koganbot (Frank Kogan)
Third major security breach in a year — Target, Heartbleed,* and now CyberVor — and for this one, like Heartbleed, what consumers need to know are:

(1) What sites are potentially compromised,
(2) Of these, which sites employed a fix, and
(3) If they did, when they employed it

— ’cause if you change your password before the fix, you'll need to change it again.
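The three questions above reduce to a timeline check per account: was the site on the breach list, has it announced a fix, and did your last password change come before or after that fix. The post also notes that people reuse the same password across sites, which spreads the exposure. The following is an added example (not from the original post, and not any site's or Hold Security's code) that encodes both rules over constructed sample data; site names, dates and the shared-password groups are assumptions made up for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class SiteStatus:
    name: str
    compromised: bool          # was the site on a breach list?
    fixed_on: Optional[date]   # day the site closed the hole; None if no fix announced yet


NO_ACTION = "no action needed"
WAIT_FOR_FIX = "wait: no fix announced yet, a new password could be stolen the same way"
CHANGE_NOW = "change password now: last change predates the fix (or never changed)"
ALREADY_DONE = "already rotated after the fix"


def rotation_advice(site: SiteStatus, last_change: Optional[date]) -> str:
    """Apply the rule from the post to one account: a password changed
    before the fix went in is still exposed and has to be changed again."""
    if not site.compromised:
        return NO_ACTION
    if site.fixed_on is None:
        return WAIT_FOR_FIX
    # A same-day change is ambiguous (was the fix live before or after it?),
    # so treat a change on the fix date itself as still exposed.
    if last_change is None or last_change <= site.fixed_on:
        return CHANGE_NOW
    return ALREADY_DONE


def plan(sites: List[SiteStatus], last_changes: Dict[str, Optional[date]]) -> Dict[str, str]:
    """Advice for every site, keyed by site name."""
    return {s.name: rotation_advice(s, last_changes.get(s.name)) for s in sites}


def reuse_exposure(sites: List[SiteStatus], shared_password_groups: List[List[str]]) -> Set[str]:
    """Sites that were NOT on the breach list but share a password with one that was.
    Those accounts are exposed too and need a fresh, unique password."""
    compromised = {s.name for s in sites if s.compromised}
    exposed: Set[str] = set()
    for group in shared_password_groups:
        if compromised & set(group):
            exposed.update(group)
    return exposed - compromised


# Constructed sample data (hypothetical sites and dates, not real breach records).
SAMPLE_SITES = [
    SiteStatus("shop.example", compromised=True, fixed_on=date(2014, 8, 1)),
    SiteStatus("forum.example", compromised=True, fixed_on=None),
    SiteStatus("bank.example", compromised=False, fixed_on=None),
]
SAMPLE_CHANGES = {
    "shop.example": date(2014, 7, 20),   # changed before the fix: exposed again
    "forum.example": date(2014, 8, 10),  # changed, but the hole is still open
}
SAMPLE_REUSE = [["forum.example", "mail.example"], ["bank.example"]]


if __name__ == "__main__":
    for name, advice in plan(SAMPLE_SITES, SAMPLE_CHANGES).items():
        print(f"{name}: {advice}")
    print("also rotate (shared password):", sorted(reuse_exposure(SAMPLE_SITES, SAMPLE_REUSE)))
```

The ordering test is deliberately conservative: with no exact fix timestamp, a change made on the fix date is counted as pre-fix, since a second rotation costs little and guessing wrong leaves the account exposed.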

As with Heartbleed, most companies aren't going to tell you they've been compromised,** and the situation is complicated this time by the firm that uncovered the breach — Hold Security — only being willing to give this information out to companies that pay for it.***

In the case of Heartbleed, someone developed a tool allowing us to test a site ourselves, but I doubt info on that tool reached more than a minuscule portion of the people potentially affected; and the tool didn't work for all sites.

The journalists I've read are rarely clear on any of this: the info that people need and how to get it to them. What the story is. Articles on how to strengthen your password are useful but beside the point when it comes to the recent breaches: Once the hackers break into a company or site and have access to your user name and password and likely your email address, it doesn't matter how strong your password is. They've got it. It's the company's defenses that are at issue here, not yours. And there's submerged ideology in some of the reporting, the press in effect saying it's up to you, the individual, to take care of yourself, not up to the institutions or governments that, in instances like these, are the only ones who can take care of us.

A couple more thoughts:

(i) To the extent that security is up to individuals, it's just not going to happen. We can't expect people to remember multiple passwords or to choose ones that are hard to remember, or not to use the same user name and password on multiple sites, or to wait for authentication on their mobile every time they log in. It's like demanding that everyone be a tech version of a survivalist, when we've actually got other stuff to do.

(ii) I'm hardly an expert on technology and government, but (a) I fear that even firms that want to invest in the security of their sites may decide that in the short run they can't afford to, especially if their immediate competitors aren't investing, (b) even if governments and voters wanted to force them to and were willing to devote tax money to such oversight and enforcement, policing this stuff is probably a lot more complicated than inspecting a building for fire exits or demanding a bank hold assets in reserve, and (c) at times, the hackers will run ahead of the security people, no matter what. And the "if" in Point b is a very iffy if.

So, pessimism. I remember back in college a teacher saying that in the early 1900s Teddy Roosevelt's progressive agenda had the support of many big businesses, who really did think that regulation was in the best interests of their industries. We hardly seem to be in such an era now, and even if techies get behind regulation, we need businesses to do so across the board. Not to mention voters. And we need the right regulations, whatever those might be.

*The Heartbleed bug wasn't strictly speaking a breach, rather a vulnerability that may or may not have been exploited.
**Tumblr was an admirable exception, last time.
***That Hold Security is in it for the money and isn't releasing data is raising doubts and eyebrows. But the New York Times report says the paper got an independent security expert to authenticate Hold Security's list. I'm not the one to know here. The NY Times has a reputation for being careful. The paper has botched some things, but it doesn't like to.
