user-inactivated  ·  2383 days ago  ·  link  ·    ·  parent  ·  post: Krack Attacks: Major vulnerability found in WPA2. "If your device supports Wi-Fi, it is most likely affected."

Just read about this on The Guardian before popping on here. They say that fortunately, HTTPS protocols are their own layer on encryption, so accessing e-mail and bank accounts should still be relatively safe. That said, these days it'd be hard for a family to turn off wi-fi and use networking cables for everything, because phones and tablets are primary devices for a lot of people these days and there's no networking ports on those things.

    What a great weekend this was for security.

This has been a great year for security. Not sarcastically speaking. Off the top of my head . . .

- We had the whole fiasco with Yahoo being hacked years ago and their not being straightforward with it.

- Equifax had a massive shit storm of a data leak only to turn around and be embarrassed again by the one-two punch of their own incompetency and the absolute security joke that is Adobe Flash and third party ad networks.

- Deloitte got hit pretty hard, embarrassing their asses and if I remember right, the American government used some of their services so they were potentially affected.

- There's this vulnerability and the whole Bluetooth thing which goobster so diligently shared, showing that even on the hardware level we still have to be careful.

I honestly know like ten other events and I'm wracking my brain trying to remember them and it's just not working. My point is though, that not only are we seeing that we still have a long way to go with securing our devices and data and privacy, we're also discovering that we have a long way to go with patching the holes in our regulatory systems and the more this happens, the more people will be educated to protect themselves and hopefully the more companies, governments, and other organizations realize they gotta step up their game. Right now, the internet is like bear country and here we all are just starting to discover the true importance and the best ways to bear proof our campsites.
veen  ·  2383 days ago  ·  link  ·  

    My point is though, that not only are we seeing that we still have a long way to go with securing our devices and data and privacy, we're also discovering that we have a long way to go with patching the holes in our regulatory systems and the more this happens, the more people will be educated to protect themselves and hopefully the more companies, governments, and other organizations realize they gotta step up their game.

To me, your argument sounds like the same argument that's been discussed here before - the user / company is dumb and should know better / protect themselves better. I'd say a more realistic (and cynical) view of this is that we have almost no good method of arming ourselves and that this year has unearthed just how deep the abyss goes.

It's all bears and no bear spray, so to speak. There are a bunch of things nerds can do to protect themselves but how the hell am I supposed to teach my mom what WPA even is, let alone how to update a router?

goobster  ·  2379 days ago  ·  link  ·  

I'm mostly with you on this, @veen. @rd95 and @kleinbl00 make excellent points, but I think they are trying to put the worms back in the can, at this point.

Defensive security doesn't work. We have proved this since castle sieges in the 15th century. No matter what defenses you build, the baddies will innovate a way around, and get in.

The thing is, that these security breaches happen with services.

Every single one of these data breaches has one thing in common: The user of the data has abdicated responsibility for the data to a disinterested third party.

1. Equifax. This is just an intermediary who tells you data about a person, that you are too lazy to look up yourself. You want a loan? OK. Show me what you own. Show me your bank statement and pay stubs. Ok, sure. You look like a safe bet, here is your loan/credit card.

Instead, people pay Equifax for a "rating", which is just elementary-school level math applied to the data points above. This provides the lender with plausible deniability in the event you default on your loan. "But Equifax said they were a 720!"

2. Deloitte. Covering your ass is Deloitte's entire business. You hire Deloitte to investigate data, or build a system for you. They are a consulting firm, and their entire reason for existence is that you won't spend the money to have in-house experts to do the data analysis. So you hire Deloitte (or PWC, or The Heritage Foundation, or, or, or...) to do the analysis FOR you, so that - if it is wrong - then you can blame someone else for it.

3. Yahoo/Hotmail/Gmail. Instead of saving your email on your computer, and having to sort it, back it up, recover it if your computer dies, etc., you go to a cloud service for your email. It is YOU washing your hands of the responsibility for doing software updates, defragging your hard disks, updating your RAM, managing server loads, etc., and "paying" someone else to do it for you.

4. Target. Target's credit card data was hacked, because Target knew they were protected by the CC companies, and didn't actually issue the CCs themselves, or protect the data themselves. If they had issued their own CCs, instead of purchasing the service from a third party, they would have been much more careful.

Anyway, this premise can be extrapolated to just about any "service" out there. They are monetizing the transaction, and therefore interested solely in transmission. WHAT they are transmitting is immaterial, and of no real interest or value to them. And that's why the hackers target service providers, because it is a choke point, where the orgs are not motivated to protect the data, only enable the transaction.

What's the alternative?

Figure it out. Go back to base principles: Do it in-house. Hire the skills and talent you need to deliver your product, rather than outsourcing to the lowest bidder.

We KNOW that defending from attackers doesn't work in the long run.

So maybe we need some radical new thinking about the entire system.

If your Target data is only useful for getting you a Target credit card, then it has no value to a hacker. Because you already have a Target credit card, and if another one gets created, then flags go off. Or the creation of a second one is simply impossible.

If a bank uses their own internal logic to determine who is worthy of a home loan, then all the data can be public. It has no value to a hacker, because they can't use that data for other systems. (Broadly speaking.)

Remove the service providers, and suddenly security looks very very different.

veen  ·  2379 days ago  ·  link  ·  

    I'm mostly with you on this, @veen.

Are you though? If I understand you correctly, you argue that users should take responsibility for their own security because services can't be trusted to do this for you. Defensive security doesn't work when you outsource it, so you have to take responsibility for your own security.

In the abstract I think I agree, but I don't think that principle holds up in practical situations. You make the assertion that users can choose these services, when the reality is that they don't know they are part of a service, are forced into a service, have to choose the lesser of evils or aren't aware of their data being shared.

You're not putting agency into the equation here. So as soon as you get to practical situations like Equifax and IRS breaches, I don't think it's fair to say to the users "stop crying, you fool, you should've been responsible for your security." Because those users usually can't do that. Take email for example:

    It is YOU washing your hands of the responsibility for doing software updates, defragging your hard disks, updating your RAM, managing server loads, etc., and "paying" someone else to do it for you.

Are you really suggesting that people should run and configure their own email server just to be able to communicate? To take your argument to its logical extreme, should they also run their own internet cables then, because that would be more secure? Should they build their own ISP to prevent their internet from being tapped? Should I run my own NSA instead of paying for the current service through taxes?

    The user of the data has abdicated responsibility for the data to a disinterested third party.

Offloading difficult tasks and abdicating responsibility to a third party is how society works. I don't know how to run a bank myself, so I pay a bank a fee under the very reasonable expectation that they protect my data. I don't know how to protect myself against foreign enemies, so I offload that task to the government through taxes under the expectation that they protect me.

Your 'radical new thinking' sounds an awful lot like libertarianism to me.

goobster  ·  2378 days ago  ·  link  ·  

Ah. I see where I was unclear. Thanks for taking the time to explain how you read my post, because I did not mean what you read.

This isn't a problem for the USER to solve. My problem is with the BUSINESS.

It is the BUSINESS that washed their hands of the responsibility for your data, thereby endangering you in the first place.

To take my Target breach example; If Target had their own credit card that they underwrote, issued, and processed, they would be FAR more careful with your data. Because any breach hits them directly in the bottom line.

Instead, they offload the responsibility to a credit card issuer/processor (Visa, MasterCard, etc.), who do not have as much skin in the game, and are therefore less interested in maintaining the highest level of security around YOUR data, because YOU are not their customer: Target is. And Target is paying them for TRANSACTIONS, not for fabulous security.

If you think about the tech used in a CC transaction, there are 5 companies handling your data, and only ONE of them has any real motivation to protect you, as an individual. To all 4 of the other intermediaries, you don't even exist: you are just a packet of data within gigabytes of data they transfer every day.

The parallel I tried to draw with email is that we choose to offload the responsibility to someone else, when we choose to use a service (Gmail, Hotmail, Yahoo, etc.), instead of configuring our own server. Things were a lot more secure when you had to give a shit and actually understand how all the parts and pieces fit together, from hardware to software. Now it takes 10 seconds to set up an email account, and all you need to do is come up with a 4-letter password. Offloading all the responsibility for the infrastructure and security onto a disinterested third party is the risk we decide to take.

The key place where you took my words off in a new direction, is when you moved away from my conjecture - that services are the problem - and abstracted to armies, cable companies, etc. And yeah... libertarianism to me is the domain of 13-year-old keyboard jockeys who have never had to pay rent. It is stupid to its core.

The bone I want to pick is with SaaS, which, incidentally, pays my considerable wages.

Everyone is so quick to invent a new middle-man service, that streamlines a process and takes a half-a-penny per transaction... but every middle-man "service provider" is one more incredibly weak link in the chain.

From the 1500s up to about the 1920s, a business took care of itself. Everyone from the janitor to the CEO worked for the company, and all customer processes were handled in-house.

But that is expensive. Having your own Credit Department that has to research every new application for a credit card is expensive. And it SHOULD be! It is a critical, important, and delicate function of the business.

But then Johnny McStartup shows up and says that he can do all that for you for 1/10th of the price, so you fire all your skilled people and pay McStartup to do all your credit accounts.

Why does McStartup cost less? Because they are less rigorous. Or hire junior-level researchers and analysts. Or whatever. They cut corners. That cuts costs.

But McStartup's customer is the Company, not the Individual. So they keep the Company happy by providing a service that Company used to do in-house, and they do it for a fraction of the price. And hey... if they fuck it up, who cares? It isn't Company that takes the blame! And McStartup is one step removed from you, Mr Customer, so they are insulated from you as well.

THIS is my problem with the way businesses are structured today, and why it is so easy for hackers to ALWAYS get the data they want, with little effort. There are too many middle-men, with too little respect for the data they handle, and hackers always find a way through. Hell... they don't even need tech to do it... they can just call up Customer Service and social-engineer them, to get the info they want.

Yeah. So, fuck Libertarianism.

And security is ALWAYS going to be a problem, when you create choke-points in the data stream that are lucrative to hack. If every single retailer had to issue their own credit cards, instead of using Visa or MasterCard, there would be little to no reason for hackers to target that data.

And maybe now that we have sorta unlimited bandwidth, RAM, and disk space, maybe widening the choke points is a better way to reduce the tastiness of the data to hackers...

veen  ·  2377 days ago  ·  link  ·  

    This isn't a problem for the USER to solve. My problem is with the BUSINESS.

I did understand that you were talking about businesses, but I don't think that's a useful or necessary distinction. Businesses and users are both facing the same security problems. Businesses try to protect their proprietary data, their passwords, their sensitive information, but so do you and I. There are B2B services, and there are B2C services, and security revolves around the same question for both: can I offload some difficult aspect of my work without jeopardizing that work?

My disagreement was mostly with your suggestion that businesses should tell services to GTFO and develop those services in-house instead. I don't think that's a reasonable thing to ask of businesses: the ocean of sensitive data has become so incredibly wide (from passwords and PDFs to credit card info and blockchain keys) and deep (big data). It's not the 1920s anymore, which is why SaaS is such a vital part of modern business and why it is incredibly inefficient to have every company and user reinvent the wheel.

Just to give an example, my last gig and my current internship both run everything on Citrix thin clients. Is that safe enough? Maybe not.... Should hundreds if not thousands of companies develop their own OS-integrated remote client solutions just so they have their data back in control? I don't think so.

SaaS is pretty much unavoidable these days even though its incentives are misaligned. My solution, for both users and businesses, is to be way more strict about security in what kind of services they demand. To vote with their wallet and pick the more expensive, more secure option over the bargain hacked together startup solution. I think that's a much more attainable goal for security problems, even though it will never be a perfect option.

goobster  ·  2375 days ago  ·  link  ·  

    "My solution, for both users and businesses, is to be way more strict about security in what kind of services they demand. To vote with their wallet and pick the more expensive, more secure option over the bargain hacked together startup solution. I think that's a much more attainable goal for security problems, even though it will never be a perfect option."

I hear ya, but this requires defensive security, which has been proven to be ineffective for centuries now.

I was hoping to open the conversation to radical new ways of thinking about data and security.

The only reason why CCs and personal data are under constant attack by hackers, is because they are broadly valuable.

A "simple" solution to that problem is to go back to having a Macy's card, and a Shell card, and an Amazon card - essentially a card-per-business - because then hacking your personal and CC data has no value to the hacker. They get ONE person's info, which can be used for ONE store, and is, in fact, already in use, so any attempt to use that data to establish a NEW account, would immediately be flagged. "That user already exists in the system."

I dunno.

It's just a different way to think about security. Remove the choke-points that hackers love to target, and suddenly hackers won't be cracking your system, because there is no big financial gain to be had.

It was just a thought experiment...

user-inactivated  ·  2383 days ago  ·  link  ·  

    To me, your argument sounds like the same argument that's been discussed here before - the user / company is dumb and should know better / protect themselves better.

That's not my argument at all, well, kind of. My first argument would be that it's the responsibility of organizations to do their best to secure their products (looking at you Equifax) and that they should be held to high standards of accountability as well as transparency.

What I'm trying to say is that

A) I don't think organizations are trying hard enough to be proactive, accountable, and transparent and I think that we're reaching a point where the public, and hopefully lawmakers, will really start to demand that.

B) Every time this kind of thing happens, there's someone new that reads these articles, and hopefully they discover how vulnerable they can be and start adjusting their behavior to protect themselves. I know I learn something new almost every time something like this comes up and I keep security an active part of my conversations when talking to other people, people who are savvy so I can learn more and people who aren't savvy so I can give them tips to protect themselves. For example, whenever banking comes up I always tell people to get mobile alerts and two factor authentication activated whenever possible.

C) We're on the tech frontier here. We have to understand that, know that we're at risk, and realize we're really just starting out in finding ways to protect ourselves. We need backup plans, just in case the metaphorical bear spray we're given to protect ourselves turns out to be nothing more than compressed water in a can.

I mean, hardships in this area are all around right now, but literally every time something like this happens, it's in the news (even on local television news) and it gets people talking and aware and awareness is the first step in addressing a problem.

veen  ·  2383 days ago  ·  link  ·  

It is great that people are becoming more and more aware of this. But I genuinely don't think it's enough.

I mean, I agree with A). I'm right here with you hoping for a better world. And slowly but steadily, more people seem to care about privacy and security. Just a few days ago the 300,000 signature milestone was reached for initiating a referendum about a new mass surveillance law. Public awareness is growing and I love that.

But I don't think it is enough. Public awareness means that the low hanging fruit of insecurity is getting caught: I don't know anyone my age who isn't careful about their social media presence, and most people know not to connect to any WiFi network that looks free.

The main reason I linked to that discussion and the core of my argument is that we're now seeing fuckups so massive, so far-reaching that there is nothing you or I can do about it. Awareness is futile against an entire WPA protocol being insecure. Similarly, there will be companies that have your data, and they will at some point fuck up royally, and there is no researching or 'adjusting your behaviour' or bear spray that can stop it. Take Equifax: it's an oligopoly of three credit agencies, so there isn't enough pressure on any of those to get them to change their behaviour. Especially not since their real customers are the companies that buy their data. Maybe the government manages to break the market up or sets strict rules, and I really hope they do for the sake of everyone involved, but I highly doubt it.

I mean, it used to be just email / credit card data, like when Target or Adobe messed up. Now it's home addresses, SSNs, full names. Identity thefts are going to have a field day. What can normal people even do against that? Bear spray doesn't do shit against a tsunami.

kleinbl00  ·  2383 days ago  ·  link  ·  

    What can normal people even do against that? Bear spray doesn't do shit against a tsunami.

It's gonna be truly dope when the biometrics get out. You can change a password but if Google or Apple leak your fingerprint...

and I know that Google and Apple don't "have" your fingerprint. They have a hashed cipher of markers of your fingerprint. But nobody realized Sony was storing user data and passwords in plaintext until it got out and I've seen no reason to trust either organization implicitly.

Eventually, there will come laws for improper data hoarding and breaches of secure information. There will be civil and criminal penalties for mishandling sensitive data - I mean, if you forced anyone that works with credit card or social security numbers to be HIPAA-compliant you'd see an instant sea change. But this will not happen until it is too late and there has been substantial damage done, and our legislators will fight it tooth and claw, Democrat and Republican.

And the NSA will still get it, and the NSA will still leak it, and we'll be right back where we started except the lawyers will be rich.

johnnyFive  ·  2383 days ago  ·  link  ·  

    HTTPS protocols are their own layer on encryption, so accessing e-mail and bank accounts should still be relatively safe.

Emphasis on "relatively." The folks who found this vulnerability to WPA2 note in their explanation that plenty of vulnerabilities in the implementation have been found in HTTPS, too. So it's a case of a single point of failure rather than redundancy.

lm  ·  2383 days ago  ·  link  ·  

However, all of the vulnerabilities found in HTTPS have been fixed, and the TLS specs (the security layer of HTTPS) are regularly updated to remove insecure cryptographic algorithms and add new, improved algorithms.

Don't get me wrong; internet security is still a shitshow in many ways, but you should be confident in the encryption provided by HTTPS.

johnnyFive  ·  2383 days ago  ·  link  ·  

Sure, but it's important not to be complacent.