do when you start to deal with Internet security is to make the assumption that the worst will in fact happen, and take steps for that eventuality.  TrueCrypt should be one of these steps.