Security fatigue: problems in password paradise


A new survey from the Pew Research Center paints a bleak picture of how Internet users feel about their online security. The report starts with bad news about passwords, the high-profile tool in the toolkit: “69% of online adults say they do not worry about how secure their online passwords are.”

How does not worrying look in real life?

Consider the findings from Keeper, a vendor of password management software. It recently tallied its annual list of the world’s favorite passwords. The top 10 list opposite, taken from an analysis of 10 million sample passwords, illustrates pretty well what end-users mean by not worrying. These passwords are so terrible that the estimated crack time for the “safest” choice on the list (#6) is about 9/1000 of a second – for the others, the effective crack time is zero seconds. This preference for easy – and insecure – passwords goes hand in hand with a set of attitudes to online security that’s not easy to fathom.

To begin with, Pew notes a tension between lack of trust in institutions and reluctance to take personal action on security:

“[While] they express skepticism about whether the businesses and institutions they interact with can adequately protect their personal information, a substantial share of the public admits that they do not always incorporate cybersecurity best practices into their own digital lives.”

Internet users are right to feel skeptical. Site operators as varied as Target, Ashley Madison and Yahoo! have shown they’re not only lousy at network security, but irresponsible in disclosure and damage control. In December, Yahoo! admitted that hackers had breached its systems and stolen information from one billion accounts – and had done so three years before management got around to discussing the attack publicly.

A second and more counter-intuitive finding concerns what people do in response to suffering from an actual online attack:

“Americans who have personally experienced a major data breach are generally no more likely than average to take additional means to secure their passwords (such as using password management software).”

What explains such quick dismissal of self-interest?

Despite being a part of daily life, I think most people find passwords not just difficult but, well, weird. The better they are, the worse they are, since what makes them hard to crack also makes them hard to handle. Unlike, say, car locks and safe deposit boxes, passwords work invisibly on assets that are also invisible. Even as we type them, they dissolve into rows of inscrutable little dots. Plus they’re often stored on remote servers, i.e. in the “cloud” – the perfect metaphor for a tool you can’t see or understand.

Perhaps this abstract quality is what prompts people to manage their passwords in another kind of remote cloud: their brains. Two-thirds of onliners (65%) say memorizing their passwords is their most used strategy, while 86% use memorizing as at least one approach. The way distant second? Writing passwords on a piece of paper, the most used method for only 18% of respondents.

Software developers look at this behavior and think they can put us out of our misery by selling us password management software – 1Password, Dashlane, Keeper, etc. – the tools security experts recommend most highly.

The bad news, however, is that almost nobody uses them. A mere 12% of onliners say they use these applications at least sometimes, while those who say they use a password manager most often amount to a tiny minority of 3%. Pew cautions this is not niche behavior, as password software “is used relatively rarely across a wide range of demographic groups.”

There’s a useful lesson here.

People at the selling end of the consumer tech business see code as the solution to everything. If you have trouble remembering your passwords and that makes you unsafe and you’re generally miserable about it all, then you’re gonna love our software. What’s wrong with this logic is not how good the software is or how cheap or how user-friendly. The problem is that it’s software.

This mental fatigue extends far past security. It’s only part of the fallout from how mainstream consumers are taught to behave in the digital world – to expect everything we touch to be effortless, easy and user-friendly, even when it clearly isn’t. Vendors know their customers won’t take lessons, respond to scares or read the manual so they just pretend there’s nothing to learn in the first place.

Same deal with hardware. As a tech at the Apple Genius Bar once explained to me, customers come in with broken, manhandled $1500 machines they’ve never maintained or even cleaned, and leave with their repair ready for more abuse. Imagine treating a $1500 Weber gas barbecue that way.

The only way mainstream consumers are ever going to make peace with their devices – and their passwords – is by getting to know them better. Mystification is a terrible motivator, as I can attest after a decade teaching 20-somethings how their digital world works.

Getting this particular demographic to put down their phones, their ingrained habits and their fear of exploring technology (yep, you heard that right), is hard work for all. Like most people, students have been persuaded there must be an app for that – one that will allow them to learn how a data packet crosses the Internet without any effort on their part. Or while texting. Well, there isn’t and there won’t be.

I see a wholesale change in our approach to understanding digital technology as one of the most important educational missions of the next decade. I’ll be writing more about this educational challenge in the coming weeks and months.

(The Pew survey on cybersecurity is available here.)

D.E.

It’s 2015: Cancon is the aberration, not VPNs or the Internet


WiTopia is a provider of personal VPN services

~~~

In a Globe and Mail piece last Friday, Kate Taylor starts off by asking the wrong question: Digital content may be cheap, but who will pay to create it? Things go downhill from there.

Ms Taylor’s old-fashioned apology for Cancon, with its predictable sideswipes at “freeriding” Netflix and marauding pirates, is based on ideology rather than evidence. It completely misconstrues the role of security tools like VPNs, at a time when Canadians should be far more concerned about their privacy and security online than about shelf space on the network for domestic TV shows. Most of all, it treats the Internet like a cultural and economic aberration that’s ruining our TV system, when the aberration is Canada’s bizarre and unworkable framework for broadcasting.

Virtual private networks and why you need one

What the article says about VPNs:

“The latest scheme is to use a virtual private network, or VPN, to trick Netflix into believing you are located in the United States and can thus subscribe to the video-streaming service’s American catalogue….

Internet advocates love to preach choice, diversity and freedom – after all, a VPN can also be used by citizens in China to access content censored by their government.”

A VPN is specialized client software that encrypts online messages, and is said metaphorically to “tunnel” through the public Internet. It’s a “virtual” network because there’s no real tunnel or separate physical network. Your data packets are still co-mingling with other people’s packets, but only you and folks with the authentication tools – like a password – can read those packets. The VPN is said to be private for exactly that reason, like an office behind a locked door.

“Neutrality” ruckus prompts FCC inquiry on broadband and congestion


“We can’t have a situation in which the corporate duopoly dictates the future of the Internet and that’s why I’m supporting what’s called net neutrality.” — Barack Obama, podcast, June 2006

~~~

[June 19: So much for pruning – added 300 words in corrections and background.]

On Friday, June 13, FCC Chairman Tom Wheeler made a short but dramatic statement headlined Broadband Consumers and Internet Congestion. Though barely 450 words long and presented outside any formal setting, Wheeler’s reaction to the public hue and cry over the reliability of retail broadband in the US marks an important step forward for end-user welfare. His announcement puts the lie to the vehement criticisms levelled at him about his betrayal of the Open Internet concept (the FCC’s term of art for net neutrality).

Many of his critics also assumed that the Wheeler FCC would never look into paid peering arrangements – well, they actually said they wouldn’t (“… the rules we propose today reflect the scope of the 2010 Open Internet Order, which applied to broadband provider conduct within its own network.” NPRM, fn 113 – pdf uploaded here). That is what Wheeler has now directed Commission staff to do (request “information from ISPs and content providers”).

While the American public are clearly confused by the net neutrality debate, and for good reason, many ISP subscribers have begun to question whether they’re getting the broadband they’re paying for – whatever the underlying business and technical issues may be. Excerpts from Wheeler’s statement follow (the full pdf is uploaded here):

“For some time now we have been talking about protecting Internet consumers. At the heart of this is whether Internet Service Providers (ISPs) that provide connectivity in the final mile to the home can advantage or disadvantage content providers, and therefore advantage or disadvantage consumers. … 

“Consumers must get what they pay for. As the consumer’s representative we need to know what is going on. I have therefore directed the Commission staff to obtain the information we need to understand precisely what is happening in order to understand whether consumers are being harmed. … 

“The bottom line is that consumers need to understand what is occurring when the Internet service they’ve paid for does not adequately deliver the content they desire, especially content they’ve also paid for. In this instance, it is about what happens where the ISP connects to the Internet. It’s important that we know – and that consumers know.” 


The Internet in 2025: 12 reasons to fear our online future (Pew 5)

Be very afraid: see Nilay Patel’s hard-hitting post in The Verge last week

~~~

The trends are mostly about fragmentation

Or at least the triumph of depth of experience over outreach and a sense of commonality.

This is the 5th and last of my responses from the 2013-14 edition of the Pew/Elon experts survey on the future of the Internet. I only answered 5 of this year’s 8 questions; my four prior responses are these:

The final Pew question was the only one described as open-ended, i.e. it did not begin with the usual Yes/No binary choice. By the time I was done writing my relatively short response, I was seriously depressed. As Free Press president Craig Aaron said to The Verge’s Nilay Patel: “What we need right now is decisive action. We can still unfuck the Internet.” Sure, but where’s decisive action going to come from? The FCC? The CRTC? Questions for another time.

The Internet in 2025: which tech giants will dominate? (Pew 2)


Screen grab from Pew/Elon survey questionnaire, January 2014

~~~

The Pew survey included a question about tech firms that was set up a little differently than the others. As the screen grab above shows, participants were asked to rank the long-term success, or lack of success, among the Big 5 as listed, as well as among other firms of our choosing.

Although it’s about 10 years too early to say “I told you so,” the news over the last few days provides some support for conclusions drawn in my response. As you can see, I’m calling for Amazon and Apple to become “More important”… Facebook and Microsoft to become “Less important”… and Google to “remain the same.”


Apple: too big to be successful any more?

A recent financial piece in the New York Times (Trying to See Apple From a Different Angle) says the stock market “doesn’t know quite what to make of Apple.” Two general reasons are adduced. One is cyclical: the company has had problems with sales of its cash cow, the iPhone. The other is structural: Apple has the largest market cap of any multinational, as well as the highest brand rating on the global Interbrand survey (all that engineering brainpower finally knocked a syrupy, dark-brown soft drink off its throne). Oh, and the $159 billion in cash it has lying around. Apple’s now so big and so successful that it’s scaring off growth investors who want to see a hit product every six months.

Get yer grimy paws off my Netflix, again (the dance mix)

Last week the Wire Report ran a story by Nick Kyonka headlined “CRTC vertical integration rules encourage OTTs to buy sports rights: Gourd.” No prizes for guessing where the chair of the Online Broadcasting Working Group (OBWG) was headed with that worrisome observation:

The CRTC’s new regulatory framework governing vertically integrated companies may have given too much of an advantage to online content providers such as Netflix Inc., Google Inc., [and] Apple Inc.

As I explained in a pair of posts last July (“Get yer grimy paws off my Netflix”), the OTT cabal has shown they will stop at nothing to persuade the CRTC and political friendlies that new, innovative online competitors must be stomped out. They’re bad for the broadcasting system, bad for Canadian culture, bad for Canadian citizens. The group’s claims would be laughable if they weren’t part of a deadly serious attempt to win concessions. To say nothing of the fact they’re doing all this with the publicly acknowledged support of the CRTC. This time, however, the OBWG is trying to put the public interest in double jeopardy.


One more Pew question: Apps vs Web – the winner? (4)


IV. Apps vs Web: Winner?

[option #1 – my pick] — In 2020, most people will prefer to use specific applications (apps) accessible by Internet connection to accomplish most online work, play, communication, and content creation. The ease of use and perceived security and quality-assurance characteristics of apps will be seen as superior when compared with the open Web. Most industry innovation and activity will be devoted to apps development and updates, and use of apps will occupy the majority of technology-users’ time. There will be a widespread belief that the World Wide Web is less important and useful than in the past and apps are the dominant factor in people’s lives.

[option #2] — In 2020, the World Wide Web is stronger than ever in users’ lives. The open Web continues to thrive and grow as a vibrant place where most people do most of their work, play, communication, and content creation. Apps accessed through iPads, Kindles, Nooks, smartphones, Droid devices, and their progeny – the online tools GigaOM referred to as “the anti-Internet” –  will be useful as specialized options for a finite number of information and entertainment functions. There will be a widespread belief that, compared to apps, the Web is more important and useful and is the dominant factor in people’s lives.


Americans still invading, broadcasters still in charge

Last week Interactive Ontario hosted its first iLunch of the season, entitled “What is broadcast?” (I was involved in some of the planning.) Buddy Brady Gilchrist moderated in his usual immoderate, provocative and enlightened way. Two things kept jumping out.

First, I was surprised to hear a current of old-fashioned jingoism running through much of an otherwise useful discussion. After radio, TV, movies and magazines, now it’s apparently the turn of Google, Apple and the other US cyber-behemoths to be pouring over the 49th parallel and… messing with our digital media? Apparently we have to face up to this menace or… all is lost?

Apple is a menace because it’s taking money out of the country and creating its own new brand of walled garden. Yes and yes. And so what? Where is the biggest concentration of Canadian movies, TV, music and podcasts on the Web, in one place? If it’s not the Canadian iTunes Store, somebody point the way. There was complaining about rev share (is there another system?) and about the tilt to success for artists who get on the iTunes homepage. Yes, and other artists will be suffering in the background, not doing quite as well. That’s show biz.