I, Cringely - The Survival of the Nerdiest with Robert X. Cringely
The Pulpit


Weekly Column

There is No Free Lunch: Change your password NOW!

By Robert X. Cringely

My mobile phone rang this week as I sat in the car rental bus at Baltimore-Washington International Airport. The Caller ID information read only "202." I get a lot of calls that say "unknown" or "restricted," but "202" was a new one for me. Who could it be? Why, the Department of Homeland Security, of course, wondering how I seemed to know so much more than they did about the exact number of illegal aliens in the U.S. Now "Department of Homeland Security" doesn't have the ring of, say, "FBI," but it does make one watch one's words. Surprisingly enough, I was actually able to help the guy.

My position on inquiries of this type, which I actually get a couple times per year, is that I don't reveal sources unless the sources want to be revealed. In this case I went back to the sources of last week's column, asked if they would mind speaking with the DHS, and to my surprise they were perfectly happy to do so. Usually I end up saying "no," but this time was different.

I have written many times about how government is reactive when it comes to technology. We don't make laws in anticipation of emerging technologies but to cope with problems supposedly raised by technologies that have recently appeared. Government is always behind this curve. On some level I find that reassuring. It tells me that despite the NSA listening in to everything I type or say, they'll probably misuse it, or lose it, or chalk up my babblings to some other guy named Cringely or Bob. That view is only confirmed by my now knowing that the DHS -- the folks who are supposed to know all about who is in or out of this country -- has less data to work with than the local credit bureau does. That the department has existed for six years and didn't think until now to try this line of research, well, that astounds me.

With this fact in mind, then, I'll take another stab at improving the data security of all Americans. CHANGE YOUR DAMNED PASSWORDS!! Most people don't do this -- ever. They have one or two passwords they use for everything, often associated with one or two user names. If a system forces a password change they'll move to password B in hopes that when the next move is forced they can move back to password A. If you have an eight-character password that mixes numbers, letters, and non-alphanumeric characters in various combinations of upper and lower case -- in other words a REALLY GOOD password -- I can pretty much guarantee you've been using that exact same password since 1998. People are lazy. People don't want to learn arcane eight-character passwords on a regular basis.

But identity thieves aren't so lazy, especially when they have technology to help them. They can start a sweepstakes website that requires only free registration to win that cruise of a lifetime to Bora Bora. And in doing so the thieves can count on a majority of registrants using a username and password combination that they also use at a lot of other sites, like bank and brokerage accounts. Not only do they never need to award the cruise, they don't even have to break into your bank account to profit from the username/password combo. They just sell that information to another crook.

That crook knows your name, address, and likely username and password. Forty percent of the people in your town use the same bank. Fifty percent of his stolen usernames and passwords are valid. Forty percent of bank customers use online banking. Add this all together and that crook has more than enough information to raid the bank accounts of enough folks to make his day and ruin theirs.

A fake website isn't the only way to accomplish this kind of phishing expedition. There are thousands -- probably tens of thousands -- of web operations that require user sign-ons but do nothing to protect the user database from being stolen by employees. "We're not selling anything," they tell themselves, "so it doesn't matter."

It matters.

Half my credit card accounts now require me to go through an elaborate e-mail validation scheme if I try logging in from a new IP address or from a computer lacking the proper cookie. Half don't require this. The half that do were probably the targets of some huge and successful crime spree -- a spree we never heard of because it was never made public. Billions of dollars are ripped off this way each year from banks and other financial institutions but we never hear about it because that might encourage more crime.
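The step-up check described above, as an added illustration that is not code from the column: a login from an IP address the account has not used before, or from a browser without a valid signed device cookie, is routed to e-mail validation; the server key, account record and IPs are constructed placeholders.

```python
import hmac, hashlib, secrets

# Constructed example: a server-side secret for signing device cookies
# (assumption: kept out of the database and rotated periodically).
SERVER_KEY = b"example-server-secret"

# Constructed per-account record of IPs and device tokens seen on prior
# verified logins. A real site would keep this in its datastore.
known_devices = {"alice": {"ips": {"198.51.100.7"}, "tokens": {"tok-1"}}}

def _mac(username, token):
    """HMAC binding a device token to one account so cookies can't be swapped."""
    msg = f"{username}:{token}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

def issue_device_cookie(username, token):
    """Cookie value is 'token.mac'; the browser stores it, the server verifies it."""
    return f"{token}.{_mac(username, token)}"

def cookie_is_valid(username, cookie):
    """True only for an untampered cookie whose token this account has seen."""
    if not cookie or "." not in cookie:
        return False
    token, mac = cookie.rsplit(".", 1)
    if not hmac.compare_digest(mac, _mac(username, token)):  # constant-time
        return False
    return token in known_devices.get(username, {}).get("tokens", set())

def login_decision(username, client_ip, device_cookie):
    """'allow' for a familiar IP plus valid cookie, otherwise 'email_verify'."""
    record = known_devices.get(username, {"ips": set(), "tokens": set()})
    if client_ip in record["ips"] and cookie_is_valid(username, device_cookie):
        return "allow"
    return "email_verify"

def complete_email_verification(username, client_ip):
    """Once the user proves mailbox control, remember the IP and issue a cookie."""
    record = known_devices.setdefault(username, {"ips": set(), "tokens": set()})
    token = secrets.token_urlsafe(16)
    record["ips"].add(client_ip)
    record["tokens"].add(token)
    return issue_device_cookie(username, token)
```

A stolen password alone reaches only the "email_verify" branch, which is the point of the scheme; the cookie check also refuses a cookie copied from another account because the MAC is bound to the username.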

So CHANGE YOUR DAMNED PASSWORDS and put an end to this kind of scam. Perhaps remembering new character strings will help to stave off Alzheimer's.

Another thing I am upset about is ITAR, the International Traffic in Arms Regulations, which is putting a real crimp in Team Cringely's attempt to put a rover on the Moon.

ITAR works on the basis that non-U.S. citizens should not have access to your rocket data (rockets are viewed as weapons) unless you request an export license for them. This includes legal aliens living in the U.S. This also includes any information transported in a laptop when visiting a foreign country. By extension, I could see that any design information transported over the Internet might also require an export license.

I'm not being pro-terrorist here, just expressing frustration because I need U.S. government permission to send a rocket to Brazil for launching, to launch a rocket IN Brazil no matter where it was made (this is on top of getting permission from the Brazilian authorities), and my rocket had darned well better have been built using only U.S.-born or naturalized citizens. The irony here is that I can copy rocket designs off the Internet and have them built in machine shops all over the world, but that is somehow different, or is at least viewed differently.

In terms of the Google Lunar X Prize, which Team Cringely is going to win sometime in early 2009, ITAR means I can't have non-U.S. citizens working on technical parts of the project without an export license. It also means potential foreign competitors for the prize can't use U.S. labor -- or data -- without an export license.

How do you enforce THAT?

This wouldn't be such a big deal if ITAR permission were given fairly easily. "I'm going for the Google Lunar X Prize, we need to launch from Brazil so we can use equatorial acceleration to put an extra 28.6 kilograms on the Moon, please." Alas, it is MUCH harder than that. ITAR licenses are given slowly and -- this is probably the worst for us -- there is simply no precedent for ITAR clearances being granted at all for what is, essentially, a recreational project.

Perhaps reassuring, though, is the fact that it is also much harder than I thought for Google to acquire a credit bureau and plunder its data. It turns out that data providers and the occasional government put restrictions on how that data can be used, so the best Google could probably do is statistically categorize us. But hey, that may be good enough.

Comments from the Tribe


Lots of spam comments on here, Bob. I'd guess your filter needs updating.

Daniel | Nov 27, 2007 | 4:52PM

Extra message to scroll the spam off the screen.

Daniel | Nov 27, 2007 | 4:56PM

Third comment to scroll the spam right off the page.

Daniel | Nov 27, 2007 | 5:02PM