Kill the Password

This week I would like to draw readers’ attention to an article that appeared in Wired at the end of last year. Written by Mat Honan and entitled Kill the Password: Why a String of Characters Can’t Protect Us Anymore, it makes for really interesting and alarming reading.

The author starts by explaining that he lost all of his digital life last year as his accounts were hacked, an event that lead him into investigating online security and how it is breached.

What he discovered is not for the faint hearted. The linking together of different accounts using an email as username means that any seriously interested party with a little time on their hands and very little money can relatively easily get into a single account, and from there into the others.

His conclusion is that the culture of using passwords for security is outdated, a thing of the past and that anyone who tells you otherwise is either deluded or trying to convince you of something that is not true.

The worst password choices

Worst passwords of 2012

The availability of information is a problem because of the personal question access to resetting your password. Mother’s maiden name, place born etc. are easy things to find out about anybody through ancestry sites or other documents. Once you have somebody’s email address, you try to reset the password using the personal questions through the provider’s website. The answers might be on Facebook, or on their blog, or maybe intuitive, but they are out there.

Then to the customer services rep that you speak to by phone. They are people and can be misled. The article contains a transcription of a conversation between a hacker and one of these people. As the user needs to be able to reset the password they are offered a series of questions that get easier and easier to guess. Names of best friends is possible using Facebook or other social network publications, but if not try favourite food or others, but the example given is name of one of the files in the account. Try Google, Amazon, Personal, one will be right.

So the problem is that the system needs to be flexible and easy enough to use, so we must be able to easily change our passwords, but this makes security impossible.

How can this problem be addressed? Here the trade off is privacy. If the company knows you, through your search histories, places you have been, where you work and what you like to do they might better be able to tell if the password reset-er is you, but you lose any privacy you think you might have.

Voice recognition can be tricked using recordings, biometrics and fingerprints too. Once a system uses these things that cannot be changed or reset the problem is magnified. If I have a fingerprint lifted from a screen I can use it to get anywhere and new fingers are hard to come by these days, so what do you use next?

The article poses these problems from the point of view of somebody who has been hacked, but the author also looks at who these hackers are and even meets a couple. It is big business in certain circles, particularly in the Russian speaking world where organized crime has a large stake and makes a lot of money through stealing identities and all that follows. In other circles they are just “kids” having some fun wreaking havoc.

There are a few simple strategies outlined in this (not short) article that are worth following but none are foolproof, and that is a lesson we could all learn from. Just a word of warning, it contains some harsh language.

On a lighter note happy new year to everyone, and my mum’s maiden name was Windsor (no relation to either Barbara or Elizabeth).

Instagram (AKA Facebook) in the News

Instagram hit the news with a bang today, and for all the wrong reasons.

They changed their privacy policy so that they have permission to sell any photos that users have posted to third parties. This means that maybe one day you might see that photo of your dog driving a toy car on TV advertising the said toy.

Dog Driving

A Dog driving a Toy Car

Great, you get famous. Not so great, you don’t get paid for it.

Yes our friends at Instagram have the right to sell the photo and keep the money. They may also “share your information as well as information from tools like cookies, log files, and device identifiers and location data with organisations that help us provide the service to you… (and) third-party advertising partners.”

They are not doing it for the money of course, but to “help us deliver interesting paid or sponsored content or promotions, you agree that a business may pay us to display your username, likeness, photos, in connection with paid or sponsored content or promotions, without any compensation to you.”

They just want to make your user experience more fun. “This means we can do things like fight spam more effectively, detect system and reliability problems more quickly, and build better features for everyone by understanding how Instagram is used,” it said in a statement.

If you don’t want to give them the right to do this you have a choice of course. You can withdraw all your pictures and delete your account by 16th January and never use them again.

I have written various articles about Facebook and their fluid privacy policies, you can find one here.

One of the most incredible things to me is reading the comments that these articles have provoked. Some people do not care about privacy, it seems to be a thing that only we oldies ever think about. This is a massive change in culture and opens a myriad of possibilities for exploitation in many forms.

Many of my friends use Facebook, probably all of them, but I am the odd one out. I do not use Facebook. A choice that has consequences, I could not register for Spotify the other week, they want your information. But I don’t want to share mine! And recently I applied for a job as a journalist but they wanted a breakdown of my social networking, so if you don’t do social networking you must not be a very good writer.

So make sure that your Instagram friends know what is happening so they can make an informed decision, think about what you post and where you post it, and remember, nothing comes for free, not even social networking.

Facebook site governance vote – what you need to know

If you use Facebook, I highly recommend you read this article.

If you have an active Facebook account, then in the last week you should have received an email from the social network that looks a bit like the one below.

Our Global Site Governance Vote

The email that Facebook sent out to all users about the vote on its global site governance.

Facebook is planning on making some major changes to the way it operates, specifically concerning its Statement of Rights and Responsibilities (SRR) and Data Usege Policy.

Since Monday of this week, until next Monday (10th of December) users of the social network get to vote on the proposed changes.

Which documents should govern the Facebook site?The ‘ballot paper’ gives you two options, to vote for:

  1. Proposed Documents: The proposed SRR and Data Use Policy
  2. Existing Documents: The current SRR and Data Use Policy

The vote will only be binding if one third of active users (around 300 million) vote, so your vote is very important!

So, what you probably want to know before you vote is what do the top options mean.

Option 1 – The proposed SRR and Data Use Policy

The proposed SRR and Data Use Policy, in a nutshell want to remove users voting rights. To make major changes to the site, Facebook in theory is currently obliged to ask users to vote on proposals. Facebook wants to stop this, giving itself complete control. It will instead ask users for their comments and feedback, and then (it claims) it will act on these to make changes to the platform, which the company believes are beneficial to users.

Option 1 also allows the network to share user data with its affiliates, across all its brands – like FriendFeed and Instagram. This is similar to what Google did earlier this year, when it changed its privacy policy. Google’s changes were much disputed, because of the ’empire’ of brands it owns. Facebook isn’t quite as big, but the changes are still important if you use more than one of its services.

The other major change that Option 1 would bring is that it would allow more people to message you, so if you like to have a more private and personal account, it could be harder to keep yourself as private on the network. It will do this by setting new ‘filters’ on the messaging service.

Option 1 will also see a change in how Facebook refers to certain products.

Option 2 – The current SRR and Data Use Policy

Option 2 votes to keep things as they are currently. To make any major privacy changes to the site, Facebook need to get approval via a vote, which must have a percentage of active users participate.

If you don’t like the current system, but are even more worried about the proposed changes, then Option 2 is more favourable, but really you are stuck between a rock and a hard place, as there are only two options.

Impartiality – In Facebook’s Defence…

As you can probably tell from the way I have been writing, I am more in favour of Option 2 than the proposed changes of Option 1. However, I try to ensure my writing remains as impartial, so I should give Facebook their say.

Facebook claim that the updates would be in line with what is currently “standard in the industry” in which it operates. It feels the changes would promote the “efficient and effective use of the services Facebook and its affiliates provide.”

Facebook also says that the current system favours the quantity of comments over their quality, which I can’t argue with. Currently a majority vote is needed from at least 30% of users to decide something, however were Facebook to better act on individual users opinions, and focus on what individuals are saying, rather than forcing people to vote for one option over another, should, in theory create a better social network.

That said, Facebook is likely to only act on the comments that will gain it users (or stop it from loosing them) and make it a profit. After all, it is a public limited company with a responsibility to make profits for its shareholders.

My counter argument is, if high-quality feedback is better than voting, why do many arguably successful and democratic countries around the world (like the UK, Australia, USA, all EU members etc.) elect their leaders? Why does the ballot paper have candidates on and not a ‘suggestions’ box? Then again in Facebook’s favour I suppose one could argue that 30% turnout from an online community is quite high, and could stop things moving forward, but then why not lower this to a more reasonable figure – say 15% or 20% of active users?

Enough waffling from me, it’s time to vote. To find out more about the vote, and to cast yours, head over to the official Facebook Governance Vote page.

Which option gets your vote?