By revealing the personal data of 100 Million users (100,000,000 – that’s a lot of zeros), Mr Bowes wanted to highlight the privacy issues associate with facebook. Note that the data he collected was all available to anyone searching the Internet. He just had a fancy tool do the heavy lifting for him. The information was available based on the settings each of the facebook users had for his or her account.

The solution that he and others propose for the issue of data available is to save all the users from themselves. That is, facebook (and presumably other social networks) should by default have all settings set to hide all personal data from view from others.

While this may not in general be a bad idea, it loses sight of the bigger issue which is that most people just don’t make the connection between privacy and the information they make available on social networks. In addition, having all settings switched to ‘maximum secrecy’ is not going to change human nature. It may actually make things worse. Instead of making people think twice about the information they are making available online, they may be upset at the barrier set up to sharing with their friends, and they may simply go and flip all the settings off.

While facebook could do a much better job explaining what it’s privacy settings mean to the user, the task of privacy still remains with the user.

We must be careful with ANY information we put online.

Peter L

Start at the end and move to the beginning. The advice about knowing what programs you use and making sure that they are up to date is easy and huge, HUGE – really big! – in keeping you safe. This applies to programs and your operating system. Even though Microsoft and most software developers encourage their users to automate the update process, most people don’t seem to ‘get around to it’. What is it about leading a horse to water…

While they do seem to have a lot of updates, Microsoft doesn’t up-sell in their updates. There is no excuse to not have the latest security patches on a daily basis – or however often they come out. (Whining about Microsoft isn’t going to help, so just get the updates.)

I do see a problem with updates from a lot of the other software vendors. Large or small, a lot of vendors intentionally blur the boundary between security updates and sales pitches for upgrade. This discourages a lot of users – including yours truly – from paying attention to what is included in the latest update. It is easier to say ‘no’ to an update, then to try to decipher whether this is a payable upgrade or something that I need!

It is up to you to know what you have on your computer so that you will know when something fishy is going on.

Peter L

Two big issues with being active on …the Internet are 1) that people often think that they’ve built a bond with someone they’ve never just because they both play World of Warcraft online. The truth is that you don’t know who is on the other end of the discussion. Just as you wouldn’t share your personal info with a stranger in the subway who was also wearing a Yankees jersey just because you are also a fan, you should never make your info available online. Someone may misuse it. (Getting away with it 9 times out of 10, won’t take the pain out of getting burned that 10th time!) And 2) the idea of anonymity. Somehow, because we are using a computer, we think that there is a veil of anonymity over anything we do. Nothing could be further from the truth. Unless you are careful, that computer can easily reveal anything and everything you’ve entered – all the sites you’ve visited, your personal data and more.

Taking basic precautions may take a few minutes (really, only a few minutes), but it can save you from the anguish and real problems of identity theft. AND, by taking those few precautions, you’ll probably get even better use of your computer as you learn to use it better.

Peter L

The goal of the hacker isn’t always to get your personal data. In the case of appliances and GPS devices, the experts are saying that the device will be used to mislead or distract you, opening you up to an attack. When you take a look at the things highlighted in the article that hackers are focusing on, or will soon be focusing on, you’ll see that there is something very simple that you can do to improve your own security.

Simple yet critical: use the built-in security options of your devices.

Many of the items mentioned in the article have functionality that relies on communication via a wireless network, or in some other way uses computer technology. Just by following basic computer security procedures like getting the latest software updates, picking strong passwords and using the basic security settings, you’ll stand a much stronger chance of protecting yourself.

Going back a few years to when major brand name viruses like Melissa ravaged the Internet, a huge number of the infected computers were vulnerable because users simply did not perform the suggested Microsoft security updates.

Hackers then and now count on users NOT following basic security instructions.

Don’t become a statistic! Take the time to learn how to use the security features. In most cases, you’ll see that it’s just as easy to use the security as not, with the undeniable advantage that you’ll be safer.

Also mentioned in the article is the ‘last frontier of hacking’ – the human brain. The author points out that at least part of this is the realm of social engineering: a con-game tricking you to act in some way. The realm of phishing and other email exploits try to trick you to click on something or to send your information to someone for your share of millions of dollars.

Ah, but that’s a topic for a different blog…

Peter L

A password manager is there to do for you those things that take up your time and really are an effort. Creating strong passwords for each website and keeping them straight in your head isn’t easy. And it does take time to use them. We recommend Sticky Password, but whether you use a password manager or not, you should be aware of the basics of safe passwords: unique strings of letters and numbers that can’t be guessed for each site and purpose. And, of course, don’t share your passwords with anyone.

And, as has been written in this blog before, DON’T believe everything you read. That’s generally true, but on the Internet, you are likely to be overwhelmed by offers. If you wouldn’t accept the offer from someone on the street, then there is even more reason to reject it from a mysterious someone who wants to share riches with you. Your odds of winning the lottery are better than getting ‘your share’ of the millions of dollars.

Review these general security tips and you’ll see that protecting yourself is something that you CAN manage.

The history of mankind: there is always someone out there who is interested in getting access to other people’s ‘stuff’. While many of the examples given in the post focus on government systems, that’s not the rule. Breaking into a military system is always a thrill (and embarrassment to the government), but breaking into company and personal accounts is more lucrative. Systems can be hacked, so it is YOUR responsibility to take care of your personal data. Strong passwords are a requirement for protecting your personal data.

Also very interesting is the type of people who are doing the hacking. You may not have seen your Aunt Sally in the list, but a lot of those teenagers and students could have lived just down the street from you. Make sure that you are securing your passwords.

Peter L

What’s the problem? Your computer can end up in the strangest places.

Your computer = YOUR PERSONAL DATA

Whether you give your computer to a family member or donate it to a good cause, or someone steals it, all that stuff you put in there thinking that no one would ever see has a way of staying around a long time. And, for as long as the data is there, someone can get to it. (I know that computer recycling projects often claim to wipe all the data clean, but I wouldn’t count on someone else doing it for me.)

Identity Finder (cute logo!) does a deep scan of your computer to locate data associated with your identity – social security and credit card numbers, birthdays, unencrypted PASSWORDS, etc. If you’ve had your computer for any period of time, it is going to have information that you’ve forgotten about. Some of that data should not get into the wrong hands!

The author mentions that Identity Finder can ‘shred’ the files to ensure that the data is unrecoverable, which is very good. It brings up the question of whether Identity Finder can find the data in files that underwent a ‘standard’ delete and therefore are still technically accessible on the hard drive. THAT would be a great service to the average computer user.

All the passwords and personal data that are stored in Sticky Password are encrypted – so even if someone gets access to the computer, he won’t be able to get to your information. Passwords stored in your browser aren’t secure. Neither are passwords in that old Word or Excel file that you labeled with the mysterious title: mypasswords.doc. Knowing where your sensitive data are is a big step in protecting yourself.

I’ll be running Identity Finder scan on my computer this weekend!

My only question: what were all those social security numbers doing on the author’s computer in the first place!?!

When you call the IT guy, you’re the one who wants it done quickly; when he comes knocking with some sort of update or network issue, he’s pushing all the more to get you set up – because he has to repeat the same thing for all of your colleagues. Either way, whatever he is doing usually requires a password – one of your passwords.

He starts working with you standing behind him as you explain the problem over his shoulder. He moves aside to let you enter your password.

You BOTH know that the password is a secret – your secret.

You bend over the keyboard to enter the password as he pretends to be interested in some pictures on the wall of your cubical.

He resumes working with you standing behind him. There’s a little small talk. He looks up at you because he needs the password again.

You BOTH know that the password is not supposed to be shared.

You awkwardly enter the password, again.

You discover that standing behind him is boring and that you don’t want to chat with him anymore. You hope that it’ll be over soon. It doesn’t look like it: he needs the password again. You seize the opportunity and write your secret password on a post it note and tape it to the desk next to your keyboard. You leave your cubical in search of something better to do – like getting grilled by your manager about a missed deadline.

This ritual happens over and over in almost every company. It doesn’t matter whether you have an in-house IT team or outsource your IT support. The IT guys and gals have it tough: they’ve got a job to do and they know better than anyone the company password rules. Yet, they bend the rules so that you can get back to work and they can get to the next customer.

This is bad news for at least a couple of reasons. First, your password isn’t a secret anymore. The person to whom you’ve revealed your ‘princess1’ password has access not only to the specific account or application, but also has an idea of your password philosophy, which makes it a lot easier to crack other accounts. Second, and maybe even more important, is that this type of behavior reinforces the idea that passwords and security aren’t important. Somewhere, deep in your subconscious, you slowly start getting used to the idea that sharing passwords isn’t a big deal; you may start to reconsider whether it is even worth it to have different password for different accounts and websites, and pretty soon, you’re using ‘password’ as your password. It’s a slippery slope!

This is a call to IT guys – come on, make it hard on us! Don’t let us tell you our passwords. Make sure we know that that’s not acceptable.

Peter L

PS Check out IT Crowd for a great look at life on the IT rung of the corporate ladder.

The first question asked about the number of passwords. 33% of all respondents said that they have 10 or fewer password-protected accounts (networks, websites, etc.). Mind you that these folks took an online survey. As best as I can tell, they had to login to participate in the survey, which is entirely appropriate, but that would mean that that was one of their passwords – right?! My point is that most people severely underestimate the number of password-protected accounts they have. I’ve mentioned it in earlier blogs – stop someone on the street and ask how many accounts someone has and you’ll get an answer like ‘just a few’, ’maybe 10, or so’, or some small number. But when you think about most people (not technology geeks), you quickly see that even a basic Internet user will easily have 10 accounts, and probably more. Average users will likely have 20, 30 and more. Think about your own password-protected accounts:

1 free webmail (yahoo, gmail, hotmail, etc.)

2 email from your service provider (aol, comcast, earthlink, …)

3 facebook or other social network, maybe multiple networks

4 work

5 Amazon and other online shopping sites

6 Travelocity and other travel sites

7 online subscriptions (newspapers, magazines, newsletters, …)

8 just about any online blog to which contributions are made

That’s not to mention banks, credit cards and other financial stuff like retirement and investment accounts, government sites, libraries and local services, airlines, as well as cell phone accounts, utilities, and so on. This is interesting because a result of this underestimation is likely to be that many people entirely misunderstand the threat to their data, which should be protected by their passwords. If there’s no threat, then you don’t need to manage anything – right!?

The response to question 6 flows from the first: if you don’t think there’s a lot to remember (i.e. that you have only a few passwords), then you’re bound to think you can do it all in your head. 60% of people responding said that their ‘memory’ was their method for remembering passwords. I’ll bet a dollar to a donut that these folks’ passwords aren’t the strongest on the block. Still, quite a few (7%) admitted to storing theirs on post-it notes next to the computer.

Questions 2 and 3 were about choosing passwords. Just over eighty percent (80%) indicated that they recycled or duplicated their password to some extent. This would seem to contradict the 71% of respondents who selected ‘strength’ as one of the most important factors when selecting a new password. I thought the 9% who selected passwords because they were ‘fun or interesting’ were at least a little more aware of what was going on. (In general, this isn’t a good attribute in a strong password.) This is a big aid in remembering your password, but that also creates the temptation to share it with others. And then there’s the risk that others also know that your cat’s name is ‘Precious’.

The detailed results of the survey are worthwhile and so is Kevin’s commentary.

The failure of passwords is because of human nature: we are driven to make things easy for ourselves. Good passwords require the opposite.

Peter L

At the break, after talking about the material she presented, I quietly suggested that she change her password. “What do you mean?” When I explained that there were 9 additional people who now knew her information, she looked surprise. “Oh, that little slip when I started! I’m sure that no one here has any reason to do anything funny.”

We humans are a trusting species, especially when face-to-face contact is involved. Unless we have a specific reason to be suspicious of someone, we usually give people the benefit of the doubt about possible bad intentions. That’s fine and necessary for our daily lives: the local grocer and paperboy don’t want to rip us off; if we didn’t trust the other drivers on the road, then we would never be able to get anywhere. But we still have keys to lock up our stuff.

As for accidentally revealing all or part of a password, I’ve had it happen to me at inopportune moments in the past, and it’s not that uncommon to see it when working with people at a projector or a monitor. The people sitting around may or may not notice what happened, and they probably aren’t interested in your passwords. But you never know. And why would you take the risk? Next time something like that happens to you, make sure you double back at the first opportunity to change that password.

Peter L