The Road Most Traveled: Good Intentions, Catastrophic Results

A Federal judge has just ordered Apple to unlock the phone used by one of the two San Bernardino shooters so that the phone’s records can be accessed. Apple’s CEO Tim Cook has said the company will fight the order, stating that it does not have the ability to bypass its own strong encryption and that this would set a dangerous precedent. Although I’m not an Apple user, I’m 100% with the company on this and applaud their decision.

The question here is a simple one of the road to hell. It all begins, as usual, with good intentions: we want to stop terrorism. But as Apple CEO Tim Cook said, “building a version of iOS that bypasses security in this way would undeniably create a back door. And while the government may argue that its use would be limited to this case, there is no way to guarantee such control.”

Yet we continue to jog blissfully into an Orwellian future in which the state (the UK is no different) not only insists but has also persuaded a good many of its citizens that their lives are in dire and imminent danger from foreign threats, and that any violation of privacy or individual freedoms is secondary to fighting that threat. Politicians of course make huge capital on this, and the media does nothing to bring some perspective and reality to the actual real threats to our daily lives, which for most people are to do with poor education, debt, poverty, ill health, unaffordable housing, the criminal cost of healthcare, and long-term insecurity—not terrorism.

The US has been in a state of perpetual war for over thirteen years, and continues to be. Its misguided foreign policy actions have destabilized a huge region of the world by trying to impose Western notions of government on nations utterly ill-equipped to embrace democracy (you have to have an Enlightenment before you can consider democracy, and when you still think tribally, corruption and self-interest are going to quickly corrode and ruin any attempt at forging a new state).

Saddam was undoubtedly a brute, and Bashar al-Assad (still in power today) not much better; Gaddafi was mercurial and unreliable. But although some individuals and/or sections of those societies were persecuted during these leaders’ rule, the vast majority of people in Iraq, Syria, and Libya had jobs, food, and a reasonable, often happy and secure standard of living. Today they’re straggling across Europe by the millions like beggars, taking handouts and desperately looking for places to settle—and that’s if they haven’t drowned in the Aegean or Mediterranean after having been fleeced by a whole new class of local criminals our good intentions have benefited: people smugglers. In the process, the rest of Europe is being destabilized.

I fully understand that government has a primary mandate and responsibility to keep its people safe. But in reality, the risk from terrorism is infinitesimally small: if you live in the USA, your chance of dying in a terrorist attack is about 5,000 times less than that of being shot by a US citizen (and even that’s not something that keeps most of us awake at night). The simple act of getting on a plane has already become a tedious, time-wasting hell despite the fact that study after study has shown TSA checks to be up to ninety-five percent ineffective at detecting threats. If you live in a city, your actions while out in public are already recorded on countless cameras; your cellphone and the plastic in your wallet provide extra layers of tracking and monitoring. But government insists it needs a further backdoor into everyone’s lives, and argues tooth and nail that any level of inconvenience and curtailment of individual privacy and liberty is justifiable.

Every day we see evidence of how the well-intentioned use of electronic records ruins lives. The undiscriminating and poorly-thought-out register of sex offenders is one: is it—to take just one example—really okay that because an eighteen-year-old had consensual sex with a seventeen-year-old, he should be viewed as a sexual predator in the same data bucket as a child molester? How many of my readers didn’t have underage sex of one kind or another in their high school or college days? And let’s not even talk of the teens whose lives have been upset by the (silly, but, hey! these are kids) practice of sexting one another.

The argument of course is that an honest citizen has nothing to fear from all this. Really? Try telling that to someone who’s been accidentally put on a no-fly list because of some data entry error or some other innocent reason (it happens). And although China’s new Social Credit System—a data-driven rating system similar to our own credit rating systems but with the emphasis on your status and trustworthiness as a citizen—isn’t likely to be replicated in the US anytime soon, the reality is that all kinds of aggregated data, including your online browsing and shopping habits, are already finding their way into databases that can affect your ability to rent a home, get a job, obtain credit, and a great deal more.

Nor is it just government. PayPal has just clamped down on allowing account holders to use its system to pay for VPN (virtual private network) subscriptions, presumably on the grounds that VPNs, which are used to mask a user’s real computer identity (IP address), may be used for terrorist communication or other illicit activity. What about the many hundreds of thousands of people who use VPNs for entirely legitimate activities such as researching sensitive subjects (journalists do this all the time), getting around censorship in countries under authoritarian rule, or simply avoiding being tracked by advertisers? (PayPal are of course doing this not out of any noble motives but simply to forestall any possible future heat from government over enabling the masking of criminal communications.)

Consider the slew of new voice- and audio-enabled devices that are appearing in your home, like the Amazon Echo, which “hears you from across the room with far-field voice recognition, even with music playing”: do you really want that in your house? Even if it doesn’t come with a backdoor or a camera, what do we think happens to all the data it collects about our and our family’s daily habits? You don’t think that’s mined? Increasingly sophisticated AI can do that with ease and extract every ounce of commercially valuable information about us.

You’ve already been carrying around a tracking device (your phone) for years. Within the very, very near future, your home is going to be bursting with microphone- and camera-equipped devices which are all connected to the net as part of the IoT, or Internet of Things. If you’re not concerned about this, you should be. Quite apart from any government surveillance, just about anyone can hack into these devices. For a single, chilling example, the camera on the monitor in your children’s room is ridiculously easy to hack, its IP address quite possibly already on a website. Think about it.

Everything—everything—that takes place in your home and car will—unless tech companies hold a hard line, and good luck with that one—be available on production of a court order. Right now the bar is terrorism; but other, more everyday, criminal activities will soon qualify. How long before all that data becomes available to your ex’s divorce lawyer? What if your current prospective employers can one day gain access to the data mined from these devices? Because you can bet that it’s all going to be for sale, legally or otherwise. And don’t forget that security on the current IoT is just about non-existent (this is in fact a big concern with self-driving cars, which can currently be hacked with such ease that a person with a laptop can take control over the car with very little difficulty from anywhere in the world).

In conclusion, I believe that tech companies have an absolute responsibility to protect the rights and privacy of their customers at every level. Not only should devices not come with a backdoor, ever, but every possible measure should be taken to ensure that networked devices, from our phones to our cars, refrigerators, baby monitors, and home thermostats are protected against intrusion and hacking by strong encryption and security measures. The emphasis and primary focus should be on the inviolability of the consumers’ privacy and individual rights. And we should demand that of them.

After all, it is we, and our hard-earned dollars, that have made Apple, Google, and Amazon what they are today.

 


Heartbleed Password Blues

The most commonly used password in 2013 was 123456. That’s a change from the previous most commonly used password, which was… password. Facepalm? You bet!

Long before the Snowden revelations, I was always fascinated by the issue of internet security. I also have several close friends who work in the field. Most of them are pretty cutting about not only the average web user’s lack of awareness of the problems of safeguarding data, but also the reluctance of executives in industry, including banking, to get serious about data protection.

The Heartbleed vulnerability, while not necessarily an immediate threat to any of us, does raise the risk that one or more of your online accounts will be hacked. Some accounts are more important than others. If your Goodreads or NYT account gets compromised, it isn’t the end of the world, but someone getting access to your banking, email, or Facebook page can wreak havoc.

The ease with which a hacker can get into 99% of people’s accounts is hard to believe—we’re talking seconds and minutes. Even if your password is a bit better than those mentioned above, a great many people use easily researched and identifiable personal data, such as their birthday, wedding anniversary, kids’ names, etc…many of which can be conveniently found on, say, your Facebook page. And people often use a single password across several accounts, resulting in a nice domino effect bonanza for someone who gets hold of it. Two-thirds of internet users only use one or two passwords across dozens of accounts.

There are services now that will manage your passwords for you, typically using the cloud—which is fine except that if they suffer a breach, you’re in trouble. Biometric data, such as fingerprint ID (Apple and Samsung are using them, and apps are out there) are more secure, but the stakes, should they be compromised, are huge—you can’t change your fingerprint or iris.

At its worst, someone getting into your key accounts can ruin your life.

The good news is that it’s actually not hard to secure your major accounts without having to remember many complex and meaningless alphanumeric and symbol combinations: think in terms of passphrases. While a “brute force” or “dictionary” attack—a computer crunching every possible combination or trying the most common words—can crack many passwords in minutes or days, a passphrase comprised of three common words like, say, one happy camper, will take in the order of centuries to break using these methods—and you can remember it far more easily than, say, J_15v0*As2, as pointedly and memorably illustrated in the classic xkcd cartoon, “Password Strength”.

A passphrase, as the word implies, is more than a single word—it’s a string of them, a short sentence. Here are some easy rules:

  • Don’t use obvious ones (iloveyou was the 9th most popular in 2014; letmein was #14)
  • Don’t include personally identifiable data (birthday, pet’s name, etc.)
  • Don’t use keyboard patterns (e.g., qwerty)
  • Use at least three words
  • Do pick a phrase that has meaning to you, but that even someone who knows you wouldn’t automatically associate with you
  • Don’t put capital letters at the beginning
  • Incorporate some numbers and at least one symbol
  • Use a phrase that you can easily associate in memory with a site or adapt to different sites

Let’s look at this last item, which is especially important and interesting, and generate some examples.

To create a strong passphrase for an email account, you might start with an idea like, cursive is lost—there’s the association with writing, but it’s not a phrase with meaning to anyone else, or a common one; yet it’s super easy to remember. Remove the spaces (most sites don’t allow them) and you have cursiveislost.

Now start to adapt it to meet common system requirements. Put in a capital or two (not in the obvious place), so we have cursiveISlost. The trick is to create a rule and stick to it—in this case, caps will always be used for my middle word.

Add in a symbol or two…hey, you could even use an emoticon that connects with how you feel about the passphrase! If I think of the loss of cursive (or “joined-up-writing”, as we called it in the UK), that would be an unhappy face. Now you have cursiveISlost:(

Finally, most sites will require a number. Pick a favourite; more than one would be great, but this passphrase is already complex enough that a single numeral would do, maybe your lucky number, or something that has meaning to you. So we’re now at cursiveISlost:(9. A bit more complicated…but if your email account doesn’t require symbols or numerals, you could dispense with these and your passphrase will still be very strong.

And guess what—you’re done with your email passphrase. Type it a few times and think about it for a few moments, retracing the reasons you chose each item, and you’ll never forget it.

Now move on, using a similar process for your banking password. Here you could begin with, say, if i were a rich man; first lose the spaces, then proceed as above.

Another, easier still, strategy is to use a single phrase but have a way to customize it for different sites.

So I could begin with a line from a song—I fear earthquakes and lightning would work; but it’s a little long to type, so I might pare it down to earthquakes and lightning…it’s still three words not commonly used together. I add in my caps, numbers and symbols and get to 9earthquakeSandlightning! (notice a new rule…I put the capital at the end of the first word. Again, create a rule and stick to it for easy retention).

To modify that passphrase for different sites, you could do something as simple as take the first letter of the site name (say, “B” for your Bank of America account) and add it to the end of your passphrase. Your BoA passphrase is now 9earthquakeSandlightning!B. The same phrase applied to, say, Facebook, would now be 9earthquakeSandlightning!F. This simple rule—on which you’ll create your own variation—makes it possible to adapt the same passphrase across a variety of accounts.

Now, although it’s true this violates the “domino effect” advice above, the chances of the original phrase being cracked are so remote as to vanish. But passwords don’t have to be hacked; they’re typically simply stolen or intercepted. So let’s add in one extra tweak. Instead of using the first letter of the account site for your variant, use the second.

If you’re thinking, “this is so complicated”, trust me that it’s not, and here’s why: because when you create your own ruleset and passphrase following the methods outlined above, it’ll have personal meaning to you, and will be easy to remember. Again, make up a system and rules that have meaning to you. Try it—you’ll be surprised. Just set a rule, be consistent, and do change your passwords for key accounts once every few months.

And—if you have a really rotten memory and all else fails—you can always make a paper note of the core phrase(s) and your rules, and keep it somewhere far from your smartphone and computer!
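The rule list and the per-site variant step above, as an added Python example that is not part of the original post: `check_rules` reports which of the post's rules a candidate breaks, and `site_variant` appends one letter of the site name. The function names, the `personal` parameter and the keyboard rows other than qwerty are assumptions made for illustration.

```python
import re

# Weak choices the post itself names; a real check would use a far larger list.
COMMON = {"123456", "password", "iloveyou", "letmein"}
# "qwerty" is from the post; the other two rows are constructed samples.
KEYBOARD_RUNS = ("qwerty", "asdfgh", "zxcvbn")

def check_rules(words, passphrase, personal=()):
    """Return the post's rules that `passphrase` breaks (empty list = passes).
    `words` are the words it was built from; `personal` holds strings
    (names, dates) that the user wants kept out of it."""
    low = passphrase.lower()
    problems = []
    if low in COMMON:
        problems.append("commonly used password")
    if any(p and p.lower() in low for p in personal):
        problems.append("contains personal data")
    if any(run in low for run in KEYBOARD_RUNS):
        problems.append("keyboard pattern")
    if len(words) < 3:
        problems.append("fewer than three words")
    if passphrase[:1].isupper():
        problems.append("capital letter at the beginning")
    if not re.search(r"\d", passphrase):
        problems.append("no number")
    if not re.search(r"[^A-Za-z0-9]", passphrase):
        problems.append("no symbol")
    return problems

def site_variant(core, site, index=1):
    """Append one letter of the site name to the core phrase.
    index=0 is the post's first-letter rule, index=1 its second-letter tweak."""
    letters = [c for c in site if c.isalpha()]
    return core + letters[index]

def shared_prefix_len(a, b):
    """Number of leading characters two variants have in common."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n

if __name__ == "__main__":
    core = "9earthquakeSandlightning!"
    print(check_rules(["earthquakes", "and", "lightning"], core))
    for site in ("Bank of America", "Facebook", "Goodreads"):
        print(site, "->", site_variant(core, site))
```

Running it shows two things worth knowing before adopting the scheme: with the second-letter rule, Bank of America and Facebook both get the suffix `a` and so end up with the same passphrase, and any two variants share the entire core, so the variants are only as independent as that one appended letter.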
