Your Online Security Questions Probably Aren't Doing Enough
Setting up a new online account often involves choosing and answering security questions. Where did your parents meet? What was the name of your first pet? And the classic: What is your mother's maiden name? You've probably experienced how annoying these questions can be. Either your answers seem pretty easy to figure out or you choose questions whose answers are too tough for you to remember. A new study from Google shows that—surprise!—this tension is exactly what makes security questions problematic.
Researchers analyzed hundreds of millions of security questions and answers from millions of Google account recovery attempts. (Your personal data at work!) They found that answers are often pretty easily guessable, but that when a service asks multiple questions to strengthen security, users are less likely to successfully recover their accounts.
For example, attackers could answer "What is your favorite food?" in one try 19.7 percent of the time. (Pizza, duh.) But with a stronger question like "What is your first phone number?", users could only successfully recall their chosen answer 55 percent of the time.
With a number of questions, like "What is your father’s middle name?" for Spanish speakers, the researchers also calculated how likely an attacker would be to guess the answer after 10 tries (21 percent chance in that case). Many websites limit the number of tries to three or four to try to eliminate this extensive guessing from a bad actor. But that doesn't mean the same attacker couldn't continue guessing on a different account that asks the same security question.
"Secret questions have long been a staple of authentication and account recovery online. But, given these findings its important for users and site owners to think twice about these," the researchers wrote. They suggest that site owners implement other recovery approaches, like authenticating through a secondary email address or texting codes to a cellphone.
Security questions aren't useless, but you probably already knew intuitively that they had drawbacks. It's nice to see some research back that up.
A Makeover for New York’s Iconic, Ancient, Smog-Spewing Food Carts
There are 5,000 licensed food carts in New York, and they’re as much of an urban icon as the MTA’s subway signage or the Chrysler building. Too bad they’re killing the planet.
It’s not the food—the grub is OK, if not exactly slimming; it’s the gas generators powering the carts. Most food carts run off a diesel generator that’s designed to run only a few hours. Vendors run them for stretches of up to 14 hours, leading to a high output of greenhouse-gas emissions such as carbon monoxide, nitrous oxide, and particulate matter. You can see the smoke with the naked eye, but the hard facts are even more frightening: The research and consulting firm Energy Vision found that each cart produces the same amount of nitrous oxide as 186 cars on the road.
A new pilot program between the city and a Queens-based company called MOVE Systems aims to cut down on that pollution by at least 60 percent. For the past year, MOVE has been fine-tuning a new kind of food cart—called the MRV100—that’s powered by a mix of battery-generated electricity and solar energy, instead of dirty gas. The plan calls for getting a fleet of 500 new carts up and running by the summer of 2016, with the first 100 slated to roll out this summer.
The basic design of a food cart—distinguished from a food truck by its size and how easy it is to drive it, operate it, and park it—hasn’t seen much of an upgrade since the 1970s, when the city stopped issuing permits for new carts. (The scarcity of permits has spawned a black market that drives up the price for legit permits, similar to the illegal system of taxicab medallions.) Without new permits, there was little incentive to improve the kiosks. Plus, the EPA didn’t even outline emissions standards for generators until 2000.
For a 40-or-so-year-old design, the typical food cart is actually pretty sturdy and resilient. “The quality is surprisingly good,” says Michael Dubrovsky, a co-founder of Simply Grid, which merged with Mobile Vending Natural Gas a year ago to form MOVE Systems. It’s good enough that MOVE initially planned to retrofit existing food carts with products akin to electric vehicle chargers, rather than manufacturing an entirely new line of carts. Then they took a closer look under the hood to discover that none of these carts has the same design. “Each one is made artisanally in Queens and Brooklyn, at what we call chop shops,” Dubrovsky says. “Each one has different compartments, the plumbing is not up to code, so by the time you rip all that out, all of a sudden you’ve put liability on yourself.” So MOVE had to scrap the magpie carts and start from scratch.
The new MRV100 looks more like a compact, boxy Airstream than a rickshaw. It’s made of stainless steel, has rounded corners, and is about five feet wide by ten feet long. Besides the photovoltaic panels on the roof, the cart has a quieter hybrid compressed natural gas generator that charges an on-board battery, which can power the cart about half the time, giving the generator a break. MOVE plans to issue three different tiers of battery storage, so that a smoothie vendor running an energy-sucking blender can tap into more stored energy than one who’s flipping crêpes.
The MRV100 will also be equipped with small Internet-enabled computers featuring GPS and a range of sensors, including for fuel pressure and food temperature. At the moment, these monitoring stations will be used by the cart owners, rather than the vendors, to make sure things are running smoothly. Down the line, MOVE imagines that the new technology will provide information that vendors can use to tailor their menus and point-of-sale systems. And to preserve the quality of the carts for as long as possible, the chassis of the MRV100 is bolted, not welded, on. Because New York is a coastal city, the salt in the air can easily damage the metal on the trucks. Replacing the bottom on the older, welded-together models can cost thousands of dollars and take days; with the new ones, it’s a quick repair.
One hundred of the first carts will be funded by MOVE and reserved for disabled veterans, and the remaining 400 will go to vendors who sign up—at no cost to them, because the pilot program will be sponsored. (MOVE says they are still reviewing sponsors and advertisers and have yet to make a selection.) Vendors will still have to shoulder the costs of the compressed natural gas fuel (but not Internet connectivity), but Energy Vision’s report also suggests that running a food cart on grid power could save $5,200 a year in energy charges.
Overall, MOVE’s objective is to make the MRV100 feel more like a restaurant than a hot-dog stand. Besides the sheer fact that they’ll be shiny and new, the MRV100 carts will allow for hundreds of kitchen-equipment configurations (the MOVE guys imagine chef partnerships down the line) and make better use of bigger, transparent windows, so customers can see more of the food and how it’s being prepared—upping both their trust and the vendor’s pride in his preparation. “I can’t imagine serving gourmet quinoa out of the older carts,” Dubrosky says.
Also in Wired:
Who Owns the Software in the Car You Bought?
Buying a car is supposed to be a satisfying feeling. You've paid for the thing, and now you can do what you want with it. Right? If only it were so simple.
General Motors and John Deere are both claiming in hearings with the U.S. Copyright Office that even when someone buys a car, the software that coordinates how everything moves is customized and subject to copyright protection. Their argument is that since the vehicles can't run without this special software, customers are subject to an "implied license."
In a hearing about the Digital Millennium Copyright Act on Tuesday, GM attorney Harry Lightsey told the copyright office that, “It is [GM’s] position [that] the software in the vehicle is licensed by the owner of the vehicle.”
John Deere explains it this way:
In the absence of an express written license in conjunction with the purchase of the vehicle, the vehicle owner receives an implied license for the life of the vehicle to operate the vehicle, subject to any warranty limitations, disclaimers or other contractual limitation in the sales contract or documentation.
The big battle here is over who should be able to access the electronic control units that turn software commands into physical actions for things like steering and braking. Not only does access provide people a window into a car company's proprietary code, it also allows independent mechanics and hobbyists to fix the cars. The copyright office is weighing an exemption that would allow these third parties to continue repairing cars. But GM and other car companies are going to great lengths to defeat the exemption.
Proponents of it, like the Electronic Frontier Foundation, argue that restricting access could stifle competition and impede innovation. In Wired, Kyle Wiens argues that vehicle manufacturers could undermine the basic concept of ownership. But there are also safety concerns about letting anyone access and modify car code. People who don’t know what they're doing—or even just make mistakes—could make a car dangerous to drive without realizing it. And if a car were sold used, it would be difficult for the new owner to detect any software changes.
Jacqueline Charlesworth, general counsel for the U.S. Copyright Office, told AutoBlog, "That's a troubling prospect that in an ordinary used-car transaction you have to be worried about whether there's been a software modification."
The copyright office will hold a second hearing on the subject next week and plans to make a determination in July. Car software really is the ghost in the machine.
Pranks on Google Maps Keep Getting More and More Racist
First it was Edward Snowden in the White House. Then it was the Android robot peeing on the Apple logo. For weeks Google has been scrambling to clean up pranks caused by flaws in the open source component of Google Maps. But even now that the company has disabled its Map Maker feature, people are still discovering inappropriate changes.
Searching for the N-word in Maps brought users to the White House, with historically black college Howard University and the U.S. Capitol building as other results. Searching “f--k ni--ers” also brought up the Capitol and “ni--er university” also produced Howard.
Beyond the racial slur, “c--t house” was also redirecting to the White House, and “shit hole” was set to bring users to different places based on their locations. You get the idea.
Meanwhile, searching “why can’t we be friends” brings up American University Washington College of Law.
A Google spokesperson told the Verge in a statement that, “Some inappropriate results are surfacing in Google Maps that should not be, and we apologize for any offense this may have caused. ... Our teams are working to fix this issue quickly.”
The company does seem to have cleaned most of these problems up, but it wouldn’t be surprising if Internet users discover a few more pranks hiding in Maps. Crowdsourcing maps data is a great way to improve accuracy, but it’s also an open door for hate speech and other bigotry. Hopefully Google is working on improving its screening system for submissions.
Update, May 22 2015, 11 a.m.: A post on the Google Maps blog explains that searching for offensive phrases was showing particular locations (rather than just returning nothing) because of the way that Maps automatically uses forums and discussions to make inferences. Based on how people talk about certain places or how often a phrase and a place name show up together, Maps draws connections. As a result, along with the problems with pranks, racist and sexist comments from around the Web were fueling the inappropriate Maps results. Jen Fitzpatrick, Google vice president of engineering and product management, wrote:
Like many of you, we were deeply upset by this issue, and we are fixing it now. ... Our ranking systems are designed to return results that match a person’s query. For Maps, this means using content about businesses and other public places from across the web. But this week, we heard about a failure in our system—loud and clear. ... Simply put, you shouldn’t see these kinds of results in Google Maps, and we’re taking steps to make sure you don't.
It seems pretty obvious that if your algorithms are going to be pulling in data from around the Internet, there should be screening against the hate speech we all know is out there. Other than a few locations with problematic names, there's no reason the N-word should ever even be relevant to a mapping and directions feature.
1.1 Million Customer Records Compromised in CareFirst Insurance Hack
For CareFirst BlueCross BlueShield, the road to hell was paved with good intentions. Recently, while making cybersecurity upgrades, the company discovered that it had actually already been breached—in June 2014.
1.1 million current and former customers were affected by the hack, and CareFirst has 3.4 million current customers. The company, which offers coverage in Washington D.C., Virginia, and Maryland, says that hackers compromised one of its databases and may have had access to user names, member IDs, legal names, birthdays, and email addresses. Medical records, credit card numbers, and social security numbers weren’t affected.
Cybersecurity consulting firm Mandiant did not find evidence of other breaches on the CareFirst network, according to the insurer. The company is forcing all affected users to set up new accounts (new user names and passwords) and is offering two free years of credit monitoring. The incident isn’t on the scale of the Anthem breach, disclosed in February, which affected 80 million customers, but it shows that even companies taking action to protect themselves may be behind the curve.
NSA Wanted to Lurk in Google and Samsung App Stores to Spread Malware, Misinformation
The National Security Agency, working with international surveillance bodies, developed plans to infiltrate popular online app stores so it could covertly install malware on scores of smartphones. This revelation comes from a document obtained by Edward Snowden and parsed by CBC News and the Intercept.
The slide presentation lays out a plan, developed in 2011 and 2012, to track the movement of data on the physical infrastructure of the Internet by determining how and where smartphones connected to the Google and Samsung app stores. The group wanted to use this information to position itself to launch man-in-the-middle attacks (in which the operative lies in wait on the path that data take between an origin server and a receiver). The idea was that as Samsung and Google users downloaded apps, they would also be downloading surveillance malware without knowing it. The program was dubbed "IRRITANT HORN."
Agents working on the covert initiative were part of the so-called Network Tradecraft Advancement Team, and they came from the “Five Eyes” surveillance collaboration of Canada, the United Kingdom, New Zealand, Australia, and the United States. As the Intercept points out, other documents have indicated that the “Five Eyes” developed surveillance malware for broad distribution, but it wasn't clear how the alliance had planned to spread it.
In addition to discussing the propagation of surveillance software, though, the new document also describes efforts to place messages and other communications data on smartphones. The group wanted to send “selective misinformation to the targets’ handsets” to, among other things, confuse adversarial intelligence agencies. The document even describes efforts to access Samsung and Google's app stores as a way of collecting information on the companies' customers.
The efforts seem to have been targeted at preventing “another Arab Spring” by having access to consumers' smartphones, knowing their habits, and being able to spread messages. The slide show describes one of the team's goals as collecting “usable knowledge about how to acquire intelligence FROM the network.”
Netizen Report: Young Political Cartoonist on Trial in Iran
The Netizen Report offers an international snapshot of challenges, victories, and emerging trends in Internet rights around the world. It originally appears each week on Global Voices Advocacy. Ellery Roberts Biddle, Mohamed ElGohary, Hae-in Lim, and Sarah Myers West contributed to this report.
Iranian activist and artist Atena Farghadani is facing charges of spreading propaganda against the system and insulting members of parliament and the supreme leader for a cartoon she drew and published online depicting Iran’s members of parliament as animals voting on a law that would restrict women’s access to contraception. Atena has been held in solitary confinement for prolonged periods since her arrest in August 2014 and went on a hunger strike to protest prison conditions three weeks after her second confinement. Amnesty International is leading a call to action in support of Atena.
Bahraini activist back to prison over tweets
A Bahraini court upheld a six-month sentence for Nabeel Rajab, president of the Bahrain Human Rights Centre, for comments he made on Twitter criticizing police defectors who joined ISIS. He may face a longer jail term pending an investigation for other tweets.
PayPal blocks donations for Russian opposition report
Electronic payment service PayPal has blocked an account that sought to collect donations to print a report written by late opposition politician Boris Nemtsov presenting evidence of Russia’s involvement in the conflict in eastern Ukraine. According to PayPal’s support team, PayPal does not allow “any political parties or political causes in Russia to receive donations due to the complexity of complying with local rules which require validating the identity of users.” It is unclear how it defines “political causes” or whether these rules apply to accounts registered in other countries.
Hacking is illegal in Britain (unless you’re the government)
The British government may have changed its anti-hacking laws to ensure that government intelligence and law enforcement agencies are exempt from criminal prosecution. According to London-based advocacy group Privacy International, changes were made to the Computer Misuse Act shortly after Privacy International and seven Internet service providers began a legal challenge to the government’s use of computer hacking to gather intelligence, claiming it was unlawful under the act. In response, the U.K. Home Office said there have been no changes made to the act that “increase or expand” authorities’ investigatory powers.
Belgium slams Facebook over unauthorized tracking
Belgium’s Privacy Protection Commission lambasted Facebook for disregarding European privacy laws by tracking users without prior consent and for dodging inquiries from regulators. According to Reuters, the commission urged Internet users to install privacy software to protect themselves from Facebook’s tracking systems, whether or not they have a Facebook account (which is good advice all around).
- “Freedom of Expression, Encryption and Anonymity: Civil Society and Private Sector Perceptions”—Web Foundation, CIHR, ITS Rio, Derechos Digitales
- “A Chatty Squirrel: Privacy and Security Issues with UC Browser”—Citizen Lab
- “Inside Google’s Secret War Against Ad Fraud”—AdAge
Delta’s New Safety Video Is Painfully Bad. Here, Watch It.
It’s hard to even know where to begin. Basically, don’t do this. Delta Airlines just released a new safety video to show at the start of its flights, and it’s crammed with meme references. The goal is presumably to get people to listen to the safety instructions while also trying to make the airline seem cool and likable. But it’s all just too much.
The problem is that memes are inherently fickle, and invoking one for corporate promotion is like using someone else’s wand. The sacred means of participating in a meme is simply to share it for the lols. If you clearly have an agenda, you are breaking this unspoken pact.
Slate staff reactions to the video included: “weak sauce,” “how does it take SIX MINUTES to communicate this information” (though the video is actually five minutes long), and “it sullies everything pure about the Internet.” To the second point, even though other successful safety videos have been in the five- to six-minute range, the Delta video does seem to drag. It feels like the meme jokes are just slowing it down instead of keeping things moving.
Another issue is that the meme re-enactments seem off. The “Charlie Bit My Finger” impression is all over the place, the cat on a Roomba in a shark costume looks bored instead of intent on destroying everything in its path, and the screaming goat just has so much unused potential. Also, Delta apparently didn't get the memo about the growing collective desire to never speak of or reference the Harlem Shake again.
It’s always fun to be in on a joke, and it’s occasionally possible for a large corporation to prove that it really does have its finger on the pop culture pulse. But for the most part, being a huge company (especially one that we trust with our lives as our bodies hurdle through thin air) means trading cool points for profits. This is why we can’t have nice things.
Internet Providers Said Net Neutrality Rules Would Ruin Everything. Let’s Check in on That.
The telecom industry has long maintained that it supports free and open Internet and wants to protect net neutrality. But when President Obama came out in support of reclassifying broadband as a utility under Title II of the Telecommunications Act and the FCC planned a vote on proposed reclassification rules, Internet service providers (ISPs) had to draw the line.
“We do not support reclassification of broadband as a telecommunications service under Title II,” Comcast wrote in a November 2014 statement. “Doing so would harm future innovation and investment in broadband.” That month Time Warner said, “Regulating broadband service under Title II ... will create unnecessary uncertainty, lead to years of litigation and threaten the continued growth and development of the Internet.” And a July 2014 statement from AT&T said that Title II reclassification “would actually impose barriers to broadband infrastructure investment.”
Notice any common threads?
It’s been almost three months since the FCC voted in favor of Title II reclassification, so things should be falling apart by now, right? But it seems that the new rules haven't been as big of a deterrent as ISPs said they would be. BGR points to a CNBC interview AT&T CEO Randall Stephenson did on Monday. He said, “We’re going to invest around $18 billion this year. That will allow us to deploy a wireless broadband solution to 13 million homes around the U.S.” Yeah, sounds brutal.
Stephenson wasn’t completely ignoring the Title II debate, though. He said AT&T is confident that the courts will strike down the new regulation, and that’s why the company is comfortable moving forward with infrastructure investment. AT&T did cut infrastructure spending in November 2014 after Obama’s net neutrality statement. But the company is less adversarial now, either because its confidence in litigation is well-founded or because it secretly knows that Title II won’t be the end of its profits. After all, any company that also offers landline phone service (like AT&T) is already familiar with operating under Title II regulation.
Verizon CFO Francis Shammo addressed this, perhaps with more candor than he intended, at the UBS Annual Global Media and Communications Conference in December 2014. “This does not influence the way we invest. We’re going to continue to invest in our networks and our platforms, both in Wireless and Wireline FiOS where we need to,” Shammo said. “I mean if you think about it ... we were born out of a highly regulated company, so we know how this operates.” The man makes a good point!
When Verizon announced first-quarter earnings in April, it said that it was working to migrate customers from the copper network to fiber (presumably for both DSL Internet and phone service). Forty-seven thousand users switched during the quarter, and the 2015 goal is to transition a total of 200,000 customers. Verizon is also purchasing AOL for about $4.4 billion. Though the deal has more to do with digital content than physical infrastructure, it shows that Verizon doesn't seem to be anticipating a lean year.
Meanwhile, Comcast announced in April that it is moving forward with rolling out 2 gigabit–per-second connectivity for 1.5 million customers in Atlanta. The Title II debate certainly isn’t over, but things pretty much seem like business as usual since the FCC reclassification.
Should the Internet Trust You? This Browser Extension Will Be the Judge.
Three years ago, in a TEDGlobal talk, sharing-economy guru Rachel Botsman shared her vision of a “reputation dashboard”—a kind of credit report that tracks your online behavior across services like Airbnb, TaskRabbit, and Dogvacay and compiles it into a portable measurement of your trustworthiness. Amassing that data, Botsman proposed, would make reputation into a kind of currency. “In the 21st century,” she predicted, “new trust networks and the reputation capital they generate will reinvent the way we think about wealth, markets, power and personal identity in ways we can’t yet even imagine.”
It’s a compelling vision, but so far it hasn’t been realized. That’s because, as I noted last year, the companies that have amassed the most reputation data aren’t eager to share it. “We’re in an early and competitive stage,” Monroe Labouisse, Airbnb’s director of customer service, told me at the time. “That asset—the trust, the data, the reputations that people are building—is hugely valuable. So I’m not sure why a company would give that up.”
A new company is trying to do an end-run around that intransigence by scraping publicly available information from various sharing-economy services and compiling it into a trust score between 0 and 100. Called Karma, it works as a browser extension—any time you pull up a supported site (which currently includes Airbnb, Craigslist, Dogvacay, Ebay, Etsy, RelayRides, and Vayable) a pop-up window will ask if you want to link your account to your Karma score. That score is calculated by looking at the reviews you’ve received—both the quantitative ratings (the number of stars, for instance) as well as a textual analysis of written comments. Different services are weighted differently; intimate interactions like those powered by Airbnb and Dogvacay are deemed more relevant than relatively anonymous eBay sales, and more recent reviews also are weighted more heavily. The more services you link, the higher your potential score. (Of course, if you’ve misbehaved on one service, your score could fall—but then, you would probably choose not to link it in the first place.) When you peruse a supported service, you’ll see every user’s Karma score superimposed over their listings. It’s a little bit like the sharing economy’s answer to Klout, that notorious Q rating for social media.
Zach Schiff-Abrams, Karma’s co-founder and CEO, says the company has not contacted companies like Airbnb or Dogvacay. But he thinks they will welcome his service, because it will make it easier for new hosts to attract guests, instead of grinding through the first few months as they attempt to build up a bank of positive reviews. “TaskRabbit’s biggest frustration point is the on-boarding process for new Rabbits,” Schiff-Abrams says. “We think that Karma can act as an arbiter to help these people begin to build a reputation much sooner.”
There’s something compelling and simple about this. It ignores all the complicated behind-the-scenes algorithms and processes that companies like Airbnb use to establish reputation and just collects the publicly available result of those processes. According to Schiff-Abrams, this simple hack—going directly to the users rather than through the enterprise—is what convinced VCs like Great Oaks to support them.
These platforms now represent billions of dollars in commerce, and as such they must be extremely wary of bad actors trying to game the system. And Karma’s system, at first blush, looks pretty gameable. Going through the browser makes it easier for Karma to reach users directly, but it also makes it harder to confirm a Karma user’s true identity; if I’m using a friend’s browser, it would be pretty easy to link his or her Karma score to one of my accounts.
There’s also a weakest-link problem here. It’s easy to imagine using Karma as a Trojan horse—building up a high reputation score on a more easily gameable system and then importing that score into the fortress of Airbnb.
It’s precisely to avoid that kind of scenario that Airbnb has invested so much money in its trust and safety division, an intricate and detailed set of algorithms to sniff out sketchy behavior. (If a new listing is getting a lot of positive reviews from the same account, for instance, the algorithm will flag it.) Of course those algorithms impact what gets posted on Airbnb, so in some ways Karma is freeloading off Airbnb’s expensive and painstaking security infrastructure.
Right now, Airbnb insures its hosts up to $1 million, in part because it trusts its algorithm to guard against the most egregious forms of fraud or malfeasance. But if someone is using a Karma score to determine who to rent to, that means that Airbnb is suddenly assuming the risk for a different company’s security mechanisms. It’s hard to imagine Airbnb will go for that, and I’d expect them to insert some language saying that anyone who uses Karma is no longer eligible for the insurance coverage—which would probably be enough to do serious damage to Karma. (Airbnb declined to comment on a product they haven’t had a chance to use yet.)
If this were earlier along in the sharing economy, Karma might have a bit more time to work all this out. Certainly that’s what happened to Airbnb—as it grew, the company realized it had to get more serious about security, and it had plenty of missteps along the way. But now this is a mature market, and I’m afraid it’s a little late for this kind of experimentation. This is a clever approach to a big problem, and it’s frustrating that competitive pressures are preventing it from getting solved. But ultimately I’m afraid that the problems of identity and trust are too complicated and fraught to be solved with a simple browser extension.
Also in Wired: