OUCH on Passwords

May 13, 2013

One of the “Useful Links” in the sidebar here is to the SANS Internet Storm Center [ISC].  The site, staffed by volunteer “handlers”, a group of highly skilled and experienced security professionals and systems/network administrators,  is a very valuable source of the latest security news.  It is, however, a site aimed at IT professionals, and tends, understandably, to be fairly technical, and to assume a fair amount of basic IT knowledge for starters.

However, to their credit, the folks at ISC have not neglected the ordinary user.  It has had, for a couple of years now, an initiative called Securing the Human, which attempts to address security policy issues considering the users’ perspective.  (In the interests of honesty, from personal experience, I am bound to say that this is probably not entirely from altruistic motives — better educated users are, on the whole, less likely to make terminally stupid mistakes.)    The Securing the Human initiative has also involved publishing a newsletter called OUCH!, which is oriented toward end users.

The latest issue of OUCH! has a short (three-page) article on good password practice [PDF].  It has some good, common sense advice that will help you use passwords securely.  If you are a systems admin person, you might want to consider giving copies to your users.

I’d just make one final suggestion: using a password manager, such as Bruce Schneier’s PasswordSafe, can be a big help in managing your passwords, and using them well.


Dotty Security Arguments

May 6, 2013

Bruce Schneier has an excellent opinion piece over at CNN, in which he discusses the criticism directed at security and intelligence agencies for not discovering and stopping the Boston Marathon bombing.  The litany of complaint is familiar enough:

The FBI and the CIA are being criticized for not keeping better track of Tamerlan Tsarnaev in the months before the Boston Marathon bombings. How could they have ignored such a dangerous person? How do we reform the intelligence community to ensure this kind of failure doesn’t happen again?

Just as after the atrocities of 9/11, the agencies are being criticized for failing to “connect the dots” and uncover the plot.

Now, there have been specific incidents in connection with terrorism that one might think would raise some suspicions (for example, the 9/11 hijackers who took flying lessons but didn’t want to learn how to land the plane).  But for the most part, as Schneier points out, “connecting the dots” is a bad and misleading metaphor.

Connecting the dots in a coloring book is easy and fun. They’re right there on the page, and they’re all numbered. … It’s so simple that 5-year-olds can do it.

After an incident has occurred, we can look back through the history of the people and things involved, and attempt to piece together a pattern.  But that is possible only because we know what happened.  Before the fact, real life does not number the dots or even necessarily make them visible.  The problem, generally, is not that we have insufficient information.  It’s that we don’t know which tiny fraction of the information that we do have is relevant, and not just noise.

In hindsight, we know who the bad guys are. Before the fact, there are an enormous number of potential bad guys.

I heard a news report a few days ago saying that Tamerlan Tsarnaev, the elder of the two brothers, had taken part in a monitored telephone call in which the term ‘jihad’ was mentioned.  Lumping together telephone calls (including those by reporters, of course), radio and TV broadcasts, and other forms of electronic communication, how many times per day would you guess that word might be mentioned?

As Schneier goes on to point out, this is an example of a psychological trait called hindsight bias, first explained by Daniel Kahneman and Amos Tversky,

Since what actually happened is so obvious once it happens, we overestimate how obvious it was before it happened.

We actually misremember what we once thought, believing that we knew all along that what happened would happen.

Telling stories is one of the primary ways that people attempt to make sense of the world around them.  The stories we construct tend to be a good deal tidier and more logical than the real world.  There is a strong tendency to adjust the “facts” to fit the story, rather than the other way around.  (This is one reason that science is hard.)

You can observe this tendency regularly in reporting on financial markets.  For example, whatever the stock market did yesterday — go up or down, a little or a lot — you can be sure that some pundits will have an eminently plausible explanation for why that happened.  You are very unlikely to hear anything like, “Well, the S&P 500 went down 500 points, and we don’t have a clue why it happened.”  (I have been saying for years that I will start paying attention to these stories when they are published before the fact.)

It is certainly sensible, after any incident, to look back to see if clues were missed, and to attempt to learn from any mistakes.  But it is neither sensible nor realistic to expect prevention of any and all criminal or terrorist activity.

Update Tuesday, May 7, 17:05 EDT

Schneier’s essay has now also been posted at his Schneier on Security blog.


The Internet Surveillance State

March 30, 2013

One of the hardy perennial issues that comes up in discussions of our ever more wired (and wireless) lives is personal privacy.  Technology in general has invalidated some traditional assumptions about privacy.  For example, at the time the US Constitution was being written, I doubt that anyone worried much about the possibility of having a private conversation.  All anyone had to do, in an age before electronic eavesdropping, parabolic microphones, and the like, was to go indoors and shut the door, or walk to the center of a large open space.  It might be somewhat more difficult to conceal the fact that some conversation took place, but it was relatively easy to ensure that the actual words spoken were private.

Similarly, before the advent of computer databases, getting together a comprehensive set of information about an individual took a good deal of work.  Even records that were legally public (e.g., wills, land records) took some effort to obtain, since they existed only on paper, probably moldering away in some obscure courthouse annex.  Even if you collected a bunch of this data, putting it all together was a job in itself.

People whose attitudes date back to those days often say something like, “I have nothing to hide; why should I care?”  They are often surprised at the amount of personal information that can be assembled via technical means.  The development of the Internet and network connectivity in general has made it easy to access enormous amounts of data, and to categorize and correlate it automatically.  Even supposedly “anonymized” data is not all that secure.

Bruce Schneier, security guru and author of several excellent books on security (including Applied Cryptography, Secrets and Lies, Beyond Fear, and his latest book, Liars and Outliers), as well as the Schneier on Security blog, has posted an excellent, thought-provoking article on “Our Internet Surveillance State”.  He begins the article, which appeared originally on the CNN site, with “three data points”: the identification of some Chinese military hackers, the identification (and subsequent arrest) of Hector Monsegur, a leader of the LulzSec hacker movement, and the disclosure of the affair between Paula Broadwell and former CIA Director Gen. David Petraeus.  All three of these incidents were the direct result of Internet surveillance.

Schneier’s basic thesis is that we have arrived at a situation where Internet-based surveillance is nearly ubiquitous and almost impossible to evade.

This is ubiquitous surveillance: All of us being watched, all the time, and that data being stored forever. This is what a surveillance state looks like, and it’s efficient beyond the wildest dreams of George Orwell.

Many people are aware that their Internet activity can be tracked by using browser cookies, and I’ve written about the possibility of identifying individuals by the characteristics of their Web browser.  And many sites that people routinely visit have links, not always obvious, to other sites.  Those Facebook “Like” buttons that you see everywhere load data and scripts from Facebook’s servers, and provide a mechanism to track you — you don’t even need to click on the button.  There are many methods by which you can be watched, and it is practically impossible to avoid them all, all of the time.

If you forget even once to enable your protections, or click on the wrong link, or type the wrong thing, and you’ve permanently attached your name to whatever anonymous service you’re using. Monsegur slipped up once, and the FBI got him. If the director of the CIA can’t maintain his privacy on the Internet, we’ve got no hope.

As Schneier also points out, this is not a problem that is likely to be solved by market forces.  None of the collectors and users of surveillance data has any incentive, economic or otherwise, to change things.

Governments are happy to use the data corporations collect — occasionally demanding that they collect more and save it longer — to spy on us. And corporations are happy to buy data from governments.

Although there are some organizations, such as the Electronic Privacy Information Center [EPIC] and the Electronic Frontier Foundation [EFF], that try to increase awareness of privacy issues, there is no well-organized constituency for privacy.  The result of all this, as Schneier says, is an Internet without privacy.
