Pew should evolve its cybersecurity survey

Pew should evolve the questions they are asking and the advice they are giving based on how the threat environment is changing. But they should keep asking.

Last year, Pew Research surveyed just over 1,000 people to try to get a feel for how informed they are about cybersecurity.  That’s a great idea because it informs us as a society as to how well consumers are able to defend themselves against common attacks.  Let’s consider some ways that this survey could be evolved, and how consumers can mitigate certain common risks.  Keep in mind that Pew conducted the survey in June of last year in a fast-changing world.

Several of the questions related to phishing, Wifi access points and VPNs.  VPNs have been in the news recently because of the Trump administration’s and Congress’ backtracking on privacy protections.  While privacy invasion by service providers is a serious problem, accessing one’s bank at an open access point is probably considerably less so.  There are two reasons for this.  First, banks almost all make use of TLS to protect communications.  Attempts to fake bank sites by intercepting communications will, at the very least, produce a warning that browser manufacturers have made increasingly difficult to bypass.  Second, many financial institutions make use of apps on mobile devices that take some care to validate that the user is actually talking to their service.  In this way, these apps actually mark a significant reduction in phishing risk.  Yes, the implication is that using a laptop with a web browser is a slightly riskier means to access your bank than the app it likely provides, and yes, there’s a question hiding there for Pew in its survey.

Another question on the survey refers to password quality.  While this is something of a problem, there are two bigger problems hiding that consumers should understand:

  • Reuse of passwords.  Consumers will often reuse passwords simply because it’s hard to remember many of them.  Worse, many password managers themselves have had vulnerabilities.  Why wouldn’t they?  It’s like the apocryphal Willie Sutton quote about robbing banks because that’s where the money is.  Still, with numerous break-ins, such as those that occurred with Yahoo! last year*, and the others that have surely gone unreported or unnoticed, reuse of passwords is a very dangerous practice.
  • Aggregation of trust in smart phones.  As recent articles about American Customs and Border Patrol demanding access to smart phones demonstrate, access to many services such as Facebook, Twitter, and email can be gained just by gaining access to the phone.  Worse, because SMS and email are often used to reset user passwords, access to the phone itself typically means easy access to most consumer services.

One final area that requires coverage: as the two followers of my blog are keenly aware, IoT presents a whole new class of risk that Pew has yet to address in its survey.

The risks I mention were not well understood as recently as five years ago.  But now they are, and they have been for at least the last several years.  Pew should keep surveying, and keep informing everyone, but they should also evolve the questions they are asking and the advice they are giving.


* Those who show disdain toward Yahoo! may find they themselves live in an enormous glass house.

Removal of privacy protections harms service providers

Removing privacy protections harms consumer security AND service provider business prospects.

As the media is reporting, the administration has removed privacy protections for American consumers, the idea being that service providers would sell a consumer’s browsing history to those who are interested.  Over time, service providers have looked for new and novel (if not ethical) ways to make money, and this has included such annoyances as so-called “supercookies”.

Why, then, would I claim that removing consumer privacy protections will harm not only consumers, but telecommunications companies as well?

In the new world that is coming at us, our laptops, cell phones, and tablets will be a minority of the devices that make use of our home Internet connection.  The Internet of Things is coming, and will include garage door openers, security systems, baby monitors, stereos, refrigerators, hot water heaters, washing machines, dishwashers, light bulbs, and lots of other devices.  Many of these systems have been shown to have vulnerabilities, and the consumer does not have the expertise to protect these devices.  The natural organization to protect the consumer is the telco.  They have the know-how and the ability to scale to vast numbers of consumers, and they are in the path of much of the communication, meaning that they are in a position to block unwanted traffic and malware.

The consumer, on the other hand, has to be willing to allow the service provider to protect them.  Why would consumers do that if they view the service provider as constantly wanting to invade their privacy?  Rather, it is important that these companies enjoy the confidence of consumers.  Degrading that confidence in service providers, therefore, is to degrade security.

Some people say to me that consumers should have some choice to use service providers who afford privacy protections.  Unfortunately, such contractual choices have thus far not materialized because of all the small print that such contracts always entail.

What is needed is a common understanding of how consumer information will be used, when it will be exposed, and what is protected.  The protections that were in place went a long way in that direction.  The latest moves reverse that direction and harm security.

Yet another IoT bug

Miele could have benefited from MUD, as well as the experience of the Internet security community.

The Register is reporting a new IoT bug involving Miele PG 8528 professional dishwashers, used in hospitals and elsewhere.  In this case, it is a directory traversal bug involving an HTTP server that resides on port 80.  In all likelihood, the most harm this vulnerability will directly cause is that the dishwasher would run when it shouldn’t.  However, the indirect risk is that the device could be used to exfiltrate private information about patients and staff.  The vulnerability is reported here.

Manufacturers expect that it will be very simple to provide Internet services on their devices.  Initially, they think that it’s fine to slap a transceiver and a simple stack on a device and call it finished.  They’re not.  They need to correct vulnerabilities such as this one.  They apparently have no mechanism to do so.  Manufacturers such as Miele are experts within their domains, such as building dishwashers.  They are not experts in Internet security.  It is a new world when these two domains intersect.

We need MUD

And yes, Manufacturer Usage Descriptions would have helped here, by restricting communication either to all local devices or to specifically authorized devices.

Taxing Bitcoin? IRS gets involved

Once again: is bitcoin a currency, and do currency rules apply? Or is it a capital asset and do those rules apply?

The Wall Street Journal is reporting that a large Bitcoin exchange, Coinbase, has been served with a so-called “John Doe” warrant in search of those people attempting to evade taxes.  A number of privacy advocates are upset at the breadth of the warrant, because it demands access for an entire broad class of people, and not specific people.

Bitcoin is used for all sorts of nefarious purposes, including online ransoming.  Tax evasion would be the least of its problems.  Were Coinbase a bank, they would be required to inform the federal government of transactions greater than $10,000 or of those individuals believed to be structuring transactions to avoid the $10,000 filing requirement.  These are anti-money laundering provisions that go hand in hand with tax enforcement.

And so my question: if it is wrong for the federal government to make such a demand of Coinbase, is it also wrong of them to make the same demand of banks?  If it is not, then why should Coinbase be treated differently?  And if Coinbase is not treated as a bank, is Bitcoin then not a currency?  If it’s not a currency, should it be treated as a capital asset for taxing purposes?  If that is the case, how would the IRS be able to enforce the reporting requirements associated with assets?

The alternative seems to be to trust people to not launder through Bitcoin.  If history, including recent history, is any measure, that’s a bad idea.  Either way, Bitcoin has already shown that privacy has its downsides.

Trump and Ryan’s healthcare failure doesn’t mean they will fail in the future

Just because President Trump and Speaker Ryan lost the healthcare battle doesn’t mean they’ll lose the coming tax overhaul battle.

Over the last twenty-four hours many people have been talking about who should take the “blame” for the failure of the Republican healthcare bill.  Some say it is President Trump, others say it is Speaker Ryan, others say it is the so-called Freedom Caucus, and yet others, astonishingly, blame Democrats.  They are all wrong.

It is the American people who did not want the Republican healthcare plan.  According to at least one poll, only 18% of Americans wanted the bill to pass.  Many of the rest of us were vocal in our opposition on the Internet, in town halls, writing letters, and calling our Congresspeople because the bill would directly affect us and those who we love.

The pundits are saying that the failure of President Trump’s and Speaker Ryan’s plan will complicate their agenda moving forward.  They say this because the healthcare plan was supposed to pay for the massive tax overhaul that the president has in mind.  The people who say these things are underestimating both the president and the speaker, and in particular Steve Bannon.

There are two forces in play.  Speaker Ryan and many Republicans want to see the tax system overhauled.  While Speaker Ryan would like to see the overhaul come in revenue neutral, when push comes to shove, he will be willing to deficit spend in the short term and make cuts later, the logic being that the government has swum in red ink before, and a little more for a bit longer won’t hurt; and that Republicans will eventually stem the bleeding by simply forcing the issue.

Steve Bannon has a different logic.  He would just as soon see the government bleed to death.  If destruction of the federal government is brought about faster due to the tax overhaul, that would be more than fine with him.  Those same Republicans in Congress who nearly caused the government to default might play this game.

The reason this is likely to work is that the tax overhaul will be a gigantic give-away, and everyone will make money in the short term.  Nobody will be screaming at Congressmen in town halls.  Nobody will be worried about how this will hurt them personally.

It will be our children and theirs who pay for this policy.