Cross-posted from my security blog, Web Insecurity.

Should you really change your re-used passwords after a breach? Maybe not.

The news is reporting that 453,000 credentials were allegedly taken from Yahoo, and current reports say that it's probably Yahoo Voice that was compromised. If you want to know if yours is in there, it seems like the hacker website is overwhelmed at the moment, but you can search for your username/email here on a sanitized list that doesn't include the passwords.

Probably unsurprisingly, the next bit of news is that people haven't changed their hacked passwords from previous breaches. To wit, 59% of people were re-using the passwords that had previously been hacked and released to the public in the Sony breach. Which seems a bit high given the publicity, but I'm not as surprised as I maybe should be.
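The 59% figure is the kind of number you get by joining two leaked dumps on the account identifier and checking whether the password matched. The script below is an added example (my own, not from the original post or from whoever published the Yahoo numbers) of that analysis, plus the "sanitized list" step of stripping passwords so people can check whether they're affected without the passwords being re-published. The two dumps, the email addresses and the passwords are all constructed sample data, and the `email:password` line format is an assumption about how such dumps are typically formatted.

```python
"""
Cross-breach password reuse analysis (added example, not from the original post).

Given two leaked credential dumps, measure how many accounts present in both
reused the same password, and build a sanitized list (identifiers only) that
can be published for self-checks without re-exposing passwords.
Both dumps below are constructed sample data, not real leaked credentials.
"""

# Constructed sample dump lines in "email:password" form (hypothetical users).
SONY_DUMP = """\
alice@example.com:sunshine1
BOB@Example.com:letmein
carol@example.com:qwerty123
dave@example.com:hunter2
erin@example.com:ilovecats
"""

YAHOO_DUMP = """\
alice@example.com:sunshine1
bob@example.com:letmein
carol@example.com:Different!
frank@example.com:trustno1
malformed line without separator
"""


def parse_dump(text):
    """Parse 'email:password' lines into a dict keyed by normalized email.

    Emails are lower-cased so 'BOB@Example.com' and 'bob@example.com' match
    across dumps. Passwords are kept as-is (they are case-sensitive) and may
    themselves contain ':', so the line is split only on the first separator.
    Lines without a separator are skipped rather than aborting the run.
    """
    records = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        email, password = line.split(":", 1)
        records[email.strip().lower()] = password
    return records


def reuse_stats(old, new):
    """Return (overlap, reused, rate) for accounts present in both dumps.

    overlap: number of accounts appearing in both dumps
    reused:  overlapping accounts whose password is identical in both
    rate:    reused / overlap (0.0 when there is no overlap at all)
    """
    shared = set(old) & set(new)
    reused = sum(1 for email in shared if old[email] == new[email])
    rate = reused / len(shared) if shared else 0.0
    return len(shared), reused, rate


def sanitized_list(dump):
    """Identifiers only, sorted, for a searchable 'am I in this dump' list."""
    return sorted(dump)


if __name__ == "__main__":
    sony = parse_dump(SONY_DUMP)
    yahoo = parse_dump(YAHOO_DUMP)
    overlap, reused, rate = reuse_stats(sony, yahoo)
    print(f"{overlap} accounts in both dumps, {reused} reused the same password ({rate:.0%})")
    print("sanitized list:", sanitized_list(yahoo))
```

On the constructed data, three accounts appear in both dumps and two of them kept the same password, so the reuse rate is 67%. Note the caveat that an exact string comparison only counts literal reuse; someone who went from `letmein` to `letmein1` counts as "changed" here even though a credential-stuffing attacker trying obvious variations would still get in, so the published reuse figure is, if anything, a lower bound.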

What I'd really like to know is how many of those people actually suffered from this password re-use. Did anyone bother to try re-using their credentials?

I'm reminded of one of my favourite security papers, "So Long, and No Thanks for the Externalities: the Rational Rejection of Security Advice by Users," by Cormac Herley. In it, he claims that many security "best" practices like changing passwords frequently are actually a waste of time for the average user, when you take into account the risks involved.

So, is changing a password after a breach one of those things that we can skip without much incident? Sadly, I don't have any definitive way to analyze how many folk were inconvenienced by their password reuse in the Sony and subsequent Yahoo breaches, but I can make a guess: If those accounts were compromised on Yahoo after the Sony breach, we'd be seeing a lot more people changing their passwords between the two. So probably at least those 59% were not inconvenienced enough to change their passwords subsequent to the breach.  That's a lot of people.

Of course, it's possible that the accounts were breached and used in a way that the owner never noticed. But if they're not noticing, are they really being inconvenienced? Probably in a global sense (i.e. spam) but maybe not in a short-term decision-making sense. Of course, we could assume that the alleged hack is a hoax using many of the previously hacked passwords from Sony, but given how easy it is to compromise web apps I'm currently assuming that the hack itself is a real thing.  In which case, that's a lot of no-change. It looks suspiciously like you're likely to be more inconvenienced taking the time to change your password than you would if you did nothing, statistically speaking.

So, should you change your password after a breach? It depends on how much you feel like rolling the dice. Failing to change their breached passwords doesn't seem to have hurt that many of the Yahoo Voice denizens, but with numbers on re-used passwords hitting the news today, it's possible we'll see more people trying this avenue of attack in the future.  Still, rather than assuming those 59% are foolish for keeping the same credentials, it's worth considering that they might have just been savvy gamblers, this time.
Cross-posted from Web Insecurity

I often get into discussions about whether people really do care about privacy, given that they give away personal information regularly when they share with friends via Facebook or other services. A recent report suggests that people do care, at least when it comes to banking and shopping:

The Edelman study released in February 2012 shows that consumer concerns about data privacy and security are actively diminishing their trust in organizations. For instance, 92% listed data security and privacy as important considerations for financial institutions, but only 69% actually trusted financial institutions to adequately protect their personal information. An even sharper disconnect can be seen with online retailers, with 84% naming security of personal information as a priority but only 33% trusting online retailers to protect it.

The blog of the Office of the Canadian Privacy Commissioner (from which I drew this quote) sums it up in the title: Privacy: Not just good business, but good for business.

But I have to wonder, do these numbers indicate that privacy-preserving businesses will be winning customers, or will we simply see claims of privacy that aren't backed up by carefully constructed systems? Do consumers really care about privacy or do they just say they care? How will consumers evaluate potentially spurious privacy claims? In Canada we at least have the privacy commissioner who brings issues to light, and worldwide we have the Electronic Frontier Foundation, but while both organizations are astute and do their best, privacy claims are something that will need to be evaluated by organizations like Consumer Reports that are used by consumers when making decisions about where they spend and keep their money. Right now, by and large, we only hear about the relative privacy of an organization when a breach occurs.

I attended a talk on Internet voting yesterday and the speaker quoted an official in DC who claimed that, "voters like internet voting, so it must be secure," which is really quite a terrifying quote if you think about it. The speaker joked, "does this mean that because my kid likes cake, it must be healthy?" It really clearly demonstrates first that users of the system have very little understanding of its safety (despite strides in the area, internet voting as currently implemented is rarely secure) but also that officials who roll out such systems have little understanding of the flaws of the system and are much too willing to overlook them for convenience's sake. If this is the case with voting, it's hard to believe that business would avoid such cognitive mistakes.
I'm re-reading Richard Hamming's talk on You and Your Research because I felt like I needed the kick in the pants to do great work this month after some very busy months of doing necessary but not necessarily great things.

In this reading, I was struck by this anecdote:

John Tukey almost always dressed very casually. He would go into an important office and it would take a long time before the other fellow realized that this is a first-class man and he had better listen. For a long time John has had to overcome this kind of hostility. It's wasted effort! I didn't say you should conform; I said "The appearance of conforming gets you a long way." If you chose to assert your ego in any number of ways, "I am going to do it my way," you pay a small steady price throughout the whole of your professional career. And this, over a whole lifetime, adds up to an enormous amount of needless trouble.

On a surface level, I've long believed this is true. I've long been primed in the art of social hacking, first by my father and more recently as a security researcher/hacker. Anyone can watch the subtle variations on how I dress on teaching days or days when I'm going to the bank and you'll note that I pay attention to fitting in to the environment and manipulating the way in which I'm perceived. But as a child of the Internet, more or less, my experimentation hasn't been limited to physical presentation. Especially as a teenager, I spent a lot of time grossly mis-representing my age and gender as well and watching how that changed my interactions with folk.

But what gets me this time is the end of that quote: "[If you don't appear to conform,] you pay a small steady price throughout the whole of your professional career. And this, over a whole lifetime, adds up to an enormous amount of needless trouble." Sometimes it's important to change the system, but sometimes you just want to get stuff done.

I can dress the part, but I don't generally change my gender presentation in real life. Is my female-ness adding up to an enormous amount of needless trouble over my lifetime given that I work in a field where that's going to make me non-conforming? I suspect it is, although I'm fortunate enough that my gender presentation is often canceled out by my racial makeup (Asian girls are totally good at math, don'tcha know?) so I can console myself by saying maybe it's not as enormous as it might have been. But not every person who doesn't fit the norm for their field has that consolation prize. Are we all paying the price of being different?

It's easy to get a little saddened by this. All that time explaining that no, I really am a techie, has added up to a lot of time I'm not having amazing conversations and doing great work. But before you get too saddened about how your hard-to-hide features like race/age/gender are affecting your ability to Do Great Things, you should stop and listen to Duy Loan Le's excellent 2010 Grace Hopper Celebration Keynote. In it, she talks about what she does to fit in to environments where she felt that letting go of her ego made it possible for her to get more good work done. I think it's really worth a listen, especially if fitting in isn't just a choice of what suit to wear for you.

Honestly, I think I make more resolutions after GHC than I do at new year's. I'm always so inspired!

Thing 1: Pushing the development of the GNU Mailman UI

Two things came together for me at the conference:

1. One thing I heard frequently while working the free and open source software booth is that there are plenty of folk interested in getting involved with open source, but they're not sure where to start.

2. I came home with a suitcase full of paper prototypes and pictures from the Mailman 3.0 part of the codeathon for humanity on Saturday. I was looking at spending my evenings digitizing them and turning them into functional prototypes.

So... I asked for help! Transcribing paper prototypes isn't the most glamorous of work, but it's a great place for a beginner to start, and given that we're hoping to have a Mailman 3.0 release as soon as possible, new contributors would have a chance to ramp up to doing real code commits very quickly. Plus they'd be able to see their code go out and be used in the real world sooner rather than later!

I posted to the Systers list knowing I wasn't the only one feeling the post GHC rush, and I posted to the Mailman list knowing we had a would-be contributor who wanted to help.

What I wasn't expecting was that I'd have talked to NINE volunteers in less than 24 hours. How awesome is that? And most of them are women as well!

Now I have the problem of making sure I have enough for everyone to do, but with a variety of skill levels I'm sure we won't have any trouble finding stuff for everyone. I'm so excited, and I hope they are too!

Associated goals:
- Allocating more of my time to serious Mailman development.
- Getting more women involved in open source.
- Improving the usability of Mailman 3.0
- Speeding up development of the Mailman 3.0 UI.
- Doing some teaching/mentoring since I love it but won't be doing it at work this year.

Thing 2: e-textiles

The first thing I did after I got home from GHC11 was sleep. But when I woke up in the middle of the night, the second thing I did was order stuff from SparkFun. :)

I've ordered a couple of simple e-textiles kits and the goal will be to play with them. I made an awesome monster at the GHC e-textiles workshop and I was eager to do more. The end goal is to build a set of lights into my new coat that respond to my movement in some way (See the tentative wishlist), but for now I'm going to make a lit cuff/armband for walking at night and experiment with the neat little aniomagic chip 'cause it looks like so much fun!

Associated goals:
- meeting more people in the local community
- actually becoming a member of a hacklab to support my projects
- making it safer for me to walk home in my beautiful-but-not-visible new black coat
- experimenting with e-textiles
- doing some more hardware-oriented projects
- making sure I had a project that would take me away from the computer

Not-quite-a-Thing 3: Not biting off more than I can chew

A common theme at GHC is reminding people that we have to really be careful about time management so that we don't get overloaded, so I'm choosing those two things that cover lots of my personal goals, and I'll aim to do them well and save the other things I want to try for later. Wish me luck!

I'd love to hear how other people are using what they learned at GHC11!
In the past few days, I have wrapped up whatever I could, flown something like three thousand kilometers and changed countries and time zones, got woken up repeatedly by an alarm clock that appeared to be switched off (and thus couldn't be turned off, either), dealt with my insurance company and two banks, obtained new credit cards and a new driver's license, looked at some of my water-damaged stuff, failed to finish my thesis defense slides, caught up with half of my family who I haven't seen in a month...

Needless to say, I have not written a post for Ada Lovelace Day. But you can click on that link and read other people's posts, and you can still write your own post about someone awesome. I mean, you don't need a special day for that, you know?

I, meanwhile, have unplugged the haunted alarm clock and am going to try to actually get some sleep.
