Folly

Sigh. This is getting ridiculous.

I’ve complained about the stupid things credit card issuers do before, most recently in April. This week, however, they reached a new low.

I got a new card. Nothing new about that, right? What is new is that it wasn’t because the old one had expired, nor had it been compromised. According to the accompanying letter, the new card “has a new layer of protection” and “For added security, your card has a new number and includes chip technology.” It also has a new expiration date.

Excuse me? My old card also had a chip.

The letter goes on to say “This is simply a preventative measure to improve the security of your card. This is not in response to your account being compromised in any way.”

If the old number wasn’t compromised, how is the new number an improvement? The only possible interpretation I can put on this is that there’s some weasel wording going on here: my account hasn’t been compromised–literally. Nobody has broken into the issuing bank’s system and accessed my account. Good to know. But that doesn’t eliminate the possibility that some merchant I used the card at–or Visa itself–has been hacked and my card information potentially exposed.

What makes this truly annoying is that the old card–which had a new number and expiration date–was four months old. What’s the point in giving me an expiration date four years in the future if you’re going to change it every four months?

The really boggling part about this fiasco, however, is that the chipped cards are no more secure than the old unchipped cards. As I said in April:

It won’t do a damn thing for Internet sales. Give ’em the card number, expiration date, and (sometimes) the code printed on the back, and they can charge the card just as they always have. And store the information insecurely, just as they always have. And get hacked, just as they always have.

But even leaving that aside, the chip technology has been thoroughly and repeatedly hacked in Europe. The reason it’s called “chip and PIN” is that the vendors couldn’t make the chip alone sufficiently secure to protect their profit margins, so the previously-optional PIN was made mandatory to provide an additional level of protection.

Lesson learned, right? Nope. When the technology came to the US, the PIN wasn’t made mandatory. None of my chipped cards came with PINs or any documentation suggesting that I create one. Store terminals don’t require a PIN, and many don’t require a signature either.

Not that a signature is an effective security measure. It’s not checked against anything–there’s no reference signature stored at the bank for comparison. At most, the clerk might look at the signature on the back of the card, but odds are he or she isn’t a handwriting expert and has no idea which differences are normal variation and which could be signs of an attempted fraud.

If insanity is doing the same thing over and over again, expecting a different result*, then our credit card system is insane.

* A quote often attributed to Albert Einstein, Ben Franklin, and many others. As is so often the case, there doesn’t seem to be any evidence to support any attribution.

Oh, well. See you in four months when this card gets replaced.

Sigh.

As Predicted

Ha! Nailed it!

Pardon my excitement, but I’m not used to seeing my predictions come true so quickly. Last week I suggested that Microsoft would “encourage” diehard Windows 7 and 8 users to upgrade to Windows 10 by making the upgrade tool a “Recommended” update in Windows Update. And now several reputable technology sites, including ArsTechnica, are reporting that Microsoft will do exactly that.

If you haven’t already upgraded, you’ll see Windows 10 showing up as an “Optional” update soon, and early next year, it will switch to “Recommended” status. Users who let Windows install updates automatically (the default for non-business users) will see the installer prompting them to carry out the upgrade once the flag is flipped to recommended.

Note that you will be prompted–it won’t be a silent install that suddenly drops you into Windows 10–and you can hide the update in Windows Update to prevent it from being installed, but that could certainly change, especially after the “Upgrade free until July” period.

Microsoft is pushing Windows 10 hard. After October 31, 2016, you won’t be able to buy a new computer with an older version of Windows pre-installed. Windows 7 will still get security updates into January of 2020, but which bugs get fixed is completely at Microsoft’s discretion. As we saw with XP, the number of security flaws deemed not worth fixing grows rapidly as the end of support approaches.


Not all of my predictions come true. After last year’s correct call of the Giants over the Royals in seven games, I had high hopes for the Mets this year.

Unfortunately, the Royals had other ideas. Not only did they stomp the Mets into submission, they didn’t even take the full seven games. A true shame.

New York had good, solid pitching, but as I’ve said before, pure defense will only get you so far. You still need to score runs to win. It’s a bit of an oversimplification, but to a significant extent the Mets relied on Yoenis Cespedes to spark their offense for much of the second half of the regular season. When he went cold in the playoffs, Daniel Murphy took over the ignition duties, but nobody (ahem) stepped up to the plate in the World Series after Murphy’s home run streak ended.

Full credit here to KC: they just plain outplayed the Mets–and everyone else they faced in the playoffs–to earn the title. But it’s still disappointing that we only got a five game Series.

Ah well. Back to cooking contests on Food Network to keep me entertained.

Only 108 days until the start of Spring Training.

What Next?

Don’t mind me. I’m feeling the need to indulge my paranoid side today. No, this isn’t going to be about tinfoil hats to prevent the NSA from reading my next novel (or, for that matter, any of the previous ones) before it’s published. It’s about Microsoft’s free Windows 10 upgrade offer.

The offer, for anyone who’s been asleep for the past ten months, is a free upgrade from Windows Vista, 7, 8, or 8.1 to 10. The odd gotcha is that the offer will expire one year after Windows 10 was released, i.e. the end of July 2016. So what happens then?

Presumably, Microsoft figures that everyone who’s going to take advantage of FREE will have done so by August, even the people who take pride in being “late adopters” (the “let someone else find the bugs” crowd).

In January, I suggested that Microsoft might up the ante and try paying users of older operating systems to upgrade, but in reality, that’s unlikely to happen. It would be expensive–for any reasonable incentive amount, the cost of managing the program would probably exceed the total amount of the payouts–and most likely wouldn’t pick up more than a small percentage of the holdouts.

Slight digression: Electronic break-ins are becoming more and more visible. It seems reasonable to assume that large retailers would prefer to shift the liability for credit card thefts to the card services. They, naturally, don’t want to be liable either. I can easily see Visa, Mastercard, and Amex mounting a push to establish software liability, letting them shift costs to vendors who supply software exploited to facilitate break-ins.

At the same time, the argument between personal privacy and law enforcement access is getting louder. My gut says that we’re going to see a period of time where the public by and large becomes increasingly intolerant of security failures.

XP–which, you’ll note, is not covered by the upgrade offer–is no longer supported by Microsoft, and Vista and Seven will become unsupported over the next couple of years. That means no security fixes.

In an environment in which Microsoft could be held liable for a break-in that exploits an OS bug (and let’s not forget that huge numbers of ATMs run XP), what’s their best strategy for dealing with old operating systems? Get rid of them.

The Windows 10 upgrade is being delivered through Windows Update, even to computers that haven’t requested it–Microsoft says it’s so the software will be available if users decide to upgrade in the future. It’s flagged as “optional,” which means it won’t be installed automatically, but that can be changed easily enough. In fact, earlier this month it was being pushed by default. It could have been an error as Microsoft says–in fact it probably was–but even if it was, it still serves as a proof of concept.

There are several opportunities to cancel the installation if it starts accidentally, but Microsoft could easily release a new version of the installer that doesn’t have an obvious “Don’t Do It!” button.

Or, if they were really sneaky, they could dispense with the installer completely. What if they included a few Windows 10 files with each update to the earlier OSes and stashed them somewhere on the hard drive? When the switchover date arrives, they could push out a “security update” that updates the bootloader to point to that hidden folder, and presto! After the next reboot, you’re running Windows 10. Granted, I’m oversimplifying the process–among other concerns, some provision would need to be made for machines too old to run Windows 10–but it could be done more or less like this.

Think Microsoft wouldn’t force customers to a new version of Windows? Keep in mind that they’re explicitly billing Windows 10 as “the last version of Windows”. From that perspective, it’s not too big a stretch to consider it the only version, in which case, pushing customers from Vista to 10 isn’t really a version upgrade, it’s just an update, no different from any of the service pack updates Microsoft has pushed out in the past.

So, am I paranoid?

Another Security Oopsie

So perhaps you’ve heard that Avid Life Media, the company that runs Ashley Madison and several other dating (and “dating”) sites, has been hacked.

Ashley Madison, for those of you who haven’t been paying attention, is a site that caters to those wishing to have an affair.

The hackers claim to have grabbed the entire user database–some 37 million accounts–and threaten to release the whole thing online if Avid Life Media doesn’t shut down Ashley Madison and Established Men*. I find it interesting that the hackers apparently have no interest in ALM’s other dating sites. Maybe they have separate user databases, and the hackers didn’t get enough data to make a credible threat?

* Established Men’s focus is on facilitating relationships between “attractive girls” and “successful and generous benefactors”.

To me, the most interesting thing about the whole affair (sorry), is a line from the hackers’ statement.

The hackers’ ire appears to be focused on claims that even if a customer pays ALM’s fee (approximately $20) to have their account deleted, it remains in the database, although it’s no longer accessible online.

The statement says “Too bad for those men, they’re cheating dirtbags and deserve no such discretion.” Obviously, I’m missing something here. What about the women? Do they somehow deserve discretion? Aren’t they also “cheating dirtbags”?

No, it’s not that there aren’t any women on the site. AM doesn’t position itself as a gay dating site–although they won’t turn you down if you are looking for a same-sex affair. The very first question the site asks is your “relationship status” in one of six categories: Attached Male seeking Females, Attached Female seeking Males, Single Male seeking Females, Single Female seeking Males, Male seeking Males, Female seeking Females.

So what gives? Are the hackers suggesting that all of the women on AM were innocents, somehow tricked into signing up to have affairs? But then, what about the women on EM, who are explicitly looking for sugar daddies? Is that more noble than being a sugar daddy?

ALM spent most of yesterday downplaying the hack and declining to address questions about whether the hackers had gotten away with the entire user database and if they were planning to take the sites down.

Both sites are still up (approximately 10:30 Pacific Time) but responding slowly and occasionally timing out. Perhaps they’re overloaded with people trying to delete their profiles (ALM is waiving the fee). A bit of a case of closing the barn door after the horse has been made into glue, but a totally typical reaction.

If the sites stay up, they’ll take a hit in popularity, but I expect them to recover. Even if ALM takes them down, I can’t imagine they’ll stay down–they might come back under other names, but let’s face it, AM and EM fill a couple of very lucrative market niches. ALM is not going to abandon those markets.

People will use those sites, under whatever names they operate. And other people will hack those sites. Politics and social causes aside, a database full of valid credit cards is just too tempting a target.

Bits, Bitches, and Bites

First, allow me to apologize for the late–and brief–post. I spent the bulk of my morning resurrecting a dead computer. Well, more comatose than dead. I could boot Windows, but not Linux, and of course it was the Linux installation that had the information I needed.

I’m still not sure what went wrong, but the forensic evidence absolves the computer of all responsibility and points to the root cause having been something stupid I did.

Key lesson: if you have to keep vital information on a standalone computer instead of a network server, make sure you at least put it on a drive accessible from all operating systems on the machine.

Or write it down.


Moving on, a quick update to Tuesday’s piece about Kris Bryant.

Over at FanGraphs, Nathaniel Grow has an explanation of the legal constraints the MLBPA would have to overcome in order to successfully challenge the Cubs’ action.

Unsurprisingly, there’s an arbitration clause–what legal agreement these days doesn’t include mandatory arbitration?–and at least two different dispute resolution processes, depending on whether MLBPA wants to start from Bryant’s current status as a minor league player or his future status as a major league player.

Well worth a read–I won’t spoil Grow’s conclusions about the MLBPA’s eventual actions.

And, with that out of the way, I promise I won’t say another word about baseball.

Until next week, anyway.


Finally, I have to comment on the latest weirdness coming out of Google’s Trends page.

Did you know they’re tracking calorie searches? Neither did I. As I write this, the top five “How many calories are in X?” queries are:

  1. A Banana
  2. Pumpkin Pie
  3. An Apple
  4. An Egg
  5. An Avocado

Am I the only one who finds this list more than a little disturbing?

I mean, a banana? Seriously? More people are worried about the calorie counts of bananas than any other food? The only proper place for a banana is in a banana split, and if you’re eating one of those, the calorie contribution from the banana is hardly significant.

Why is pumpkin pie so high up on the list? Are people still trying to finish off their Thanksgiving leftovers? If so, the number of calories should not be their major concern.

Apples? OK, what kind of apple? With or without the skin? Fresh or dried? Google’s answer, for what it’s worth, is that there are 95 calories in a “medium (3″ dia)” apple. Presumably that’s for a standard apple. Note that a Google Standard Apple is not the same as an NLEA* apple. Nor, I presume, an Apple Standard Apple (these days, I believe that’s an iPhone 6).

* Nutritional Labeling and Education Act, the law that establishes the rules for the nutritional information you find on food packages in the United States. An NLEA apple offers 126 calories.

“An egg”? Does anybody really eat a single egg? As a standalone food item, eggs are almost as bad as potato chips for traveling in groups. That aside, I have to think that the cooking method will have a major effect on an egg’s calorie count. The number of people eating raw eggs has to be too small to matter.

I am pleased to see avocado make the list. I’m sure the avocado growers are delighted as well. But again, “an avocado”? Nobody eats a whole avocado as a standalone food item. Half, sliced on a sandwich or in a salad, sure. Several, mashed in guacamole, absolutely. But peel, de-pit, and munch? Uh-uh. Go ahead, tell me I’m wrong. I won’t believe you, but go ahead and tell me.

(I’ll leave the commentary on the rest of the list as an exercise for the reader. Feel free to use the comments to share your reaction to the second five: “a cheeseburger,” “a Big Mac,” “watermelon,” “an orange,” and “a slice of pizza”.)

Mind you, if the contents of the list are disturbing, the fact of its existence is at least unsettling. Remember: if Google is collecting this information, they’re sharing it with advertisers. Keep asking for calorie counts for bananas, pumpkin pie, and eggs, and it’s only a matter of time before your browser starts showing you ads for stomach pumps.

Oops!

How refreshingly meta. The fourth-most popular search on Google yesterday was “Google Drive”.

That’s right: The Internet swarmed to Google in an effort to confirm that Google Drive was down.

It’s actually not as silly an idea as it sounds at first blush–Google’s various services are largely independent of each other. Google even hosts its own service status page. According to the status page, yesterday’s outage lasted five and a half hours: more than half of the business day for those on the West Coast. Pretty significant for heavy users of Google Drive and Google Docs.

So checking Google for information on their own outages isn’t crazy, but I still find it amusing that it was so popular a reaction to the outage that it made Number Four on the daily list of searches.

I have a sneaking suspicion that a significant number of those 200,000+ searches were from people trying to find ways to get their work done without their documents, spreadsheets, and word processors.

I also suspect that a fair amount of regular work isn’t getting done today as teams rush to update their disaster recovery plans.

Remember, folks: no cloud services are 100% reliable. Always have a Plan B. Keep a local copy of all business-critical, cloud-based documents–and local tools to open them!


Keeping life in perspective, though, it’s instructive to note that football is still much more important to Americans than some weirdo technical thing. “NFL” racked up over a million searches yesterday, five times as many as “Google Drive”. Add in “Green Bay Packers,” “Cleveland Browns,” “Peyton Manning,” “Baltimore Ravens,” “Arizona Cardinals,” “New Orleans Saints,” “Minnesota Vikings,” and “Nfl.com” and we’re left with two conclusions: Google could be much more aggressive about consolidating search results and nobody was getting any work done yesterday.


I am pleased to see Jonas Salk at Number Two on the search list. It’s a nice change from the usual round of sex, celebrities, and sports that usually dominate the rankings. On the other hand, it’s a little depressing to realize that more than half a million searchers apparently had no idea who Salk was.

Well, if one of those 500,000+ people was inspired to make sure his vaccinations are up to date, it’s a victory. With anti-vaccination hysteria on the rise, we need all the help we can get.

Hey, if someone comes up with a vaccine for Ebola, will Robert Kennedy, Jenny McCarthy, Representative Bill Posey, and Donald Trump take their shots?