Don’t Make it Easy – A Look at Securing Your Data

“You’re password will expire in 5 days. Would you like to change it now?"

Sound familiar? This annoying practice, which inevitably results in you simply incrementing the number at the end of your current password by one, really was meant to bolster security. The thing is passwords are really not the most effective way of securing data. Despite the fact that they seem a corner stone to the current security models, there really are much better solutions. Perhaps the way we understand security needs to change.

The problem begins with the fact that a human have to remember these passwords. This leads to passwords that are not secure, random, lengthy, or difficult to crack at all. Then there’s the presumption that your password is secret, and that it somehow confirms your identity. The whole point of security though is to establish identity, to shake hands. When you speak to someone in confidence there is a trust because you know whom you are speaking to. On the Internet it’s difficult for us, and the servers, to confirm with whom the data is flowing between.

Enter the world of Two-Factor Authentication. First making its appearance in corporate remote computing, then in increasingly difficult to secure Massively Multiplayer Online Games (MMOs), adds an extra step. When logging in, you need both your password, and a number - which is only valid for a minute or so. First there were key fobs, now most have applications for your smartphones. Those text messages that you get from your bank are a similar implementation of this model. Would be attackers will have a tough time even with the simplest of passwords with this additional layer of security. It’s far more unlikely that the same person with malicious intent, and skill, to gather your password, also happens to be able to lift your phone from you while you’re out on the town.

Two-Factor Authentication is no longer just for those wishing to thwart Chinese gold farmers on World of Warcraft (WOW), or corporate espionage. Google implemented Two-Factor Authentication a number of years ago, complete with both the text message solution, mobile apps for both Android and iOS, and backup codes for you to stash at home in case your phone is lost or stolen. I strongly encourage you to turn this on1! It’s requires a little bit of effort, but secures what is easily one of the most crucial parts of your personal data – your e-mail. If someone can gain access to your e-mail it’s literally a Pandora’s box… The ability to reset all of your passwords is just the start. In most cases all someone would need is access to your e-mail and the ability to answer some simple questions (using information which is most likely publicly available) to change your password and lock you out of your online world, with very real world complications.

Yet another piece of the puzzle are those ‘security’ questions we just talked about. Answering, “What is your mother’s maiden name?” may be the easiest way to get to the continue button, but it’s also the easiest way for someone with nefarious intent to gain access. There are many strategies for making these answers more secure, though I must admit these schemes seem a bit hard to adhere to, and leave one scared that they will be locked out of their account.

I’ve made several mentions of Blizzard’s security protocols and that is because they are presented with a very serious security problem. Play them or not, their massively multiplayer games are an important part of many peoples lives. So important in fact, it is a lucrative business for many oversees hackers to exploit customers’ accounts and sell them for real money. When someone has spent years building his or her account and then it is stolen and sold the highest bidder, people get upset. Aside from the authenticator and text messages, if you loose access to your account somehow, you will be sending blizzard your drivers license and various other information to confirm your identity before they let you back in. This is a painful, yet important piece of the puzzle. Resetting your password is often the weakest link in the chain. Don’t take my word for it, check out the eye opening hack of Matt Honan of Wired.

What’s the solution?

Well, for one, make every password you have completely unique, as long, complex, and random as possible… but how does that work when you have 100 different accounts? I’ve been using a solution called 1Password for a number of years. You can store your passwords all in one place, along with various other login information, secure notes, and personal data, using one overriding password. 1Password has the ability to store this in the cloud via an encrypted file, and has plugins for all the major browsers making it possible for you to have passwords so complex, even you don’t know them. This is a bit scary, I admit, but take the leap; your security is worth it. There are several alternatives of course, most notably LastPass – an open source solution with a very similar feature set. Each of these programs has generators to create completely unique and random passwords for you and recognize when you’re at a login screen, and fill in all the fields appropriately.

You’ve secured your passwords, enabled Two-factor Authentication wherever possible, what’s next? Encrypt your hard drive. OS X makes this incredibly simple. Just turn on File Vault, and if you’re worried about performance dings, don’t be. Especially with SSDs, it’s completely seamless. Many don’t realize how much is stored ‘in the clear’ on their hard drives. This becomes even more important for laptops, or any computer that is leaving your house. Unless your hard drive is encrypted, they won’t need to login to your computer to pull all your personal data off.

If you don’t have a password on your phone, or laptop you are insane - completely bonkers.

A password on your phone means, in most cases (e.g. iOS), that it is then encrypted. More importantly your phone has so much personal data, countless other accounts, not to mention unprotected access to your e-mail. Forget the time delay, make in instantly require a password! It may require a few extra milliseconds to respond to a text, but the security gains are far to great to ignore. Also, why people set their phone down without hitting the lock button is beyond me (I’m looking at you 40+ year old). The button is there for a reason; do yourself a favor and click it before you set it down or throw it in your purse. Your screen is the largest battery killer. I understand that it’s a bar phone, and you can’t flip it closed when you’re done, but the lock button performs the very same function. Press it. All the effort in the world wont make a bit of difference if they can just pick up your phone and take over your life.

All of the above are good solutions, but they certainly add an extra layer that most people fail to see the importance of. The trick is to make security easy. Consumers are inherently lazy, they don’t want another road block between them and what they want to get done. This is why Apple’s new iPhone 5s and its fingerprint identity sensor is so important. Sure the tech has been around for a long time – I remember visiting the tanner and using my fingerprint back in ‘05, but making it easy to identify that you are who you say you are is a game changer. Especially because of the reach of their iPhones, Apple has the critical mass to make it work.

I hope it takes off. I hope an API is released allowing you to authenticate with all of your apps using the touch of your finger. Fingerprints are a fairly good biometric, worse than DNA, better than hand geometry. Biometrics are really just a more natural form of Two-Factor Authentication – no random number generator required.

Tin Hat

The real solution would seem to be some encrypted key that is stored in your body; similar to PGP, but a biotech implementation. Forget wearable, I want implantable! Frankly, the lack of progress on that front is disappointing to me. Much like self driving cars, I fear the ‘creepy’ factor gets in the way of true innovation, simply because we’re not willing to think about things differently.

Things are getting better though. One of the most basic problems in security is obtaining a truly random number (the basis of all encryption schemes) – which is a surprisingly difficult task. Though quantum computing may seem like science fiction, Intel is now shipping a new, processor level, random number generator that your computer can call. It takes advantage of the on processor entropy source… Yes, I am talking about that shifty concept you learned about in physics. Essentially, we’re talking about the random emission of electrons, that the processor usually ignores, being used to generate random numbers at blazing fast speeds.

I’m still waiting for the stuff of science fiction to materialize. Considering that computers were invented inside the lifetime of some of societies’ oldest members, it’s difficult to speculate on where we’ll be in 50 years.

The Last Computer

We’ve been saying that for a while haven’t we? A year and a half ago, when I bought my iPad, I was sure I would never buy another laptop… well, turns out I was wrong.

Last weekend I bought the new 13’ MacBook Air Haswell i7.  All the benchmarks put it either at, or above, the current MacBook Pro lineup, which is due for an update here shortly.  I was had previously convinced myself that I was going to be waiting for the new MacBook Pro Retina.  But, then I came to my senses.  Who am I kidding…?  My need for processing power has diminished exponentially in the past few years.  I certainly don’t have the time for gaming, nor the skill for video editing and creation.  Every once in a blue moon, I find myself on a photography kick again. 2D images however, RAW or not, require more RAM than CPU, and after all, anything would be a vast improvement over my ’09 iMac.

A confluence of circumstances led me to actually pull the trigger last weekend – not the least of which being my want to buy something, anything.  I had found myself using my desktop less and less, and I wasn’t sure if it was because it was so restrictive – stationary that is – or because it was slower to navigate to web pages than my iPad.  I was eventually able to convince myself that I was no different, required no more computing power, than the average user.  The vast majority of my time is spent either at work, or working on work… neither of which requires a great deal of computing power.  Whereas in my undergrad I found myself being thankful that I had one of the first dual core processors and was able to make use of multithreaded processes to run my reactor core simulations with expedience over the computers in the library, today I do little more than word processing and web browsing – all perfectly ordinary.

I did it.  I bought a new computer, even in the face of the impending future updates to the MacBook Pros.  As we shift more and more to cloud computing, the processing power of your own personal computer becomes less and less valuable.  We are shifting back to the earlier explored, and subsequently abandoned, model of the terminal and the mainframe.  The only difference being, that instead of the horrendous ‘HP thin clients’ and crappy remote desktops of your workplace, we’re using Google, Apple, and Amazon’s semi-infinite computing power and spare computing cycles, to do the hard work for our perfectly capable, but comparatively underpowered, machines.

Even the harder work of video and photo editing can now be done in the cloud.  Google+ is doing some amazing things in the cloud with your photos these days.  And these on demand computing resources increase the possibilities and usefulness of the thing that can be done with your photos.  Beyond the normal ho-hum import, algorithms can now determine which of the 15,000 photos you took last year were of the best quality and of the most interest.

Perhaps more importantly, this model, as it has always been, appears cheaper to the user.  One can now buy a Chromecast for $35 - an ingenious device.  The Chromecast is essentially a 35$ computer terminal that interfaces with the cloud.  Your computer sends the demand for content to Google, which then handles all the processing and encoding, and relays it down to the cheap device which is presumably connected to your very expensive display (i.e. a large TV).  Until now, at least personally, the advent of “Smart TVs” has been relatively uneventful, chiefly because of the incredibly underpowered TV processors that were handling the mess of a user interface.  No one wanted to use that shit… it was messy, clunky, and slow.  Google can do that all in the cloud for you now... it’s gorgeous, and you don’t even have to buy a new TV!

Do we really need all that processing power in our homes, or can we leave it to the cloud?

Just as more and more users are getting used to the idea that more and more of their personal data is stored in the cloud, we hear the stories of the NSA downloading the Internet in its entirety.  Now, my lack of confidence in the cognitive ability of most Americans means that I think the implications escape most, but for the savvy the implications are vast. 

“Big Data” is awfully similar to “Big Brother”.  This Orwellian scenario isn’t that far fetched though… even as a miscreant youth of 10, I was aware that the NSA would begin recording my calls if I mentioned certain key words, or that I might expect to see strange tracks in the carpet if my conversations were anything other than on the up-and-up; perhaps I saw too many movies.

Regardless of your feelings on who is, or is not, monitoring the Internet, a more basic question bothers me.  What if the cloud goes away?  What if access is somehow revoked…? Do you want to have the ability to process data regardless of the charity of large corporations?  Should such circumstances arise though, I’m sure my ability to share and crunch data in the cloud will be the least of my worries.

I am currently reading a Sci-Fi book – a genre that I do not often find particularly interesting: Pandora’s Star, by Peter Hamilton.  The book is incredible.  As with most Sci-Fi though, I find myself confused.  Confused that we have not yet arrived at an already conceived of, and in many senses, fully developed way of living.  Why am I not browsing the web via neural inserts?  Why is my e-butler not handling all communications and alerting me of any pertinent information?  Why am I not connecting to the ‘unisphere’?  Why is my entire life’s memory not being continually backed up in the case that I meat a demise, untimely or otherwise?

So many questions, so few answers, but yet despite the declining computer sales of late, the landscape remains relatively unchanged from my days a child, longing for my first laptop so I could SSH into some remote Linux server and IRC chatting with geeks around the globe.