<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>The blog of Nathan Hunstad &#187; Security</title>
	<atom:link href="http://www.nathanhunstad.com/blog/category/security/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.nathanhunstad.com/blog</link>
	<description>The blog of Nathan Hunstad, covering topics like photography, computers, politics, Minneapolis, and more</description>
	<lastBuildDate>Fri, 03 Feb 2012 02:35:32 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
		<item>
		<title>Passwords, Authentication, and Privilege</title>
		<link>http://www.nathanhunstad.com/blog/2012/02/passwords-authentication-and-privilege/</link>
		<comments>http://www.nathanhunstad.com/blog/2012/02/passwords-authentication-and-privilege/#comments</comments>
		<pubDate>Thu, 02 Feb 2012 02:52:06 +0000</pubDate>
		<dc:creator>doctorgonzo</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[Authentication]]></category>
		<category><![CDATA[Password]]></category>

		<guid isPermaLink="false">http://www.nathanhunstad.com/blog/?p=649</guid>
		<description><![CDATA[Gizmodo has decreed that today, February 1st, is “Change Your Password” day. I wholeheartedly agree, especially if you re-used passwords (which you shouldn’t!). In fact, I’d go further: change your password, and start using a password manager. Did I change my passwords today? I did not, because I used said password manager. I don’t reuse [...]]]></description>
			<content:encoded><![CDATA[<p>Gizmodo has decreed that today, February 1st, is “<a href="http://gizmodo.com/5879669/february-1-is-change-your-password-day-ive-decided" target="_blank">Change Your Password</a>” day. I wholeheartedly agree, especially if you re-used passwords (which you shouldn’t!). In fact, I’d go further: change your password, and start using a <a href="http://www.nathanhunstad.com/blog/2011/02/useful-computer-utilities-keepass/" target="_blank">password manager</a>. Did I change my passwords today? I did not, because I used said password manager. I don’t reuse passwords, and my passwords are all random. So even if <a href="http://www.nathanhunstad.com/blog/2012/01/zappos-data-breach/" target="_blank">one is revealed</a>, it’s not going to make a difference outside of that one website.</p>
<p><span id="more-649"></span></p>
<p>But I’ve been thinking beyond passwords lately to the broader subject of authentication, which I think is where the real issues are. Take online finance. I use Quicken, <a href="http://www.nathanhunstad.com/blog/2011/08/closed-source-software-i-use/" target="_blank">which I hate</a>. However, I have more than 15 years of data in Quicken that won’t easily move elsewhere, so I have few choices as to where I can go. One popular alternative finance site is <a href="https://www.mint.com/" target="_blank">Mint.com</a>, which has a pretty strong following online. It allows you to pull in data from all of your banks so you can have a centralized view of your finances, much like Quicken. Unlike Quicken, it’s web-based, and it can send you alerts based on balances, fraudulent activity, and so forth.</p>
<p>To get this information, Mint obviously needs to be able to access your banking information. They do this by storing your bank login credentials, although they say that they only have read-only access to your banking data, so even if your Mint account was compromised, criminals couldn’t move your money anywhere. Of greater concern is that they (or, more accurately, <a href="http://themedium.blogs.nytimes.com/2009/05/27/addressing-security-concerns-on-mintcom/" target="_blank">a third party</a>) have that data. Mint claims that it is super-secure, encrypted, all that jazz, and I have no reason to doubt them. All the same, though, it makes me uncomfortable, which is one of the reasons I won’t use it and instead rely on credentials stored securely just on my computer instead of in the cloud.</p>
<p>The problem is with authentication, and frankly, it’s with the banks themselves. Mint shouldn’t need to have access to my all-powerful banking logins. I should be able to create additional logins with my banks with differing privilege levels that are completely unrelated to my “superuser” account. That way, I could expressly create a read-only login and use that with Mint, Quicken, and wherever else necessary. I shouldn’t have to rely on the proper storage of my credentials at Mint or anywhere else to protect me; I should be able to limit rights directly. Sadly, as far as I know, few if any banks allow this, even though technologies <a href="http://oauth.net/" target="_blank">are available</a> to allow this.</p>
<p>So yes, change your passwords. Stop reusing them. But unique, strong passwords are not enough. We need more granular control over the access we have online, so we can put up stronger firewalls around our data while still allowing it to be used.</p>
<ul class='my_ul'>
<li class='my_li'><span class='post-xtra-key'>Current Mood:</span> Healthy </li><li class='my_li'><span class='post-xtra-key'>Currently Listening To:</span> <a target="_blank" href="http://www.amazon.com/s/ref=nb_sb_noss?url=search-alias%3Ddigital-music&field-keywords=Ship+of+Fools">"Ship of Fools", The Doors</a> </li></ul>
]]></content:encoded>
			<wfw:commentRss>http://www.nathanhunstad.com/blog/2012/02/passwords-authentication-and-privilege/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Zappos Data Breach</title>
		<link>http://www.nathanhunstad.com/blog/2012/01/zappos-data-breach/</link>
		<comments>http://www.nathanhunstad.com/blog/2012/01/zappos-data-breach/#comments</comments>
		<pubDate>Wed, 18 Jan 2012 01:41:15 +0000</pubDate>
		<dc:creator>doctorgonzo</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[Data Breach]]></category>
		<category><![CDATA[Password]]></category>
		<category><![CDATA[Zappos]]></category>

		<guid isPermaLink="false">http://www.nathanhunstad.com/blog/?p=629</guid>
		<description><![CDATA[Zappos.com recently had a data breach. As data breaches go, it was not nearly as bad as it could have been: no full credit card numbers leaked, nor any plaintext passwords. What makes it special, then? It’s somewhat special to me, since it is, to my knowledge, the first time that I have been part [...]]]></description>
			<content:encoded><![CDATA[<p>Zappos.com recently had a <a href="http://www.securitynewsdaily.com/zappos-data-breach-1498/" target="_blank">data breach</a>. As data breaches go, it was not nearly as bad as it could have been: no full credit card numbers leaked, nor any plaintext passwords. What makes it special, then? It’s somewhat special to me, since it is, to my knowledge, the first time that I have been part of a data breach: I have a Zappos.com account, and I received the email about the breach. Notice I said “to my knowledge”; plenty of data leaks don’t get reported. I haven’t been a part of a major one, though, at least according to <a href="https://pwnedlist.com/" target="_blank">pwnedlist.com</a>, where you can check to see if your email address or username has been leaked.</p>
<p><span id="more-629"></span></p>
<p>There are a few things still not known about the Zappos breach, such as how they were compromised and, more importantly, whether the password hashes (it’s presumed that “scrambled” means hashed) were <a href="http://en.wikipedia.org/wiki/Salt_(cryptography)" target="_blank">salted</a>. Important questions, true, but I am not worried in the least. Why? Because I used a password manager, and so I don’t care about the password being compromised. In fact, here’s my old Zappos password: “TaH8pcEloWsb8R1nrol2”. It’s useless now, because it’s been changed, and more importantly, it’s unique and random.</p>
<p>Hackers can do a lot of things with this data. They can take the email address and do phishing attacks against you, such as sending out an official-looking email purporting to be from Zappos asking you for your password, credit card number, and so forth. What they really hope for, though, is to get the plaintext password and see if it works on other sites. Even if passwords are hashed, they can sometimes be recovered, especially if they aren’t complex enough. And once they have that password, they’ll try to log onto banking sites, credit card sites, and anything else they can think of. Because so many people reuse their passwords, it sometimes works, and now that Zappos breach has drained your bank account.</p>
<p>A password manager (I use <a href="http://www.nathanhunstad.com/blog/2011/02/useful-computer-utilities-keepass/" target="_blank">KeePass</a>) stops this in two ways. First, it can generate very complex, random passwords. It is orders of magnitude harder to figure out a complex password from a hashed value than something like “password”. More importantly, though, even if they do somehow get the password, perhaps because the website has broken every security rule by storing the password in plain text, it’s unique. They may be able to log onto that website, but that’s it. The password is not shared with a banking website, or any other website.</p>
<p>Using a password manager is a bit of a chore. It’s somewhat cumbersome and inconvenient. However, the extra 30 seconds it takes to use a password manager is well worth the peace of mind I get from knowing that even if the password to a website I use once a year is compromised, the damage is limited only to that site.</p>
<ul class='my_ul'>
<li class='my_li'><span class='post-xtra-key'>Current Mood:</span> Meh </li><li class='my_li'><span class='post-xtra-key'>Currently Listening To:</span> <a target="_blank" href="http://www.amazon.com/s/ref=nb_sb_noss?url=search-alias%3Ddigital-music&field-keywords=Under+My+Thumb">"Under My Thumb", The Rolling Stones</a> </li><li class='my_li'><span class='post-xtra-key'>Just Watched:</span> <a target="_blank" href="http://www.amazon.com/s/ref=nb_sb_noss?url=search-alias%3Dmovies-tv&field-keywords=True+Grit">True Grit</a> </li></ul>
]]></content:encoded>
			<wfw:commentRss>http://www.nathanhunstad.com/blog/2012/01/zappos-data-breach/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>IT Security Survey</title>
		<link>http://www.nathanhunstad.com/blog/2011/04/it-security-survey/</link>
		<comments>http://www.nathanhunstad.com/blog/2011/04/it-security-survey/#comments</comments>
		<pubDate>Thu, 21 Apr 2011 16:17:37 +0000</pubDate>
		<dc:creator>doctorgonzo</dc:creator>
				<category><![CDATA[Personal]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[MSST]]></category>

		<guid isPermaLink="false">http://www.nathanhunstad.com/blog/?p=469</guid>
		<description><![CDATA[I’m currently working on my MSST Capstone project, which is going to focus on IT security in small organizations and small businesses. If you work in a small business, especially if you have an IT role, please fill out a short survey I’ve put together. It’s 36 questions, mainly yes or no, so it shouldn’t [...]]]></description>
			<content:encoded><![CDATA[<p>I’m currently working on my MSST Capstone project, which is going to focus on IT security in small organizations and small businesses. If you work in a small business, especially if you have an IT role, please fill out a short survey I’ve put together. It’s 36 questions, mainly yes or no, so it shouldn’t take up too much time. You can access the survey <a href="https://www.surveymonkey.com/s/YW2PLMP" target="_blank">here</a>.</p>
<ul class='my_ul'>
<li class='my_li'><span class='post-xtra-key'>Current Mood:</span> Hungry </li><li class='my_li'><span class='post-xtra-key'>Currently Listening To:</span> <a target="_blank" href="http://www.amazon.com/s/ref=nb_sb_noss?url=search-alias%3Ddigital-music&field-keywords=Thunder+Road">"Thunder Road", Bruce Springsteen</a> </li></ul>
]]></content:encoded>
			<wfw:commentRss>http://www.nathanhunstad.com/blog/2011/04/it-security-survey/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>New GnuPG key</title>
		<link>http://www.nathanhunstad.com/blog/2011/03/new-gnupg-key/</link>
		<comments>http://www.nathanhunstad.com/blog/2011/03/new-gnupg-key/#comments</comments>
		<pubDate>Mon, 07 Mar 2011 04:10:27 +0000</pubDate>
		<dc:creator>doctorgonzo</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[Encryption]]></category>
		<category><![CDATA[GnuPG]]></category>
		<category><![CDATA[Public-key cryptography]]></category>

		<guid isPermaLink="false">http://www.nathanhunstad.com/blog/?p=447</guid>
		<description><![CDATA[My GnuPG key was set to expire at the end of this year, so I created a new one. The key is located here. In the extremely unlikely event you need to email me something securely, use this! I’m a big fan of crypto and secure email. Too bad I so rarely have need to [...]]]></description>
			<content:encoded><![CDATA[<p>My GnuPG key was set to expire at the end of this year, so I created a new one. The key is located <a href="http://www.nathanhunstad.com/index.php/home/secure-communications/11-gnupg" target="_blank">here</a>. In the extremely unlikely event you need to email me something securely, use this!</p>
<p>I’m a big fan of crypto and secure email. Too bad I so rarely have need to use it.</p>
<ul class='my_ul'>
<li class='my_li'><span class='post-xtra-key'>Current Mood:</span> Full </li><li class='my_li'><span class='post-xtra-key'>Currently Listening To:</span> <a target="_blank" href="http://www.amazon.com/s/ref=nb_sb_noss?url=search-alias%3Ddigital-music&field-keywords=Roadhouse+Blues">"Roadhouse Blues", The Doors</a> </li></ul>
]]></content:encoded>
			<wfw:commentRss>http://www.nathanhunstad.com/blog/2011/03/new-gnupg-key/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Google Two-Factor Authentication</title>
		<link>http://www.nathanhunstad.com/blog/2011/02/google-two-factor-authentication/</link>
		<comments>http://www.nathanhunstad.com/blog/2011/02/google-two-factor-authentication/#comments</comments>
		<pubDate>Fri, 18 Feb 2011 03:52:00 +0000</pubDate>
		<dc:creator>doctorgonzo</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[Authentication]]></category>
		<category><![CDATA[Google]]></category>

		<guid isPermaLink="false">http://www.nathanhunstad.com/blog/2011/02/google-two-factor-authentication/</guid>
		<description><![CDATA[Google has recently enabled two-factor authentication for Google products like Gmail. What is two-factor authentication? It means that in addition to providing your password, you need to provide a random verification number that Google will send to your phone, either via an app, a text message, or an actual phone call. Thus, to log in, [...]]]></description>
			<content:encoded><![CDATA[<p>Google <a href="http://www.theregister.co.uk/2011/02/10/gmail_2_factor_authentication/" target="_blank">has recently enabled</a> <a href="http://en.wikipedia.org/wiki/Two-factor_authentication" target="_blank">two-factor authentication</a> for Google products like Gmail. What is two-factor authentication? It means that in addition to providing your password, you need to provide a random verification number that Google will send to your phone, either via an app, a text message, or an actual phone call. Thus, to log in, you need two things: a password and your phone. With only one or the other, you can’t get in. This is much stronger than a password alone, which is why some banks have been moving to two-factor authentication for customers. Google’s decision to enable it for email, and for <a href="http://www.informationweek.com/news/security/vulnerabilities/showArticle.jhtml?articleID=229216897&amp;cid=RSSfeed_IWK_All" target="_blank">just about everybody</a> with an account, is certainly groundbreaking.</p>
<p><span id="more-443"></span></p>
<p>Since I use Google, I decided I’d turn it on to take advantage of the increased security. As reports <a href="http://www.pcworld.com/businesscenter/article/219290/why_you_should_use_googles_twostep_login.html" target="_blank">have indicated</a>, it takes about 15 minutes to set it up, but it wasn’t difficult at all. Since I have an Android smartphone, I was able to install Google’s app that generates verification numbers by simply scanning the <a href="http://en.wikipedia.org/wiki/QR_Code" target="_blank">QR Code</a> that Google gave me. Once that was installed, I was able to use two-factor authentication to log into my email account. You can configure it to require two-factor authentication every time you log on, or you can remember the login information for 30 days.</p>
<p>Google’s two-factor authentication is <a href="http://www.zdnet.com/blog/perlow/googles-two-factor-authentication-nice-idea-but-unwieldy/15864" target="_blank">not without its issues</a>. Although it works great for any of Google’s products that you access from a browser, like email, Google Docs, Google Reader, and so forth, for stand-alone programs like an IM client, or Gmail on your phone, the extra verification code will not work. For these uses, Google allows you to generate passwords in lieu of your typical password. You need to do this for each service, so if you have a lot, it’s going to be a hassle. Since I don’t use my Google account to log on to other websites, I only had to configure passwords for Pidgin and my phone. If, however, you do use your Google account to log into dozens of other websites, getting that configured is going to be a pain.</p>
<p>All in all, I’m glad Google has made this available to users. I’d like to see it spread to other logins, especially for my financial info. Neither ING Direct nor U.S. Bank have this feature; my credit cards are also similarly lacking. Now that the widespread prevalence of smartphones makes adding this functionality much cheaper than handing out <a href="http://en.wikipedia.org/wiki/SecurID" target="_blank">actual physical tokens</a>, there’s no reason not to implement this.</p>
<ul class='my_ul'>
<li class='my_li'><span class='post-xtra-key'>Current Mood:</span> Inspired </li></ul>
]]></content:encoded>
			<wfw:commentRss>http://www.nathanhunstad.com/blog/2011/02/google-two-factor-authentication/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Useful Computer Utilities: KeePass</title>
		<link>http://www.nathanhunstad.com/blog/2011/02/useful-computer-utilities-keepass/</link>
		<comments>http://www.nathanhunstad.com/blog/2011/02/useful-computer-utilities-keepass/#comments</comments>
		<pubDate>Wed, 09 Feb 2011 03:50:00 +0000</pubDate>
		<dc:creator>doctorgonzo</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[Tech]]></category>
		<category><![CDATA[Password]]></category>
		<category><![CDATA[Utility]]></category>

		<guid isPermaLink="false">http://www.nathanhunstad.com/blog/2011/02/useful-computer-utilities-keepass/</guid>
		<description><![CDATA[Some time ago I blogged about the password manager I had been using for many years: Password Safe. It’s a great program, one that I recommend wholeheartedly. However, I’ve since switched to a new manager: KeePass. Like Password Safe, it is a pretty functional password manager that allows you to automatically generate and save passwords. [...]]]></description>
			<content:encoded><![CDATA[<p>Some time ago I <a href="http://www.nathanhunstad.com/blog/2009/05/useful-computer-utilities-password-safe/" target="_blank">blogged</a> about the password manager I had been using for many years: <a href="http://passwordsafe.sourceforge.net/" target="_blank">Password Safe</a>. It’s a great program, one that I recommend wholeheartedly. However, I’ve since switched to a new manager: <a href="http://keepass.info/" target="_blank">KeePass</a>. Like Password Safe, it is a pretty functional password manager that allows you to automatically generate and save passwords. Also like Password Safe, KeePass is open-source.</p>
<p>Why did I switch? Well, essentially because I like the interface and functions better in KeePass. The UI looks a bit better, and there is a graphical representation of how strong a password is. Other than that, though, it’s almost identical to Password Safe. Password Safe is even a bit easier to use for the novice, as it doesn’t have quite as many options to fiddle with as KeePass. One issue with KeePass 2.x is that it requires the .NET architecture, which isn’t always available, especially if you plan on using it on a computer that you don’t have control over.</p>
<p>I’d unhesitantly recommend either of the two for your password manager needs. Play with both of them and decide which one you like better. But pick and use some kind of manager. Using strong, random passwords is an important part of security, and password managers help make doing so simpler.</p>
<ul class='my_ul'>
<li class='my_li'><span class='post-xtra-key'>Current Mood:</span> Cyber-educated </li></ul>
]]></content:encoded>
			<wfw:commentRss>http://www.nathanhunstad.com/blog/2011/02/useful-computer-utilities-keepass/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>National Internet ID: A Bad Idea</title>
		<link>http://www.nathanhunstad.com/blog/2011/01/national-internet-id-a-bad-idea/</link>
		<comments>http://www.nathanhunstad.com/blog/2011/01/national-internet-id-a-bad-idea/#comments</comments>
		<pubDate>Tue, 11 Jan 2011 00:29:06 +0000</pubDate>
		<dc:creator>doctorgonzo</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[E-commerce]]></category>
		<category><![CDATA[National ID]]></category>
		<category><![CDATA[Password]]></category>

		<guid isPermaLink="false">http://www.nathanhunstad.com/blog/?p=428</guid>
		<description><![CDATA[The Obama administration is talking about creating a unique &#8220;Internet ID&#8221; for web users in the U.S. Commerce Secretary Gary Locke is quick to say it isn&#8217;t a national ID card, or even a government-controlled system, but private creation of &#8220;trusted digital identities&#8221;. Although there are plenty of times where the need for a trusted [...]]]></description>
			<content:encoded><![CDATA[<p>The Obama administration is <a href="http://www.cbsnews.com/8301-501465_162-20027837-501465.html" target="_blank">talking about</a> creating a unique &#8220;Internet ID&#8221; for web users in the U.S. Commerce Secretary Gary Locke is quick to say it isn&#8217;t a national ID card, or even a government-controlled system, but private creation of &#8220;trusted digital identities&#8221;. Although there are plenty of times where the need for a trusted digital identity is real, I really don&#8217;t think e-commerce is one of those times. The benefits of such a system for e-commerce are far outweighed by the costs.</p>
<p><span id="more-428"></span></p>
<p>One alleged benefit of such a system would be to &#8220;eliminate the need to memorize a dozen passwords&#8221;. To me, that&#8217;s like saying that carrying around a dozen keys is a problem, and instead I should just have one key for my car, home, office, safe, and everything else. A single point of failure, such as using one key for everything or one ID for everything, is very poor security. Especially when there are no details as to who would control such an ID, where it would be required (don&#8217;t think that &#8220;opt-in&#8221; means that the largest e-commerce sites like Amazon wouldn&#8217;t soon require them), and most importantly, how it can be revoked in case it is compromised.</p>
<p>Supposedly, e-commerce is hampered by people feeling insecure on the internet. I&#8217;m not sure I follow this. By creating separate, complex passwords for every site I visit (and then keeping track of those passwords in a password manager), I feel much more secure than if I had just one &#8220;Internet ID&#8221; I had to protect. If somebody gets my Amazon password, for example, they won&#8217;t have my banking password because they are different. I also feel fairly confident about my online activities because I check my credit card activity on a daily basis; personal finance software like Quicken makes this easy, as does a website like <a href="http://www.mint.com/" target="_blank">Mint</a>. In all the years I&#8217;ve been buying things online, I&#8217;ve had problems on maybe two occasions, and the day I found the fraudulent activity I called the card and took care of it immediately, before it spiraled out of control.</p>
<p>You may argue that using a password manager, and checking your credit card activity every day is an inconvenience. And yes, it is. So is locking your door and having separate keys for everything. Once you get used to taking these steps to protect yourself, though, they become pretty inconsequential. What would really be inconvenient is having a single ID for everything you do online, and waking up to find that somebody has stolen it and now has access to everything. That&#8217;s not my idea of improving e-commerce.</p>
<ul class='my_ul'>
<li class='my_li'><span class='post-xtra-key'>Current Mood:</span> Monday </li><li class='my_li'><span class='post-xtra-key'>Currently Listening To:</span> <a target="_blank" href="http://www.amazon.com/s/ref=nb_sb_noss?url=search-alias%3Ddigital-music&field-keywords=The+Crunge">"The Crunge", Led Zeppelin</a> </li></ul>
]]></content:encoded>
			<wfw:commentRss>http://www.nathanhunstad.com/blog/2011/01/national-internet-id-a-bad-idea/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>My 7 seconds of fame on CNN</title>
		<link>http://www.nathanhunstad.com/blog/2010/07/my-7-seconds-of-fame-on-cnn/</link>
		<comments>http://www.nathanhunstad.com/blog/2010/07/my-7-seconds-of-fame-on-cnn/#comments</comments>
		<pubDate>Wed, 21 Jul 2010 21:01:55 +0000</pubDate>
		<dc:creator>doctorgonzo</dc:creator>
				<category><![CDATA[Personal]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[MSST]]></category>

		<guid isPermaLink="false">http://www.nathanhunstad.com/blog/?p=324</guid>
		<description><![CDATA[CNN did a story on the Masters of Science in Security Technologies (MSST) program I’m enrolled in at the U. The story can be found here. I’m in the story for a few seconds of talking and clicking around on my computer at work (I’m clicking on the database app I created, not Solitaire). Except [...]]]></description>
			<content:encoded><![CDATA[<p>CNN did a story on the Masters of Science in Security Technologies (MSST) program I’m enrolled in at the U. The story can be found <a href="http://www.cnn.com/2010/LIVING/07/20/homeland.security.class/?hpt=Sbin" target="_blank">here</a>. I’m in the story for a few seconds of talking and clicking around on my computer at work (I’m clicking on the database app I created, not Solitaire). Except for my appearance on ‘N Sync’s website many years ago, it’s probably my broadest media appearance yet. I’m so proud!</p>
<p>As for the MSST program itself, it’s going very well. Our first course, dealing mainly with the psychology of terrorism, is already over, and it was very interesting. Ron Krebs, the instructor for the majority of the class, handled the class exceptionally, with a very good balance of lecture and group activities, as well as engrossing readings. I and several of my classmates were interested in taking a course he is teaching in the fall, but the workload just isn’t something I could handle while working, planning a wedding, and electioneering. Our current two courses, on critical infrastructure protection and science and technology in security, are also very interesting. They are pretty broad courses with a number of guest speakers lecturing on their particular expertises (cybersecurity, biosecurity, food security, pandemic preparedness, and so on) and they will provide for a good base upon which we can expand in later classes. They are also great at scaring the crap out of us.</p>
<p>In a little more than a month, the summer semester will be over and I’ll be 25% done with my degree. Not bad. Next on the to do list: thinking of a capstone project.</p>
<ul class='my_ul'>
<li class='my_li'><span class='post-xtra-key'>Current Mood:</span> Hump day </li><li class='my_li'><span class='post-xtra-key'>Currently Listening To:</span> <a target="_blank" href="http://www.amazon.com/s/ref=nb_sb_noss?url=search-alias%3Ddigital-music&field-keywords=Let+It+Bleed">"Let It Bleed", The Rolling Stones</a> </li></ul>
]]></content:encoded>
			<wfw:commentRss>http://www.nathanhunstad.com/blog/2010/07/my-7-seconds-of-fame-on-cnn/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Toyota and data privacy</title>
		<link>http://www.nathanhunstad.com/blog/2010/02/toyota-and-data-privacy/</link>
		<comments>http://www.nathanhunstad.com/blog/2010/02/toyota-and-data-privacy/#comments</comments>
		<pubDate>Sat, 20 Feb 2010 01:34:00 +0000</pubDate>
		<dc:creator>doctorgonzo</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[Tech]]></category>
		<category><![CDATA[Data Privacy]]></category>
		<category><![CDATA[Toyota]]></category>

		<guid isPermaLink="false">http://www.nathanhunstad.com/blog/2010/02/toyota-and-data-privacy/</guid>
		<description><![CDATA[Why am I so interested in issues of data privacy and data security? I think this story about &#8220;black boxes&#8221; in Toyota cars illustrates it well. In short, Toyota cars have airplane-like black boxes in many of their cars that can track data like speed, whether the airbags deployed, and so forth. However, the data [...]]]></description>
			<content:encoded><![CDATA[<p>Why am I so interested in issues of data privacy and data security? I think <a href="http://online.wsj.com/article/SB10001424052748703562404575067680423734178.html" target="_blank">this</a> story about &#8220;black boxes&#8221; in Toyota cars illustrates it well. In short, Toyota cars have airplane-like black boxes in many of their cars that can track data like speed, whether the airbags deployed, and so forth. However, the data is stored in a proprietary format, and only Toyota can access it; they only do so when requested by law enforcement. I am interested in security and privacy precisely because I want to see the end to what I consider to be horrible practices like this.</p>
<p>I don&#8217;t think it&#8217;s horrible because black boxes shouldn&#8217;t exist, or that they infringe upon privacy. On the contrary: my major problem with this is that it is far <em>too</em> private: only Toyota has access to the data, despite the fact that the owner of the car paid for the black box and the driver of the car is the one generating that data. Toyota should not store this data in a proprietary format that only Toyota has access to, and only when Toyota wants to divulge the information. The owner of the vehicle should have full access to the data at all times and should be able to control it.</p>
<p><span id="more-276"></span></p>
<p>Advancing technology has put a premium on data. In the past, nobody cared where you drove your buggy or what your shopping habits were at the general store, because such information was too unwieldy to be agglomerated and analyzed. Today, however, with inexpensive computing power, ubiquitous sensors, and a hyper-networked infrastructure, such data is incredibly valuable. Where you shop, what your likes and dislikes are, and your demographic information are worth a lot of money to banks, marketers, and other businesses. Credit report agencies and web ad marketers like DoubleClick are just two of the many businesses that make money by buying and selling information on consumers.</p>
<p>What&#8217;s lost in the current jungle of regulations, though, is that much of the time consumers are not only not compensated for this data that other businesses are profiting from, they sometimes have no control over the data whatsoever. True, by law credit bureaus have to give consumers a process for disputing erroneous items in a credit report, but what about all the other businesses out there that are accumulating data for sale? The vast majority of the time, consumers have no idea that this data on them even exists, let alone what to do about it.</p>
<p>That&#8217;s why I think that taking ownership of this valuable data is going to become a very pressing issue in the near future. There&#8217;s nothing wrong with collecting this data, but the subjects of this data should be aware of it, and should have some control over its accuracy and sourcing. Hence my displeasure at Toyota: the data should be available to those that create it, and not just to Toyota themselves. Businesses are going to need to come up with policies for handling, correcting, and securing this data. Governments will have to do so as well.</p>
<p>As for proprietary formats, there&#8217;s little use in data that you can&#8217;t use, and I&#8217;m against their use too. I&#8217;m a strong believer in open-source and standards-compliant formats, and again, I think that these issues will become more important as time goes on. Especially when it comes to government archives, data from 50 years ago is completely useless if the file format it is stored in is some proprietary format that disappeared when the company that created it went out of business 30 years ago. Open-source applications can have better security implications as well.</p>
<p>As we surround ourselves with more and more data, these issues grow in importance. This is exactly why I&#8217;m excited about studying some of these issues in the MSST program.</p>
<ul class='my_ul'>
<li class='my_li'><span class='post-xtra-key'>Current Mood:</span> Friday </li><li class='my_li'><span class='post-xtra-key'>Currently Listening To:</span> <a target="_blank" href="http://www.amazon.com/s/ref=nb_sb_noss?url=search-alias%3Ddigital-music&field-keywords=Cityscape">"Cityscape", Matt Hunstad</a> </li></ul>
]]></content:encoded>
			<wfw:commentRss>http://www.nathanhunstad.com/blog/2010/02/toyota-and-data-privacy/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

