Tuesday 17 September 2019

Why we won't get online safety

Why data breaches won't go away

Why phishing won't go away

"Those who would give up essential usability to purchase a little technical security deliver neither usability nor security."

There is no prospect of us having online safety in the foreseeable future. The diagrams above show the stories around data breaches and phishing.

The infosec world does not have the tools, resources, culture, management, or incentives to fix things. The bad actors carry on getting smarter.

The IT security world as presented to us ordinary users is confusing, inconsistent, and unpleasant.

Several things are clear:
1. The victim-blaming ("silly users with their 1234567 passwords") needs to be challenged at every opportunity. It is unhelpful in the extreme.
2. Digital literacy needs to highlight Michel de Certeau's 'Arts de Faire / Arts of Doing' - ways of reclaiming our autonomy from the panopticon and bad actors.
3. We need tools and resources to fight back / hold our own against the tide of incompetence and malevolence.
4. There is no obvious source for good advice, training, tools, and resources that will be heard above the noise and used at scale.

The Robert Graham Project says "I think the most important security precaution is to lie to computers compulsively". This includes made-up user names, multiple email addresses, fake answers to security questions, and multiple mobile phone numbers. The recent (very good) UK Government guidance gets close but not close enough.

Passwords and Usability

Usability of advice

Much advice on passwords is contradictory, confusing, and context-free. I propose a Scale for Evaluating Password Advice (SEPA):

1. Does the advice give due prominence to haveibeenpwned.com?
2. Is the advice tailored to specific users and contexts (use cases), as opposed to being generic?
If 'Yes' to question 2:
3. Are there indications that the threat priorities have been based on evidence?
4. Are there indications that the risk mitigation actions proposed are based on evidence?
5. Are there indications that the advice has been tested with representative users?

Password Managers

There are plenty of reviews of password managers. These all seem to focus on technical aspects, with little or no understanding of usability. On the basis of limited personal experience, I suggest the following criteria for password manager usability:
1. The supplier website sets out what use cases it meets, and how, and what use cases it does not support.
2. The manager links to the haveibeenpwned.com API.
3. The manager generates user-friendly passphrases like this.
4. The manager works without the cloud.
5. The manager helps the user cope with the vagaries of various websites, e.g. no paste allowed.
6. The manager is compatible with producing a paper storage system.
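Criteria 2 and 3 above are concrete enough to show in code. The example below is added here and is not from the original post or from any particular password manager: it builds the k-anonymity range request that the Pwned Passwords API (https://api.pwnedpasswords.com/range/) actually uses, so that only the first five hex characters of the SHA-1 leave the device, then searches a response for the remaining suffix locally; it also generates a word-based passphrase with the OS CSPRNG and reports how many bits it carries. The wordlist and the range response are constructed for the demo (the response keeps the real "SUFFIX:COUNT" layout, but its counts are made up).

```python
import hashlib
import math
import secrets

# Real Pwned Passwords range endpoint (k-anonymity API): only the first five hex
# characters of the SHA-1 are sent; the remaining 35 never leave the device.
HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"

# Constructed 16-word list for illustration only; a real manager ships a list of
# several thousand words so that a five-word passphrase carries useful entropy.
WORDS = [
    "anchor", "beacon", "canyon", "dagger", "ember", "falcon", "garnet", "harbor",
    "island", "juniper", "kettle", "lantern", "meadow", "nectar", "orchid", "pebble",
]


def hibp_range_request(password: str) -> tuple:
    """Return (url_to_fetch, prefix, suffix) for a k-anonymity lookup of `password`.

    The caller fetches `url_to_fetch` and then searches the response locally for
    `suffix`; the service only ever learns the 5-character prefix.
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    return HIBP_RANGE_URL + prefix, prefix, suffix


def breach_count(range_response: str, suffix: str) -> int:
    """Parse a range response ("SUFFIX:COUNT" per line) and return the count for
    our suffix, or 0 if the suffix is absent (not known to be breached)."""
    for line in range_response.splitlines():
        line = line.strip()
        if not line:
            continue
        found_suffix, _, count = line.partition(":")
        if found_suffix == suffix:
            return int(count)
    return 0


def generate_passphrase(n_words: int = 5, separator: str = "-", wordlist=WORDS) -> str:
    """Build a user-friendly passphrase from random dictionary words using the
    OS CSPRNG (`secrets`), never the `random` module."""
    return separator.join(secrets.choice(wordlist) for _ in range(n_words))


def passphrase_entropy_bits(n_words: int, wordlist=WORDS) -> float:
    """Entropy in bits of an n-word passphrase drawn uniformly from `wordlist`."""
    return n_words * math.log2(len(wordlist))


# Constructed sample response. The layout is the real one (35-char hash suffix,
# colon, count) but the suffixes and counts are made up, except that the middle
# line carries the suffix of SHA-1("password") so the demo lookup finds a hit.
SAMPLE_RANGE_RESPONSE = """\
1D2DA4053E34E76F6576ED1DA63134B5E2A:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:1234567
1E2AAA439972480CEC7F16C795BBB429372:1
"""

if __name__ == "__main__":
    url, prefix, suffix = hibp_range_request("password")
    print("fetch:", url)  # only the 5-char prefix appears in the URL
    print("seen in breaches:", breach_count(SAMPLE_RANGE_RESPONSE, suffix))
    print("passphrase:", generate_passphrase())
    print("bits:", passphrase_entropy_bits(5))  # 20.0 with the 16-word demo list
```

The entropy figure is the usability point: with the toy 16-word list a five-word passphrase is only 20 bits, which is why the size of the wordlist matters as much as the number of words, and why a manager should show the user what it is generating from.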

Use Cases

A collection of not-very-thought-through use cases is below for illustrative (rather than design) purposes:
  • A US Secretary of State who steps out of the SCIF to use her personal Blackberry.
  • A bitcoin miner whose mobile phone account is hijacked to exploit SMS 2FA.
  • A Cambridge Professor of Security Engineering who refuses to use online banking with good reason:
    "...if you fall victim to an online fraud the chances are you will never see your money again...one of the banks’ most extraordinary feats of recent years has been their ability to shift liability away from themselves and on to the customer – aided by a Financial Ombudsman Service (FOS) that they claim rarely challenges the banks following a fraud."
  • A journalist talking to dissidents in a dangerous country.
  • Grandma logging into Facebook while staying with her daughter.
  • Grandma wanting to put her online affairs in order for her estate.
  • A student wanting to prevent his flatmates using his pr0n account when he is out.
  • A businessman going to the toilet while doing online business with the free wi-fi in a coffee shop.
  • A Civil Servant wanting to do home banking while at the office.
  • An agency ICU nurse called in at short notice needing to look up patient records.
  • A homeless person using a mobile phone to claim benefits and pay bills.
  • Someone on a list entering the USA and being asked to provide their passwords.

Important update from Rachel Tobac: "A useful thing about using a password manager that I don’t always see folks talk about is that my pw manager won’t enter my username and password on malicious lookalike sites. Not the real airline website? Looks real but it’s actually a malicious URL? No credentials entered". So - does the pw manager do this?
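The behaviour Rachel Tobac describes comes down to an origin check before auto-fill. The code below is an added example, not part of the original post and not any real manager's implementation: a vault entry is only offered on a page whose host is exactly the stored host or a subdomain of it, and only over https. Because the comparison is on the host string, lookalike names (a different domain, a registered-looking prefix on an attacker's domain, or a homoglyph domain) are simply different hosts and get nothing. The vault entries and URLs are constructed.

```python
from typing import Optional
from urllib.parse import urlsplit

# Constructed vault entries for illustration; the sites and usernames are fictitious.
VAULT = [
    {"site": "https://www.airline.example/login", "username": "traveller@example.org"},
    {"site": "https://mail.example.net/", "username": "grandma@example.net"},
]


def host_of(url: str) -> Optional[str]:
    """Return the lower-cased hostname of an https URL, or None if the URL is not
    https or has no host (a manager should refuse to fill in either case)."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        return None
    return parts.hostname.lower()


def same_site(stored_url: str, current_url: str) -> bool:
    """True only if the current page's host is the stored host or a subdomain of it.

    A plain string comparison means that airline-login.example,
    www.airline.example.evil.example, a1rline.example, or a homoglyph spelling of
    airline.example are all different hosts and never match."""
    stored, current = host_of(stored_url), host_of(current_url)
    if stored is None or current is None:
        return False
    return current == stored or current.endswith("." + stored)


def credentials_for(vault, current_url: str) -> Optional[dict]:
    """Return the vault entry that may be auto-filled on `current_url`, else None.

    None is the Tobac case: the page looks like the airline but is not the stored
    origin, so no username or password is ever put into the form."""
    for entry in vault:
        if same_site(entry["site"], current_url):
            return entry
    return None


if __name__ == "__main__":
    for page in (
        "https://www.airline.example/checkin",          # genuine site: filled
        "https://www.airline-login.example/login",      # lookalike: refused
        "https://www.airline.example.evil.example/",    # stored host as a prefix: refused
        "http://www.airline.example/login",             # no TLS: refused
    ):
        hit = credentials_for(VAULT, page)
        print(page, "->", hit["username"] if hit else "no credentials entered")
```

Two design choices are worth noting. The http case is refused even on the right host, since filling credentials into a cleartext page hands them to anyone on the coffee-shop wi-fi. And the subdomain rule is deliberately strict: an entry saved on www.airline.example will not fill on airline.example itself; production managers use the public suffix list to compare registrable domains instead, which loosens this without admitting lookalikes.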