As online threats multiply, who’s the hacker now?

March was a tough month for hackers.

First we learned from WikiLeaks that the CIA has an arsenal of code designed to break into the world’s phones, cars and TVs, not to mention old-fashioned computers. Then the US authorities announced indictments in the largest hacking case on record: the breach of half a billion Yahoo accounts in 2014. Two of the men charged are Russian spies.

The Kremlin is becoming particularly adept at blending high espionage and lowdown criminal pursuits like the online theft of other people’s data. The king of that particular castle is Evgeniy Bogachev, the guy opposite with his Bengal cat and matching pyjamas. They say he’s extremely wealthy, and once had upwards of half a million computers under his command. He’s also a criminal standout for having a $3 million FBI bounty on his close cropped head. Back home in his redoubt on the Black Sea, however, Bogachev is a popular asset among intelligence operatives.
Continue reading

Who wants to be safe? Online protection as a black box

~~~

[6 min read]

Hacking that affects individuals is very widespread. The Pew Research Center reports nearly 2/3 of online Americans have experienced some form of data theft. A total of about 50% of onliners think their personal data are less secure than five years ago (see previous post for other details).

What does “data theft” look like? Pew examined seven types, and found that only two – fraudulent credit charges and stolen tax refunds – entailed direct financial loss. The others involved some less definable harm, such as an attacker getting his hands on social security numbers or login credentials for social media accounts. We call it “compromising” the data.

This amorphous concept of “compromised data” is growing into one of the chief barriers standing in the way of advances in cybersecurity for end-users. It takes what’s already invisible and annoying (see: strong passwords), and adds a hefty dose of abstraction. Exactly when can we say a piece of data has been sufficiently “compromised” to start worrying and take action? What kind of action?

WhatsApp: how secure?

Let’s look at WhatsApp to see how a popular messaging service handles security for a billion users – and how adding security can actually lead to trouble as well as safety.

Last year WhatsApp announced deployment of end-to-end encryption (E2EE) for all messages and media crossing its systems. Their FAQ assures users that everything they send is “secured from falling into the wrong hands” – right from the sender’s device all the way to the recipient’s (hence “end-to-end”). Marketing wants to be reassuring, not to mention emphatic as to why their platform is better than competing platforms. Continue reading

Security fatigue: problems in password paradise

________

[5 min read]

A new survey from the Pew Research Center paints a bleak picture of how Internet users feel about their online security. The report starts with bad news about passwords, the high profile tool in the toolkit: “69% of online adults say they do not worry about how secure their online passwords are.”

How does not worrying look in real life?

Consider the findings from Keeper, a vendor of password management software. It recently tallied its annual list of the world’s favorite passwords. The top 10 list opposite, taken from an analysis of 10 million sample passwords, illustrates pretty well what end-users mean by not worrying. These passwords are so terrible that the estimated crack time for the “safest” choice on the list (#6) is about 9/1000 of a second – for the others, the effective crack time is zero seconds. This preference for easy – and insecure – passwords goes hand in hand with a set of attitudes to online security that’s not easy to fathom.

To begin with, Pew notes a tension between lack of trust in institutions and reluctance to take personal action on security:

“[While] they express skepticism about whether the businesses and institutions they interact with can adequately protect their personal information, a substantial share of the public admits that they do not always incorporate cybersecurity best practices into their own digital lives.”

Internet users are right to feel skeptical. Site operators as varied as Target, Ashley Madison and Yahoo! have shown they’re not only lousy at network security, but irresponsible in disclosure and damage control. In December, Yahoo! admitted that hackers had breached its systems and stole information from one billion accounts – and had done so three years before management got around to discussing the attack publicly.

A second and more counter-intuitive finding concerns what people do in response to suffering from an actual online attack:

“Americans who have personally experienced a major data breach are generally no more likely than average to take additional means to secure their passwords (such as using password management software).”

What explains such quick dismissal of self-interest?

Despite being a part of daily life, I think most people find passwords not just difficult but, well, weird. The better they are, the worse they are, since what makes them hard to crack also makes them hard to handle. Unlike, say, car locks and safe deposit boxes, passwords work invisibly on assets that are also invisible. Even as we type them, they dissolve into rows of inscrutable little dots. Plus they’re often stored on remote servers, i.e. in the “cloud” – the perfect metaphor for a tool you can’t see or understand.

Perhaps this abstract quality is what prompts people to manage their passwords in another kind of remote cloud: their brains. Two-thirds of onliners (65%) say memorizing their passwords is their most used strategy, while 86% use memorizing as at least one approach. The way distant second? Writing passwords on a piece of paper, the most used method for only 18% of respondents.

Software developers look at this behavior and think they can put us out of our misery by selling us password management software – 1Password, Dashlane, Keeper, etc – the tools security experts recommend most highly.

The bad news, however, is that almost nobody uses them. A mere 12% of onliners say they use these applications at least sometimes, while those who say they use a password manager most often amount to a tiny minority of 3%. Pew cautions this is not niche behavior, as password software “is used relatively rarely across a wide range of demographic groups.”

There’s a useful lesson here.

People at the selling end of the consumer tech business see code as the solution to everything. If you have trouble remembering your passwords and that makes you unsafe and you’re generally miserable about it all, then you’re gonna love our software. What’s wrong with this logic is not how good the software is or how cheap or how user-friendly. The problem is that it’s software.

This mental fatigue extends far past security. It’s only part of the fallout from how mainstream consumers are taught to behave in the digital world – to expect everything we touch to be effortless, easy and user-friendly, even when it clearly isn’t. Vendors know their customers won’t take lessons, respond to scares or read the manual so they just pretend there’s nothing to learn in the first place.

Same deal with hardware. As a tech at the Apple Genius Bar once explained to me, customers come in with broken, manhandled $1500 machines they’ve never maintained or even cleaned, and leave with their repair ready for more abuse. Imagine treating a $1500 Weber gas barbecue that way.

The only way mainstream consumers are ever going to make peace with their devices – and their passwords – is by getting to know them better. Mystification is a terrible motivator, as I can attest after a decade teaching 20-somethings how their digital world works.

Getting this particular demographic to put down their phones, their ingrained habits and their fear of exploring technology (yep, you heard that right), is hard work for all. Like most people, students have been persuaded there must be an app for that – one that will allow them to learn how a data packet crosses the Internet without any effort on their part. Or while texting. Well, there isn’t and there won’t be.

I see a wholesale change in our approach to understanding digital technology as one of the most important educational missions of the next decade. I’ll be writing more about this educational challenge in the coming weeks and months.

(The Pew survey on cybersecurity is available here.)

D.E.

Continue reading

Smart objects, dumb ideas: your hyperconnected future (Pew/Elon 2016)

crestron-control-panel

We’re all going to hell in an IP-enabled handbasket.

The bland-looking control panel depicted above is the heart of a smart home – automated up the wazoo, so your fingers can play master of the universe with the lighting, audio system, appliances, heating and cooling, sprinklers, pool, spa, garage door – and your alleged security system.

Alleged because smart homes, cars and all the other items you’ll be connecting to the public automated-cat_feederInternet will offer unprecedented opportunites for hackers to infiltrate your life. Most personal devices like computers are already insecure enough. But so-called “smart” devices will be far more difficult for consumers to organize, update and secure than the familiar devices we can see and hold. (If you think any object in our lives will be spared, check out the automated cat feeder adjacent, courtesy Wikipedia.) Continue reading

Et tu, Reed? Big media’s war on privacy (3)

hastings-privacy-2

Netflix CEO Reed Hastings tells investors what he thinks of privacy advocates

~~~

Back in March I wrote two posts to express my surprise and frustration that Netflix would no longer let its customers gain entry through a VPN or virtual private network. Turns out the problem hasn’t gone away. Also turns out Reed Hastings is still every bit as dismissive of our privacy concerns – and our customer experience – as he was in January.

A lot of the recent coverage of the Netflix vs privacy phenomenon was prompted by my colleagues at OpenMedia, and in particular Laura Tribe, who acts as the advocacy group’s digital rights lead. When I spoke to her this morning, she pointed to the large number of media outlets that have covered the OpenMedia campaign against the Netflix VPN blockade (OpenMedia pays me from time to time as a policy consultant).

In an email letter to supporters last Friday, Laura and her team laid out the case, opening thusly:

Is protecting your privacy and security “inconsequential?” That’s what Netflix CEO Reed Hastings seems to think, based on recent comments reported in WIRED magazine.

It’s time to remind Netflix that privacy and security matter to us. Yesterday your open letter made international headlines.

If you want to throw your name in the ring, the OpenMedia campaign page for Netflix is here. Continue reading

Why is Reed Hastings bent on killing my privacy?

netflix-vpn-error-collage

“I don’t think we will see any impact.” — Reed Hastings, January 19

“The VPN crackdown is meeting fierce resistance from privacy activists and concerned users, with tens of thousands calling upon the streaming service to reverse its broad VPN ban.”Torrent Freak, Feb 26

~~~

Since Netflix came to Canada in September 2010, I’ve written 51 posts carrying the Netflix tag. I’ve sung the praises of Reed Hastings; objected to the anti-Netflix manipulation of data caps by our incumbents; defended Netflix’s right to operate in Canada over the self-serving protests of our media establishment; and sympathized with Netflix for the archaic treatment meted out to streaming services by the CRTC.

Netflix-6.0-for-iOS-app-icon-smallThe longest pair of posts I’ve ever written (about 6,000 words) was on the attempt by the CRTC and selected media barons to make life as difficult as possible in Canada for Netflix. That was 2011: Get yer grimy paws off my Netflix: Ottawa’s big OTT scam (part 1, June 16; and part 2, June 18).

There was a single exception. I fell off the wagon when Netflix linked arms with Facebook and produced one of the worst privacy policies I’ve ever read: Netflix showing way too much love – for your Facebook data (Oct 2011).

Which brings us to the much bigger privacy problem Netflix has created for itself. Continue reading

Updating the Sony hack: FBI story not selling to crypto experts

sony-hacked-again

***

Here in a nutshell is how things stand a week after my original comments on the hack and Sony’s culpability:

  • Sony Pictures chair Michael Lynton has even more pointedly dodged any responsibility for the damage caused on November 24.
  • FBI director James Comey insists more than ever that North Korea engineered the hack.
  • A high-profile crypto expert, Marc Rogers, has just published a detailed critique of the claims made by the FBI and Sony.

Lynton’s lapses. In an interview last week for ABC News, Chairman Lynton said the following:

“We are the canary in the coal mine, that’s for sure. There’s no playbook for this, so you are in essence trying to look at the situation as it unfolds and make decisions without being able to refer to a lot of you’ve had in the past or other peoples’ experiences. You’re on completely new ground.”

Talk about revisionist history. In case you haven’t read my previous post, I lay out the michael-lynton-sony-2sordid 10-year history of Sony’s experiences in the so-called “coal mine.” Needless to say, Lynton has a vested interest in getting the audience to believe the November 24 attack came out of the blue. That makes him look less like a failed leader, and probably prevents him sinking even further into legal liability. Here are three highlights of the backstory he conveniently overlooks:

  • Sony Pictures itself (not the parent company) was hacked – with many of the same awful results – in the summer of 2011. No, November 24 didn’t happen without any “playbook.”
  • IT consultants hired by Sony Pictures in the summer of 2014 warned of numerous security vulnerabilities in their netwok, which management apparenty ignored.
  • Sony Corp’s fight with the hacker community began all the way back in 2005, with the Sony rootkit scandal, which produced years of conflict and plenty of guideposts to refer to, if the Lynton squad had been paying attention.

Continue reading

The GOP hack: making Kim answer for Sony’s 10-year online war

theinterview-rogen-franco

***

Sony Pictures, the White House and the FBI should get a medal for the greatest political marketing triumph of 2014.

kimjungununiformAfter the horror show following the November 24 hack of Sony Pictures by the Guardians of Peace (GOP), America rallied behind Washington’s theory that Sony was the hapless victim of a Cold War cyberattack. Kim is certainly an easy guy to dislike and no friend of the Americans – no friend of anybody but Kim for that matter. (He comes by it legitimately. His dad and predecessor once had an actor hired to play grandpa Kim Il-sung in a movie role, for which the actor underwent plastic surgery to more closely resemble a Kim; once the shoot was over, the actor was shipped off to a concentration camp.)

The triumph of Cold War marketing over any hint of Sony’s bad behavior is all the more remarkable given the nasty quarrels that have embroiled US stakeholders, press and critics of all stripes. Not to mention the fact that as recently as New Year’s Eve, cryptographer Bruce Schneier and others were still casting doubt on the official claim that the hack was carried out by the Kim regime.

_____________________________________________________________________________

Lining up for The Interview as an exercise in patriotism

“The fact that they’re showing this movie shows that America still has a backbone regardless of the critics,” said Jay Killion, a golf pro who caught a screening at Tower City Cinemas in Cleveland.

Continue reading