Since I've had more than one problem with identity theft, I think it's fair to say that I'm a bit sensitive to the issue of information security. So when no one is entirely sure how thieves stole $700,000 from people's accounts using ATMs, this kind of raises my hackles. If companies cannot secure your basic data, you're not safe. Personally, I feel that software manufacturers should be just as liable for malpractice as doctors, but this is not going to happen any time soon. Microsoft and Oracle alone are enough political muscle to guarantee that the consumers will have no rights. Given that I'm a software developer, even saying something like this is a risk to my career, but I have to stand by my principles.
Heck, at least thanks to the signal-emitting chips in car keys, car thieves were put out of business. You see, if your key doesn't broadcast the right code to the ignition, the car won't start. So my identity or bank account might not be safe, but I'll still have a car to live in.
Um, no. Seems that insurance companies are often not reimbursing owners when their cars get stolen. If they have those special keys, insurance companies are pretending that the cars can't get stolen and are suggesting that their clients arranged to have their cars ripped off. The article I linked to explains several ways that these cars are getting stolen and those ways are, in large part, very similar to how software companies let your data get ripped off: the car companies are sloppy and assume that a thin veneer of security (often with back doors!) will protect your car. Some of these cars can be ripped off simply by pulling the right fuse.
Well, hell. I should keep all my cash at home, sell my car and not use credit cards. Good locks will keep the thieves at bay.
Can you see where I'm heading with this? Watch the following video:
Hideously expensive key locks are just as easy to open as that cheap $5.00 Master lock you bought last week (and those are really easy to open. I used to own lock picks). The video illustrates how anyone who can buy or make bump keys can open virtually any keyed lock. Bump keys have been around for a long time, but now that the general public knows about 'em, expect to see more untraceable house burglaries. Of course, with no evidence of a break-in, don't expect your insurance company to pay for.
Fortunately, you can still still lock your stuff up in a safe.
Can you see where I'm heading with this?
At this point, there's no sense in pretending we have any real physical security and we know that our private goods and information are available to anyone who wants them. For example, let's say you're keen on identify theft. A good place to start stealing identities is acquiring Social Security numbers. Where are those often stored? In spreadsheets. Excel spreadsheets. Excel spreadsheets you can find on Google by restricting your search with "filetype:xls". So, for example, if you search for filetype:xls ssn marzouk, you will find a link to this spreadsheet (HTML version) which lists the following information:
Marzouk , Musa Abu
Leader in Amman, Jordan and Damascus, Syria for HAMAS;
POB Gaza, Egypt;
SSN 523-33-8386 (U.S.A.);
Passport No. 92/664 (Egypt)
I've done more searching and I've been finding out lots of disturbing information, including convicted prisoners social security numbers and a whole lot more. The key is to learn how Google hacking works and then start thinking of what you want to search for. Social security numbers? People's passwords? Credit card info? It's all out there and it's widely available.
So you might ask an obvious question: why the hell am I telling anyone this? Well, for starters, the bad guys know it. The good guys, not thinking this way, often don't. The problem is that if only the bad guys know this information, they'll continue to rip us off and we won't be the wiser. This might seem far fetched, but bad guys are breaking into homes with bump keys. They're stealing "theft-proof" cars. They're stealing from your trash those "convenience" checks your credit card companies keep sending. They're breaking into our servers with heretofore unknown vulnerabilities. They're scouring the Web for more victims. They already know these things and you should know them too.
Yes, as everyone talks about this, more bad guys will know about it. However, you have no way of demanding accountability for problems you don't know about! How can you go to your local government representative and say "what are you doing to make companies liable for their product's flaws" if you don't know what those flaws are?
I suspect that most of you reading this at one time or another are going to be exploited by something I've mentioned today. There is one and only one way to stop this. Start holding companies responsible for the economic damage their flawed products allow. Then, and only then, will they start taking this problem seriously. Of course, this is tricky. If a company makes reasonable safeguards to protect you, it's still possible to find ways around them but there needs to be some legal structure in place to determine if a company has been grossly negligent. And as soon as a simple vulnerability is known, the company should alert their customers and immediately take steps to fix the problem with future versions of their product.
So given all of this, my title "Safety in Numbers" might seem ironic, but it's not. The people vastly outnumber the corporations. We may not have their economic clout and the politicians won't listen, but we have the votes. If we raise enough of a stink, they're going to listen. We were here long before the corporations and we'll be here if they go away. Government is supposed to be for the people, not the corporations, so let's hold their feet to the fire.
The problem, of course, is that we won't. People are apathetic and the politicians know that. Most who read this will be disturbed, but not a god-damned thing will happen. Hell, even the identity thieves I caught who stole my information were let go by the police and the DA never prosecuted.
We have a real crisis right now. We can look at all of the individual pieces and in isolation, they seem bad, but not alarming. But if we look at things a whole, we start to realize that life is becoming so complex and information so readily available that until the government steps in to do something about it, we're all just numbers on the crime roulette wheel. There's no significant way that you and I can individually make a difference unless we can force collective representatives to do something about it. Hell, if you do nothing else, post a link to this essay. Tell people to read it. Get them thinking. That's all I'm asking. We need to find a way out of this problem, but unless we actually try, nothing will be done.
On the off chance you find this information fascinating, please read Bruce Schneier's blog. He even has an LJ feed. Bruce Schneier is one of the most thoughtful security experts out there and he has a keen eye for the economic issues of security (if you know me, you know economics makes my socks roll up and down). Not only is his information spot on, he writes very well, too, so you'll have no problem understanding what he has to say.