security

The Latest Breach of Your Privacy - The FBI

For a nerd like me, one of the most frustrating aspects of politics is the mutual technological ignorance of both parties.  The Republicans and Democrats are remarkably similar in matters of information gathering, data sharing and surveillance.  Our National Security and Law Enforcement communities request more and more access to our digital activity, and the Congress supplies it.  These organizations argue that this access is needed to protect us.  While I am sympathetic and supportive toward those who keep our nation and communities safe, my background in technology won't allow me to be at ease.

Forget for a moment the potential abuses that are possible when an organization has access to your unencrypted communications across commercial data stores.  That's something that would terrify our founders, but I want to talk about something more practical.  The government can't be trusted with your data.  They've proven themselves inept.  The latest example is an intrusion into FBI data where as many as 12 MILLION iPhone Unique Device Identifiers (UDIDs) have been gained by the hacking group Antisec.  They've released one million of these UDIDs to the public to support their claim, and they report that they have matching personal information like user names, device names, notification tokens, cell phone numbers and addresses.


I can't imagine what the FBI was doing with that much information, but I don't think all 12 million of those devices belong to suspected criminals.  This breach tells us that our government is collecting data on ordinary citizens, and worse they can't even protect that data.  This is not a party issue!  Bush and Obama are both offenders here.  Likewise, check the voting records for your local Senators and Congressmen.  You'll find both parties frequently vote with enthusiasm to compromise your privacy in the digital world.

This has to stop.  Private companies aren't much better.  I read about a new major breach with frightening regularity, but at least companies only have access to their data.  The government is collecting and federating data across multiple companies and in doing so they are making it easier for bad actors to attack your identity and devices.

Call your representatives and let them know that this breach is unacceptable and that the US policies toward data collection and storage are unacceptable.  Demand legislation that supports the privacy of American citizens.

You wouldn't accept government monitoring in your home, and there's no reason you should allow it on your phone, computer, or Internet access.

Your Password Sucks and You Are Going to Get Hacked

Admit it: you basically have one password you use for everything.  Maybe sometimes you get clever and switch a number or two around.  Maybe you are really advanced and have two or even three different passwords you use in different places.  Whatever your password strategy, unless you have a completely unique password for every site and service you use, you are a juicy target for fraud.

I know you're thinking, "It could never happen to me."  After all, how common are major site compromises anyway?  Today Sony announced that their entire PlayStation Network has been compromised.  This includes names, addresses, email addresses and passwords for every person with an account.  It may also include credit cards.  Here we see a non-academic danger of shared passwords.  If one of these hackers has your email address and a password, why not try that password to access your email?  Once they have access to your email, why not start using the "Forgot Password" function of different websites to start resetting your passwords to other sites, like Facebook or even your bank?  Of course, resetting those passwords isn't even needed if you use the same password everywhere.

Sony's massive failure of IT security clearly illustrates the need for unique, high-entropy passwords for every account you have.  The problem here is that good passwords are very difficult to remember.  A more secure password will contain more characters, and more types of characters.  For example:


  • "111" is a terrible password.  It's short, and is nothing but repeating characters from a single set.  It's also one of the most commonly used passwords because people can remember it.  That doesn't make them lazy or stupid.  It just means they think a short password they can remember is a gamble worth taking.
  • "JT3GJEYzLmd4<hq6^K{64F}L=pzRCg" is a terrific password.  It has lots of characters.  Those characters are diverse (lowercase letters, uppercase letters, numbers and symbols).  It's also basically impossible to remember.  Even if you could memorize it, do you think you could memorize a password of that complexity for every account you have?

So what do we do?  None of us wants to be a victim of identity theft or fraud, but we also can't mentally process the best, easiest solution we have to many common security vulnerabilities: unique, high-entropy passwords.

There was a time when I generated unique, high-entropy passwords for every account I used and memorized them.  For frequently accessed accounts, I also changed these passwords often.  As I've gotten a little grayer in the beard, I've lost that ability to commit so many complex passwords to memory.  In the last two years I'd fallen into the habit of reusing passwords.  They were good passwords, but a password isn't good anymore if it is reused.  Remember Sony.

I now use a tool called 1Password.  It's become as near and dear to me as my beloved Dropbox.  1Password is an application that creates a secure, encrypted database to store information in.  The primary purpose is password storage, but financial data, software licenses and even notes can be stored.  When you use 1Password, you create and memorize one lengthy, high-entropy but memorable password.  From then on, you use 1Password to create and store your passwords for every other account you use.

1Password is flexible enough to handle the different requirements regarding password length and character set that different organizations will mandate.  It's also easy to search and categorize these passwords.  1Password is available for Mac, Windows, iPhone, iPad and Android.  Best of all, you can use Dropbox to sync your password database across all your computers and supported devices.
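To make the "more characters, more types of characters" argument from the two example passwords concrete, and to show what a per-site policy-aware generator does, here is an added Python example that is not part of the original post and has nothing to do with how 1Password works internally.  It assumes a simple pool-size entropy model (length times log2 of the union of character classes used), which is an upper bound that only holds for randomly chosen passwords; a human-picked "111" is far weaker than even that number suggests.

```python
import math
import secrets
import string

# The four character classes the post names: lowercase, uppercase, digits, symbols.
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}


def classes_used(password):
    """Names of the character classes that actually appear in the password."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in password)}


def entropy_bits(password):
    """Pool-size model (an assumption, not 1Password's rating): length * log2(pool),
    where the pool is the union of the classes used.  This is an upper bound that
    assumes every character was drawn uniformly at random from that pool."""
    pool = sum(len(CLASSES[name]) for name in classes_used(password))
    return len(password) * math.log2(pool) if pool else 0.0


def report(password):
    """Summarize the properties the post argues about.  A low distinct-character
    count exposes repetition ('111') that the pool-size model alone hides."""
    return {
        "length": len(password),
        "classes": sorted(classes_used(password)),
        "distinct_chars": len(set(password)),
        "entropy_bits": round(entropy_bits(password), 1),
    }


def generate(length=30, required=("lower", "upper", "digit", "symbol")):
    """Generate a random password meeting a site's policy: at least `length`
    characters drawn only from the required classes, with every required class
    present.  Uses the CSPRNG in `secrets`; rejection sampling keeps the result
    uniform over all strings that satisfy the policy."""
    alphabet = "".join(sorted(set().union(*(CLASSES[n] for n in required))))
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if set(required) <= classes_used(candidate):
            return candidate


if __name__ == "__main__":
    for pw in ("111", "JT3GJEYzLmd4<hq6^K{64F}L=pzRCg"):
        print(pw, report(pw))
    print("site policy (letters+digits, 16 chars):", generate(16, ("lower", "upper", "digit")))
```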

Stop gambling that companies will protect your privacy and information.  Take matters into your own hands and try 1Password today.  You won't regret it.