Opinion/Editorial/Life

Cleaning up My Password Security

encryption-imageIt seems like there is an increasing amount of hacks and leaks lately.  These also seem to be larger and higher profile targets more and more.  Recently I’ve been seeing stories about Last.fm and Dropbox accounts apparently being compromised as well as a vulnerability in vBulleten, a popular Message Board hosting tool.  For the most part, a lot of these hacks are going to be harmless, for now.  Any website that actually matters is probably (they better be) using salted passwords, making a password dump mostly useless.  Though in Last.fm’s case, apparently 96% of the passwords were decrypted because their encryption algorithm was shoddy.  Still, it seemed like a good time to check over my Password Security.

Beware, those music scrobbles you see might actually be the music taste of some Russian or Chinese hacker!  Seriously though, I don’t really see the point with hacking Last.fm, I’m not entirely sure they even have any sort of financial data.  I imagine the email list is sort of useful for spam accounts.  I suppose there is also the issue of people using the same passwords everywhere.

The good side of these hacks, the lists get put on-line, on hacker sites or TOR sites, and there are several places that take these lists of leaked accounts, dump them in a database and allow you to search to see if your account shows up in a list and for which site, if available.  With all of these recent lists I went through and checked my primary email addresses and found about 20 entries between the two of them that had been compromised.  Most of those were vBulleten Boards that I had signed up for 10 years ago, never posted to, and had forgotten even existed.

I mentioned the problem of using the same password repeatedly.  I’ve got several “layers” I use for how much complexity I put into my passwords.  Financial sites, large buying sites (eBay, Amazon, etc), all get unique passwords.  I just remember those.  The next level, things like Facebook and Twitter, also get unique passwords, but I have some basic algorithms I use to generate them, mentally, so I can remember those as well while keeping them unique.  Sites like the ones that were compromised, tiny one off bulletin boards with little risk to me if they get hacked, I admit, I use the same few passwords on a lot of those.  Especially older ones from ten years ago, before I got serious about my online security.

Ironically, these sites are now possibly my most secure passwords.  Because I used Lastpass to generate the passwords.  Lastpass is a plug in for pretty much every browser.  It remembers your passwords, and syncs them across your Lastpass account.  I’ve used it for years to store and sync passwords, but I never really bothered with the generated passwords feature.  The best practice at the moment, for passwords, are long strings of random characters, lastpass can create these, and then remember them, so you don’t have to.  I don’t know what my new password is for the PPCGeeks message board, but I don’t need to, because when I visit, Lastpass will enter it and log me in.  It’s long and complex.  I mostly avoided this feature before because it pretty much meant I would never be able to log in via mobile since I would have to manually type the password in.  Lastpass now has a mobile solution, but I also just sort of accepted that, I’m never going to visit many of these sites on mobile anyway.

The even better solution, when available, is to use 2 Factor Authorization.  Something you know, a password, something you have, an Authenticator.  Every mobile platform has an authenticator App.  If you happen to be one of the 1% using Windows Phone like me, the Microsoft Authenticator works just like the Google Authenticator when setting it up.  When I want to log into say, Dropbox, I enter my username and password, like normal, and then I am prompted to enter the generated code from my Authenticator.  It doesn’t matter if someone else has my password, because they don’t have the Authenticator, which is randomly generated and can’t be duplicated.  I use this for any site that has it, which is almost all of the “big ones”, Microsoft, Google, Dropbox, etc.  I actually get frustrated when it’s not available, like when my Rockstar Games account got stolen 6 months ago or with Playstation Network, which has had like 3 or 4 hacks now.

Encryption and You…

encryption-imageThere seems to be an endless stream of stories about how the UK wants to ban the use of encryption on the Internet.  It’s hard to say what this says about the UK officials, since banning encryption is essentially impossible without completely breaking the Internet.

Well, technically it could be done, but you wouldn’t want to be on this Internet anymore for anything requiring security.

So a quick rundown on just what encryption is.  Let’s say you send data cross the Internet, an email, a tweet, e bank password, a credit card number for buying something on Amazon.  Without any sort of encryption, data is simply converted into bits, and sent from router to router to the machine on the other end.  Capturing this traffic as it flows across the Internet is actually fairly easy.

There was a very famous exploit plug in a few years ago called FireBug.  Firebug would sniff the local network for the log in cookies used by Facebook and snatch them out of the air (so to speak) and allow the user of Firebug to access the Facebook account of anyone else on the local network.  This was before Facebook encrypted the data for it’s log in information, so the cookie was just flowing across the network.  The cookie data basically is a way for Facebook to know “yes, this , but it will person has logged in and this is who they are” so you don’t have to enter your password every time.

Because Facebook switched to SSL Encryption for their log in data, these cookies are now encrypted as they pass through the internet.  You may still be able to snatch the cookie but it will be a garbled mess of gibberish.

Now imagine if your bank or Amazon didn’t use encryption.  The same methods used by Firebug could be used to pull your bank or credit card data.

This is why encryption is important and used every day.

But how does it work.  When you connect to a remote website, your computer and the website exchange keys for translating the encrypted data.  This means the data can only be read by your computer or the remote website.  An extremely simple example, Let’s say the “key” is “13” and the “algorithm” is “ROT13”.  The data would be translated by moving all of the letters in a data packet by 13, hence ROT 13 (Rotate 13).  The phrase “My name is Josh” becomes “Zl nzar vfWb fu”.  Now, this is a very very very simplified example.  Real encryption uses long long keys, complex multi faceted algorithms, often with time based mechanics, and in general, would never be human translatable.  In fact, without the key, depending on how complex the encryption is, it could take the most powerful computer in the world millions of years to break some encryption.

So, why does the UK government (and others) want to ban this important security tool?  It’s simple, they can’t break it.  The world has become aware of how the governments of the world are scooping up and reading all of the data across the Internet, and the world has turned to encryption to keep their privacy.  Websites big and small have started using SSL by default so all traffic is encrypted making reading the contents impossible by outsides.  More people are using things like VPN tunnels, TOR networks, and PGP keys for their emails, these are all useful encryption tools.

The claim of these spying agencies is that it makes it hard or impossible to “find the bad guys”.  This assertion is as ridiculous as claiming say, we need to ban White Vans because kidnappers always and only use White Vans.  Or maybe, we need to ban beards because “Terrorists always have beards”.

“Only bad guys encrypt their data”.

It’s basically applying a false sterotype and getting mad when it doesn’t fit.  Its also blatantly ignorant of the real world uses of encryption.  No one would every shop online since it would be trivial for hackers to harvest credit card data.  You may as well require you to speak your name, card number, card verification number etc out loud to the check clerk at the grocery store every time you want to buy something.

Identity, Privacy, Anonymity

identity I had a short conversation recently over on Reddit that got me thinking a bit about the idea of online identity and, by extension, the ideas behind privacy, and anonymity online.  Privacy is a hot button issue in general lately and there has also been a lot of people causing some fuss over the idea of anonymity online. 

It’s ridiculously easy to be anonymous online.  Ok, let’s rephrase that, it’s ridiculously easy to be mostly anonymous online.  You want to be mostly anonymous, it’s trivial to make "fake" email accounts or identities.  You can even be pseudo anonymous by using a pseudonym.  If you were doing something malicious, it wouldn’t be hard to track you down from a simple pseudonym, especially if some large corporation or government wanted to track you.  Chances are you’re pulling cookies around in your browsing, and you’re connection will have a unique, logged IP address complete with time stamps etc. 

Being actually anonymous is trickier but still pretty trivial, spoofed IPs, TOR browsing, using open WiFi access points, especially public ones, in areas where there are no cameras, etc.  I’m not really here to discuss true anonymity online though, more the idea of pseudo anonymity.  This is the sort of anonymity that many more casual users of the internet greatly dislike.  It certainly has it’s good sides and it’s bad sides.

The complaints often come because of "Trolls" who use the anonymity granted by the internet as a means to be rude or mean.  The problem is that the term troll is often greatly misused or misappropriated.  I once wrote a pretty long essay back on usenet about what a troll is but the short version comes down to a few things.  Trolls and straight bullies are not the same.  Trolls and straight assholes are not the same thing.  Being an actual troll does require some effort, just going and telling someone they are "a stupid fag" on an anonymous board doesn’t make you a troll, it mostly just makes you an idiot.  The real point of trolling someone is to speak contradictory to what is being presented, not necessarily to prove an alternate point of view but to disprove or discredit the original view being presented.  There is a point when trolling turns into idiocy and harassment.

It’s simple, people don’t like being disagreed with or having their viewpoint challenged.  If that person can’t actually defend their viewpoint, they may get called out on it, and they call the person calling them out a troll, a "coward" hiding behind anonymity. 

"You wouldn’t say that to my face in person, why do you do it online?"

This is a tricky question on many levels and isn’t really an exact parallel.  If you put masks on everyone involved to make them "faceless", put them in a room, and had the originator read their originating comment out loud, would people still say "mean things"?  What if just the trolls had masks?  Also, a lot of people do say dumb asshole comments in face to face situations.

However, yes, there is something freeing and liberating about anonymity or even pseudo anonymity.  I’m sure there is some actual psychology behind this concept.  It’s basically the same concept of "dancing naked when home alone".  People act differently when they think no one is watching.  It’s human nature.  We pick our noses, we scratch out but cracks, we dance naked, we make rude comments online.  The main difference is that picking your nose doesn’t really hurt anyone else.  Does a rude comment really hurt anyone when everyone is anonymous and everyone has the option to make rude comments? 

"You wouldn’t say that to my face in person?"  Maybe they would.  But what if you could punch back.

So let’s take a site like 4chan (the website not the "1337 hax0r duud"), where everyone is anonymous.  Yeah, it can fall into a cesspool of filth but it also can lead to a lot of good discussion.  Much of the worst is confined to /b/, and 4chan is much more than just /b/.  Even discussion of places like /v/ (Video Games) and /toy/ (Toys) can be more interesting when people feel more free to dislike what they dislike and speak their minds.  You also don’t have to deal with people trying to be some sort of crazy internet celebrity in their area of interest.  Identity is frowned upon in general, so you just get pure discussion.  No one trying to be pretentious about who they are and what they want people to think of them as, just pure discussion.

Does it lead to arguments and shit slinging?  Of course it does.  Does it lead to idiotic arguments that make no sense?  Yep.  It also leads to acceptance.  Acceptance of ideas, because maybe you actually lose an argument, but because you aren’t saddled with the pride of your identity, you are free to accept defeat, even if it just means quitting the argument in disgust.

Then there is the idea of Psudo anonymity.  Your online handle or username if you will.  You still end up with some level of reputation but it’s one step removed from your private life and personal identity.  Its also pretty easy to manage multiple online online "personas".  Chances are if you are managing multiple identities on any one website that website could easily cross connect them to each other but for basic outward facing use, it can serve a purpose.

Take Reddit.  While similar in nature to 4chan, since it’s full of user generated content that lives and dies by how much support it gets, Reddit has an identity system.  Reddit also has an archive, everything on 4chan drops off eventually sometimes in minutes, sometimes in days, but it eventually dies.  Reddit has an archive, and an identity and everything you post is easily attributed to you.  More importantly, Reddit has the "Karma system" where users can up and downvote good and bad posts.  Granted that a lot of people know that Karma is "useless fake internet points" and there are even people who try to get negative karma instead of positive karma, but it does help by giving a tangible indicator to "how good" a person is.  It’s not perfect of course, some people may be good at things that aren’t relevant.  Someone who posts to Gonewild and has 4000 karma as a result isn’t necessarily going to mean anything when it comes to political discussion. 

Hence, "meaningless fake internet points."

Then there is Facebook.  Facebook is where you connect to friends and family.  People you will know for long periods of time, possibly your entire life.  Many of these people will know you better than you know yourself.  They will know when you’re being fake and call you out when you’re being an idiot.  These are most likely the people you want to know and want to be judged by.  There is also a lot of push for having a "real identity" on Facebook.

Facebook is a place where people go to "be real." 

All of these places have elements of each other, and it’s a very tiny sampling of the endless array of websites on the internet.  Each exemplifies a major component of online identity.  A board like  4chan is all about being anonymous, but you can choose to fill in that name field, and there is even a system in place to keep your identity verified.  Reddit gives you a name and points, encouraging you to behave for the most part, but it’s not required and can one can easily start over if there is a major screw up.  Sites like Facebook, want you to be "the real you" but really, nothing is stopping anyone from making multiple Facebook profiles and fake identities.  Hell I have a Facebook Page for my cat that I rarely post to.

The point is, the closer you get to your true identity, the less publicly open you tend to be, at least about your real feelings.  There is a fear of being judged or shamed.  A fear of upsetting the lifetime friends and family we have.  Anonymity still has a place though.  It’s like a confessional, or the comment drop box.  It’s a way to voice opinion without feat of retaliation.  There are often many reasons to fear retaliation.  Assholishness and trolling aside, opinions are often formed that are negative towards people with power.  People with power often have very strong methods of retaliation at their disposal.  There needs to be a means for people to speak out against real injustices.  The side effect is that sometimes you end up with "trolls" and assholes.

Some people just need to accept that sometimes a difference of opinion is a good thing.

Copyright, Corporations, People, and the Concept of Ownership, The Concept of Things

NOTE: This got a little rambley and random at times but whatever, I don’t care.

So, when a person goes out and buys, say, a desk, they bring it home, maybe they assemble it, they put their computer on it, they sit at it, they use it as a desk.  Other people can come over and use this desk if the need to for all of these activities as well.  There is only one desk here, and when the person is done with the desk, they can do whatever they want with it.  They can throw it out, or give it to a family member or sell it to a stranger.  If they want they can disassemble it and cut up the parts and make a bookcase out of it, or a table, or even a different desk.

If you buy a CD, or a book, you can do many of these things as well (good luck building a book case out of a CD, you may have better luck doing it with the book.)  The thing is, as far as the companies are concerned, when it comes to media, many or all of these activities should be or are illegal.

For example, did you know it is illegal to listen to music publicly in your workplace?  This includes the radio, which, by the way, is broadcast freely to anyone.

The media industry has also tried many times to make it illegal to but used music and games.  This hasn’t worked out very well for them with physical media but these days everything is moving towards digital anyway, which makes the problem moot.  These digital files are often licensed and tied to a particular account and are not transferable anyway.

Which brings up the next side of this.  Digital Content and Copyright.  When something becomes digital, that is, a file on a computer, it immediately becomes infinitely copyable.  There is no way to prevent a file from being copied.  There are ways to make it inconvenient.  There are encryption methods and proprietary formats, that can be used but even with some encrypted capsule of data that can only be opened using a special program to prevent copying, you can still copy the capsule itself even if it meant doing a one to one ghost image of the drive’s data.

The problem is, that history has shown that the more encapsulation, or DRM (Digital rights management) a file has, the more difficulties it creates for normal users to use their files.  Your DRM music file may only work in a specific player on your PC, and only play on an specific brand of music player.  Then that player starts bundling ad banners or toolbars so it becomes a pain to use or maybe the brand of music player is more expensive than the others on the market or possibly just poorly made.  The DRM means you’re locked in to that system so it doesn’t matter how good the software or player is.

Well, it doesn’t matter until you say “screw it” and go to another brand but that’s a story for another day.

And despite all of the DRM a media file may have, the people who want to pirate it, will.  They will crack the encryption and extract the important data.  For movies and music, to enjoy them they have to be played out into the real world, which can always be routed and looped back in to be re-encoded.  This is known as “The Analog Hole”.  Until they start implanting chips in our heads or something, you can’t encrypt natural real world acoustics and visuals.

But this isn’t supposed to be a piracy rant.  I’m not advocating piracy or suggesting that all content should be pirated.  I’m just pointing out that the lengths companies have gone to in the past make it inconvenient for normal people and the pirates will do it anyway.  The music industry learned this and most music you can buy, easily, is DRM free these days.  The movie industry is still learning this as is the ebook industry to some extent, and it’s going to still bite them until they learn.

The point is, why do people pirate this stuff in the first place.  the obvious answer is cost.  Some people simply can’t afford it.  Some people don’t want to afford it.  A lot of people CAN afford it and choose not to.  There is an excellent book on this subject called Free Culture by Lawrence Lessig,  that puts people into four categories and explains it very well.  The book is freely available via Creative Commons Liscence and you can find a copy of the applicable chapter here.  The relevant part is here:

File sharers share different kinds of content. We can divide these different kinds into four types.

A. There are some who use sharing networks as substitutes for purchasing content. Thus, when a new Madonna CD is released, rather than buying the CD, these users simply take it. We might quibble about whether everyone who takes it would actually have bought it if sharing didn’t make it available for free. Most probably wouldn’t have, but clearly there are some who would. The latter are the target of category A: users who download instead of purchasing. B. There are some who use sharing networks to sample music before purchasing it. Thus, a friend sends another friend an MP3 of an artist he’s not heard of. The other friend then buys CDs by that artist. This is a kind of targeted advertising, quite likely to succeed. If the friend recommending the album gains nothing from a bad recommendation, then one could expect that the recommendations will actually be quite good. The net effect of this sharing could increase the quantity of music purchased. C. There are many who use sharing networks to get access to copyrighted content that is no longer sold or that they would not have purchased because the transaction costs off the Net are too high. This use of sharing networks is among the most rewarding for many. Songs that were part of your childhood but have long vanished from the marketplace magically appear again on the network. (One friend told me that when she discovered Napster, she spent a solid weekend “recalling” old songs. She was astonished at the range and mix of content that was available.) For content not sold, this is still technically a violation of copyright, though because the copyright owner is not selling the content anymore, the economic harm is zero—the same harm that occurs when I sell my collection of 1960s 45-rpm records to a local collector. D. Finally, there are many who use sharing networks to get access to content that is not copyrighted or that the copyright owner wants to give away.

The book goes on to explain the pluses and minuses of each of these types of people and really, only the first tier, people who blatant pirate because they want to” are the only ones who are truly being criminals and the only ones truly causing hard to companies.  These are also, for the most part, the minority.

Most people, given an easy, appropriately priced option, will pay for media.

ANYWAY.

I’m starting to fly off the track again…

The point i want to make is, as far as the industry is concerned, you don’t own the media you buy.  When you pay for a CD or an eBook or a BluRay disc, you are paying for the license, to consume that media, in the format you’re buying.  If you want to listen to that CD on your media player, legally, you must buy digital copies of that music and can’t legally rip that CD to your computer yourself.  You paid to listen to the music in CD format.  The same applies to movies as well.  It technically applies to books but digitizing a book is a bit more of a pain than it’s worth doing.

Consumers, people, normal folks, do not “think in legalese” and do not see it this way.  They only see that they already own this music, why do they need to buy it again?  Some of them may even see that they already own the Vinyl and the Cassette and the CD, why do they need to pay, again, to listen to this music?

This is where some of our piracy comes in.  It’s easy to rip a CD, not so much a cassette.  It can be done and it requires the use of the Analog Hole but it’s not convenient.  So people will just download their cassette collection illegally.

Also, on the radio at work point made earlier.  You also pay for this music, so that YOU can listen to it.  The license you buy applies only to you, and letting your friends or coworkers listen to the music is not legal either.  As far as the media industry is concerned, when you buy something, you are paying to listen to it alone, in a silo and you may never share this experience with anyone.  Make them buy their own damn media.

Some Thoughts on SOPA and PIPA

The whole internet is abuzz with SOPA and, to a lesser extent, PIPA talk.  Basically, these two bills in congress, one for the House, one for the Senate.  You can get plenty of information through Google or if you’d like, try the Electronic Frontier Foundation.

The gist of this bill, is that it would allow media companies, through the government, to block websites with “pirated content” through manipulation of the Internet DNS system.  Without proper due process of law.  DNS, is essentially the phone book of the internet.  You could also compare it to a road map.  It’s what computers use to know how to find the websites you look for online.  All websites are in fact a series of numbers called an IP address, however remembering 74.125.227.114 is tricky.  Remembering “Google.com” is not.

Feel free to use that link, it leads to Google.  Which brings up one major flaw with this bill.  Pirates will easily circumvent these blocked DNS entries by using IP addresses.  If say, the Pirate Bay is blocked, people will just use it’s IP address instead.

Also likely there will simply be “rogue DNS” servers.

I am not endorsing piracy, I am saying the bill will not do anything to stop it.  People also may suggest the idea of “if you’re not doing anything wrong, you have nothing to be afraid of”.

The problem with this logic, in every situation, is that the question of “what is wrong” is extremely subjective and often changes.  Guess what, in a world where SOPA passes and becomes law, it starts off simply as it’s told.  Places which host “pirate content” are effectively removed from the internet.  Nevermind that there will also be legal content taken off as well when sites like Megaupload are taken offline.  The block is not single file or even single subsite specific. 

But hey we’re all happier now without The pirate Bay and Megaupload right?

Until people start hosting their content through loopholes on blogger or WordPress.  Sure, it’s against the TOS and both companies work to remove them as they are found but hey, guess what, now they need to be blocked.  Thousands, probably millions, of independent bloggers are now silenced.

Or perhaps the definition of “piracy” and “copyright infringement” gets pushed out even more.  Universal studios puts out a big blockbuster movie, it cost them a shitload of money top make and it gets totally panned by the internet.  Nobody wants to see this movie, all this negative press floating around, well hey look, Blogger Bob used the movie poster in his review.  Nevermind that this may fall under the fare use clause, that’s infringement, let’s close down BloggerBob.com because his negative reviews may be hurting ticket sales.

Just remember, governments generally don’t start off deciding to become repressive totalitarian regimes.  (NOTE: Link will not work 1/18/2012)

I mean hey, we have a precedent now, plus, once a site is “gone” people won’t notice right?  Universal killed BloggerBob, why not suppress a few of those “anti government kooks” out there spreading bad spirits through the country while we’re at it.  We have the mechanism in place after all.  John Q Public doesn’t know what DNS is, he thinks it’s a new sandwich at Subway.

It’s not even that it’s a terribly BAD idea, it’s more that, in an effort to make things “move more quickly” it rejects the idea of due process, and facts, and evidence.

Which also brings up what really is a whole different rant.  The world is changing.  The world is not the US, or Europe, or China, or the Northern Hemisphere.  It’s an entire globe.  The internet is even more-so, and it’s the driving force of the world these days.  Which is the real problem here.  Because despite the best effort to push more crap on what used to be a pretty ignorant and docile public, it’s not working anymore.  Any sort of exaggeration or lie in favor of “marketing” is almost instantly debunked.  People who used to be made to feel better or pushed aside as isolated cases of problems realize that they are not alone.  The internet is the ultimate engine for real democracy.  look at the whole election system, when it took days and months to ride a horse across the country, then things like congress or the electoral college etc were a great idea.  is it even necessary anymore when people can express their opinion and desires to the world instantly?