Postcards in Pencil

In light of the Cambridge Analytica incident and the loss of privacy on Facebook, people have been going around deleting their Facebooks, left and right, for fear that their information has been released to the world. Never mind, of course, that they willingly gave up that information. This is all Facebook’s fault, and Facebook must pay.

Take a deep breath, world. This is nothing new. We’re dealing with postcards in pencil again. For those unfamiliar with the phrase, that was the analogy used to describe email to people. It was a postcard because anyone could read what you wrote. It was in pencil because anyone could change what you wrote without leaving much of a trace. Thinking of email as postcards in pencil, would you put sensitive information there?

The issue with Facebook isn’t a new one. It was there in the days of Livejournal. It was there in the days of My Space. If you don’t think of your web space as a postcard visible to all, even with controls, you are giving your information away, not the website.

Further, if you are participating in all these memes and quizzes that ask for personal information, and just think they are fun, you are naive. Why would a free quiz want personal information?  Why would a free quiz want access to your data and information? Remember the key adage: If you are getting it for free, you are not the customer, you are the product that is being sold.

The problem is not with Facebook, per se. It is with users who did not understand what they were doing, and had the belief that their information was secure … that had the belief that those applications weren’t going to use their data. They gave away their data due to their stupidity and lack of knowledge, and now want to blame someone else.

Facebook is perfectly safe to use, if and only if you treat it as 100% public. If and only if you only put information on there that can be publicly disclosed. If and only if you are constantly alert for what information you are giving out. Oh, and be forewarned, there is information you are giving out even when you aren’t entering data. Every time you linger on an image, every time you visit a website, every time you click to open an article, you are giving away information about your interests that will be sold. Facebook is a free service. Remember what I said about getting stuff for free.

Delete your Facebook if you want, and run away and make the same mistakes on another service. Alternatively, just perhaps, you can understand the online world and how it markets you, and be much more careful about what you say and do online.

[ETA: Of course, society and Facebook itself make it difficult to leave Facebook. Just think of all the data you would need to reenter, all those logins to third-party sites you do via FB that you would have to recreate anew (including their data), all the relationships you would need to reestablish on other services. There’s just too much inertia and friction to deal with.]


Be Careful Out There

As I continue to clear out the news chum, here are some articles related to security, trust, safety, and cyber. In short: be worried, be suspicious, and everything is not as it seems:

  • Can You Believe Your Eyes? We’ve all been taught that “seeing is believing”. But is it? We live in an era of forgeries: email can be faked (and has been), and videos can be doctored. I’m sure you’ve all heard about “deepfakes”: Where AI is used to put a different face on a body in a porn video, creating celebrity porn without the real celebrity. The LA Times has an interesting article on the rise of fake videos and their implications. Just think about this: What damage could a faked video do when it spreads on the internet? How could a fake be used for propaganda purposes? We’ve been given the blessing of technology, but its misuse could be the downfall of society (as the 2016 election has shown, with the Russian manipulation of the US electorate through technology).
  • Financial Scams. The last few years have seen the growth of person-to-person online financial exchanges like Venmo and Zelle. But the scams are growing as well. The services were intended for transfers between people that know and trust each other. There are no safeguards against scammers and fraud, unlike services like PayPal. This is starting to bite people in the butt. Remember: Only Venmo/Zelle funds to someone you know and trust in real life. Once the funds are gone, they are gone.
  • The Green Padlock. Starting in July, the Chrome browser will mark all sites using the original web protocol, HTTP, as insecure. This is because the protocol does not provide end-to-end security. I initially believed that was overkill: there are many static sites with no forms, that only serve as information providers. Why do they need encrypted transport? But a discussion of the issue highlighted the reason behind Google’s actions. Even for such sites, moving to HTTPS provides assurance that the data coming from the site is what is being received by the consumer of information. In other words, it prevents man-in-the-middle attacks to insert false data, advertising, or malware. I’ve taken the steps to secure my site for the highway pages, and will be doing it for subsidiary pages in the coming months.
  • Paying for Security. One of the biggest problems that security has is that it is often invisible. If the mechanisms work, nothing bad happens, and you don’t know it is there. It is like high quality building codes, that you don’t discover saved your house until everyone else’s house burned down. As such, consumers haven’t wanted to pay for security; they want new features and whells and bistles. Software and hardware vendors couldn’t justify costly new releases that just added security. Luckily, that’s all changing — a new survey shows that consumers now prefer security over convenience. Will things stay that way? Will the convenience of a simple facial recognition overtake the security of two-factor authentication? Stay tuned.
  • Fixing Vulnerabilities. Vulnerabilities are on the rise, and keeping up can be hard. Here’s an interesting article that highlights the fact that not all vulnerabilities end up in the CVE/NVD database; and thus relying on that database as your sole source of vulnerability information is a bad idea. For those of us who assess for obvious vulnerabilities, this is an important observation. It is also vitally important to understand that a vulnerability is not the same as a risk. Sceptre and Mindfuck (no) Meltdown are good examples. They are vulnerabilities, and their patches are causing incredible slowdowns, but how easy are they to exploit, and what can they leak? A determined adversary will find a way to exploit anything, but the casual “script kiddie” hacker may not find much utility. The same, by the way, is true of gun laws. Gun control will affect law abiding folk, but the determined adversary will find a way. That’s why it is important not only to address the symptom of the problem — the gun control, the identified vulnerability — but to address the source of the problem. We need to engineer-in safety and security in all of our systems — human and technical — from day 0 to identify and prevent problems BEFORE they happen.
  • Safety While Traveling. Here’s an interesting article from the folks at Lastpass on how to use your password manager to make your life safer while traveling.  There are some interesting notions here, including keeping copies of important travel documents in your password vault, so that if you lose them, you have that information. Other ideas include storing the credit card loss and fraud department phone numbers in your vault with your credit card form fills, so if you lose the physical card, you can easily call and report it.
  • Pre-Register to Prevent Fraud. An interesting reminder to register and create your account at, before the bad guys do it for you.
  • Securing the Internet of Things. One increasing risk is the Internet of Things. More and more, everything is being connected to the Internet. Often, what is connected are low-criticality devices (solar panels, refrigerators, light bulbs, dishwashers) with poor security protocols. Miscreants can then use those devices as stepping stones to get a trusted position in a network to jump to a more critical site, or to host a botnet or cryptocurrency mining operation. Luckily, NIST is working on standards for IoT security — and those standards are out for draft and comment.



CyberSecurity News of Note

Here’s the last of the news chum collections for this morning. This one has to do with safety and security.

  • Tiny Dots and Phish. Hopefully, you’ve been getting trained on how to recognize phishing threats, and how to distrust links in email or on websites. But it’s getting even trickier, as this article notes. Miscreants are using characters in other character sets that ļȯоķ like other characters. Hint: Always look at how addresses look when you hover over them, and even then be suspicious.
  • Complex Passwords Don’t Solve All Problems. So you’ve gotten smart: you are using complex passwords everywhere. But every solution contains a problem: reusing complex passwords can give your identity away. Research showed that the rarer your password is, the more it “uniquely identifies the person who uses it. If a person uses the same unique password with multiple accounts, then that password can be used as a digital fingerprint to link those accounts.” Although this is not something previously unknown, there seems to be a lack of awareness about the practice. Remember: complex passwords, never reused, and use a password manager.
  • Two Factor Authentication. Using 2FA can also help. Here’s a handy guide on how to set it up on most major websites. Here’s a list of all major websites, and whether they support 2FA.
  • Protecting Your Social Security. This article from Brian Krebs explores abuse of the social security system, and contains some advice I hadn’t known: go create your account at now to protect yourself.  That’s something I need to do; I tried to do it this morning but it wouldn’t accept the proof for the upgraded account, and I have to (a) find a previous year’s W2 and (b) wait 24 hours to try again.
  • Predicting Problems. A few articles on predictive algorithms. One explores whether predictive algorithms should be part of public policy.  Essentially, should they have a hand in shaping jail sentences and predicting public policies? Government agencies are now using algorithms and data mining to predict outcomes and behaviors in individuals, and to aid decision-making. In a cyber-vein, there are calls to add prediction to the NIST cyber-security framework. The argument: With AI and machine learning, companies should now be considering how to predict threats before they even appear. Speaking of the NIST Framework, Ron Ross tweets that it is being incorporated into FIPS 200 and the RMF.
  • Building It In. The NIST effort — especially with SP 800-160 — is to emphasize the importance of engineering in and designing in security from the very beginning, not bolting it on at the end. Good news: The government is finally coming around to that realization as well. The link is a summary of the recent updates to the NIST pub. It’s an area I’ve been exploring as well, and I’ve been working on some modifications to the process to make it even more accepted. The first report on the effort is under review right now; I hope to publish something soon.
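The “Tiny Dots and Phish” item above describes lookalike characters in addresses; here is an added example (not from the original post) of the check a mail gateway or a cautious user could run on a hostname: decode any punycode labels, then flag a label that mixes Unicode scripts (Latin plus Cyrillic, say) or that is not plain ASCII at all. The sample hostnames are constructed, modelled on the post’s “look” example, and the script detection approximates the Unicode script from the character name, which is good enough for Latin, Cyrillic and Greek confusables.

```python
import unicodedata

# Constructed samples (not from the original post): the post's mixed-script
# "look" spelled with explicit code points, and a Latin label carrying one
# Cyrillic letter. U+043E and U+0430 are Cyrillic o and a.
SAMPLE_HOSTNAMES = [
    "example.com",
    "\u013c\u022f\u043e\u0137.example",   # l-cedilla, o-dot-above, Cyrillic o, k-cedilla
    "p\u0430ypal.example",               # Latin letters with a Cyrillic a in the middle
]


def punycode_form(hostname: str) -> str:
    """What the hostname looks like on the wire (ASCII 'xn--' labels)."""
    return hostname.encode("idna").decode("ascii")


def decode_label(label: str) -> str:
    """Turn an 'xn--' punycode label back into Unicode; leave other labels alone."""
    if label.lower().startswith("xn--"):
        try:
            return label.encode("ascii").decode("idna")
        except UnicodeError:
            return label  # malformed punycode: keep the raw label so it still gets flagged
    return label


def script_of(ch: str) -> str:
    """Approximate Unicode script: the first word of the character's name
    ('LATIN SMALL LETTER A' -> 'LATIN', 'CYRILLIC SMALL LETTER A' -> 'CYRILLIC')."""
    try:
        return unicodedata.name(ch).split()[0]
    except ValueError:
        return "UNKNOWN"  # unnamed code point


def analyze_hostname(hostname: str) -> dict:
    """Per-label script report plus two overall flags a filter would act on:
    mixed_script (one label uses letters from more than one script) and
    non_ascii (some label is not plain ASCII after punycode decoding)."""
    labels = [decode_label(part) for part in hostname.split(".")]
    report = {
        "decoded": ".".join(labels),
        "labels": [],
        "mixed_script": False,
        "non_ascii": False,
    }
    for label in labels:
        scripts = {script_of(c) for c in label if c.isalpha()}
        info = {
            "label": label,
            "scripts": sorted(scripts),
            "mixed_script": len(scripts) > 1,
            "non_ascii": not label.isascii(),
        }
        report["labels"].append(info)
        report["mixed_script"] = report["mixed_script"] or info["mixed_script"]
        report["non_ascii"] = report["non_ascii"] or info["non_ascii"]
    return report


if __name__ == "__main__":
    for host in SAMPLE_HOSTNAMES:
        r = analyze_hostname(punycode_form(host))
        verdict = "SUSPICIOUS" if (r["mixed_script"] or r["non_ascii"]) else "ok"
        print(f"{punycode_form(host):32} -> {r['decoded']:22} {verdict}")
```

An all-Cyrillic label (every letter swapped for its lookalike) would pass the mixed-script test but still trip `non_ascii`, which is why both flags are reported.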



The Importance of Visualizations

Visualizations and charts make our lives easier, and sometimes can give us insights we hadn’t considered before. Here are three examples:



It’s a Sign of the Times: The Spectre of a Security Meltdown

Perhaps it is telling that my first post of the year is one dealing with recent articles on cybersecurity. Perhaps it is a recognition that 2018 may be the year when cybersecurity comes even more to the fore, from the protection of our personal systems, to the protection of our voting systems, to the tampering that occurs in our systems. But it may also be reflective of the fear, uncertainty, and distrust that is growing in our society today, where every risk is super scary. Part of the problem is that people either confuse or don’t understand the terms. So, let’s be clear (and these are from NIST SP 800-37 Rev 1):

  • Risk [FIPS 200, Adapted]. A measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function of: (i) the adverse impacts that would arise if the circumstance or event occurs; and (ii) the likelihood of occurrence.
  • Threat [CNSSI 4009, Adapted]. Any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, or the Nation through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service.
  • Vulnerability [CNSSI 4009]. Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source.

There is no such thing as a “mega-vulnerability”. “Mega” is a risk assessment, and requires not only the weakness from the vulnerability, but a high likelihood of exploitation by a likely threat, and a likely adverse impact of that exploitation. You can have a vulnerability in a system that is easy to exploit, but doesn’t get you much information. You can have one that is hard to exploit, but can get you a lot of information. Risk depends not only on the vulnerability and the likelihood of exploitation, but the context of use and the likely attackers (threats), in order to determine the overall risk.

With that, let’s look at some news:

  • Meltdown and Spectre. You’ve heard about these (makes air quotes) mega-vulnerabilities (end air quotes). They can impact almost any processor that does predictive execution. That includes Intel, AMD, and ARM processors. They can look into memory and expose data. Fixing them will slow down your system. There are emergency Windows updates being issued for Windows 10. But beyond the fear, what do you know? What is the risk? Here are the gory details on the problem. If you read through this, you’ll see that these aren’t that easy to exploit. You need to get someone to run a specially crafted program, and it needs to be on a system that might have some information you need. For most people, the risk from this is low. That doesn’t mean you don’t want to patch it as soon as you can — the longer a vulnerability is out there, the more it will be exploited. But this isn’t the world coming to an end. It does, however, demonstrate a few key rules: (1) complexity is your enemy — the larger and more complex a system is, the more likely that there will be undiscovered vulnerabilities; (2) just because it is hardware/on a chip doesn’t mean it is secure — we make the assumption that because something isn’t obviously software, it isn’t a security concern. But today’s firmware can be equally complex, and the hardware circuit designs even more so; just being on a chip doesn’t make it secure.
  • Secure Your Router. Whereas Meltdown might be lower risk, here’s a greater risk — and one that you likely can’t do much about: Your router. You need to secure your home router. Absolutely, positively. This is the router that connects your ISP to your home systems. You need to (at minimum) change the administrator passwords, set up the appropriate NAT, and ideally use a DNS other than your ISP’s DNS. You also need to update the firmware regularly, although you might not be able to do that. If you can’t, you need to consider that router a compromise zone, and put something more secure behind it for your use. Let the guests you don’t care about use the ISP’s wireless.
  • Ransomware. An emerging trend (unfortunately) is ransomware. Ransomware doesn’t steal your data; rather, it demands money so you can access it. It is insidious and evil, and far too easy to run into with all the hidden drive-by-downloads. So bookmark the following site: No More Ransomware. It is a clearinghouse of information on how to remove ransomware infections.
  • Attacking Hard Disks. Meltdown and Spectre can only get to information in memory. What about your hard disk? What about an attack that could cause the disk to crash? What if that attack didn’t require you to get on the system at all? Scared? Such an attack exists: Gizmodo is reporting on attacks using sound to crash hard disks by exploiting resonant frequencies.
  • Voting Machines. Of course, it isn’t just home machines and businesses that get attacked. Our voting systems get attacked, as we saw in the 2016 elections. But just as a broken clock tells the right time twice a day, the GOP-led Congress actually has a reasonable bill proposal regarding secure voting. Learn about this bill, and if you agree with its approach, work to secure its passage. The bill creates earmarks to help states get rid of their paperless electronic voting machines in favor of voter-verified, machine-readable paper ballots, and institutes a system of randomized post-election audits that use good statistical techniques to spot systemic anomalies. This may become even more important as states move away from precincts and to voting centers.
    • Edited to add: I pointed out the above to a friend who is very concerned about cybersecurity and elections, and she had this response — which I think highlights something important: “The congressional initiative on secure voting does advance the use of paper, but it does nothing to end the imposition of vulnerable expensive private architecture on public record management. In fact it serves to continue it. “Trusting” states to hire impartial auditors and to conduct audits is a stretch. A sponsor, Kamala Harris’s lack of discernment has so far been a big disappointment. First Franken. Now this.”

Internet / Security

The never ending task of paring down my saved chum list brings you this collection of articles related to the Internet and Internet security. Pay attention folks — there’s some good stuff here. Also, remember the key adage: If you get a service for free, you are the product, not the customer.

  • Be Alert for Phishing. I’ve always opined that the key risk from the Equifax and other breaches is not identity theft, but phishing. Help Net agrees: they view phishing as a bigger threat than keyloggers or third party breaches. They researched the subject, and noted that “victims of phishing are 400x more likely to be successfully hijacked compared to a random Google user. In comparison, this rate falls to 10x for data breach victims and roughly 40x for keylogger victims. Keyloggers fall in between these extremes, with an odds ratio of roughly 40x”. The reason for this is that phishing kits also actively steal additional authentication factors (secret questions, phone number, device-related information, geolocation data) that can be used to impersonate the victim and bypass protections put in place by email (and other online service) providers.
  • So What is Phishing/Spearphishing? Here is a wonderful infographic/cartoon on how to protect yourself from Spearphishing. Along the way, it explains what spearphishing is, how it influenced an election (and potentially gave us President Trump). It also contains some good tips about how to protect yourself from phishing. Note that, depending on where you work, this may be NSFW.
  • Lava Lamps and Security. Entropy. That’s “N”-“Tro”-“Pee”. Say it with me. Entropy is the property of how random your random numbers are. These numbers are usually generated by computers, and depend upon a random seed to start the process. A big issue is: how do you get the seed? Cloudflare does it in a very interesting and analog way: Lava Lamps. A lava lamp is a great way to generate randomness. Cloudflare videotapes its wall of colorful constantly morphing lava lamps and translates that video information into unique cryptographic keys.
  • Facebook Privacy. Remember my adage about getting a service for free? One such service is Facebook, and they don’t care about your privacy (and neither does that minx, Wendy). But you care about you, and that’s why you’re going to read this article about how to lock down your privacy settings on Facebook. Yes, you can make it so that when you go out searching for such-and-such for a friend (you know, that NSFW such-and-such), you aren’t suddenly deluged with ads on FB for that product.
  • Objectivity of Blog Sites. You’re probably familiar with them: all those blog sites that review this product and that product. Mattress blogs. Makeup blogs. Theatre blogs*. But there’s often a story behind the story about how manufacturers subtly influence them. Remember: if you get a product for free, what are you? Here’s a story I’ve been saving for a while about the Mattress Wars, where a bunch of new mattress stores started a war with mattress bloggers. *This, by the way, is one reason I do not accept free theatre tickets. I choose what I want to see and write about. I follow the ethical model of Consumers Reports. I will pay for tickets what I would have paid through the various discount ticket services I know about.



Caught With Your Pants Down

I’ve been reading a lot today about the Equifax compromise, where, you, the person whose data Equifax collected, were caught with your pants down because — although you buckled the belt as you should — the manufacturer forgot to secure the buckle to the belt. When you bent over to pick up that hot dog that landed on the floor — whoops, your privates, and those of 143 Million other Equifax individuals about which Equifax had data (about 44%) were put out there for all the world to see, to point at, and to laugh.

Don’t you feel embarrassed? Don’t you feel like you should lock yourself up in a dark room and hide forever?

You don’t need to. Equifax has provided a complicated checking procedure and registration approach that, ultimately, puts you in a queue for a paid year of credit monitoring, while you give up your rights to arbitration and class action suits¹. Doesn’t that make you feel better? Oh, and that credit monitoring. I think you still need to give a credit card, so they can start billing you after the free year is over.² Still feel better? Remember, this is monitoring — it doesn’t stop anything and lets you know after the information is used. Of course, you can have confidence in Equifax that they will protect you after the breach, given how they have handled it. [ETA: Oh, and Equifax was sending people to a fake phishing site.]

¹: [Update: They later clarified this wasn’t the case, although initial language made it appear to be the case. Translation: Sloppy response to the situation; poor contingency planning.]
²: [Update: They since removed the requirement for a credit card; it was there when this article was written]

Of course, there are security folks proposing other solutions. Some suggest the easy solution of just giving everyone new, more secure, social security numbers. Alternatively, we could start using our RealID Drivers License, and have one national identity number.

More sane folks are recommending a two-pronged approach that doesn’t require using Equifax’s protection: the most common approach is suggesting a fraud alert on your records, and paying to have a freeze to prevent new accounts. All good ideas.

As for me, I’m going to wait and see. With 143 Million pieces of data, their odds of picking me are, well, 1 in 143 million. That’s pretty small.  Plus the information has been out there for months — and with information like this, you have to use it quickly or it loses its value. Have we seen an uptick in identity theft? I haven’t heard of anything. I strongly suspect that this was a nation state, just like the OPM breach, and only select data will be used, for sophisticated spear phishing attacks. After all, why do they need to do the fraud when they can get you to unlock the door? Further, this isn’t the only attack: you’ve likely already had your information released (see this site).

Oh, and before you get scared about using the Internet, think about this: You don’t have to be an Internet user to have your information in the Equifax data. You just have to have had credit at some point in your life. The fault was with Equifax, the company you trusted to protect your data. Oh, that’s right. You didn’t choose Equifax. The fault was with Equifax, the company other companies trusted to give them accurate credit data. Equifax didn’t care about you or your credit. And neither did that little minx, Wendy*.

It is not in Equifax’s business model to protect your data: well, they’ll protect it only until they can sell it to the highest bidder. Remember the adage: If you get the service for free, you’re not the customer, you’re the product. [Translation: Equifax and other credit reporters make money by selling your data. Until their customers — the financial organizations that buy their data — demand accurate information, nothing will change. They won’t demand as long as it doesn’t cost them. They don’t pay the cost of the identity theft — you do.]

Feel better now? If not, wait a bit. I’ll be posting something this evening that will make you feel much better, even if your pants are down.

P.S.: Speaking about phishing, my favorite theatre about spam is having performances on 9/10 and 9/17. Go see it. It had Gene Spafford rolling in the aisles.

*[Paraphrasing my favorite Alton Brown quote, long since removed from his website:]

Here’s what it comes down to kids. Equifax doesn’t give a damn about you. Neither does that little minx Rachel from Card Services or any of the other icons of finance. And you know what, they’re not supposed to. They’re businesses doing what businesses do. They don’t love you. They are not going to laugh with you on your birthdays, or hold you when you’re sick and sad. They won’t be with you when you graduate, when your children are born or when you die. You will be with you and your family and friends will be with you. And, if you’re any kind of human being, you will be there for them. And you know what, you and your family and friends are supposed to watch out for you too. That’s right folks, protecting someone else’s information is an act of caring. We will always be protected best by those that care, be it ourselves or the aforementioned friends and family.

We are having our information exposed and exploited and exploited again because we have handed a basic, fundamental and intimate function of life over to corporations. We choose to value our information so little that we entrust it to strangers. We hand our lives over to big companies and then drag them to court when the deal goes bad. This is insanity.


Sesame? Says Me!

Over the last few days, my newsfeed has been filled with people gloating over the fact that the fellow who came up with that original guidance — make complex passwords and change them often — admitted he was wrong. But, of course, as with most people, they are misinterpreting things. Here are some key takeaways:

  • Complex passwords are still critical, but the answer is not an unpronounceable mix of letters and characters — because you can’t remember that. You can get equal or stronger passwords by choosing random words from the dictionary (passphrases) because although the “string” is shorter, the alphabet is larger. Math is math.
  • Frequent changing of passwords defeats the strength not because frequent changing is bad, but because human nature is. If you change things frequently, you’ll go to patterns that make things easier to remember — and to break.

In reality, the best solution is still a high-quality Password Manager, with a strong master password. In the password manager, you can create strong passwords for all your sites — unique for each site — and not have to remember them. This is something I recommend (and not using my Facebook authentication for everything, which is not only weak but gives FB far too much information). I’ve recommended Lastpass for a long time for this purpose. It can keep track not only of passwords, but all that information you fill into forms — such as credit card info — so that you are storing it in your encrypted password vault, not on another machine where you depend on their encryption.

Recently, Lastpass changed their charging model: they upped the price (without notice) of Lastpass Premium from $12 to $24 a year. Everyone was up in arms! Heaven forfend! Doubling the price! (Never mind the fact that we’re talking $1 a month, which is noise, but hey, it’s the percentage!). It’s a concern for me: we have three Lastpass Premium accounts. However, I plan to move to the Family pricing model (which is worth it for 2 or more family members); hopefully, Lastpass will provide a way to consolidate existing Premium accounts into a single Family account with prorata balances applying towards the fee.

In the larger world, NIST is simplifying their password recommendations. The folks at Lastpass believe that will make things easier, but I believe that the fundamentals still remain: pick a unique password for each site, make it suitably complex, ideally gaining complexity through words vs. characters. How to do that? Use the password generator in your password manager, use the nonsense word generator, or use the XKCD Password Generator, XKPasswd.
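The “Math is math” claim in the takeaways above, and the generator advice just given, come down to one formula: a string of `n` symbols each drawn uniformly from an alphabet of size `k` has `n * log2(k)` bits of entropy, whether the symbols are characters or whole words. This added example (not from the post, Lastpass or XKPasswd) works that arithmetic for a few schemes and picks words the way a password manager’s generator should, with the `secrets` CSPRNG rather than `random`. The 7776 figure is the size of the standard Diceware list; the short word list in the block is constructed and far too small for real use, which the numbers make obvious.

```python
import math
import secrets

DICEWARE_SIZE = 7776          # size of the standard Diceware word list (6**5)
PRINTABLE_ASCII = 94          # printable ASCII characters excluding space

# Constructed stand-in word list; a real generator loads thousands of words.
SAMPLE_WORDS = ["correct", "horse", "battery", "staple",
                "router", "padlock", "ledger", "lantern"]


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a string of `length` symbols, each chosen uniformly at random
    from `alphabet_size` possibilities: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def words_needed(target_bits: float, list_size: int = DICEWARE_SIZE) -> int:
    """Smallest number of words from a list of `list_size` that reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(list_size))


def compare_schemes() -> dict:
    """Entropy of common schemes, assuming every symbol is chosen uniformly by a
    machine. A human picking 'memorable' words or characters gets far less."""
    return {
        "8 random printable ASCII chars": entropy_bits(PRINTABLE_ASCII, 8),
        "12 random printable ASCII chars": entropy_bits(PRINTABLE_ASCII, 12),
        "4 words from 7776-word list": entropy_bits(DICEWARE_SIZE, 4),
        "6 words from 7776-word list": entropy_bits(DICEWARE_SIZE, 6),
        "4 words from the 8-word sample list": entropy_bits(len(SAMPLE_WORDS), 4),
    }


def generate_passphrase(words, count: int, sep: str = "-") -> str:
    """Select `count` words with replacement using the OS CSPRNG. Selecting
    with replacement keeps every draw independent, so the entropy formula holds."""
    if count < 1 or len(words) < 2:
        raise ValueError("need at least one word to draw and at least two to choose from")
    return sep.join(secrets.choice(words) for _ in range(count))


if __name__ == "__main__":
    for scheme, bits in compare_schemes().items():
        print(f"{bits:6.1f} bits  {scheme}")
    print("words for 80 bits from Diceware list:", words_needed(80))
    print("sample passphrase:", generate_passphrase(SAMPLE_WORDS, 5))
```

The table shows the point the post makes: four random Diceware words (about 52 bits) match eight fully random printable characters, while being far easier to type and remember.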