The Lorem Ipsum Conspiracy


As a linguistics geek, I have an unnatural love for the words ‘lorem ipsum’. So I was fascinated to read this account from security researchers who found that the phrase ‘translated’ through Google Translate to some key phrases that definitely didn’t exist in the original Latin:
A table showing the words 'lorem ipsum' and their 'translations' from different capitalisation. Translated words include 'China', 'Internet' and 'The company'.

I’m not sure if I should read this as a clever modern-day spy story or a fascinating conspiracy theory, but it’s entertaining either way.


Experience with password managers

Edit: a ‘feature’ in WordPress publishes anything written from a draft (anything that takes more than one bite to write, i.e.) as though it was published on the date the draft was started. Thus, this was published earlier this week, but disappeared back through time into my archives as soon as I hit ‘publish’. Apologies to anyone who was bereft at the lack of blogging on my part.

A couple of months ago, I mentioned that I was looking into using a password manager instead of relying on my memory to store all 184 of my passwords (or thereabouts).

It was a good choice.

I ended up choosing LastPass for my trial. Web research and the experience of a work mate suggested it was easy to use and offered all the functionality I wanted.

What it does

LastPass (and similar companies like 1Password) store your passwords in a secure location, pasting them into forms when you ask for them. Practically, this means you need to remember just one password (the one to open LastPass) instead of scores of them. It also generates new passwords when I ask and offers to autofill forms with details ranging from my address (which it has) to my credit card number (which it doesn’t).

The screen shot below shows how it looks when I log in to Facebook now. The asterisks at the end of the username and password fields show that I have saved information for those fields; the number shows how many different identities are saved (handy if you’re sharing an account).

The Facebook log in screen showing an asterisk with the number '1' in front of it, both on the far right of the username and password fields.

I chose LastPass for my system because it works well on my phone, is web based so I can use it at work, and is well priced – $12 a year. You can get it for free if you only want to use it on computers, but I encourage users to pay even then. $12 is a tiny amount to pay for something like this.

What I have to do

Adding a site to LastPass is really easy – when you log in for the first time, it should already be running in the browser. It will ask if you want to save that password, and you can just answer ‘yes’. Total time: 3 seconds.

My process is a bit more complicated. I’m moving from an insecure generic password for all my second and third-tier sites (e.g. stuff that isn’t completely disastrous if it’s hacked) to unique, unmemorable passwords for all of them.

Each time I log in to a site for the first time since starting to use LastPass (or the second or third time if I’m busy), I’ll stop and change the password to a newly generated random set of characters. It takes about 30 seconds to change the password all up. That would be a burden if I tried to do them all at once, but doing it gradually has worked well and barely affected my timetable at all.

So far, I’ve literally had no trouble with LastPass. 90% of the time I’ll be logging in to sites from my home or work computers and the passwords will come up automatically.

The rest of the time, I’m either using my mobile, or someone else’s computer. If I’m using my mobile, I can use the LastPass browser to access the site that needs a password. The browser on my phone can’t have plug-ins, otherwise I expect I would be able to do it in there.

If I’m on someone else’s computer and can’t install programs, there’s still a fix – I can go to the LastPass website and log in to their web service, then copy and paste the relevant password without it showing on the screen.

Risks

The obvious worry in doing something like this is that LastPass could a) be hacked or b) steal my password and then use it to steal my stuff. There are a few reasons I’m not worried about that:

  • My old system had a single password or similar passwords being used all over the place, so there was a single point of weakness either way. So far, there’s no loss.
  • There’s also a gain in security: the single point of weakness in my system is now protected by a company that stakes its entire ability to exist on being able to protect my passwords. Their whole company literally relies on beating anyone who tries to crack their security. That means their system is going to be much safer than if I went around giving my password to all the sites I want to use, from Facebook to http://www.cutekittenpix.com. If you’re interested in thinking more about this, Lifehacker have already applied their braincells to the same problem.
  • At that point, the weakest point in the chain is the staff at LastPass – they could decide that the contents of my accounts are worth more than the $12 a year I give them to protect my information. But that’s going to be hard to pull off – aside from the fact that stealing my passwords would probably result in their staff being arrested for theft, the entire system is set up so that only I can see the plain text versions of my passwords – everything at their end is encrypted and salted.

And if all that fails, it’s still not a world-ending problem for me. I’ve kept the passwords for my key email account, my bank account and my work system completely separate from my LastPass use, so that my core services will be safe even if LastPass fails. Plus, those passwords are easier to remember now that I only have four to keep in mind.

Which is why I’m not too concerned about the biggest risk of all: forgetting the master password. Articles like Lifehacker’s Choose (and remember) great passwords have helped me craft a password for LastPass that I haven’t forgotten yet, despite not using it often.

How it’s changed things

Using LastPass has done one simple thing: remembered my passwords so I don’t have to. While it’s pretty simple, it’s made a big difference for me. I can now:

  • Log into sites automatically, or with a single click rather than having to go through a password reset on every third visit to Amazon.
  • Stop stressing about which variation of my mnemonic I’d used.
  • Remember my four key passwords more easily, since there are no other passwords for them to get tangled up with.
  • Save time logging in! Now I’ve got the system up and running, I know I won’t have to stop and fuss with a password reset to use a site that’s outside of my daily routine.

If you’re interested in taking a look for yourself, check out the LastPass website, take a look at one of its competitors like 1Password or KeePass, or see what other clever people have to say about getting a strong password system.

Big advertising or big surveillance: you choose

Around August last year, Janet Vertesi began hiding the fact that she was pregnant. Not from her husband, family and friends, but from the internet and every marketer who uses the internet to influence the product choices of new mothers.

Vertesi, an assistant professor of sociology at Princeton University, used her experience as a mother-to-be to examine the way that the bots and cookies that track our online actions can affect our political and social interactions with the world.  She was particularly interested in what happens when offline tracking systems (e.g. supermarket loyalty cards and branded credit cards) come together with online systems (e.g. cookies, bots, Amazon recommendations), leading to interesting combinations like the way her use of Facebook could affect the way that real-world shops in her area would interact with her.

(See Vertesi from 1:30)

To start, Vertesi banned all mentions of her pregnancy on social media, both in text and pictures. To be sure, she phoned all her family and friends with the good news (an old-fashioned action in itself) and asked everyone to avoid mentioning her pregnancy online. Interestingly, this ban didn’t translate well for some of her family members, who were unfriended to make sure they couldn’t spoil the project.*

The other big change Vertesi and her partner made was to make sure all their baby-related browsing and buying was untraceable, which meant they had to avoid all the ways that purchases can be analysed. These included obvious incentives for people to consent to having their data analysed – like company loyalty cards – but also larger buying systems, like credit cards and franchises’ analysis of purchases based on name, location, pattern of internet use and other identifiers that can be used to pinpoint an individual.

To make their purchases completely anonymous, they used cash for everything, from vitamins and maternity wear to a pregnancy cast. For online purchases, they created a new email address, disconnected from their other affairs, which they used to create an equally anonymous Amazon account. They then bought their baby goods using Amazon gift cards they’d bought with cash, having the products delivered to local parcel lockers. Needless to say, it was a lot of extra work.

Browsing for information on pregnancy and raising a baby was equally hard. As Vertesi quipped in the presentation “I’m actually here today to win a ‘most creative use of TOR’ award”. It’s a funny idea, but also really serious, as Vertesi and her partner realised when they went to buy yet another slew of Amazon gift cards and discovered a sign saying the company “reserves the right to limit the amount of pre-paid card purchases and has an obligation to report excessive transactions to the authorities”.

This was just one of the ways that Vertesi realised their behaviour could have raised alarms. Looked at objectively, Vertesi and her partner were making significant cash withdrawals across the city (including one withdrawal of thousands of dollars for a pram), frequently using TOR** and using items like gift cards to obscure their purchasing habits. While in this case Vertesi was hiding her pregnancy, these could also have been read as signs of her involvement in organised crime, political rebellion or any one of a number of illegal activities.

As Vertesi points out, this connection can be drawn only as a result of simplifications that conflate ‘unusual activity’ with ‘suspicious activity’. This has huge implications for people who have legal reasons for their unusual activity such as legal protest against the government, hiding their pregnancy or, in the case of a friend of mine, hiding the fact they were transsexual until they were in a position to come out on their own terms.

The implications of data mining for privacy are also worth considering here. When I’m writing this blog, I am very aware that it’s a semi-permanent record which will be available for the rest of my life. Anything I say here, I need to be willing to stand by for the rest of my career (or at least willing to laugh it off as a 20-something’s indiscretions).*** However, I’m very aware of the staying-power of my words because of my study and work around internet issues. In contrast, the public conversation about online accountability has only come as far as the importance of not sending naked selfies and other teen-related indiscretions (though there have been plenty of examples of adults missing that lesson). We haven’t yet had the hard examples of early online actions having long-term implications. These watch-your-actions-early-in-life lessons have been common in some circles for a while (e.g. student politicians’ arguments being re-published decades later {See The Deadly Newt for the original audio}), but most people do not live their lives with the expectation that their every action is up for analysis.

XKCD on embarrassing pictures on the internet

It pains me to disagree with XKCD, but those pictures can be awfully significant.

To most people, the internet is – and should be – a place to talk comfortably and casually, with no expectation that their discussions about gardening, fitness or politics could have wider significance in the next five years, let alone the next 50. However, individuals’ comments now exist as searchable, contextualised information that can be found decades later – after someone has changed their stance on an issue – or used for a purpose that the individual would never have given their permission for.**** I have no solution to suggest to this – opting out of the online sphere has implications, and limiting one’s speech, especially on political subjects – has even bigger implications in the long run, as we lose the benefits of robust political discourse.

Ultimately I’m taking two lessons from this:
1. As an individual, I should think before I speak/type/share data/tick the box on an EULA.

2. As a public servant, I should know the potential consequences of my policies; even those that are a stretch at the time.

Both of these seem self evident, but this research has taught me that they’re awfully important.

—//—

*An aunt and an uncle (who lived on different sides of the world) both sent private Facebook messages to Vertesi congratulating her on the good news. When she deleted the messages and explained to them that this counted as ‘mentioning it online’, one commented that she “didn’t realise that a private message wasn’t private”. While it was true that individuals wouldn’t be able to go through that conversation, the aunt hadn’t realised that the information from the conversation could still be used by Facebook for data analysis.

**TOR is free software that people can use to increase their chances of being anonymous on the internet. It’s not a perfect anonymiser, but it’s widely available and very effective.

*** The European ruling about an individual’s right to be forgotten is significant here – if it becomes a widely applicable rule, all bets are off.

**** The Economist’s article about American healthcare companies using social media updates to determine whether someone is too active to be offered health insurance is a perfect example. Among the details, the article mentions the head of an American company that produces insurance underwriting software who has shifted purchasing fast food with cash, so that the choice of junk food can’t be factored into his health insurance premiums.

Hashes and blogging

…which are two separate topics for today.

Blogging

I’ve been frustrated recently with my drift towards simple link-based posts drawing attention to a topic instead of presenting (and thus forcing myself to do more) original thinking.

I’m planning to sort that by writing on:

  • topics I need to understand better
  • things I find fascinating, and
  • topics where I’m annoyed by my ignorance.

While I’m broadly planning to use it for that attempt to study more history that I’ve mentioned before, Daniel has also pointed out Reddit as a good place to look for all three.

Unfortunately, I got distracted by an article that gave me the last piece of the puzzle for understanding how encrypted passwords (and the hacking thereof) works. I’d share that with you, but it depends a lot on the idea of hashes, so let me tell you about hashes instead.

Hashes

Hashes are* a way to check encrypted information (read: information in code) without decrypting it.

To get a hash, start by encrypting your message, then run it through a complicated maths equation – an algorithm – to get a number that was created from the original information, but can’t be used to work backwards to get the original information (at least, not without a lot of work).

For example, imagine your unhashed information is “3922 X 7290” (where that X is a multiplication sign, not part of the encrypted information), and your hash is the resolution of that sum: 28591380. From the unhashed information, it’s very easy to create the hash. But it’s really difficult to work it in the other direction – there are so many equations that could result in the number 28591380 that it would take a ridiculous number of hours to find the right one.

This is enormously valuable for ensuring people can keep information (like their bank password) secret while still communicating it over the open internet. If anyone tampers with your message, the resulting hash will be dramatically different, just like if you try changing one digit in the sum above – you’ll get an answer that’s obviously different.

However, this is also the reason why you need to avoid passwords like “password” or “123456” for any information you want to keep at all safe. There are only a few secure encryption systems around, and the systems themselves aren’t that hard to get hold of. This means an enterprising coder can run common passwords through an encryption system and find out what the hash for “password” looks like. Hey presto! If they can intercept the hash for the information, anyone using “password” has just given away their password**. This isn’t especially rare – it’s possible to buy hash tables online.
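To make the hashing idea concrete, here is an added example of my own (not code from the post, Wikipedia or LastPass): it hashes the post’s sample sum and shows that changing one character scrambles the result, builds the kind of precomputed table of common passwords the post warns about, and then shows how a per-user salt (the “encrypted and salted” storage mentioned in the password-manager post) stops that table from matching. The list of weak passwords and the salts are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets

# Constructed sample list of weak passwords for the demonstration (not from the post).
COMMON_PASSWORDS = ["password", "123456", "qwerty", "letmein"]


def sha256_hex(text: str) -> str:
    """Unsalted SHA-256 of a string, as hex: easy to compute, hard to reverse."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def differing_hex_digits(a: str, b: str) -> int:
    """Count how many of the 64 hex digits differ between two digests."""
    return sum(x != y for x, y in zip(a, b))


def build_lookup_table(candidates) -> dict:
    """The precomputed table the post describes: unsalted hash -> password."""
    return {sha256_hex(pw): pw for pw in candidates}


def recover_from_table(table: dict, stored_hash: str):
    """If a site stored the bare hash, a table hit reveals the password; else None."""
    return table.get(stored_hash)


def new_salt() -> bytes:
    """Fresh random salt; a site stores one per user alongside the hash."""
    return secrets.token_bytes(16)


def salted_hash(password: str, salt: bytes, iterations: int = 100_000) -> str:
    """Salted, iterated password hash (PBKDF2-HMAC-SHA256), as a site should store it."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations).hex()


def verify_salted(password: str, salt: bytes, stored: str) -> bool:
    """Recompute and compare in constant time so the check itself leaks no timing hints."""
    return hmac.compare_digest(salted_hash(password, salt), stored)


if __name__ == "__main__":
    # The post's sum, and the same sum with a single digit changed.
    original, tampered = sha256_hex("3922 X 7290"), sha256_hex("3922 X 7291")
    print("hex digits changed by a one-character edit:", differing_hex_digits(original, tampered))

    table = build_lookup_table(COMMON_PASSWORDS)
    print("unsalted 'password' recovered from table:", recover_from_table(table, sha256_hex("password")))

    salt = new_salt()
    stored = salted_hash("password", salt)
    print("salted hash found in table:", recover_from_table(table, stored) is not None)
    print("login check with the right password:", verify_salted("password", salt, stored))
```

The salted hash of “password” is still a weak password that a patient attacker can guess one user at a time; the salt only removes the shortcut of looking it up in a table built in advance.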

The moral of the story: take the extra three seconds to think of a proper password! Or use LastPass or a similar password management system. I’ve got an evaluation of LastPass on the way, but the short version is: do it.

—//—

*While I’m writing this in the definitive, I’m also learning as I write. Keep in mind that
a) it’s entirely likely I’ll get some details wrong. If you need to be definite, do your own research. 😉
b) in six months, this post will be useless as an indication of what I know about the topic.
** Wikipedia does a pretty good job of explaining this.

Password pains

The Heartbleed hack has made me very aware that my passwords need an overhaul, stat! Because they’re getting hard to remember with enough variety between services, I’m planning to move to a password management service at the same time.

The Lifehacker crowd give some great advice on how to manage passwords, but I’d love to know what your experience is. Have you used a password manager before? How convenient are they? Is something extra like Yubikey worth the effort?

And if you’re a friend or family member who’s thinking about doing something similar but you’re finding it intimidating, let me know. I’m happy to spend an hour or two working it through with you once I’ve figured out how this all works. Plus, you can expect a write-up on here, of course.