We’ve Done Our Passwords All Wrong

Passwords are one of our favorite villains. We have long advocated the use of hardware dongles. And Apple, among others, has created various technologies that scan fingers or faces. Most recently, shipments of its iPhone X are being delayed because of problems with critical components (cutely named Romeo and Juliet). There is even a novel by Scott Allan Morrison, “Terms of Use”, in which the hero invents a way to scan an eyeball.

But the conventional wisdom, originally spelled out by NIST (the National Institute of Standards and Technology), was to make passwords complicated (and thus virtually impossible to remember); NIST itself has now replaced that advice. Long but simple phrases that are meaningful to the user are now advised, because they are easy to remember but hard for hackers to break.
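To make the contrast concrete, here is an added example (not code from the original post) that puts a legacy composition-rule checker beside a NIST-style length-plus-blocklist checker and estimates brute-force work for each style. The blocklist is a constructed stand-in for a real breached-password corpus, and the 7776-word dictionary size is an assumed attacker wordlist, not a figure from the post.

```python
import math
import re

# Constructed stand-in for a breached-password list; NIST-style rules reject
# anything found in such a list instead of demanding symbols and digits.
COMMON_PASSWORDS = {"password", "p@ssw0rd", "123456", "qwerty123", "letmein1!"}


def old_style_ok(pw: str) -> bool:
    """Legacy composition rules: 8-16 chars with upper, lower, digit, symbol."""
    return (8 <= len(pw) <= 16
            and re.search(r"[A-Z]", pw) is not None
            and re.search(r"[a-z]", pw) is not None
            and re.search(r"\d", pw) is not None
            and re.search(r"[^A-Za-z0-9]", pw) is not None)


def nist_style_ok(pw: str, min_len: int = 8, max_len: int = 64) -> bool:
    """Length-based check with no composition rules; reject known-bad choices."""
    if not (min_len <= len(pw) <= max_len):
        return False
    normalized = pw.lower()
    if normalized in COMMON_PASSWORDS:
        return False
    # Reject trivially repetitive strings such as "aaaaaaaa".
    if len(set(normalized)) < 3:
        return False
    return True


def brute_force_bits(alphabet_size: int, length: int) -> float:
    """Bits of work to exhaust `length` symbols drawn from `alphabet_size`."""
    return length * math.log2(alphabet_size)


def compare(pw_complex: str, passphrase: str) -> dict:
    """Run both checkers on a 'complex' password and a plain passphrase."""
    return {
        "complex_old": old_style_ok(pw_complex),
        "complex_nist": nist_style_ok(pw_complex),
        "phrase_old": old_style_ok(passphrase),
        "phrase_nist": nist_style_ok(passphrase),
        # 95 printable ASCII symbols per character vs. a 7776-word dictionary
        "complex_bits": round(brute_force_bits(95, len(pw_complex)), 1),
        "phrase_bits": round(brute_force_bits(7776, len(passphrase.split())), 1),
    }


if __name__ == "__main__":
    print(compare("P@ssw0rd", "correct horse battery staple"))
```

The complex-looking password satisfies every legacy rule yet sits in the blocklist, while the four-word phrase fails the legacy length cap and passes the NIST-style check; a fifth word pushes the phrase past the 8-character search space.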

Live by the Sword, Die by the Sword


But it’s already too late to put the sword back in its place. The Internet, the Worldwide Web, Google Search, social networks, and other on-line miracles have given billions of people capabilities they had never dreamed of. But in their haste the makers of these tools have also given evil-doers capabilities beyond the masses’ worst nightmares. History is full of other technological advances that have been used for both good and evil purposes, but more recently cyberattacks have permitted individuals or small groups, sitting in safety at their personal computing devices, to wreak havoc on millions of innocent victims. These cyberattacks appear to be increasing in frequency and scope of havoc. Most recently several news sources reported the charging, on March 24, of an Iranian hacker for his 2013 attack on a dam in Rye Brook, NY, which he found vulnerable using a technique called Google Dorking. (The wheels of justice certainly turn slowly … especially compared with the speed of computers and their hacker masters!)

Apparently he did not use his knowledge to operate the sluice gate of this small dam (perhaps because it was disconnected from computer control at the time). And although this dam is in a rather backwater community (pun intended) and poses little threat to national security, or even of significant injury to people or damage to property, the hacker’s ability to infiltrate the computer system demonstrates a capability to attack a much bigger and more dangerous dam or other strategic infrastructure such as an electric power grid.

The really scary thing is that almost certainly many other sectors are under similar attacks. One such sector is hospitals. Within the last two months the computer systems at the Hollywood Presbyterian Medical Center, the Methodist Hospital in Henderson, KY, and the MedStar Georgetown University Hospital in Washington, DC were crippled by cyberattacks. These were not minor incidents; the overall MedStar 10-hospital group has 30,000 staff and 6,000 affiliated doctors. And patients in critical condition could die from the delays caused by inoperative computer systems.

Another sector is financial. On March 29 hackers breached the security at two large law firms whose giant Wall Street banks and corporate clients are constantly dealing with confidential matters, knowledge of which could net hackers millions of dollars through insider trading.

The general populace can only hope that the responsible governmental agencies are working hard to identify strategic facilities throughout the U.S. and its allies, and alert vulnerable ones so they can take steps to minimize the dangers from Google Dorking and other hacker nastiness. And also hope that “white hat hackers” (the good guys, the modern-day equivalent of yesteryear’s vigilantes) step up their activities. It would help considerably if these strategic facilities would reward these hackers for their efforts.

Bloopers Beyond Technology: Theft of Bangladesh Funds is a Comedy of Errors and Law-Breaking By Humans

Technology does not exist in a vacuum. It is created by humans of varying degrees of ability and honesty. And technology involving the Internet is generally so complex, and created under time pressure, that it is more error-prone than more cautious and patient people would like.

According to the New York Times, slack security at the New York Fed (that’s the Federal Reserve Bank of New York), which most folks would consider a bastion of safe-keeping, allowed a bunch of money ($81 million or $100 million or some such sum) that rightfully belonged to poverty-stricken Bangladesh to be misappropriated by Chinese hackers and transferred to the Philippines, where in turn it was apparently transferred by above-the-law banks to putatively money-laundering casinos, who made it vanish beyond any chance of recovery. We’re not making this up. Mere prose and still images can’t do it justice. And no fiction writer could have imagined a more twisted tale.

The comedy continues if one reads the Zero Hedge blog, which apparently specializes in spreading misinformation of all sorts, including calling a spade a spade when it might not be. Entertaining to most of the world, but not to a few officials during whose watch this debacle occurred or to starving citizens of Bangladesh.

Stupid Password Tricks


Even the most TV-averse person in the USA has likely heard of Late Show host David Letterman’s “Stupid Pet Tricks”, which ran for 30 years. So there were probably as many people who watched at least one episode of it as have had some sort of trouble choosing and/or using passwords on the Internet. Unfortunately, the formats of passwords have recently become a lot more demanding, and the organizations forcing us to have passwords have made us run a truly nasty gantlet (look it up!). The nastiness seems to be a recent phenomenon, perhaps a result of all the major hacking attacks in the last few months. One of the latest dirty tricks is to provide two boxes, one for entering the password (which blanks out your entry) and another for confirming it (which also blanks out your entry), as well as a third alternative of letting the organization create the password for you. As you make the first entry, you get nasty comments that your password is not strong enough, forcing you to make changes until you have satisfied the demand. Even if you have carefully noted the approved password, by now it is a challenge to enter it exactly in the confirmatory box. And people are now finding that, in fact, these organizations do not want you to select your own password, and you MUST let the organization choose one for you. It is not the end of the world, but (a) if you have your own system for creating passwords you will NEVER succeed in getting one, and (b) why bother to offer to let you create your own? At least David Letterman’s Stupid Pet Tricks was funny, while this latter-day password game is definitely NOT funny. Sadistic maybe. Even worse, the possibility of using a hardware “dongle” continues to be remote, in large part because there is no apparent convergence to a standard.

We Have Met the Enemy and He Is Us – Redux


If something can go wrong, it will. And in the millions, nay billions, nay trillions (or more) of lines of code that comprise the Internet and its many websites (the total reached 1 billion in September 2014), there are countless opportunities for errors or loopholes that let the bad guys (AKA hackers) wreak havoc. And that havoc can affect millions of innocent victims. The extent of the hacking during the past few years is enormous, as can be seen from an interesting infographic.

In another recent episode that demonstrated the increasing ease of hacking, shady securities traders stole announcements from Business Wire, PR Newswire, and Marketwired after they were uploaded by the companies but before they were released to the public, and made millions by trading ahead of the public. (The former, harder method was to recruit company “insiders” to get advance tips.)

And there may be some recent disasters that were self-inflicted, e.g., the outages at the NYSE and United Airlines. Absent an identified villain, we would attribute those to faulty code that is so complex it is impossible to test thoroughly and to change as the environment changes.

Hacking has even become so widespread, and apparently so easy, that one of the leading anti-hacking software companies, the Italian company Hacking Team, was recently hacked itself.

Even more scary is the almost certain hacking by unfriendly nations’ government-sponsored hackers (China, Russia, etc.). Some of it is stealing commercial intellectual property, which can undermine the US’s economic strength (and directly or indirectly its military strength). Some of it is stealing military secrets, the loss of which can compromise national security.

In the ultimate irony, The Wall Street Journal pointed out that while the giant tech firms like Apple, Facebook, and Google encrypt their data, they don’t cooperate with US government searches that are legal under the Fourth Amendment of the Constitution.

We Thought That CAPTCHAs Were Obsolete, But …


We recently suffered through a spate of websites at which we wanted to leave our valid queries in order to be contacted and provided additional information. In fact, we sat here with money in hand, ready to spend it if the goods or services were the ones we sought. Instead, we were blocked, or at least delayed, from proceeding further by the need to squint at some weird-looking letters or numbers (or solve some dopey riddle). For the uninitiated, these inconveniences are called CAPTCHAs, something that was invented to prevent robotic spammers from filling our email InBoxes or Contact Us databases with unwanted messages (mostly ads). Aha, we thought: an opportunity to collect some of the worst of these and post them for the enlightenment or entertainment of visitors to our website. Alas, this was truly old news, as already in 2008 there was someone chronicling the worst of the worst. Fast forward to 2014, when Google put an end to this with its No-CAPTCHA approach, which uses information it already has about a user’s behavior to separate the valid visitors from the spammers. For us, the bottom line is that if you are presented with a CAPTCHA it is a good bet that the site was developed a long time ago, and you may well want to suspect the currency of the rest of its information.

The Wall Street Journal’s Readers’ Most Annoying Technology Failures


Two of The Journal’s technology writers led off with their own “Dirty Dozen” of most annoying technology failures in the March 11, 2015 issue, then followed up a week later with their analysis of readers’ comments. Thanks to our long background in surveys and statistics, we at Technology Bloopers are well aware of the limitations of this data, but its high-level source and its “essay” type answers (as opposed to the all-too-frequent cookie cutter “multiple choice” questionnaires that flood everyone daily) were too tempting to pass up. (Note: Some commenters provided two or more unrelated comments, and we counted them separately, so strictly speaking the data we analyzed was about comments, not commenters.) We well realize that the sample is highly biased, but it is a very useful sort of bias; these commenters should be somewhat more knowledgeable, more powerful, and better paid than a random sample. So their comments, thoughtfully analyzed, should be very useful. But we can even further separate the comments into above-average and below-average knowledgeability by whether or not their comment was accompanied by a “gravatar” (i.e., “global avatar”, the little picture they use as a graphical representation of their Web presence, kind of an online logo). We were surprised that only about 28% of the responses came from the below-average-knowledge group.

The charts immediately tell a lot of the story: Passwords are the #1 most annoying technology failure (and this is true whether we’re talking about the whole group or only the above-average-knowledge subgroup). The combined complaints about the Wall Street Journal itself (bad technical support, bad advertising, bad comment system, bad mobile device app, and bad website) were #2 for the group as a whole but came mainly from the below-average-knowledge subgroup. Bad documentation/(technical) support and bad logic/user interface tied for #3, but the former had numerous above-average-knowledge commenters while the latter had very few. Two other annoyances that fell just below the top 6 shown in the chart were “Too Complex” and “Facebook is Not Essential”.

Let’s Replace Passwords by Hardware Dongles


Passwords are not only a pain in the butt, but they don’t work very well to keep the bad guys from accessing your private data. Witness all the recent blackmailing of individuals to prevent their data from being destroyed and the millions of dollars being stolen from banks: stronger measures are needed. Better passwords, e.g., ones based on the suggestions of a columnist in the Bay Area, may prevent some of this theft. But we continue to campaign for the development of hardware dongles that are far more secure, and continue to wonder why more progress is not being made on them.

Heartbleed Fiasco Reminds Us of Password Deficiencies

While it was impressive to see how rapidly Internet giants and other denizens took steps to close the gaping hole in security caused by a long-existing bug in OpenSSL (a key piece of software that is used on servers to protect people’s privacy), this event reminds us once again how weak a safeguard our passwords are. Even the giants of the Internet, with their large resources and strong motivation to make sure that all is secure, were affected. And during the first few days a lot of companies claimed that they had fixed whatever weaknesses they had, but disinterested third parties who checked found that those weaknesses had NOT been fixed. For millions of people who had numerous passwords (the owner of Technology Bloopers has over 100 passwords), it must have been a nightmare to figure out what was going on, whose sites were secure, which passwords urgently needed to be changed, and what to change them to. Shouldn’t we get a lot more vocal about replacing this antiquated and ineffective system with something modern, secure, and easy to use?