Basic Security is Broken

A co-worker of mine is currently dealing with the possibility of identity theft. He has been doing some online commodities trading and told me that he had experienced login issues: the platform reported that he was currently logged in when he wasn't, which deepened his suspicion of identity theft. When I asked if his platform used two-step authentication, he asked, "What's that?"

When I logged into my own investment site, I decided to change my password. First problem: passwords had to be 6 to 12 characters, and non-alphanumeric characters were prohibited. That is a weak policy. Even with the multiple security questions (which, with a little research, could be easily answered), there are no other initial security measures. Second problem: after looking for advanced security, such as two-step authentication, I found none.

To my dismay, it is not just trading platforms that are broken (from a security standpoint), but a good majority of other platforms and systems as well. Today I filled out my NCAA bracket for my group of friends. When I was sent the group invitation over email, I was rather peeved that the password was in plain text. After clicking the link, it appears that the outside site redirects to the NCAA site with a URL of the following form, where XXXX is the group ID and YYYYY is the freaking password:

http://bracketchallenge.ncaa.com/#group?group_id=XXXX&password=YYYYY

Even under the assumption that group passwords are not important, you should still not pass them as a parameter in a GET request over plain HTTP. (Strictly, everything after the # is a fragment, which the browser keeps to itself rather than sending to the server; but the credential still sits in the email, in the browser history, and within reach of any script running on the page, and the redirecting site obviously had it in order to build the link.)
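The point about credentials in URLs, as an added example that is not part of the original post: the script below uses two constructed links in the shape of the invite URL (one with the parameters in the fragment, as above, and one with the same parameters in a real query string), shows what part of each the server actually receives, reports where a password placed in the query versus the fragment ends up, and scrubs it before the URL is logged. The group ID and password are placeholders, and the invite path built by invite_link is a hypothetical design of my own, not the NCAA site's.

```python
"""Added example (not from the original post): where a credential placed in a
URL ends up, and how to keep it out of logs. The sample links are constructed
in the shape of the invite URL above; the group ID and password are placeholders.
"""
import secrets
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

SENSITIVE_KEYS = {"password", "passwd", "pwd", "token", "secret"}

# Constructed samples. The first mirrors the invite link, which carries the
# parameters in the fragment (after '#'); the second is the same data in a
# real query string.
FRAGMENT_URL = "http://bracketchallenge.ncaa.com/#group?group_id=1234&password=hunter2"
QUERY_URL = "http://bracketchallenge.ncaa.com/join?group_id=1234&password=hunter2"


def request_line(url: str) -> str:
    """The request line the server actually receives.

    Only path and query go on the wire; the fragment stays in the browser,
    so it never reaches the server or its access log.
    """
    p = urlsplit(url)
    target = p.path or "/"
    if p.query:
        target += "?" + p.query
    return f"GET {target} HTTP/1.1"


def _split_params(s: str):
    """Parse 'a=1&b=2' into a list of (key, value) pairs; '' gives []."""
    return parse_qsl(s, keep_blank_values=True)


def exposure(url: str) -> dict:
    """Report which sensitive parameters the URL carries and where each ends up."""
    p = urlsplit(url)
    # The invite link's fragment looks like 'group?group_id=..&password=..'
    frag_params = p.fragment.split("?", 1)[1] if "?" in p.fragment else ""
    in_query = [k for k, _ in _split_params(p.query) if k.lower() in SENSITIVE_KEYS]
    in_fragment = [k for k, _ in _split_params(frag_params) if k.lower() in SENSITIVE_KEYS]
    places = set()
    if in_query:
        # Written to server, proxy and CDN access logs, kept in browser
        # history, and sent as Referer to linked pages (subject to the page's
        # referrer policy). Over plain http it is also readable on the wire.
        places |= {"server access log", "browser history", "referer"}
        if p.scheme == "http":
            places.add("wire (plaintext)")
    if in_fragment:
        # Never sent to the server, but still in the email, in browser
        # history, and readable by any script running on the page.
        places |= {"browser history", "page scripts"}
    return {"query": in_query, "fragment": in_fragment, "exposed_in": sorted(places)}


def redact(url: str) -> str:
    """Scrub sensitive parameter values (query and fragment) before logging a URL."""
    p = urlsplit(url)

    def scrub(params: str) -> str:
        pairs = [(k, "REDACTED" if k.lower() in SENSITIVE_KEYS else v)
                 for k, v in _split_params(params)]
        return urlencode(pairs)

    query = scrub(p.query) if p.query else ""
    fragment = p.fragment
    if "?" in fragment:
        head, tail = fragment.split("?", 1)
        fragment = head + "?" + scrub(tail)
    return urlunsplit((p.scheme, p.netloc, p.path, query, fragment))


def invite_link(base: str, group_id: int):
    """A better design (hypothetical path, not the site's own): the link carries
    a random, single-use invite token, and the real password is only ever
    submitted in a POST body over https.

    Returns (link, token). The server would store a hash of the token with an
    expiry and invalidate it on first use.
    """
    token = secrets.token_urlsafe(32)
    return f"https://{base}/invite/{group_id}/{token}", token


if __name__ == "__main__":
    for url in (FRAGMENT_URL, QUERY_URL):
        print(request_line(url))
        print(exposure(url))
        print(redact(url))
    print(invite_link("bracketchallenge.ncaa.com", 1234)[0])
```

The redact helper is the part worth lifting into real code: whatever a request logger or error reporter is about to write, run the URL through it first, because once a password has been written to an access log it is in every backup and log aggregator downstream.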

I think any site or platform that holds actual money or has access to bank accounts should at least allow for stronger passwords and offer two-step authentication. A lot of these systems are older, but these companies have the resources to accomplish this. Blizzard does it and so does Google – and they really don't hold a direct line to your financial and most personal information. Steam works well too: it requires each new computer to be authorized through an email confirmation, adding a layer of control over which machines can actually authenticate.

I think there is a lot that can be done, and a standard baseline for security should be established. Systems with archaic password requirements and no access controls beyond the password should be brought up to speed, especially by companies that can afford to do it.

“Salvation through creation”

“Salvation through creation” – those are the words inscribed on the beer cap of the first Magic Hat #9 beer I ever drank. That was a few years ago, yet I still keep that bottle cap on my desk.

Not long ago I read a blog post whose basic point was: don't consume, create. Sounds simple, right? Yet, in today's society, much of what we 'create' is actually consumption. Some people would argue that services like Facebook and Twitter let them create content for their followers or their friends. But they're not creating. They're consuming, just as if they were sitting in front of a television for hours on end, browsing through every channel to see what's on. Same thing with Facebook.

This is where this little quote comes in. Say it in your head, slowly. "Salvation... through creation." On the rare occasion I have free time, I'll often sit at my desktop wondering what to do, and then I remember this quote. After that, I'll probably have spent all night on some programming project. And I love it. Mindless consumption activities like leveling your Guild Wars character make it easy to cut ties and run when your creating hits a wall. But there's no real satisfaction in that. There's no salvation for your sanity in that mundane activity. Creating what you envision is something truly special, whether it be code, art, music, or anything else. Through that, you'll be 'saved', metaphorically speaking.

It’s so simple, yet dripping with meaning. Just remember,

Always be creatin’.

One of the very few reasons for allowing the NSA snooping that's not being exploited

Pedophiles.

If you told me that the NSA was leveraging its snooping in an attempt to stop actual crimes while they were being committed, I might be more in favor of it. But they're not. It's a slippery slope once you start to claim that your actions are to 'protect children', but it would at least give the impression that the snooping was accomplishing something good. There have been laws introduced that require recording of people's online lives for this very reason (I can't recall the one I'm thinking of at the moment, but it required telecom companies to record all traffic for 2 years in case the state brought a suit against the person. It was called something along the lines of 'child pornography act' – but I'm scared to even type that into Google).

This also raises the question: if the NSA and other agencies record everything you do, then surely they have recorded information and content from pedophiles, which means they are likely in possession of child pornography. If that's the case, then they themselves are breaking the laws on possession and distribution of pornographic material involving a minor – people have been convicted for less.

And now I'm sure this post will get me flagged with ridiculous labels in my dossier at the NSA. Go figure.