The USS Quad Damage

HBGary and the government

I paranoia out about my security

A keep a lot of stuff on the public internet. I think I may have some privacy rules on the facebooks, but this is more to protect my friends than me. Facebook basically gets a CC of this blog, twitter, and flickr anyway. I really just want to be protected from spammers and their email addresses, haters from knowing where I live, and the government.

The government was kind of low on my list, but since growing my beard, having the wikileaks and HBGary shit go down I’m a lot more worried. Governments seem to be paranoid as fuck. I’m now also worried about corporations — from Mastercard to Paypal to Amazon. Not only has this gotten me to re-think my “OMG CLOUD!” idea of basically shifting all my data online, but also about online security in general.

A long time ago I was the kind of guy who kept the same password for many internet services. In my defense, the password I used was non-trivial, and I used three of them, which I classified as “strong”, “medium”, and “low”. Each password was roughly as strong; the designations were for how strong I thought the security of the site was. Therefore, if someone found my “low” security password, all my low security sites would be compromised, but no biggie. Similarly for medium and I’d be a bit pissed but OK, and for strong I’d be downright angry.

Note that none of this applies for any place where money is involved — in these places security is so terrible none of my passwords are short enough, and most banking sites do not accept all the characters I use. So for banks it’s some ridiculous 4-digit pin or 8-character password. Really quite sad. Also when I ring up and they ask me for my “phone banking pin” I shudder, and pretend that these are “single-use” call center operators, and when I hang up they’ll be taken out back and shot. I’m more relying on the idea that if my money is lost that hopefully many people lose their money than expecting any real security from banks.

This went on for a number of years, and I’d been intending to move on to a password database but was really hoping for one which was integrated with firefox and didn’t keep everything “on the cloud”. I also wanted to be able to use the password program on both Windows and Linux. I used to trust the cloud for other things but not my passwords. I started noticing that I wasn’t signing up for very many web services because I didn’t really trust new sites with any of my passwords, or the data I could keep on there wasn’t in line with the security on the site. The penny dropped when I used a medium strength password for a site I (IIRC) needed to use. The site emailed me my password #inplaintext. Despite the fact that the tool I use now basically doesn’t even work on XP systems, and barely works on linux (mono), I basically felt desperate enough to switch.

However, the password database and program was now a liability. If I lost that I lost everything. Not every site I went to had a “Forgot your password?” option. And they also had a very strong attack vector: My email address. Luckily gmail has patched their vulnerability on cookie stealing, but back then, despite that I thought of the cookie stealing problem, I never really thought “Hey people can just steal my cookie, go to another site and reset my password”. But now I’m against a bigger problem: What if the government or other large corporate entity wants access to my emails? What if they want to reset my passwords? I’m back to a single source of failure.

I could create many mock email addresses, but I’m actually in a situation where I’m nearly “locked out of my own house” as it were. The password safe is in a secure location, and to get to it I need some context. It may be possible that if I lose that context I may lose everything.

Now I haven’t even talked about security vulnerabilities which could pwn my machine specifically. I’ll just leave it at “I don't have a rootkit on my machine, and I don't think I'll get one any time soon”. I also doubt I’ll get hacked so easily. I say this despite the number of bugs in, say, flash and the JVM. I’m mostly careful enough, but who knows. I’m also worried about how IPv6 firewalls will change the scenario. However, I’m far more concerned about external entities with my information that will hand it over either willingly or without a major fight.

As for anyone specifically targeting me, my issue isn’t that they can get at my data, but why. I mean, it’s kind of a dick move. You could go through all my emails, and you could rifle through the garbage, but that would make you a weirdo. So you know things about me. That doesn’t make you less of a wanker.

In conclusion, staying secure is a pain in the arse. And I should probably consider pulling more of my context, like email, off the internet; despite the convenience. I should also stop putting “my life” (the secure bits) on the internet as I have been previously considering. Anyone who hacks me is a dickhead, and just letting me know that will lower my opinion of them.