Protect Your Passwords, an Encore Performance

A while back I mentioned that if someone got hold of your email password, that all your other passwords, no matter how cryptic or “safe”, would soon follow. To recap, it goes like this: If someone can get your email address, they can go to every bank and hit “reset my password” and get to the automatic email before you do.

A friend of mine recently put up a post that reminded me of another way hackers can get into your accounts (including primary email), one that I’ve been meaning to mention. You know those security questions they ask you, so they can confirm your identity? Those questions aren’t very secure. Questions like, “Where did you go to elementary school?” Pretty easy to find out stuff like that these days.

Say I want to hack into a celebrity’s yahoo account. I just need to answer a few questions, most of which are probably answered in imdb. Then I’m in. There’s a GQ article linked in my friend’s post that illustrates just how easy this all is.

The problem is, lots of places force you to set up these questions – making it mandatory that you provide a huge hole in your own security. A lot of people call these “insecurity questions”.

Security questions can work, but only if you choose to answer them incorrectly. Where did I go to school? A fish. What was the name of my first pet? 4e$RE*Plaster. Of course, in the rare event that I actually need to be able to answer the questions, there’s no way I’m going to remember what I said the first time.

While pondering that I had a thought for a method of answering these questions, one that removes any worry about remembering much of anything. Let a machine do the work. Imagine if you could select the question with your cursor, push a button, and paste your own personal complete gibberish into the answer field. Then, whenever confronted with the same question, you can generate the same gibberish. No remembering and no chance of anyone ever guessing your answers.

This would actually be pretty easy to do. It might even just take GnuPG and a bit of scripting. All it has to do is take the selected text, add a little secret extra bit that you set, then put the MD5 hash onto your pasteboard. It would be better as a browser plugin, so it was ready and waiting whenever you needed it. A little gizmo like that could go a long way toward tightening up one of the biggest security holes in the interwebs.

I’d build it except for two things: I just don’t have time right now, and a major technology company would end up owning it.

While we wait for someone to step up and build that little beauty, take a moment and reset your “insecurity questions” to something no one can guess. Perhaps for each question that asks for a name, you have one ridiculous answer (that you never tell anyone) and for locations you have another, and so forth. It’s not as good as a different answer for every site (who knows how securely each place stores them?) but it’s a hell of a lot safer than the truth.

Authority vs. The Web of Trust

Almost every security system on the Internet has at its core an element of trust. When you point your browser to Bank of Money, how do you know you’re talking to the real Bank of Money and not some impostor? Once you’re certain that the machine on the other end is genuine, your browser can set up a secure connection and keep others from listening in. But that first step, when they have to prove they are who they claim to be, is a problem.

The way Bank of Money proves their identity is by passing to you a special encrypted file that says who they are. But how do you know that certificate file is genuine? Because someone else made the file and they can verify that it’s legit. That “someone else” is a Certificate Authority, and your browser is trained to trust a handful of these companies implicitly. You might have heard of VeriSign, for instance. Bank of Money can go to VeriSign, provide information (and money), and after VeriSign carefully screens the application to make sure it’s really coming from Bank of Money, issues them a certificate.

When you connect to Bank of Money, your browser goes, “oh, hey, VeriSign says this certificate is the real thing,” and you’re good to go.

Unless, of course, the Certificate Authority is controlled by an evil government. Or if a CA gets hacked. Or if a CA is just sloppy. And the crazy thing? If any one of the Certificate Authorities trusted by your browser is compromised, you can’t trust any connection, no matter where the original legitimate certificate came from.

And, well, that has happened. The two cases I know about seem to have been aimed at Iranian dissidents, but it is no exaggeration to say that all of e-commerce depends on the integrity of the Certificate Authorities. That integrity has proven to be shaky lately. Each CA is a separate point of catastrophic failure for e-commerce.

And the pain goes both ways. Let’s say for a moment that Bank of Money got their certificate from DigiNotar. DigiNotar got hacked, wasn’t forthcoming, and lost their ‘automatic trust’ status in most browsers (which is a reason to accept all those annoying browser updates – they might be quietly blacklisting known fraudulent certificates). Even though Bank of Money did nothing wrong, now none of their customers can make a secure connection. The browsers don’t trust their DigiNotar certificate anymore. For good reason. They lose, you lose, I lose.

Is there an alternative to Certificate Authorities? Practically speaking, probably not. But there is another way to establish the legitimacy of Bank of Money’s certificate. If someone you know personally and trust says that BofM’s certificate is valid, then you can choose to trust it, too. Once you decide it’s legit, and confirm it for yourself, you can put your own stamp on it, and then people who trust you can feel confident as well. It’s not about some central authority, it’s about people you know and trust.

If some bogus entity tries to jump in with their own certificate, it won’t have the endorsement of you or your pals on it. You won’t be fooled, and neither will anyone else.

This model is called the Web of Trust. A certificate is only as good as the collection of endorsements it has built up. Bogus certificates (theoretically) have a much more difficult time taking hold. If I was an Iranian dissident, for example, I’d be very, very conservative about which certificates I accepted and endorsed. There’s a pretty good chance that people died as a result of DigiNotar being hacked. The major browsers accepted the false certificates without blinking, and the government read everything the dissidents said.

Bank of Money would love an alternate system that didn’t cost them a lot of money, and protected them from blacklisting because someone else messed up. The problem, if you’re an institution like that, is getting started. You can’t just wait for your certificate to gain acceptance organically before your Web portal becomes useful. To get going quickly you need one powerful, trusted person to vouch for your certificate, someone everyone else will believe. That’s what a Certificate Authority is, and they’re built into your browser, so that you have to go out of your way not to believe them.

Yet, if the Web of Trust were well-developed, new certificates would spread very quickly. If we all had three or four people we trusted, and a bunch more we sort-of trusted (so that if several of them said a certificate was legit, we’d be OK with it), then BofM’s certificate would percolate through the WoT pretty quickly.

But what if none of your trusted people used Bank of Money, so never endorsed its certificate? You can extend your search for endorsement further, and decide for yourself how comfortable you are. This is where a centralized Certificate Authority can come in — you can choose to accept their endorsement if your personal Web of Trust doesn’t cover that certificate. It’s entirely up to you. Not like now.

And, sure, at first people would get fooled. There will be people who endorse certificates lazily. There will be fake people created just to endorse certificates. Iranian dissidents will not be fooled, however. When something inevitably goes wrong, the sloppy people will no longer be trusted, and will learn not to trust people they don’t know. Speaking personally, I already know who my trusted folk would be — I have friends who would take responsibility for their endorsements very seriously, both out of pride and a sense of social responsibility. Shit, I can think of five without even breaking a sweat, and that’s plenty. You know a couple of people like that, too. Ask yourself: Would you rather trust them or a big company in it for the money and subject to political fiat?

This might be the definition of ‘neighbor’ for the information age.

So, people of planet Earth, we have a chicken-and-egg problem. Bank of Money isn’t going to depend on a Web of Trust that doesn’t exist yet. Most of their customers aren’t going to bother building the WoT, because none of the institutions they interact with use it. I talk about the Web of Trust, but I haven’t done much about it myself. We need a catalyst. I just hope it’s not the collapse of the Certificate Authority system, and the disruption that would cause.

I’ll talk more about how we can all work together to build the Web of Trust in a later episode. The takeaway today: We need it. Prepare to do something about it. It won’t be as simple as it ought — something I plan to bring up at work.

They ARE Watching You

Near the beginning of the novel 1984, Winston Smith is in his apartment, doing his state-mandated exercises in front of the TV. Suddenly a voice blares from the speaker and reprimands him for not making more of an effort. We learn at that moment that the telescreen is a two-way device; it watches you as you’re watching it.

Now we call that machine Kinect for XBOX Live.

Some of this is old news in privacy circles; it was more than a year ago that Microsoft first bragged to investors that the Kinect platform could be used to gather data on people using their product — what people are wearing, and things like that. This is what happens when you have a Web-cam in the house that’s always connected to the Internet, and someone you don’t know is on the other end.

Well, as you might expect, these revelations raised quite a kerfuffle. Microsoft very quickly and very loudly promised not to use data gathered through the camera in your home for targeted advertising. In the articles I read, journalists took two approaches:

  1. Whew! I’m sure glad Microsoft promised not to be evil!
  2. You know, targeted advertising isn’t as bad a people keep claiming. Relax and get information tailored to you.

The commentary, and Microsoft’s reassurances, miss the point entirely. With the government pulling flagrant rights violations like National Security Letters, how long before the video feed in your living room is handed over to the FBI? Hell, it might have happened already. Microsoft would be legally barred from telling anyone it even happened. This is the state of our constitution these days.

(If the government really thinks this is all cool and the public wouldn’t mind, why do they work so hard to keep it secret?)

There are ways to prevent the video feed from reaching the outside world, but as I understand it, the default is always on. Not only can it report what game (or political convention) you’re watching, it can report when you cheer. Better think twice about that Che Guevara poster on the far wall from the TV. My video-game playing, dope-smoking neighbors may not be too concerned about privacy anyway (judging by the clouds drifting through the neighborhood), but I doubt they’d feel great about knowing they have a live video feed that any government monkey with a frightening letter will be able to watch.

Let me repeat that just so I’m clear: Any government monkey with a frightening letter will have access to a live video feed from your living room, as well as every email you’ve ever sent and what you checked out at the library. Things are bad enough without handing them the most invasive tool yet to pry into your lives.

I would LOVE to see a big company like Microsoft stand up to the government and publish a policy that states that they will not surrender the feed without a legal warrant signed by a judge. The chances of that actually happening are zero — unless Microsoft thinks it’s losing a very large amount of business due to those privacy concerns. That’s not an indictment of Microsoft, I doubt any major US corporation is ready to go to the mat with the Feds on this one.

Microsoft once more finds itself in the very familiar position of creating something that sounds really cool without considering all the consequences, much like when they put into Microsoft Office a system specifically tailored for adding executable code to Office documents. Office automation, they called it. A great time-saver. “Capital idea!” shouted the virus writers with glee. Now once more Microsoft has come up with something that is almost magic in how it works (e.g., parental controls based on the metrics of the people in the room), but those things require the camera to be on, even when you’re just watching TV.

If someone gave me a free Kinect and XBOX, I’d probably use it. But I’d be very, very careful about when the Internet connection is active. And, while exercising I’ll be sure to give it my all.

Call me g2-587217eb4d0b8b1710372695336f2a58

The other day I got an email notification that someone had requested a password change for my wordpress.com account. WTF? I almost never even log into wordpress.com. But, if someone knew my member name, they could try to hack my account and I assumed that this message was a result of such shenanigans. I figured an actual change of my password was in order, just to be safe.

Then I noticed the user name on the account: g2-587217eb4d0b8b1710372695336f2a58

That’s actually not my user name at wordpress.com. Someone (a robot, obviously) created an account with my email address. Huh. I logged into the fake account, changed its password so whoever created it wouldn’t get access to it, and looked around for a way to delete the account entirely. I couldn’t find one.

I know you had a snafu that led to people’s passwords being stored less securely, and therefore a spate of “reset your password” messages issued forth, but this message was absolutely not the same as those. I am fanatic about protecting my email password (as I write about here), and I have changed it recently. There is no other sign that my email account has been compromised.

I logged in as the bogus user and checked to see if any comments or posts had been made; it appeared not. So, I set the password to something ridiculous and promptly forgot it.

The only problem is, when I leave comments on people’s wordpress.com blogs, after I put in my email it auto-fills the rest with data from the bogus account.

So, two things:
1) how did there come to be an account with an email address the bad guy almost certainly didn’t have access to?
2) how can I make that bogus account go away entirely, and never bother me again?

Your Most Important Password

I’ve mentioned passwords before, but today I’d like to tell you about the most important password in your possession, the single password that keeps the hordes at bay.

Take a moment to think about the passwords you use for your various secret stuff. If you’re like me, you have your ordinary password for unimportant stuff, then you ratchet up the entropy for sites that involve money. For a long time I had two passwords, my ‘secure’ one and my ‘other’ one. Now I’ve started taking my passwords a lot more seriously, which means keeping a file of all my passwords, itself protected with massive encryption and the most awesome passphrase ever. No one’s getting into that file.

But here’s the thing: they don’t have to. There’s another password I have that’s just as powerful and easier for a bad guy to use. My primary email password.

How does that password drop my trousers universally? Simple: if someone had access to my email, they could click “I forgot my password” on every site in the world and harvest the responses. If the evil robot cleared out the emails before I read them, I’d be none the wiser. And I’d be fucked.

You might think your online banking password is the one you must protect most diligently, but your email password will hand them your bank account along with everything else. This is the password to protect and change regularly.

As an aside, you can make things a little tougher for bad guys by modifying your email address when you register for stuff. For instance, if I register at xyz.com, I might use vikingjs+abc@mac.com for my email address. The cool thing about ‘+’ is that it doesn’t change the delivery (the above will go to vikingjs@mac.com) but you can sort your email based on the suffix, and you can track who gave your email address away. Most significantly, if some wrongdoer has your email password, they still have to guess the +suffix part for each site before they can use the “I forgot my password” feature. If your email password gets out, that second line of defense could really save your ass.*

Also, know that if your email provider gets hacked, you could be hosed. There is one major company (rhymes with achoo!**) that seems to have a hard time keeping the wrong guys out of your account (although I think it’s the address book that has been compromised, and not direct access to your emails). There are likely others that do a better job keeping their names out of the press when they spill your information.

So, to flog the horse: If bad guys gets access to your email, they own you. Protect that password diligently. Change it fairly often. Use email+suffix@whatever.com when you sign up for stuff. In databases around the globe, your email is quite literally your entire identity.

* I read somewhere that hotmail and some others don’t support the + in emails. I haven’t tested personally, but if your provider is one of those, drop them immediately and find a better service.

** I’m pretty sure I have stock in a company that ends oo!, so I’m not just slinging mud here.