As online threats multiply, who’s the hacker now?

March was a tough month for hackers.

First we learned from WikiLeaks that the CIA has an arsenal of code designed to break into the world’s phones, cars and TVs, not to mention old-fashioned computers. Then the US authorities announced indictments in the largest hacking case on record: the breach of half a billion Yahoo accounts in 2014. Two of the men charged are Russian spies.

The Kremlin is becoming particularly adept at blending high espionage and lowdown criminal pursuits like the online theft of other people’s data. The king of that particular castle is Evgeniy Bogachev, the guy opposite with his Bengal cat and matching pyjamas. They say he’s extremely wealthy, and once had upwards of half a million computers under his command. He’s also a criminal standout for having a $3 million FBI bounty on his close-cropped head. Back home in his redoubt on the Black Sea, however, Bogachev is a popular asset among intelligence operatives.

Security fatigue: problems in password paradise

A new survey from the Pew Research Center paints a bleak picture of how Internet users feel about their online security. The report starts with bad news about passwords, the high profile tool in the toolkit: “69% of online adults say they do not worry about how secure their online passwords are.”

How does not worrying look in real life?

Consider the findings from Keeper, a vendor of password management software. It recently tallied its annual list of the world’s favorite passwords. The top 10 list opposite, taken from an analysis of 10 million sample passwords, illustrates pretty well what end-users mean by not worrying. These passwords are so terrible that the estimated crack time for the “safest” choice on the list (#6) is about 9/1000 of a second – for the others, the effective crack time is zero seconds. This preference for easy – and insecure – passwords goes hand in hand with a set of attitudes to online security that’s not easy to fathom.

To begin with, Pew notes a tension between lack of trust in institutions and reluctance to take personal action on security:

“[While] they express skepticism about whether the businesses and institutions they interact with can adequately protect their personal information, a substantial share of the public admits that they do not always incorporate cybersecurity best practices into their own digital lives.”

Internet users are right to feel skeptical. Site operators as varied as Target, Ashley Madison and Yahoo! have shown they’re not only lousy at network security, but irresponsible in disclosure and damage control. In December, Yahoo! admitted that hackers had breached its systems and stolen information from one billion accounts – and had done so three years before management got around to discussing the attack publicly.

A second and more counter-intuitive finding concerns what people do in response to suffering from an actual online attack:

“Americans who have personally experienced a major data breach are generally no more likely than average to take additional means to secure their passwords (such as using password management software).”

What explains such quick dismissal of self-interest?

Despite being a part of daily life, I think most people find passwords not just difficult but, well, weird. The better they are, the worse they are, since what makes them hard to crack also makes them hard to handle. Unlike, say, car locks and safe deposit boxes, passwords work invisibly on assets that are also invisible. Even as we type them, they dissolve into rows of inscrutable little dots. Plus they’re often stored on remote servers, i.e. in the “cloud” – the perfect metaphor for a tool you can’t see or understand.

Perhaps this abstract quality is what prompts people to manage their passwords in another kind of remote cloud: their brains. Two-thirds of onliners (65%) say memorizing their passwords is their most used strategy, while 86% use memorizing as at least one approach. The way distant second? Writing passwords on a piece of paper, the most used method for only 18% of respondents.

Software developers look at this behavior and think they can put us out of our misery by selling us password management software – 1Password, Dashlane, Keeper, etc – the tools security experts recommend most highly.

The bad news, however, is that almost nobody uses them. A mere 12% of onliners say they use these applications at least sometimes, while those who say they use a password manager most often amount to a tiny minority of 3%. Pew cautions this is not niche behavior, as password software “is used relatively rarely across a wide range of demographic groups.”

There’s a useful lesson here.

People at the selling end of the consumer tech business see code as the solution to everything. If you have trouble remembering your passwords and that makes you unsafe and you’re generally miserable about it all, then you’re gonna love our software. What’s wrong with this logic is not how good the software is or how cheap or how user-friendly. The problem is that it’s software.

This mental fatigue extends far past security. It’s only part of the fallout from how mainstream consumers are taught to behave in the digital world – to expect everything we touch to be effortless, easy and user-friendly, even when it clearly isn’t. Vendors know their customers won’t take lessons, respond to scares or read the manual so they just pretend there’s nothing to learn in the first place.

Same deal with hardware. As a tech at the Apple Genius Bar once explained to me, customers come in with broken, manhandled $1500 machines they’ve never maintained or even cleaned, and leave with their repair ready for more abuse. Imagine treating a $1500 Weber gas barbecue that way.

The only way mainstream consumers are ever going to make peace with their devices – and their passwords – is by getting to know them better. Mystification is a terrible motivator, as I can attest after a decade teaching 20-somethings how their digital world works.

Getting this particular demographic to put down their phones, their ingrained habits and their fear of exploring technology (yep, you heard that right), is hard work for all. Like most people, students have been persuaded there must be an app for that – one that will allow them to learn how a data packet crosses the Internet without any effort on their part. Or while texting. Well, there isn’t and there won’t be.

I see a wholesale change in our approach to understanding digital technology as one of the most important educational missions of the next decade. I’ll be writing more about this educational challenge in the coming weeks and months.

(The Pew survey on cybersecurity is available here.)

D.E.

Smart objects, dumb ideas: your hyperconnected future (Pew/Elon 2016)

We’re all going to hell in an IP-enabled handbasket.

The bland-looking control panel depicted above is the heart of a smart home – automated up the wazoo, so your fingers can play master of the universe with the lighting, audio system, appliances, heating and cooling, sprinklers, pool, spa, garage door – and your alleged security system.

Alleged because smart homes, cars and all the other items you’ll be connecting to the public Internet will offer unprecedented opportunities for hackers to infiltrate your life. Most personal devices like computers are already insecure enough. But so-called “smart” devices will be far more difficult for consumers to organize, update and secure than the familiar devices we can see and hold. (If you think any object in our lives will be spared, check out the automated cat feeder adjacent, courtesy Wikipedia.)

An uncertain future for higher ed (Pew/Elon 2016)

Last month I wrote about the Pew/Elon experts survey on the future of the Internet. I included comments on the ubiquitous use of algorithms and the costs that entails. That was one of five questions on the 2016 survey. I answered two others: one on the future of education (#2) and the other on the effects of ever-increasing connectedness (#5).

My views on the future of higher education – especially in the liberal arts – have grown more pessimistic over the last year and a half. They’ve been shaped by the research and interviews I’ve done while working on a book proposal aimed at the uses and misuses of technology in the classroom. The working title, Turned off Tech, reflects the long-ago inciting incident: confiscating student phones and all other digital devices, the better to make the classroom a place to learn again.

Students adjust nicely to the idea that paying attention is a good way to find out how digital technologies work – as opposed to staring into a screen and expecting some miracle of osmosis. These days they’re much more concerned about what happens after they leave class and graduate. Many tell me that their 4-year degree was a painful necessity that will bring nothing by itself.

Why algorithms are bad for you (Pew/Elon 2016)

Statue of al-Khwārizmī, the 9th-century mathematician whose name gave us “algorithm”

~~~

I’ve written a lot about the Pew Research Center. Pew does a great deal of invaluable survey research on the behaviors and attitudes we develop online (okay, “we” means American here). In a departure from the science of probability surveys, Pew teamed up with researchers at Elon University back in 2004 to launch their Imagining the Internet project.

About every two years, the team prepares a set of questions that’s sent to a list of stakeholders and experts around the world. The questions reflect current hot-button items – but ask the participants to imagine how online trends will look a decade from now. The topics have ranged from broad social concerns like privacy and hyperconnectivity, to more technology-oriented questions like cloud computing and Big Data.

The 7th version of the survey was fielded this summer; it’s my 4th shot at predicting what life will be like in 2025. (For a look at what the survey tackled in 2014, see my posts starting with one on security, liberty and privacy.)

A pig in a poke no more: my students rate the ISPs

The carrier hotel at 151 Front St West, Toronto, the meeting point for dozens of ISPs and other network operators

“75% of respondents to PIAC’s survey did not know the speed tier to which they subscribe even though 83% of consumers identified download speed as very important or somewhat important when choosing an ISP for their home.”  –Public Interest Advocacy Centre (PIAC), Ottawa, January 2013 – Transparency in Broadband Advertising to Canadian Consumers (pdf)

~~~

Like the great majority of the online population, even 20-something communications studies majors have little or no clue what they’re buying from their ISP. That’s why we talk a lot about ISPs in my classes. They’re the main contact point for most people with the public Internet. They’re also the key to understanding what broadband is, how regulation works (or doesn’t), and how gatekeeping is exercised.

One challenge in helping undergrads understand how the Internet works (not just the technology, but the policy and business perspectives as well) is that there’s no textbook. Good sources have to be cobbled together, and there’s often a trade-off to be made between what’s topical and what’s authoritative. So when I went looking for a more engaging kind of written assignment a few months ago, I figured why not have the students develop the data themselves. Send them out to the field – well, at least as far as the living room – to find out exactly what they’re getting from their current ISP, then see if they could do better from the competition.

Broadband speeding up, broadcast TV slowing down?

~~~

This morning brought news that the CRTC has launched a national broadband measurement initiative using the SamKnows platform (“The global leaders in broadband measurement”). The announcement comes hard on the heels of Michael Geist’s Tuesday post entitled Missing the Target: Why Does Canada Still Lack a Coherent Broadband Goal? Ironically, after his well-taken lament, the Commission suddenly seems ready to answer Michael’s question – though not in the way some of us might like.

“The CRTC is recruiting up to 6,200 Canadians to help measure the Internet services provided by the participating ISPs. Volunteers will receive a device, called a “Whitebox”, that they will connect to their modem or router. The Whitebox will periodically measure broadband performance, testing a number of parameters associated with the broadband Internet connection, including download and upload speeds.”

On this Commission page, the visitor is offered some details, including how to sign up. In a discussion with some other folks today, there was agreement that the Commission is going to have to work hard to attract mainstreamers who have no technical background. To do so, the project team is going to have to take a more didactic approach, and give up self-congratulatory marketing lingo like a “world-class communication system.”

CRTC’s code of conduct for TV providers: too little, too late?

The CRTC is moving ahead with its Code of Conduct for TV service providers (TVSPs). The Code was initially announced on March 26, as a by-product of the Let’s Talk TV proceeding (Broadcasting Notice of Consultation CRTC 2015-105). Now, in its best populist spirit, the Commission is asking for public comment on its TV Code:

“Canadians sent us a strong message that they were encountering problems with their television service providers. The CRTC is acting on these comments and has prepared a draft version of a TV Code that reflects what Canadians told us. I invite them to take an active part in the discussions. Now is the time to shape your TV Code.”–CRTC Chair JP Blais, May 12, 2015 (emphasis original)

Less consulting, more research

The Commission may have the substance right, but it has the timing and execution all wrong. The idea that TVSPs provide lousy service isn’t exactly new. Much of the evidence has been anecdotal. A public consultation, however, will not make up for that shortcoming. Worse still, the idea of holding this public consultation arose from the earlier public consultation that was part of Let’s Talk TV. They’re breeding.