Tag Archives: hackers

The Downside to Smart Cities

I read almost daily about another smart city initiative somewhere in the country as cities implement ideas that they think will improve the quality of life for citizens. I just saw a statistic that says that over two-thirds of cities have now implemented some form of smart city technology. Some of the applications make immediately noticeable differences like smart electric grids to save power, smart traffic lights to improve traffic flow, and smart streetlights to save electricity.

But there are a few downsides to smart city technology that can’t be ignored. The two big looming concerns are privacy and security. There was an article in Forbes earlier this year that asked the question, “Are Privacy Concerns Halting Smart Cities Indefinitely?” Citizens are pushing back against smart city initiatives that indiscriminately gather data about people. People don’t trust the government to not misuse personal data.

Some smart city initiatives don’t gather data. For instance, having streetlights that turn off when there is nobody in the area doesn’t require gathering any data on people. But many smart city applications gather mountains of data. Consider smart traffic systems which might gather massive amounts of data if implemented poorly. Smart traffic systems make decisions about when to change lights based upon looking at images of the cars waiting at intersections. If the city captures and stores those images, it accumulates a massive database of where drivers were at specific times. If those images are instantly discarded, never stored and never available for city officials to view then a smart traffic system would not be invading citizen privacy. But the natural inclination is to save this information. For instance, analysts might want to go back after a traffic accident to see what happened. And once the records are saved, law enforcement might want to use the data to track criminal behavior. It’s tempting for a city to collect and store data – all for supposedly good reasons – but eventually, the existence of the data can lead to abuse.

Many people are very leery of systems that capture public video images. If you look at smart city sales literature, it’s hard to find sensor systems that don’t toss in video cameras as part of any street sensor device. I just saw a headline saying that over 400 police departments now partner with Ring, the video cameras people install at their front door – which allow police to have massive numbers of security cameras in a city. It’s incredibly easy for such systems to be abused. Nobody is uncomfortable with using surveillance systems to see who broke into somebody’s home, but it’s highly disturbing if a policeman is using the same system to stalk an ex-wife. Video surveillance isn’t the only sensitive issue and smart city technology can gather all sorts of data about citizens.

What I find scarier is security since smart city systems can be hacked. Security experts recently told Wired that smart city networks are extremely vulnerable to hacking. Municipal computer systems tend to be older and not updated as regularly. Municipal computer systems have the same problems seen in corporations – weak passwords, outdated and ignored security patches, and employees that click on spam emails.

Smart city networks are more vulnerable to attack than corporate networks that sit behind layered firewalls because a smart city network can be attacked at the sensor edge devices. It’s well known that IoT devices are not as rigorously updated for security as other components of computer networks. I’ve seen numerous articles of hackers who were able to quickly defeat the security of IoT devices.

While there might be a concern that city employees will abuse citizen data there is no doubt that hackers will. It’s not hard to envision hackers causing mischief by messing with traffic lights. It’s not hard to envision terrorists paralyzing a city by shutting down everything computer-related.

But the more insidious threat is hackers who quietly gain access to city systems and don’t overtly cause damages. I have one city client that recently found a system they believe has been compromised for over a decade. It’s not hard to envision bad actors accessing video data as a tool to use for burglary or car theft. It’s not hard to imagine a bad actor selling the data gathered on city networks to players on the dark web.

I’m not against smart city technology, and that’s not the point of this blog. But before a city deploys networks of hundreds of thousands of sensors, they need to have planned well to protect citizen data from misuse by city employees and by abuse from hackers. That sounds like a huge challenge to me and I have to wonder how many cities are capable of doing it right. We’ve seen numerous large corporations get hacked. Smart city networks with huge numbers of sensors are far less secure and look to be an open invitation to hackers.

Do We Need International Digital Laws?

German Chancellor Angela Merkel said a few weeks ago that the world needs international regulation of digital technology, much like we have international regulation for financial markets and banking.

She says that without some kind of regulations that isolated ‘islands’ of bad digital actors can emerge that are a threat to the rest of the world. I am sure her analogy is a reference to the handful of islands around the globe that play that same maverick role in the banking arena.

We now live in a world where a relatively small number of hackers can cause incredible harm. For instance, while never definitely proven, it seems that North Korea hackers pulled off the major hack of Sony a few years ago. There are accusations across western democracies that the Russians have been using hacking to interfere with elections.

Merkel certainly has a valid point. Small ‘islands’ of hackers are one of the major threats we face in the world today. They can cause incredible economic harm. They threaten basic infrastructure like electric grids. They make it risky for anybody to be in the Internet at a time when broadband access is becoming an integral part of the lives of billions.

There currently aren’t international laws that are aimed at fighting the nefarious practices of bad hackers or at punishing them for their crimes. Merkel wasn’t specific about the possible remedies. She said that the US and Germany have undertaken discussions on the topic but that it hasn’t gone very far. There are certainly a few things that would make sense at the international level:

  • Make certain kinds of hacking an international crime so that hacker criminals can more easily be pursued across borders.
  • Create a forum for governments to better coordinate monitoring hackers and devising solutions for blocking or stopping them.
  • Make laws to bring cryptocurrency under the same international auspices as other currencies.

But as somebody who follows US telecom regulation in this blog I wonder how fruitful such regulations might be? We now live in a world where hackers always seem to be one step ahead of the security industry that works to block them. The cat and mouse game between hackers and security professionals is a constantly changing one and I have to wonder how any set of rules might be nimble nimble enough to make any difference.

This does not mean that we shouldn’t have an international effort to fight against the bad actors – but I wonder if that cooperation might best be technical cooperation rather than the creation of regulations that might easily be out of date as they are signed into law.

Any attempt to create security regulations also has to wrestle with that fact that a lot of what we think of as hacking is probably really government sponsored cyberwarfare. How do we tell the difference between cyber-criminals and cyber-warriors? In a murky world where it’s always going to be hard to know who specifically wrote a given piece of code I wonder how we tell the criminal bad guys from the government bad guys?

I also see a dilemma in that any agreed-upon international laws must, by definition filter back into US laws. We now have an FCC that is trying to rid itself of having to regulate broadband. Assuming that Title II regulation will be reversed I have to wonder if the FCC would be able to try to require ISPs to comply with any international laws at a time when there might not even be many US laws that can be enforced on them.

It makes sense to me that there ought to be international cooperation in identifying and stopping criminal hackers and others that would harm the web. But I don’t know if there has even been an issue where the governments of the world engage in many of the same practices as the bad actors – and that makes me wonder if there can ever be any real cooperation between governments to police or control bad practices on the web.

2017 Technology Trends

Alexander_Crystal_SeerI usually take a look once a year at the technology trends that will be affecting the coming year. There have been so many other topics of interest lately that I didn’t quite get around to this by the end of last year. But here are the trends that I think will be the most noticeable and influential in 2017:

The Hackers are Winning. Possibly the biggest news all year will be continued security breaches that show that, for now, the hackers are winning. The traditional ways of securing data behind firewalls is clearly not effective and firms from the biggest with the most sophisticated security to the simplest small businesses are getting hacked – and sometimes the simplest methods of hacking (such as phishing for passwords) are still being effective.

These things run in cycles and there will be new solutions tried to stop hacking. The most interesting trend I see is to get away from storing data in huge data bases (which is what hackers are looking for) and instead distributing that data in such a way that there is nothing worth stealing even after a hacker gets inside the firewall.

We Will Start Talking to Our Devices. This has already begun, but this is the year when a lot of us will make the change and start routinely talking to our computer and smart devices. My home has started to embrace this and we have different devices using Apple’s Siri, Microsoft’s Cortana and Amazon’s Alexa. My daughter has made the full transition and now talks-to-text instead of screen typing, but us oldsters are catching up fast.

Machine Learning Breakthroughs will Accelerate. We saw some amazing breakthroughs with machine learning in 2016. A computer beat the world Go champion. Google translate can now accurately translate between a number of languages. Just this last week a computer was taught to play poker and was playing at championship level within a day. It’s now clear that computers can master complex tasks.

The numerous breakthroughs this year will come as a result of having the AI platforms at Google, IBM and others available for anybody to use. Companies will harness this capability to use AI to tackle hundreds of new complex tasks this year and the average person will begin to encounter AI platforms in their daily life.

Software Instead of Hardware. We have clearly entered another age of software. For several decades hardware was king and companies were constantly updating computers, routers, switches and other electronics to get faster processing speeds and more capability. The big players in the tech industry were companies like Cisco that made the boxes.

But now companies are using generic hardware in the cloud and are looking for new solutions through better software rather than through sheer computing power.

Finally a Start of Telepresence. We’ve had a few unsuccessful shots at telepresence in our past. It started a long time ago with the AT&T video phone. But then we tried using expensive video conference equipment and it was generally too expensive and cumbersome to be widely used. For a while there was a shot at using Skype for teleconferencing, but the quality of the connections often left a lot to be desired.

I think this year we will see some new commercial vendors offering a more affordable and easier to use teleconferencing platform that is in the cloud and that will be aimed at business users. I know I will be glad not to have to get on a plane for a short meeting somewhere.

IoT Technology Will Start Being in Everything. But for most of us, at least for now it won’t change our lives much. I’m really having a hard time thinking I want a smart refrigerator, stove, washing machine, mattress, or blender. But those are all coming, like it or not.

There will be More Press on Hype than on Reality. Even though there will be amazing new things happening, we will still see more press on technologies that are not here yet rather than those that are. So expect mountains of articles on 5G, self-driving cars and virtual reality. But you will see fewer articles on the real achievements, such as talking about how a company reduced paperwork 50% by using AI or how the average business person saved a few trips due to telepresence.

Productizing Safety

padlockThe Internet is becoming a scarier place by the day to the average user. It seems like a week doesn’t go by when there isn’t news of some new and huge data breach or other nefarious use of the web. But as much as those big events might create a general industry sense of unease, these announcements also make people worried about their own individual Internet security.

The big ISPs like AT&T crow about recording and monetizing everything that their customers do on the web. And with a likely weakening or elimination of Title II regulation by the FCC this is likely to intensify. Every web site parks cookies on the computers of their visitors, and the bigger sites like Facebook and Google gather every fact fed to them and peddle it to the advertising machine. There are hackers that lock down PCs and hold them hostage until the owner pays a ransom. There are smart TVs that listen to us and IoT devices that track our movements inside our homes. There was news this week that smartphones with a certain Chinese chip have been sending every keystroke back to somebody in China.

All of this has to be making the average Internet user uneasy. And that makes me wonder if there is not a product of some sort that smaller ISPs can offer to customers that can make them feel safer on the web.

Savvy Internet users already take steps to protect themselves. They use ad blockers to reduce cookies. They use browsers like DuckDuckGo that don’t track them. They use encryption and visit sites using HTTPS. They scrub their machine regularly of cookies and extra and unidentified files. In the extreme some use a VPN to keep their ISP from spying on them.

Small ISPs are generally the good guys in the industry and don’t engage in the practices used by AT&T, Comcast and Verizon. I know some small ISPs that try to communicate to their customers about safety. But I think safety is now one of the biggest worries for people and I think small ISPs can do more.

Customers can really use the help. It’s easy to assume that customers ought to understand basic safety procedures, but the vast majority of them load some sort of virus protection on their PC the day they buy it and never think of safety again. They repeatedly do all of the bad things that lead to trouble. They open attachments on emails. They don’t update their software to have the latest security patches. They use social media and other sites without setting basic privacy filters.

I think there is an opportunity for small ISPs to be proactive in helping to make their customers feel safer, and in the process can create more loyal customers. I think there are two possible ways to undertake this. One is an intensive education campaign to inform customers about better web practices. I’m not talking about the occasional safety reminder, but instead a steady and concentrated effort to tell your customers ways to be safer on the web. Brand yourself as being a provider that is looking out for their safety. But don’t pay it lip service – do it in a proactive and concentrated way.

I also think there is a space for a ‘safety’ product line. For example, I have clients who run a local version of the Geek Squad and who repair and maintain people’s computers. It would not be hard to expand on that idea and to put together a ‘safety’ package to sell to customers.

Customers could have a service tech come to their home for a day each year and you could ‘fix’ all of their safety weaknesses. That might mean installing ad blockers and a spyware scrubber. It would mean updating their browsers and other software to the latest version. It could mean helping them to safely remove software they don’t use including the junkware that comes with new computers. It might include making sure they are using HTTPS everywhere. It also might mean selling a VPN for those who want the highest level of security.

I have clients who have been selling this kind of service to businesses for years, but I can’t think of anybody who does this in any meaningful way for residential customers. But since the web is getting less safe by the day there has to be an opportunity for small ISPs to distinguish themselves from larger competitors and to also provide a needed service – for pay of course.

The Battles for the Internet

The InternetIt’s always interesting to think about how the Internet might change in the future and what it might become. It’s likely that the outcome of several current industry battles will determine the Internet we have five and ten years from now. Each of these conflicts is important in its own right; taken together they add a lot of uncertainty about where we are headed.

Ad Blocking vs Advertisers: One fairly recent battle is between ad blocking technology and those who make a living through web advertising. Today much of what we think of as the free internet is paid for through advertising placed on web pages. Very few people like the ads on the Internet, particularly as they get more customized and individualized and are aimed at each of us personally.

But a really large portion of the things that most us like on the web are paid for by ads. That includes things like social media sites and news services. Right now the ad blockers are gaining the upper hand. I saw a recent report that over 200 million users worldwide are now using ad blocking software, and it’s growing fast. And companies like Apple are building ad blocking into their OS, probably in an attempt to poke a stick in the eye of some of their other large rivals.

If advertisers don’t figure out a way to fight back, then the revenues that can be made on the web will be on a fast and downward spiral, and that is going to effect a lot of web businesses. But advertisers are already working on ways to punch through ad blockers and so this is likely to morph into a continuous cat and mouse game as the two sides each get the upper hand at times.

Hackers vs Web Security: For the last several years large companies have sat nervously in the crosshairs of the hackers who are working hard to take them down. But to a large degree a lot of the tactics used by hackers in the past have been defeated by web security companies and it’s no longer easy to breach firewalls by brute force. But hackers are probably more successful than ever today because they have shifted tactics and now concentrate on tricking insiders to let them into a network.

This is a critical battle, and big companies look at what happened to Sony and they now understand how devastating it can be to lose control of their network. The companies that fight hacking are getting better all of the time and they will find ways to beat the current tactics deployed by the hackers. But unless we someday migrate to a web run by a superintelligent AI, it’s likely that this battle is going to go on for a long time.

Surveillance vs Encryption: The NSA revelations opened a lot of eyes about how vulnerable we all are to surveillance. We now know that governments can gather huge amounts of information about us, and many people are worried about how access to our data is going to lead to a government abuse of power. But perhaps even worse is that large corporations are gathering data about us, too, and unlike the government they are more likely to immediately put that knowledge to use.

But there is a counter-movement working to make us safer against surveillance. This involves encryption but also in developing safer ways to communicate such as through bit-chains. Surveillance relies on being able to capture data at central nodes, and so perhaps having an Internet that no longer uses centralization will reduce the amount of knowledge that can be gained from us. Ideally, the outside world would only learn what we choose to give out about ourselves, but for now the surveillance forces are winning this battle.

Open Internet vs State-specific Control. Sparked by those same NSA revelations we now see governments looking at ways to protect their citizens and themselves from outside surveillance. China has already done this in an extreme way and it looks like Russia might be headed down the same path as China. But half of the countries in Europe are looking at ways to keep the data generated in their country safe within their country. If we end up with an Internet that is different in each country, with pockets behind different firewalls, we will have killed much of what is great about the current Internet.

I don’t think anybody can predict where each of these trends are going with any certainty, and it’s hard to say how the various battles affect each other.  There is a big chance that the Internet of ten years from now will be a very different place than today. There will be some ugliness along the way and we are going to keep seeing major hacker success bringing down companies. But none of these issues is insoluble and there is also the chance that over time we will end up with an Internet far safer than today’s.

Security and the IoT

One of my regular readers, Zora Lopez, created the document below that lists a lot of interesting facts about the current state of security and the Internet of Things. Her diagram stands pretty well on its own and so I won’t describe it, but there are a few facts on the diagram that I find very interesting:

  • Looking out to 2020 is shows that consumer IoT is only a small slice of the total market. I’ve seen comments asking if the IoT industry can be successful by selling smart thermostats. The answer is that they don’t have to, and the industry is much larger than that and mostly driven by businesses.
  • There are already almost 5 billion IoT devices connected across the world, nearly one for every person on the planet.
  • One scary thing on the list is the black market value from stealing personal data. An older credit card number is worth $5 on the black market while a newly issued one is worth $32. Bank accounts and Paypal account info is worth $27. These numbers show why it pays to be a hacker.

Security and the Internet of Things
Source: ComputerScienceZone.org

Latest on Security Breaches

DARPA_Big_DataIn one of the more interesting reads this year, Verizon recently released its 2015 Data Breach Investigative Report, which can be downloaded at this link. Verizon works with seventy security firms from around the world to compile and document major security breaches. This report is fascinating and provides both the big picture of how the bad guys are attacking us, as well as interesting statistics about the details of the attacks. I highly recommend the report if you have a spare hour.

The report looks at nearly 80,000 security incidents including 2,122 confirmed security breaches in the last year, many of which hit the news. One thing that Verizon saw was that almost all of those breaches (96%) were the result of nine different types of attacks used by hackers. Those nine types of attacks are: point-of-sale intrusions, payment card skimmers, crimeware, web app attacks, denial-of-service attacks, physical theft, insider misuse, cyber-espionage, and miscellaneous errors.

The most common external cause of major breaches last year was from attacks by web applications (things like phishing and malware), which caused 458 breaches. This was followed by attacks on point-of-sale systems in stores which caused 419 breaches and attacks by state-sponsored espionage units which accounted for 290 breaches.

Some of the statistics in the report are really interesting:

  • A little more than 20% of breaches come from inside an organization where an employee or trusted contractor steals credit card numbers or corporate secrets. This percentage has remained consistent since 2010.
  • In 2010, over 95% of attacks came from compromised credentials (somebody stealing login information from employees and using it to gain entry to systems) or spyware of some sort. In 2014, the threat from direct spyware has largely disappeared as a corporate threat and companies are getting good at combatting common malware from the web. But the bad guys have changed tactics and the two new major malware threats are from RAM scraping and phishing. (RAM scraping is using malware to steal unencrypted credit card data in the few milliseconds between the time that a credit card is swiped at a retail location and the data is encrypted).
  • Verizon’s study shows that 23% of recipient employees in businesses open phishing messages and 11% click on the infected attachments. Nearly 50% of phishing emails are opened within the first hour of receipt. The three big groups within companies that fall prey to phishing are communications, legal, and customer service. Unfortunately it often only takes one phishing breach to infect a network.
  • Hackers are really good at what they do and in 60% of the breaches they were inside company systems within minutes of the onset of the attack.
  • Sadly, almost all of the exploited vulnerabilities happen after the industry as a whole has found a way to block or patch against the threat, with many of these breaches coming a year or more after a patch was created. There is obviously a big gap between the fixes being developed by security experts and the time it takes to get these fixes into business systems.
  • The shelf life of the vast majority of malware is about a month. Within that time a way to block the malware is developed and distributed to the companies that scrub web traffic on the Internet before it gets to end users. But there are always tons of new malware, and it’s a constant battle between hackers and security companies.
  • There are still very few effective hacks against cell phones. Verizon estimates that only 0.03% of cellphones are infected with truly malicious software.
  • There is a big difference in the amount of malware aimed at different industries. For instance, the average financial institution sees 350 malware attempts per day, the average retail location sees 801 and the average education location sees 2,332. A lot of malware is very specific to an industry or even to a specific location.
  • The industry has touted the cost to a business for a compromised record at $0.58 per record. This was calculated by looking at insurance claims and is conservative since very large companies often self-insure. Verizon estimates that the true cost to a business is between $52 and $87 per compromised record. The bigger the breach, the larger the cost per compromised record.

The main thing I get from this report is a reminder each year of how many bad guys there are in the world trying to steal credit card numbers, corporate data, and other valuable information. It’s also interesting to see over time how the methods of attacking networks change in the never-ending cat and mouse game between hackers and security systems. It’s also interesting to look through the list of the companies who participate in this report since they are the Who’s Who of Internet security around the world.

Can There Be a Safer Internet?

Supporters hold yellow umbrellas as Hong Kong student leaders arrive at the police headquarters in Hong KongI probably feel very much like most people in that the Internet is feeling less and less safe to use. Viruses have been around a long time, but once you learned to not open emails you didn’t recognize, that risk became somewhat minimal. But now you can get viruses just by opening a web site that has corrupted ads. I know this because I got three such viruses a few weeks ago.

But that’s not even the scary part since I can generally scrub viruses from my computer. There are far worse risks than viruses today. To start with, there are the people who are sending malware and then holding your computer hostage until you pay them (and who then, apparently, still don’t fix your machine).

And it appears that everybody is spying on us. Edward Snowden has shown us numerous ways that the NSA is watching us. I literally get dozens of new tracking cookies on my computer every day from commercial companies that want to track me somehow. And every large web company is apparently gathering data on us, including companies like Facebook and Google along with most of the apps we put onto our smartphones.

But since my work depends on using the Internet, and since it also has become one of my major sources of entertainment, I am not likely to abandon the Internet due to lack of safety. I do what I can to be safe, but I doubt it makes much difference. I scrub my machine every day from tracking cookies and I use browsers that supposedly don’t track me. But my guess is that those two things make almost no difference for protecting my computer or my privacy.

The biggest problem, aside from every web entity trying to build a profile on me, is that the entire web is based upon a model where everything we do winds up somewhere at end points that cannot be made safe. Everybody is touting encryption as a way to stay safer on the web, but every encrypted message end up at a machine somewhere that decrypts it, and it is the end computers and servers that are the weak points in the Internet. Your data is stored on servers that are out of your control, and your safety relies on the people running those servers to be safe. And we all know that hackers are breaking into servers every day, and it may even turn out that there are back door spying keys built directly into most server software.

There are experts who say that the lack of safety might kill the Internet. We are incredibly reliant on companies that we don’t know to keep our data safe – and we have seen that both hackers and nefarious insiders can compromise almost any company. If the hackers win the war then it will become too unsafe to buy anything over the web (or even give your credit card numbers to vendors in some other manner if they are going to keep the info on their servers).

But there are alternate models of the Internet that might offer solutions. One of these is known as a block chain. Block chains are a decentralized system of communication that lets end users communicate directly with each other without having to go through the normal centralized servers. The block chain technology is most well known as the basis of Bitcoin and other cryptocurrencies. There have been numerous articles and papers written about the wild swings in Bitcoin pricing, but that has to do with basic economics rather than the underlying technology that allows the transactions.

In a block chain network, each member of the network has a copy of the software that identifies them as part of a particular block chain. Before communication is allowed between any two members of a block chain the identity of each party must be verified by somebody else who is part of the chain. With such verification the communication is allowed. The process is slow compared to normal web transaction, perhaps 10,000 times slower than a normal text or email. But it is safe. The steps needed to operate a block chain are as follows:

  1. New transactions are broadcast to all nodes.
  2. Each node collects new transactions into a block.
  3. Each node works on finding a difficult proof-of-work for its block.
  4. When a node finds a proof-of-work, it broadcasts the block to all nodes.
  5. Nodes accept the block only if all transactions in it are valid.
  6. Nodes express their acceptance of the block by working on creating the next block in the chain, using the hash of the accepted block as the previous hash.

There are already some examples of block chains being used for communications other than financial ones. For example, the protesters in Hong Kong last year established a block chain so that they could communicate with each other without Chinese government oversight.

There are new companies that want to use block chains to bring safety into other types of communications. For example, Codius is using block chains to provide safe online legal transactions. This provides a way for parties to safely sign contracts without having to exchange paper. Ethereum is working on a block chain technology that could be used as the basis for any kind of communication. They think their platform could be used for things like private chats, private emails, and even safe web searches.

One can envision many other uses for using block chains to create safe communications among specified groups of users. That might be a corporation and its employees, all of the students in a given dorm, or just about any group that wants safe communications. Such a closed system would provide for secure and private communication within the block. It’s not a total solution, but it’s a start.

I Hate Passwords

123456I honestly hate passwords. It seems like every site that I register with has some slightly different rules for what constitutes an acceptable password. Having different passwords drives me crazy because my brain can remember things like phone numbers, but passwords seem to elude my memory.

And now I have been reading that the rules on the various sites having to do with password safety are largely in vain anyway since it’s now pretty easy to crack the kinds of passwords that most sites require you to create. I suspect that these sites all know this, but they put you through the effort to come up with an acceptable password to give you a false sense of security.

We all know what good passwords are supposed to be. They must be eight or more characters, with a mix of upper and lower case letters, numbers, and symbols. They should not include any word used in a dictionary including silly substitutions like using ‘!’ instead of the letter L. And you are not supposed to repeat passwords on multiple sites.

And so we sit at each new web site (and it seems that everybody wants you to create a password these days) and we cook up some dumb new combination that we are never ever going to remember just so we can shop for tea or read a news article. We try combinations until the site takes it and also shows us a nice green bar to prove that our new password is a safe one.

But this is more or less a waste of time. The bad guys who crack passwords also know all of these rules and the rules actually make it easier for them to crack your password. It doesn’t seem like somebody ought to be able to crack a password like aN34%6!bJ, but they can, and fairly easily. (Have I mentioned yet that I also hate sites that make me pick stupid passwords?)

Of course, it’s even easier to crack the really stupid passwords. For yet another year ‘123456’ is still the most commonly found password followed closely by ‘password’. But let’s face it, anybody using those is not really caring too much if they get hacked or if somebody deletes their Pinterest page or sees the news articles they have saved.

So how do hackers crack our passwords so easily? They get a surprisingly large number of them directly from people through phishing. People type their passwords into fake websites all of the time and then are dumb enough to also type in credit card numbers or bank account numbers when asked. There is not much more advice about that other than – don’t do it! You are much better off if you are like me and you don’t even know your bank account number! (But luckily my wife does).

But hackers also get millions of passwords by breaking into commercial sites and stealing their password and account files. This lets hackers get access to huge numbers of passwords at the same time. Almost all websites save passwords using an encryption algorithm. A simple password like dog might be saved as a 30-digit mix of letters and numbers called a ‘hash’. When web sites are hacked and the bad guys make off with millions of passwords, they don’t get your actual passwords, but a file of these encrypted hashes.

Hackers then attack the pile of hashes with computers that can look at billions of cracking attempts per second as they try to reverse engineer the algorithm used to create the hashes. They start with all of the easy-to-crack passwords like ‘123456’ which will turn up multiple times in the pile. Eventually they figure out the algorithm and then they can figure out many of the passwords in the file they have stolen.

I say many passwords, because it turns out that there is one set of passwords that is harder to crack than most. It comes from stringing together long chains of nonsense words that you can remember but that are not commonly used together. For instance if your password is ‘frogflatchevydog’ to memorialize the day you ran over a frog and then your dog sniffed it, then such a password is much harder to crack than a normal one. No password is impossible to crack, but the amount of effort required to crack the above password might take somebody a hundred hours more effort than cracking easier passwords, and it’s likely that nobody will put in the effort unless they really want you specifically.

Keep in mind that you can’t string together any common phrases that can be tested easily. For example, allmimsyweretheborogoves’ is relatively easy to crack because it’s all over the Internet since many people love Lewis Carroll books. Cracking programs search for billions of common phrases that they find on the Internet, meaning you probably can’t now use my great password suggestion about the flat frog.

Hopefully we are soon moving to a day when we won’t need any passwords. There has to be something better, which would be a combination of multiple biometric readings from your own body. Hackers have already shown that they can crack a one-layer biometric password like a fingerprint. But it gets mathematically nearly impossible to crack a system that uses multiple biometric readings simultaneously. So the ultimate password is eventually going to be you. That is a password I can finally like.

Should an ISP Offer Fast Upload Speeds?

Speed_Street_SignOne question I am often asked is if clients should offer symmetrical data speeds for residential customers. I’ve noticed lately a number of fiber networks that are advertising symmetrical speeds, and so this option is gaining some market traction. This is not an easy decision to make and there are a lot of different factors to consider:

The Competition. Most fiber networks are competing against cable networks, and the HFC technology on those networks does not allow for very fast uploading. The number one complaint that cable companies get about upload speeds is from gamers who want fast low-latency upload paths. But they say that they get very few other complaints from residential customers about this issue.

So this leads me to ask if residential customers care as much about upload speeds as they do download speeds. I know that today that household use the bulk of their download capabilities to view video and there are very few households that have the desire to upload videos in the same manner or volume. One of the questions I ask clients is if they are just trying to prove that their network is faster. Because to promote something heavily that most customers don’t care about feels somewhat gimmicky.

Practical. At the residential level there are not many users who have enough legal content to justify a fast upload. There are a few legitimate uses of uploading, but not nearly as many as there are for downloading. Some of the normal uses for uploading include gaming, sending large files, sharing videos and pictures with friends and family, doing data backup and other related activities into the cloud. But these uses normally do not generate as much traffic as the download bandwidth that is used by most households to watch video. And so one must ask the practical question if offering symmetrical bandwidth is just a marketing ploy since customers are not expected to use the upload nearly as much as they download.

Cost. Another consideration is cost, or lack of cost. A lot of ISPs buy symmetrical data pipes on their connection to the Internet. To the extent that they download a lot more data than is uploaded, one can almost look at the excess headroom on the upload side as free. They are already paying for that bandwidth and often there is no incremental cost to an ISP for customers to upload more except at  the point where upload becomes greater than download.

Technical. One must ask if allowing symmetrical bandwidth will increase demand for uploading over time. We know that offering faster download speeds induces homes to watch more video, but it’s not clear if this is true in the upload direction. If uploading is stimulated over time then there are network issues to consider. It requires a more robust distribution network to support a network that has significant traffic in both directions. For example, most fiber networks are built in nodes of some sort and the fiber connection to those nodes needs to be larger to support two-way traffic than it would be if the traffic is almost entirely in the download direction.

Bad Behavior. One of the main arguments against offering fast upload speeds is that it can promote bad behavior or can draw attention from those with malicious intents. For example, fast upload speeds might promote more use of file sharing, and most of the content shared on file sharing sites is copyrighted and being illegally shared.

There has always been the concern that customers also might set up servers on fast connections that can upload things quickly. And one of the few things that requires a fast upward connection is porn. So I’ve always found it likely that having fast upload connections is going to attract people who want to operate porn servers.

But the real concern is that fast networks can become targets for those with malicious intent. Historically hackers took over computers to generate spam. That still happens today, but there are other more malicious reasons for hackers to take over computers. For instance, hackers who launch denial of service attacks do so by taking over many computers and directing them to send messages to a target simultaneously. Computers are also being hijacked to do things like mine bitcoins, which requires frequent communication outward.

One would think that a hacker would find a computer sitting on a network that allows 100 Mbps or 1 Gbps upload to be worth a whole lot more than a computer on a slower network. And so they might well be targeting customer on these networks.

What this all means to me is that if you offer fast upload connections that you ought to be prepared to monitor customer to know which ones upload a lot. If such customers are operating server businesses they might be directed to use business products. Or you can help them find and remove malware if their computers have been hacked. But I find the idea of allowing fast uploads without monitoring to be dangerous for the ISP and for customers.