Changes to Website Logons -- Improve security? Or make it easier to hack?

 In the early 1970s, everyone in the military had a "service number."  Officer's numbers were a slightly different format than NCOs, Reserve officers had different prefixes than regular officers.  Then, at some point, the military decided to get rid of Service numbers and replace all of them with SSNs.  Not clear what that did for our security, but I think it reduced it.  Our SSN was used by banks and income taxes, but was not seen by anyone else.  Our service number was known by the service member and printed on our ID cards.  Of course, everyone probably loses their ID card somewhere during their tour of duty -- so who knows who gets those "private" numbers?

Back in the late 1970s and 80s, the military required everyone to have their SSN printed on their checks.  Of course, it wasn't a "military" requirement to do so.  We just could pay for anything at the Commissary, Base Exchange, Non-appropriated Funds etc, unless we presented a check with our SSN printed on it.  So if we wanted to cash a check, we had to have them printed with SSN.   Of course, then every business we paid with checks had our SSN and unscrupulous workers in those businesses could use them to hack our accounts.

I never understood the rationale behind making either of those changes, or what the Government gained by doing it!  It was a big transition, and it cost a lot of administrative labor to make it.  It took another decade until the 1990s before both of those requirements were changed and the SSNs were no longer on our military ID card.  It took pressure on Congress from military members and at least one General who had his account hacked.  

Now, it seems that websites are doing a similar inexplicable thing.  They are changing logon names to "valid email addresses."  A couple of the big businesses recently making that change are AT&T and Rocket Mortgage.  Before this change, a user could have a unique combination of numbers and letters as a logon -- and have a different one for each website.  That makes it much more difficult for a hacker.  Now, since email addresses are somewhat public, all hackers have the logon.  Half of their work is done -- all they have to do is then figure out the password!  All of these websites already have our email address in their database -- so they aren't doing it so they can collect our email address.  They are apparently doing it for some reason -- maybe to "simplify" their database?  They are saving one "field" out of hundreds at a time where digital storage is almost free!  

It is always interesting when such a change is made, the rationale for making the change is never explained, and the companies never seem to ask for any feedback.  They think they know best --and do not want to hear from any of their annoying customers.  

Credit Bureau's are organized crime and need to be regulated by Federal Government

I've always thought that our three credit monitoring bureaus (Experian, Equifax and Trans Union) were sort of a criminal enterprise.  They collect up information about us, sell it to anyone who is willing to pay, and charge us to even see what they collect.  I've always been concerned about the security of the data they collect about us.  How do they protect our data?  What happens if they don't protect it?
Last week we learned that Equifax "experienced" a massive data breach.  The NY Times said that the data breach could affect from 143,000 to 209,000 US citizens.  It has always been clear that the data bases maintained by these credit agencies is probably the most valuable, richest target in the cyber world for hackers.  So you would think they would have some of the absolute best security in the world.  But obviously, they didn't.  We also learned from Yahoo News that the hack took place over 9 years, was known about in July, but not announced to the public until September.  Between the discovery of the data breach, and the release of the news to the public in September, several Equifax executives were able to sell their stock before the stock price plummeted down.
The company then set up a website to supposedly tell citizens if their data was hacked.  It appeared to me that they used this data breach as an opportunity to get a whole lot of more private data from millions of more potential customers that they can market to.  Of course that new data now also could become vulnerable to hackers.  They also tried to get everyone who inquired to sign up to never being permitted to "sue" equifax and try to get everyone to sign up for their $30/month credit monitoring service.  

Location Sharing Applications -Privacy concerns? Or-Business vs. Fairness

My family used Google's Latitude app for location sharing.  We find it to be a very useful tool, and can use it as part of daily planning.  For example knowing when to start cooking dinner when we see where a family member is on the freeway coming home.  We also enjoy seeing where family members are located when they are on trips or vacations.
Then a few years ago, Google eliminated Latitude and moved everyone to Google + for family location sharing.   For several years, location sharing worked OK --although Google+ gradually made it more and more difficult to access using a computer browser.  It requires multiple steps to find the individual, find the profile, then get to the bottom of the profile where the location is hidden.  It seems that Google didn't want users to find that feature on Google+ Location sharing worked OK on android and iphones for a year or so.  Locations were relatively easy to navigate to, and the GUI seemed well designed.  With the latest update to Google+ on iphone the capability of pinpoint location sharing was eliminated for iphone users.  So now the family can only see my wife's iphone "city location" -no pinpoint location-- Family members with android can still share pinpoint.locations.  iPhone users are shown on the street at the major city-center intersection.    

The Google+ team has not told users if the disabling of pinpoint location sharing from iphone is permanent. Is it possible that the next version of Google+ for iphone will enable that feature again?   If it is permanent, maybe we all need to get the same brand of phones (all iphones or all android) --or all sign up for one of the pay subscription location tracking services.  But meanwhile, it seems to be a mysterious change.

Why is Google trying to gradually eliminate the location-sharing capability?  I could believe that they have concerns about privacy.  Some people feel it is "creepy" to let others track where they are.  I agree, we don't really want strangers (people outside of our Google+ circles) to know where we are at all times.  However when we voluntarily offer up our location tracking to our friends and family it seems different.  Users do have the capability of turning off the sharing --which was easy to do on Latitude, but is more difficult to do in Google+.  I can imagine that if I had a mistress, I probably would want to turn off my location tracking when visiting her to hide that fact from my wife?  But for most normal family functions, it seems natural and fun to share locations with our family and close friends.

Is it possible that Google and Apple do not want phone users to realize that they are being continually tracked by their advertising applications?  Are Google & Apple trying to shut down the capability of users being able to track people "for free" because they are trying to sell that information to businesses?  If so, they don't want to let them get it for free!  At any rate, it seems totally unfair for business (and Government probably) to be able to track the location of everyone all of the time, while they gradually elminate the capability for individuals to share our locations among our friends and family.  Yes, location sharing has value, but the cost to provide that service is very low with current technology.  I think the cost of providing that service is worth the "payment" by phone owners of sharing their location to businesses. That allows businesses to target advertising.   The idea that each family member must pay $5/month for location sharing services seems very expensive.  

Snowden calls for whistle-blower protection

The Guardian Published an article entitled "Snowden Calls for Whistle-Blower Shield"  by Spencer Ackerman and Ewan MacAskill.  The implication is that the country may have been spared the embarrassment of the exposure of the classified documents he released, if there had been a good, protected process for whistle-blowing that would have protect him from retaliation and  actually do a serious investigation into the accusations. John Crane, a former pentagon IG investigator also revealed that he thought the whistleblower protections were also not effective.  He revealed a specific example of Thomas Drake who blew a whistle, and then was retaliated against.

I'm skeptical if Snowden would have actually used a whistle-blower channel, even if it did protect him, and initiate an effective investigation.  However I do agree it it VERY difficult for someone to report a problem.  It is particularly difficult for someone with enhanced security clearances.  When someone is briefed into a particular security compartment, only a very few people are allowed to know that secret.  So, from a security standpoint, it would be a violation (subject to fine and imprisonment) to tell anyone outside of that small group of compartment-briefed individuals about fraud, waste, or abuse related to that compartment.
Also, if a contractor (as Snowden was), the whistleblower would not be just risking retaliation to him/herself, but would also be putting the contractor's whole company at risk.  In the "best case" result for a whistleblower in a classified program, the individual would "only" lose a security clearance.  However, in reality, that would kill the person's career in the Government and/or with the contractor.  And it would probably prevent the person from ever being hired again.  That is a terrible price to pay for doing, what should be considered to be, a public duty.  There were several times in my military career, and also while working as a contractor, that I firmly believed I could have (should have?) reported waste or abuse concerning programs, but, at the time, I thought that someone at a higher level of command must have, from a higher perspective, saw justification of some sort in continuing what appeared to me to be an unnecessary plan of action.  In hindsight, it is clear that in several of those cases, my concerns were shown to have been valid, and programs were cancelled--but not until immense amounts of money had been spent/wasted.

This article also pointed out the problem of retaining documentation that substantiates the fraud waste or abuse.  Whistleblowers are told to hang on to documentation of the problem, but then could be accused of inappropriately handling classified information.  If whistleblowers concerns are found to be true, the individual could still be retaliated against for mishandling the material...even if it wasn't made public!

I do believe that NSA had exceeded their authority in spying on Americans.  Snowden was probably correct and it was appropriate for him, or someone else to report the violations.  James Clapper did, in fact, lie to congress in the hearings.  But, as he said, he was in a very difficult position.  The "government" was, and still is, monitoring the phone calls, emails, and physical location (metadata) of suspects at all levels of government, not just the Federal government.  The Federal Government is aiding city, state, and county agencies and police in doing it with license plate readers, cell phone "stingray" systems, and other devices.  While using those systems, the government(s) inadvertently collect similar information about millions of "non-suspects" at the same time.  While the agencies may not use or catalog that information, it has been collected and could be used against a citizen.  A huge amount of the information that is collected, seems to be in support of our Government's war on drugs.  That whole war could be considered another form of fraud, waste, and abuse.  And I still think it is being waged to line the pockets of the many who believe they are  helping our country, but who are also earning a lot of money from the "war" as currently being waged.

I've often thought that the Government needed a separate agency to act as an overall inspector-general to whom whistleblowers could make secret reports without fear of retaliation.  However would it be part of the administration?  part of congress?  or part of the Judiciary branch of government?  None of those options sound like they would work!   The best we have is the "4th branch" -- or dedicated corps of journalists!

Cracked San Bernadino iPhone

Apparently the FBI has successfully "cracked" the San Bernardino Shooter's iPhone, as has been stated in many news reports, including this one:  Now, as predicted, the FBI wants to crack more phones, and many other agencies want to do it also.  Since everyone is now aware that the phones can be cracked, it is probably just a matter of time until other countries agencies and "bad guys" around the world figure out how to do it also.  So now our phones aren't safe from our own government, foreign governments, and soon from hackers.
It is interesting that the FBI has not mentioned that they were able to obtain any useful information from the County-provided iPhone used by the San Bernardino shooters.  

Hacking Your Phone -- 60 Minutes Program April 2016

On April 17, Sharon Alfonsi on 60 minutes had a segment called "Hacking Your Phone"   She reported that hackers have discovered a flaw in the "SS7" system that controls all phones throughout the world that allows anyone with knowledge of the flaw to gain complete access to a phone.  The hacker can listen to our calls, copy all of our emails and texts and see all of our passwords.   She arranged a demonstration where hackers John Herring and John Oberheide hacked Congressman Ted Lieu's phone.  They could even remotely install malware onto the Congressman's phone that would allow them access to the phone's camera and were able to see everything his camera was pointing at without the Congressman's knowledge the phone was active.

So this shows that even with encryption and all of the modern security features of our phones, "bad guys" can get into our phones.  What should we do?  Should we stop all internet activity from our phones?  This remarkable revelation may put a serious damper on the movement to do everything using our mobile phones. That could, in turn, affect the overall economy.
It appears that phone companies are aware of the flaw, and have known about it for a long time. They were quoted as saying that it is a vulnerability in Europe, but not the US ---but the demonstration was, in fact, done in the US with US carriers.  So we know our US system is vulnerable.

I am suspicious that our Federal Government agencies:  FBI, NSA, CIA, Treasury Dept, Homeland Security etc may be aware of the flaw, and if so, are actively exploiting it both within the US and around the world as well.  I also suspect that the US Carriers are forbidden by those agencies from revealing that fact, or the fact of the SS7 flaw, because those agencies would like to continue to use it against the organizations and individuals that those agencies believe are "bad guys."   Those agencies do everything they can to protect their secret access to our phones.  Today's USA Today had a column by Brad Heath entitled "FBI Urges Agents to Keep Secrets - From Each Other .  I also suspect that what they are hiding is the fact that they can hack into our phones and our car's "On-Star" type systems and don't want citizens and defense attorneys to know they can do it.

Near the end of the 60 minutes report, Congressman Ted Lieu said that if our intelligence agencies know about this flaw and didn't report it, that they should be fired.  I believe Congress should investigate to find out if, in fact, agencies are exploiting this flaw.  If they are using it, some leaders should be fired.

I also think Congress should push immediately to close the "flaw" in SS7, and if necessary should appropriate resources to do it.   We really need some sort of independent agency to test all such communication systems and devices for serious flaws and make sure they are, in fact, secure. 

FBI vs Apple

The FBI selected the San Bernardino shooting as a "poster child" for their cause to open up encrypted phones to Government snooping.  FBI for the past year has been complaining about the need for access to encrypted phones.  This situation looked like the perfect Trojan Horse for them to use the horrible nature of the crime as leverage to build public consensus to force companies to provide the Government a back door to our phones.

Other than the horror of the shootings, there is probably little merit to getting into the phones.  The two shooters, Syed Rizwan Farook and his wife Tashfeen Malik, are dead, and they made sure that their personal phones were totally destroyed.  That certainly makes it appear that those phones were probably the location of any information that might incriminate others.  This phone is a county government phone.

Also, in this case, the Government made two serious mistakes.  First, San Bernardino County should have paid the small additional amount for the Apple-provided service that would allow the County to always be able to track and open the employee's phone.  Second, the Government shouldn't have changed the iphone cloud password (see this Wired link).  That made it impossible with the current technology to get into the phone in question.  So, the Government made 2 serious mistakes, and now wants to put all phone owners at risk to be able to get into that phone and possibly find that there might have been someone else partially involved with the crime.

Of course, the FBI knows that as soon as Apple would create the capability to break into this phone, they would be following up with hundreds of more requests.  Other US police agencies would also want to get into our phones.  Every country where Apple sells it's phones (probably all countries) would also demand the same capability or they would "ban" apple from selling in their country.  Apple, of course, would have to comply.  From then on, nobody who travels to those countries would be safe from foreign government snooping through their phones. Worldwide privacy would be gone!