
Internet Insecurity

Topics: Technology | By admin | March 24, 2011

After the recent breaches of ultimate, top-level security resources like RSA and Comodo, giving sites like Facebook twice as much info for “enhanced security” seems like a faulty strategy.

Earlier today I had an experience that reminded me that – like many of us – I should really get more on top of managing my various internet accounts and their passwords better than I do. I was trying to log in to my YouTube “Director” account, and YouTube was trying to link the account to a Google account. I wouldn’t have minded this, except when I tried to link the Google account and the YouTube account – which had the same username, by the way – YouTube would tell me that the account was already linked to another Google account, which it wasn’t. After twenty minutes of password resets and cookie deletions, I finally managed to log in to my own account. And then GMail suggested I add additional user information as part of Google’s interpretation of two-factor authentication. I opted not to do so. Why? Because I simply don’t believe that either Google or Facebook (which is trying to do the same thing by asking for your phone number as part of your account verification) is enacting these programs strictly for security purposes. Both Mark Zuckerberg of Facebook and Eric Schmidt of Google are on record as saying that they don’t believe that privacy is in your future, that anonymity is intrinsically bad (Zuckerberg has hilariously said “Having two identities for yourself is an example of a lack of integrity”), and that we all need a verified identity on the web. This would make a lot of sense if you could in fact trust any web service to absolutely protect the information you gave them, but you can’t. In just the past week, two of the web’s ultimate sources of security verification – RSA and Comodo – have been hacked, a breach that Comodo’s own CEO Melih Abdulhayoglu likened to a web version of the September 11 attacks. And this of course is all hot on the tail of the well-publicized “Anonymous” attack on security firm HBGary. I’m no security expert, but I’m perfectly capable of thinking like a criminal.

And my criminal mind tells me that giving twice as much information to an entity I can’t trust – i.e. any web-based service – really leaves me twice as vulnerable in the event that the entity is compromised. Which it almost certainly will be some day. I have made a casual but consistent effort to keep my online identity usefully accessible, without sharing my entire identity in one place, and will continue to do so. Common sense tells me that one-point interactions with services like Google, Facebook, banks, and other services, with a variety of e-mail accounts and varied passwords, are a decent strategy. But I think I need to ramp things up a bit. This article about password usage on Lifehacker – while screaming with irony because Lifehacker was one of the sites hacked when Anonymous went after Gawker – does hit on some key points. The author says he has 90+ accounts to manage. I’d put my number closer to 30, although if I add the accounts of clients, it may be more like 50 or 60. I’m beginning to do a bad job of managing them all, but plan to tighten things up where I can. At least I don’t use any of the 500 most common passwords. What about you? Do you trust sites like Google and Facebook with your full name, phone number, and other personal details? Or do you keep things closer to the chest?