Threat #3: Stealing your tax refund


What if an identity thief decided to steal your stimulus check or your tax refund?

He’d have to have your name and social security number, which costs about $4.  One of the easiest ways to interfere with this theft is to create your own account with the IRS.  Most people haven’t, but it’s easy, and it keeps the thief from first stealing your information from the IRS and then stealing your money.

Updated 220629

Threat #2: Stealing your credit

A friend of mine recently had to spend substantial chunks of his week dealing with credit theft.  As such things go it wasn’t all that bad, but why not spend 30 minutes to save hours?

That same month I got an email from Privacy.com saying that my “Airport Parking” card was declined at “Sayan” (whoever that is). My friend spent hours. I was automatically protected.

One layer of defense is at the credit reporting bureaus which have had to clean up their act after the 2017 Equifax data breach lost my (and probably your) credit information.

Congress, goaded by irate citizens, required improvements, namely credit freezes.  Since credit reporting bureaus make their money selling credit information, their interests are somewhat in conflict with yours: you only want your credit score accessed when you want to rent something, get a credit card, etc.

There are several steps you can take to reduce your risk.  You don’t have to do all of them or do them all at the same time to get the benefit.  A few minutes could save you a lot of needless misery.  The credit action links take you to the FTC site which is safer than figuring out the correct websites on your own.


Threat #1: Stealing your password

Did you celebrate May 7th?  That was international password day.  Even if you didn’t celebrate, the dark web probably did.

It’s quite likely one or more of your passwords have been stolen.

You think not?  How much are you willing to bet?  If you use the same password everywhere you’re betting…everything.  The bad guys take your credentials stolen from one site and automatically try them on other sites.


Yet Another Password Theft

Here we go again, only more so.  Password theft is, unfortunately, a recurrent theme.  An increasingly large volume of login credential theft happens every year as seen in this beautiful but appalling graphic of credential theft.

This year’s crop includes a compromise of 3/4 billion accounts.  Conservatively, you have at least a 20% chance of having a compromised account.  In practice I suspect your odds are even higher.

The good news is that you can find out if your information was compromised and where it happened and change those passwords.

The bad news is that most people use the same password on multiple sites.  That means that if it gets stolen from one site, it’s stolen for the others as well.  The worse news is that many sites don’t encrypt your password.  The worst news is that people prefer using really lousy passwords.  See Who’s Got the Password for more about avoiding bad passwords.

The Biggest Threats to Government Security – 2


Pity the government entities that have to deal with information security.  If they get it right, no thanks will be forthcoming.  If they get it wrong, they live in fear of mortifying headlines.  What are their shrieking eels?

Government has special challenges pursuing modern information security goals.

  • Confidentiality – access to information is limited to the right people.  Government doesn’t always have the latest and greatest technology, which can lead to system administrators having access to everything.
  • Integrity – information is accurate.  This is tough.  Without the profit motive that forces business to correct errors, there’s only indirect feedback from citizens and the self-starting conscientiousness of some government employees.
  • Availability – information can be accessed reliably.  Frankly, I’m not sure why government does as well as it does on this count.  Perhaps it’s a combination of dedicated civil servants and more public visibility combined with the enabling platform of the web.

There are some across-the-board threats against the information security goals.

1. Dysfunctional approval process

  • Two bad things can occur.  There can be no oversight, producing insecure systems, or there can be over-the-top oversight, which often produces no systems at all.
  • For classified information, stringent requirements are supposed to apply to new systems.  That sounds good, but in practice, systems are secured more by generating paper than by testing.  Industry, when it cares, cares about real-world tests.
  • Never done it before x 100,000.  Because shared solutions and shared standards within the government are rare, most projects have to be figured out individually, with little benefit of reuse or lessons learned.

2. Wrong Priorities

  • The primary challenge in getting a new system approved is fear.  Since security folks get beaten up for failures and ignored for successes, some decide the safest approach is “no”.  This produces huge time delays and needless expense to deal with a “jump”, “how high”, “higher” cycle that ends by either wearing out the requester, the approver, or by political pressure.
  • Myopic focus on incoming email and network-based threats, perhaps because the tools are fairly mature, neglects insider threats, where big-name failures have occurred, and neglects the vulnerability of data itself.

3. Bad technology approaches

  • Buzzwords vs. technology.  Multi-tier, Virtualized, Object Oriented, Cloud.  All of these are valuable technologies or approaches that every government organization should care about.  Unfortunately these concepts often get treated as buzzwords, producing nothing but incomplete or unused systems.
  • Kitchen Sink.  Seemingly more often than not requirements for security products consist of a compilation of the different capabilities from competing vendors.  Rather than buy the most useful option, the purchaser tries to get an all-things-to-all-men solution.  Unsurprisingly those systems either do all things poorly, or worse yet, only meet the requirements by creative interpretations.
  • Let’s invent the Internet!  Closely related to the buzzword problem, some organizations get so enthused about a commercial technology that they decide to invent their own version, competing with man years of testing, development, and feedback.  Such only-a-mother-could-love solutions don’t live long.

What’s the future outlook?  Not bad, given that improving technology will eventually sweep everyone forward.


Why I Hate Subscription Software, and Why I’m Wrong


There are good reasons to dislike the push to move from perpetually licensed software to subscription software:

1) The primary motivation for the push is greed on the part of software companies who aren’t getting as much of my money as they would like. These are the same companies who (mostly) offer me nothing new that I want but charge me money for the nothing and charge me time to learn and use the new, bloated interface. I say this as a card carrying computer geek.
2) Marginal cost of product should approach marginal cost of production as volume increases. Given the basic materials for a software purchase are a mass produced DVD and perhaps a book, or perhaps just a web download, we’re obviously far from that. So, we’re being grossly overcharged currently, and the price is going up.
3) I won’t be able to escape monthly software charges the way I can easily skip version “upgrades” that give me 1) a slower PC with a new-for-no-reason GUI, and 2) productivity enhancements consisting entirely of features I don’t use, with a new-harder-to-find-things GUI.
4) When I am offered something good, say in improved security, it’s usually just the vendor uncrippling their product slightly. That’s not the way to treat security. If the penny pinching airlines thought like software vendors, they’d charge us for air and flotation devices.

My fundamental objection is that software vendors want to charge me more when they weren’t doing a great job to begin with.

Here’s why I’m wrong:

1) Smartphone app prices (free or fixed price right now) and Google apps (pretty much free for consumers) are serious competition now and will help control the costs.
2) Barriers to entry for new software providers are pretty low, thanks to existing smartphone stores.
3) Monthly charges mean that a vendor has to care whether I keep paying for his software each month. This will punish vendors who traditionally take me for granted.
4) As computer technology becomes increasingly part of our culture, loony lawsuits over copyrighting trivial stuff are less of a problem. I’m not saying the legal system has gotten smarter. Lawsuits still focus on the software equivalent to, “your car can’t have a gearshift on floor/column/steering wheel, I thought of it first!”, but the most basic bad legal decisions about GUIs and file formats already happened and the effects of those lawsuits are fading. Thus, reduced barriers to entry again should help control cost.

So, we’re being overcharged, but the companies overcharging us probably can’t keep us captive for long in the new system.


How is Government Security Accreditation like International Adoption?


Does the title seem like a typo, randomly generated, a joke?

No, it’s deliberate, thought out, and not a joke.  Run with me on this.

If a bureaucracy wants to show it cares, how does it do so?
#1:  Move slowly:  International adoptions take 3 months to 5 years.  Security accreditations?  Depends if you average in the people who give up.
#2:  Require paperwork:  Breathtaking amounts of paperwork.  Match again.

What are a bureaucracy’s incentives?
#3:  Safety:  “No” is safe; you can’t be blamed for something going wrong.
#4:  Delay:  Delay is safer than decision.  After all, something could go wrong.
#5:  More Delay:  Not solving the problem makes good economic sense (for the bureaucracy).
#6:  Move the goal:  If it’s not clear what perfect safety is, keep coming up with things.

The fact that some of the best people you’ll ever meet are involved in these two industries doesn’t change the fact that in these ways and more, the processes aren’t designed to accomplish the actual goal, nor do the incentives pull toward that goal.


The Biggest Threats to Government Security – 1


A friend read a story claiming the U.S. nuclear system still used archaic 8 inch floppy disks.  He didn’t want to get suckered into believing an urban legend and asked, “Can we actually take an article like this seriously?”

Unfortunately, it’s correct.  Sounds like an urban legend, doesn’t it?  CNN and NPR vouch for its truth.  Our nuclear weapons system uses 8″ floppy disks, a technology that had almost vanished before I started my career but that could easily still be in use after I retire.

This is normal for government.

OK, this is normal (and amusing), but is it bad?  Yes, because this is very old hardware, the parts are often only available on eBay, and to try to keep these systems at high reliability we have to spend a lot of money and time.

There are many reasons why the government spends so much to get so little.

    • Single year budgets provide an agency little ability to save for big projects.
    • “Use it or lose it” government budgeting punishes severely any attempt to save.
    • The government is famous for changing requirements so many times that they burn up the budget and wind up with nothing useful.
    • There is an excellent level of testing done with critical systems, such that no one is willing to move to a new system.
    • The government isn’t short on money, it’s short on the right color of money.  In other words, maintenance funds can only be spent on maintenance, never on buying new, better, cheaper, more cost effective stuff.  While a business would usually add up the high cost of maintaining, training, & using archaic hardware then throw the money into replacing it, the government CAN’T.
    • The best way to get promoted in government is to squeak by, hiding problems, claiming success, and have any disasters occur on the next guy’s watch.  I have friends in government and they do a harder, better thing, by insisting on real progress.  Unfortunately many people succumb to temptation and go the easy way.

Oddly, the archaic hardware helps with one kind of security problem: fewer hackers are working on finding security problems with systems their grandmothers used.  That’s not the only kind of security though, and an increasing likelihood of total system failure is a huge risk to security.

We’ve only just begun, really, so come back for more problems and some choices.
