Consumer Rage Won’t Kill Equifax, but Business Rage Might

Equifax leaked your personal data. It is now even more likely than before (and it was already trivial for it to happen) that you will be the victim of identity theft. We say with software that if you don’t pay for the product you are the product. But with the credit monitoring agencies, that is literally true. You are the product that is being sold. The customers are businesses, banks, and credit card companies.

So it is important to remember that Equifax, Experian, and TransUnion do not care about you. Your social security number getting leaked is, to them, kind of like a whole row of milk spoiling is to a grocery store. They don’t care and they won’t.

There are really only two ways that these companies will ever pay for their crimes. The first is if people get mad enough to push our government to actually do something about them. But if you have been paying attention to our government, you are probably not holding your breath right now.

But there is another way to punish them, and it may very well happen. Businesses, and really the entire industry that relies on credit, are going to take a hit as a result of this. Credit freezes were always available, but this is the first time I can remember that people have been freezing their credit in massive numbers. So many people are doing it that the credit monitoring company websites are crashing, and their customer service lines are overwhelmed (more on that soon, because wow was it terrible).

The retail sector, already nearing the point of collapse, basically relies on easy, immediate credit. Car loans, store credit cards, zero percent cards, all of these have increasingly become the backbone of consumer purchasing. Even iPhones are now sold on lines of credit more often than outright. All of these require credit checks. If you froze your credit, this is much harder to do.

Expect this to become a major problem for stores, dealerships, and banks. Even if customers are able to easily unfreeze, that can take a few days. There will be lost sales, hours of additional overtime, and frustrated shoppers. This may well become a permanent state.

Am I saying you shouldn’t freeze your credit? Absolutely not. You definitely should do a credit freeze. You have no obligation to make things easy for an industry that would sell your identity to Satan to get a bump that quarter. Protect yourself, that is your priority, and a credit freeze is really the only good option (and it still isn’t enough so long as social security numbers are used as identification).

But to businesses, if you suffer because of this, remember that it was Equifax’s fault. And if you still do business with them, ask yourself why?

We the Writers Must Do Better

Whenever a tech company gets caught doing something sketchy, the response is almost always something along the lines of “We need to do better”. This week it was unroll.me issuing the “Sorry not sorry you are upset / we need to do better” statement after it came to light that they were straight up selling your data out to the highest bidder.[1]

It is common wisdom in tech circles that if the product is free, then you are the product. And yet, these businesses keep popping up, offering free services with not a hint of a business model in sight. And they keep growing. Why?

While running a search for more about unroll.me I got the following result in Google, which brilliantly demonstrates the problem.

And it is not just CNET. Searching for results from 2013 (when it became prominent) brings up dozens of articles glowingly covering the service, including LifeHacker, PCWorld, and mainstream news such as ABC and Newsweek.

People use these services because they hear about them. And they are free. So what do you have to lose? Turns out what you have to lose is your every thought, every business transaction, and any hint of privacy you may still have. Because we keep telling people to go ahead and try it out.

So we need to do better. I need to do better, and everyone else who writes about technology needs to do better.

Those of us who write about tech need to start taking this into account. From now on I won’t review any app or service unless I have a reasonable understanding of its business model. If it doesn’t have one, that is a huge red flag. And yes, I will even start reading terms of service and privacy policies. This does not mean I won’t ever recommend an app that allows advertising or tracking. But it needs to be reasonable, and I will be sure to highlight it.

I can’t promise to never lead a reader down the wrong path[2], but I will at least make sure they are properly informed. And the Slices of the world can find someone else to push their invasive services. I want no part of it.

  1. Uber in this case. Because there is no rake on this earth that they cannot resist stomping on.
  2. Companies can lie, or at best tell partial truths.

Pokémon Go Failed at Security, but Google Failed Harder

If you downloaded Pokémon Go (and there is a good chance that you did as it is at the top of the App Store charts), you may have tried to create a Pokémon trainer account, only to find that the servers were overloaded and that you can’t. So you likely moved to the other option, which is to use your Google account. If you happened to be using iOS, what you ended up doing was giving Niantic full access to your Google account. This means that short of deleting it entirely or spending money, they have almost limitless access to your Google data. This includes your emails, your contacts, your documents, your photos, and more.

Full Google account access granted to Pokemon

This is extremely bad. Any rogue employee at the company could potentially access any user’s personal data if they could gain high enough credentials. That is to say nothing of a potential server breach, which just became infinitely more valuable. While this is likely a mistake, it is a pretty major one.

But even worse is that Google allowed this to happen in the first place. At no point during the login is it ever presented to you that you are giving this high a level of access. Most other apps present a dialog explaining the permissions that you are about to grant before allowing you to confirm. But in this case, nothing. Full access is silently granted. This is a malicious hacker’s dream come true.

Not only should it never be possible to skip the permissions screen, but anything requesting full access should pop up a big, scary warning to make it painfully clear that you are about to sign over the keys to the kingdom. Especially considering how many Google accounts are being used in education and business. I question whether this should be an option at all for anyone other than a properly vetted and trusted partner. This is inexcusable both in that this is being allowed to happen, and that Google has not as of this writing blocked access. They should take their users’ account security far more seriously than being an inconvenience to Niantic.

And Niantic needs to issue a statement on this whole mess beyond “No comment to share at the moment.” No, sorry, the correct answer is “Holy crap we messed up and we have our engineers working to sort this out yesterday! All hands on deck.” This is a major security error that requires an emergency patch.

For now at least, revoke the app’s authorization. This will cut it off completely (that’s what is nice about OAuth, your password is not sent to the other company, so you can revoke access without having to change it).

Authenticating through a third party, especially one that is (normally) as secure as Google, has its benefits. It means a hack on the third party won’t disclose your passwords, preventing the massive data dumps we have seen time and again. But I can’t help but feel we have allowed ourselves to become way too comfortable granting this access to our most important repositories of information. Google needs some serious quality control over what it allows to access your data. Say what you will about Apple’s app review. They may be heavy handed, but their demands to developers that they explain their reasons for requesting your data go a long way to prevent this kind of error.

Let’s Encrypt (Our WordPress Blogs)

Websites hosted on WordPress’s commercial service are now encrypted using certificates from Let’s Encrypt, the free certificate authority that removes both the cost and complexity from HTTPS. If you host a site on wordpress.com, this is already available to you with no additional effort required on your part.

If you have your own hosted WordPress site and you can install software to your server, it is fairly easy to get the Let’s Encrypt software up and running. I recently migrated this site to a VPS and had no issue getting Let’s Encrypt up and running. Many shared hosting services such as DreamHost have also added support.

HTTPS is moving closer and closer to the default state of the web, and that is a good thing. A notable holdout at the moment is SquareSpace, which has never allowed custom certificates, even paid ones. I had an exchange with them on Twitter not that long ago but they did not commit to any timeframe on support for secure connections. I would urge them to move on this before it becomes a competitive disadvantage.

If you are just starting out with creating a website, I would make support for free and easy HTTPS a requirement when choosing your host.

Ad Blockers are the new Firewall

When iOS 9 launched the sky fell, dogs and cats moved in together, and there was mass hysteria. At least if you listened to advertisers. It was this release where Apple created an officially supported, system level content blocker function. This would, the industry argued, destroy content on the internet, which is largely ad supported. I would argue that if the ad industry thinks that it is being destroyed, the call is coming from inside the house.

I don’t have a problem with ads, I really don’t. So long as they are respectful to me, I fully understand the need to make money from content online, and appreciate the difficulty in doing so. I resisted ad blockers for years because I felt that I should support the publishers.

This is no longer the case. I am now an evangelist for ad blockers. I consider them as essential to your security and safety as a firewall. And to be very clear to the ad industry – this is your fault.

We have seen these things happen before. In the 90s a barrage of intrusive, and often explicit, pop-up ads were making browsing the internet a nightmare. It became so bad that browsers began adding pop-up blockers as an on by default feature, which all major browsers retain to this very day. For a while things got better, aside from some sites insisting on auto play video ads.[1]

But in the last year or two things have taken a very dark turn. Malvertising, the unholy alliance of malicious software with advertising, is becoming an everyday problem on the internet. At first it targeted the more sketchy sites. The thinking was if you stayed on the light side you would be fine. This is no longer true. Any site that runs third party ads has become a potential point of infection. Just a short list of the sites that have fallen victim to this include the New York Times, MSN, AOL, the NFL, and NewsWeek. Hardly the dark side of the Internet. Read this from Ars Technica if you want to be scared.

At first the malware was merely pop-up scams. I saw several served to me through MyFitnessPal a while back. These were harmless so long as you did not fall for the message. Just quit the browser and start over.

Malicious popup trying to get me to call a number for tech support.
A sample of the Malvertising I have seen.

But the problem is worsening. We are now seeing advertisements that are capable of executing code on computers that merely visit a website. The most disturbing payload these can carry is ransomware – software that encrypts your personal files and demands payment to get them back. Users have no idea they have been infected, and have done nothing wrong. They just got unlucky in the ad network that happened to serve them on that visit.

On a personal note I briefly tried ads on this site. It was terrifying. I think I literally lost sleep over the thought that I was unknowingly infecting my visitors. True that this page is not where I make my money, so I am fully aware of my privilege in being able to do this. But that does not change my position when the ramifications are so serious.

If the ad industry is attempting to address this problem, they are not doing well. It is getting worse. Usually if you contact the website or the ad network about these ads, expect them to point their finger elsewhere. “It’s someone else doing it. Don’t bother us.” It is painfully clear that this is not a priority for the industry. They are either unwilling or unable to solve this. Whichever it is, the result is the same. I will protect myself. I want publishers to make money, but not at the expense of my personal safety.

Ad blockers have gone from a convenience to required security software. I have installed it on all my browsers and will be installing it on every computer I have within my sphere of influence. Friends, family, and colleagues. If the publishing and advertising industries see this as a breach of contract, so be it. Get your own house in order before complaining about everyone else. If you choose to block access to your site for ad blockers, then I guess I will not view your content. I will leave your page with my data security intact. I don’t trust you.[2]

On desktop browsers I recommend Ghostery. On iOS I recommend 1Blocker. Install them everywhere. Consider them part of your anti-malware protection. Because they are.

All this ignores the other offensive behavior of ads, such as pervasive tracking, ridiculously high data usage, loud auto-play videos, and scam messages. It’s a side benefit that these are blocked too. But the thing that pushed me over the edge is the malware. No one else’s business model is worth my personal security, or of the security on systems I am responsible for.[3] I will choose security every time.


  1. MacWorld
  2. Forbes had a particularly embarrassing incident where their anti-Adblock software convinced people to turn off their blockers, only to then get infected with malware. Nice.
  3. And that is a good number of systems.

In Defense of 1Password

Dale Myers made a splash last week with an article explaining that 1Password had a flaw causing it to leak the URLs that are stored in the default .agilekeychain format. A lot of people have reacted by freaking out and either switching to the newer OPVault file format, or leaving the app altogether. My approach is a different one. I am going to relax and wait for the Agile developers to solve this issue. I still absolutely trust 1Password with my data.

To be clear, I am not saying what happened here was not a mistake, nor that 1Password should not fix it. They absolutely should. No app should leak data, and this is even more true of a security app like this.

But here’s the thing, the data 1Password is leaking is not very personal, it is not easy to get, and it is more or less useless without the data that 1Password is still protecting well. From Dale’s article there are three major issues with the data leak.

Issue one is the leaked data may contain URLs that are sensitive. Of course the example is a porn site, which seems to be the big, scary login that everyone is afraid of other people knowing they have. Personally I would much rather see a porn URL than a login for the NRA, but I guess that is just me.[1] But point taken, this is probably the biggest concern since it’s hard to predict how this kind of data leakage could be used nefariously.

But I am not too worried about this since in order to get to this file you would already have to compromise my Dropbox account. Not impossible, but with a strong password and two factor enabled I am not overly concerned about this. It’s a lot of work to go through to get questionably useful data. I would be concerned about a lot more in my Dropbox account than this.

Issue two is that the URLs themselves could potentially be dangerous. The way 1Password works is it stores the address you use the first time you log in to a site. Fine if you log in through the normal login URL, but what if you end up storing a password reset URL? This is the kind you get in your email when you click the Forgot Password link. It turns out that some of these URLs continue to work long after they have been used.

This is a huge problem, but it is not really 1Password’s problem. The web developers responsible for these sites are the ones who should be freaking out over this issue. A password reset URL must only work once, and only be valid for a short period of time. Anything else is a huge vulnerability. Yes, having one of these poorly managed addresses leak from 1Password is a problem, but these things are in email, which is just as likely to be compromised. I will, however, be going through my 1Password data and changing any of these URLs that may have snuck past me to just the base login URL.
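The single-use, short-lived rule for reset links, sketched as an added example (not code from this post, from 1Password, or from any site it mentions). The ResetTokenStore class, its in-memory dict standing in for a database table, and the 15-minute window are assumptions for illustration.

```python
import hashlib
import secrets
import time

RESET_TTL_SECONDS = 15 * 60  # assumed validity window, not a value from the post


class ResetTokenStore:
    """Hypothetical in-memory stand-in for a table of pending password resets."""

    def __init__(self, ttl=RESET_TTL_SECONDS, clock=time.time):
        self._ttl = ttl
        self._clock = clock
        self._pending = {}  # sha256(token) -> (user_id, expires_at)

    @staticmethod
    def _digest(token):
        # Only the hash is stored, so a leaked table does not yield working links.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, user_id):
        # A new request supersedes any older outstanding link for the same user.
        self._pending = {
            d: rec for d, rec in self._pending.items() if rec[0] != user_id
        }
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._pending[self._digest(token)] = (user_id, self._clock() + self._ttl)
        return token  # this value goes into the emailed URL

    def redeem(self, token):
        """Return the user_id for a valid token, else None."""
        # pop() removes the record on first lookup: the link works at most once,
        # whether or not it turns out to be expired.
        record = self._pending.pop(self._digest(token), None)
        if record is None:
            return None
        user_id, expires_at = record
        if self._clock() >= expires_at:
            return None
        return user_id


def demo():
    """Walk the cases from the text using a controllable clock (constructed data)."""
    now = [1_000_000.0]
    store = ResetTokenStore(ttl=900, clock=lambda: now[0])

    t1 = store.issue("alice")
    first = store.redeem(t1)    # legitimate first use
    replay = store.redeem(t1)   # same URL replayed later, e.g. from a saved entry

    t2 = store.issue("alice")
    now[0] += 901               # link left sitting in a mailbox past the window
    expired = store.redeem(t2)

    t3 = store.issue("bob")
    t4 = store.issue("bob")     # second request invalidates the first link
    superseded = store.redeem(t3)
    latest = store.redeem(t4)
    return first, replay, expired, superseded, latest


if __name__ == "__main__":
    print(demo())
```

With this behaviour, a reset URL that ended up stored in a password manager entry or an old email is inert: it was consumed on first use or has aged out.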

Problem three is that this information may be available in Google. This is obviously extremely bad, but in order for this to happen the users would really have had to have done something silly. Specifically, you would need to have shared your 1Password data as a publicly available file in your Dropbox account.

This is not default behavior. Do not do this. You don’t have to share your 1Password file to sync it. 1Password for all platforms will allow you to authenticate that instance of the app to grab the data. This will not expose it to anything else other than the 1Password app. You should never, ever share files in your Dropbox publicly unless that is the specific purpose of the file.

The immediate answer to solve all these issues is to switch to the OPVault format. This is a new format Agile has created to succeed the agilekeychain file. You can do it now, but 1Password will be updated soon with an automatic migration tool. I intend to just wait for that rather than go through the trouble of enabling it now via command line. Why potentially mess up my sync data for an issue that is very unlikely to be a problem for me in the near future?

In summary, this was an error that 1Password made, yes. And it needs to be fixed. Data leakage is bad. But the main purpose of 1Password, storing your passwords securely, remains intact. I agree with Dale, I will continue to use this software. I still feel safe and secure keeping my passwords there. Every other alternative is weaker.[2]


  1. See my piece on Coming Out as Sex Positive for more on this. I don’t find consumption of legal, sex positive porn to be anything to be ashamed of.
  2. I guess there is LastPass, but I do not trust LogMeIn at all. And they now own it.

Apple Making Two Factor Less Terrifying

I highly recommend that everyone use two factor authentication on as many accounts as they can, but there has always been one particularly scary aspect to Apple’s implementation of this. When you enable two step verification on an Apple ID, you are essentially cutting off Apple support from ever being able to help you with your account ever again. According to Sophos, this will be changing with OS X El Capitan and iOS 9.

With the new 2FA system, Apple customer support will work through a detailed recovery process with users who lose access to all their trusted devices and phone numbers.

The company will review your case and contact you at the number provided when your Apple ID is ready for recovery. After that, an automated message will direct you to iforgot.apple.com to complete the required steps and regain access to your account.

The company says it will take a few days – or longer – to recover accounts this way, depending on how much information you can provide to verify that you really are the account owner.

I feel much more comfortable with this method. While locking an account forever had the advantage of preventing social engineering attacks like the one that hit Mat Honan, it had a pretty extreme downside. Any issue that locked you out of your Apple ID meant that your Apple ID was lost forever. No force on earth could get it back. Given the amount of important data tied to Apple IDs (purchases, cloud storage, device registrations), this was too heavy a hammer. Having a process to recover access to an account that is slow and methodical is a more appropriate balance between security and good customer service.

Bad Advice from Business Insider

For the most part I do not like Business Insider. While they certainly have talented people on staff, and some of their original reporting is good, a lot of it is lazy clickbait. An article from yesterday bemoans the Apple Watch app that is installed as part of iOS 8.2. The app, like most of Apple’s own, is unremovable. You can argue the merits of whether this is the right move or whether it should be a store app that is removable, but this throwaway line from the piece really bothers me:

“If you don’t want the Watch app to be stuck on your phone forever, just don’t update to iOS 8.2.”

No no no. Wrong wrong wrong. They completely ignore that while some may find the watch app annoying, 8.2 also brings a really important security fix for the FREAK vulnerability that was disclosed last week. If given the choice between having to move the watch app to that folder of things you never use and remaining exposed to the possibility of having your secure traffic snooped, I choose the former.

Bad Advice Masked as Security

John Gruber makes an excellent point over on Daring Fireball about the rather extreme overreaction to the iCloud celebrity photo theft.

Don’t trust Apple “with any of your data” isn’t just wrong because it’s a hyperbolic overreaction, it’s wrong because it’s potentially dangerous. What has been mostly overlooked in the reaction to this photo leak scandal, and completely lost in Auerbach’s argument, is that backups are a form of security — in the same sense that life insurance is a form of security for your children and spouse.

Exactly right. I see this happen all the time. iCloud backup has been the single most effective tool against data loss I have ever seen. The chances of losing or breaking your phone are orders of magnitude greater than the chances of someone brute forcing their way into your account, unless you happen to be very high profile.

But I will go a step further. Many articles I have read instruct users to simply turn off iCloud entirely, all in one move. This not only removes the security of the backup, but it potentially can lead to data loss itself. Turning off iCloud can cause a user to lose their address book, calendar, notes, documents, and other important data. It has very far reaching consequences. For the most part those stay in iCloud, and can be added back later. But it is entirely possible (again, I have seen this happen) for things to go wrong. Even if not data loss, it can result in duplicates, conflicts, and other issues if iCloud is then reenabled later. Not to mention other cloud syncing (Google, Exchange, etc) may take over and split the data, which is very confusing for regular users to figure out. And many may not realize that turning off iCloud has any of these effects and will just assume that their apps are suddenly broken.

But this is typical of our media culture. Issues that are really bad but unlikely to happen to you are reported breathlessly, while the real dangers go unmentioned. I guarantee you that more people lost their iPhones this weekend than celebrities had photos released. Then again, more people died driving to work than on roller coasters, but guess what gets reported. FUD is alive and well.