FX has a new limited series about the hunt for the Unabomber, Theodore John Kaczynski. I didn’t pay much attention to the story when it was going on; I just thought it was one more Harvard-grad-turns-serial-killer episode, and that was that. I certainly didn’t pay attention to his “manifesto.” The series, however, enlightened me. As I understand it, Ted believed that technology was destroying society, making us all slaves to it, and taking the joy out of life. I have yet to see how blowing people up addressed this problem, but then he shouldn’t have to be right about everything. The evidence has been mounting since 1995, when he killed his final victim, that the Unabomber wasn’t quite as crazy as we thought.
I could bury you in links, but will not. We are slaves, for example, to passwords. I teach lawyers that their devices containing client confidences should, to be properly protective of them under ethics standards, have passwords of at least 18 random letters, characters and numbers, with the password for every such device being different, and all of them changed every month. Or you can go the John Podesta route, use “password.” and get hacked, and eventually disciplined by your bar association, once they decide to get serious.
[CORRECTION: In the original post, I relayed a link to a site where you can check your password to see if it’s been compromised. I had been forwarded the link by another tech-interested lawyer. But as I was just alerted by a commenter (Thank you, Brian!), it’s a potential trap and an unethical site, making you reveal your password to check it. I apologize for posting it. See how dangerous and tricky this stuff is? See? SEE? I fell for the trap of depending on technology to protect us from technology! Ted warned us about that, too.]
Then there is this feature in The Atlantic. An excerpt:
The advent of the smartphone and its cousin the tablet was followed quickly by hand-wringing about the deleterious effects of “screen time.” But the impact of these devices has not been fully appreciated, and goes far beyond the usual concerns about curtailed attention spans. The arrival of the smartphone has radically changed every aspect of teenagers’ lives, from the nature of their social interactions to their mental health. These changes have affected young people in every corner of the nation and in every type of household. The trends appear among teens poor and rich; of every ethnic background; in cities, suburbs, and small towns. Where there are cell towers, there are teens living their lives on their smartphone…
Rates of teen depression and suicide have skyrocketed since 2011. It’s not an exaggeration to describe iGen as being on the brink of the worst mental-health crisis in decades. Much of this deterioration can be traced to their phones.
Even when a seismic event—a war, a technological leap, a free concert in the mud—plays an outsize role in shaping a group of young people, no single factor ever defines a generation. Parenting styles continue to change, as do school curricula and culture, and these things matter. But the twin rise of the smartphone and social media has caused an earthquake of a magnitude we’ve not seen in a very long time, if ever. There is compelling evidence that the devices we’ve placed in young people’s hands are having profound effects on their lives—and making them seriously unhappy…iGen teens have more leisure time than Gen X teens did, not less. So what are they doing with all that time? They are on their phone, in their room, alone and often distressed….
The number of teens who get together with their friends nearly every day dropped by more than 40 percent from 2000 to 2015; the decline has been especially steep recently. It’s not only a matter of fewer kids partying; fewer kids are spending time simply hanging out. That’s something most teens used to do: nerds and jocks, poor kids and rich kids, C students and A students. The roller rink, the basketball court, the town pool, the local necking spot—they’ve all been replaced by virtual spaces accessed through apps and the web.
You might expect that teens spend so much time in these new spaces because it makes them happy, but most data suggest that it does not. The Monitoring the Future survey, funded by the National Institute on Drug Abuse and designed to be nationally representative, has asked 12th-graders more than 1,000 questions every year since 1975 and queried eighth- and 10th-graders since 1991. The survey asks teens how happy they are and also how much of their leisure time they spend on various activities, including nonscreen activities such as in-person social interaction and exercise, and, in recent years, screen activities such as using social media, texting, and browsing the web. The results could not be clearer: Teens who spend more time than average on screen activities are more likely to be unhappy, and those who spend more time than average on nonscreen activities are more likely to be happy.
Now let me tell you my story from this week, as I rush to get a post up on my blog to the neglect of my family, friends and career.
I have some accounts at a financial investment firm that buries me in paper. Some of the accounts are custodial, for my son; some are tiny; some were set up by my parents. I received in the mail an “alert,” requiring my immediate attention. It said that I hadn’t designated a beneficiary for one of the accounts, which it described using only the last four numbers and letters. I could fill out a form and mail it back, but that would require all the numbers. I couldn’t find the account. I could go online to their easy-peezy website, I learned, which I was dead sure would NOT be easy-peezy at all.
So I called the handy 800 number provided. After being asked for an account number, a PIN, a password, none of which I have, and my social security number, which I DO have, and waiting 20 minutes for a live person, during which wait I was pounded with ads, promotions and bad music that would make Mantovani turn punk rocker, I finally reached an agent, who asked me again for all of the same sets of numbers I was just asked for. Then he told me that he had to have my account number for the account in question. I told him I don’t have it, and he explained that the easy-peezy website will just list them for me once I log in. Perfect! I exclaimed. (Actually I exclaimed, “I’ll believe it when I see it.”) He said he’d lead me through the process. I went to the website, which asked for my password. I don’t have a password, I said for the fourth time in the last half hour. No problem! He gave me a temporary password. I put it in and clicked. Oops! I didn’t enter my Username. “Just enter your name,” he said. I did. The site rejected it. “It has to be without spaces,” he said. “Sorry.”
“Why doesn’t the site say that?” I asked. “It should,” he replied. “Sorry.”
I finally got to the screen where I was asked to create my own password. It had to be 8-12 characters, use at least one number and upper case letters, and not use any one letter or number more than three times. There were other requirements too. Doing the best I could, being an idiot, I meticulously typed in a password that seemed to comply, and the repeat for confirmation. As you know, I can’t type, and this site would not show me what I had typed. It took me three tries to get the two new passwords to match. Then I clicked on “enter new password.”
Rejected. It didn’t say why it was rejected, it just was. I tried the same password again, as instructed by my agent. It failed. “Try another,” he said. I did. I tried about ten, in fact, following the requirements, and they were all rejected.
“Look,” I said. “Why don’t you pick a password that works, and give it to me. I don’t care about the password. I just want my damned account number!”
“We can’t do that, sir. Security.”
My wife, who can type, tried to enter a new password, one that she has used for our bank. Nope.
“I think the best thing to do would be to log out, then start again. I don’t know why you are having such trouble,” I was told.
“This has taken almost an hour and you want me to start over? The hell with that! Tell me my account!”
“I can’t do that over the phone, sir!”
“E-mail me the documents with my account number!”
“That’s not secure, sir!”
“Can you overnight me the documents with my account number, so I can fill it out and return it to you?”
“I can do that, sir.”
Wonderful.
I thought.
The papers arrived as promised, but without the required account number, just the last four numbers and letters. For security. Foaming at the mouth, I did exactly what I had done the day before. Phone tree. Promotions. Bad music. I reached a different agent who sounded exactly the same, and told him the whole story, mentioning the Unabomber for the first time. He also gave me a temporary password. THIS time, my new password worked. Then he led me through the online security procedures, stalling on the three “security questions.”
Each of the three had to be picked from a different list of about 25 alternatives. Once I had entered the answers to my three chosen questions, I could finally be approved TO SEE THE ACTUAL ACCOUNTS I OWN.
I was not approved, however. Why? “Oh, it doesn’t say this, but each answer has to be a single word, and to be at least 8 letters.”
“Wait, are you kidding? So if I pick ‘what was the name of my first pet,’ and my first pet’s name was Fluffy, I can’t use that question?”
“Or you have to give a different name with 8 letters.”
“BUT THAT WOULDN’T BE THE NAME OF MY FIRST PET!!!”
(This was the second time I mentioned the Unabomber.)
“Try six letters.”
At this point I gave him my favorite quote from “Wargames,” a 1986 film about technology horrors…
“Dr. McKittrick? After very careful consideration, sir, I’ve come to the conclusion that your system sucks.”
He laughed.
“I apologize, sir. Please try six letters.”
That worked. I got in. I found the account. I entered my wife as beneficiary. Wait for iiiiiiiiiiiiiiiiiiiiiiiiiiiit…
“Mr. Marshall, my records are showing that she was already the beneficiary. You didn’t need to add her.”
“WHAT? This has taken me three hours over two days, and now you tell me that? Why did I get this alert?”
“It must have been a scheduled mass mailing that our computers sometimes send out. I apologize for the inconvenience. That shouldn’t have happened.”
And this post is the THIRD time I’ve mentioned the Unabomber.
I’m a believer.
I have played password roulette so many times, mostly when I get an alert that they have turned off my account for my own security. What is the killer is that most of these sites that do this to me are ones whose only purpose is to pay my bill. I frankly don’t care if someone else wants to go on and pay my bill. Now occasionally it is a site where they can order something, but those are normally sites that are concerned when my orders triple on a costume or makeup site at Halloween. I own a costume shop, for blessed sake. Of course I order more stuff in September and October.
Sounds eerily similar to the experience I had a week or so ago trying to set up a new wifi router. I got so frustrated I had a shower with loud music on just so I could yell out loud without my husband hearing me and being alarmed.
As I have mentioned before, I used to work for one of the big tech companies writing software. It used to be mostly good (as in “We have good intentions, it’s only our implementation that sucks”) on the customer facing front. Months before I left that attitude changed: customer focus stopped being a goal and was treated as a buzzword, quality assurance was gutted, and spending time on it became a career killer. This change (among others, more related to strategy) was one of the major reasons I started looking outside, and things were so bad that I even started looking outside the traditional software/tech industry. I was lucky to find a job in aerospace, because quality *is* a focus here (when a software bug will blow up a few hundred thousand dollars worth of equipment, senior management cares). I’m happier and once again I’m proud of the “product” I’m creating.
What will it take for the software industry to care? I don’t know. Will this become a “law steps when ethics fail” scenario? I hope not, because the tech issues that have been attacked this way have turned out worse after the well-intentioned intervention. My only proposal is the long game: make software engineering a profession in the same sense that Medicine, Law, and Civil Engineering are: Have actual licensed software engineers lead and manage projects. You can still have your workforce of coders that do not require licensing, but have someone’s name on the line who’s actually taking responsibility. Will it work? Maybe, but as long as we’re ok with systems that barely work, with diffuse responsibility where no one is accountable for failures, and where low-cost beats high-quality in the boardroom, there will be no enthusiasm for my proposal.
Sadly, you are 100% right. I wrote COBOL on an IBM 360 and a Burroughs 5000, back in the late 60’s. Both machines had 64K (yeah, you heard right…K ) of memory. We had to write EXTREMELY tight code, and use things like over-lays to get our programs to fit. We also had solutions that I can only describe as ‘elegant’. Not only are the programs not user-friendly now, and becoming less so, but they are sloppily written and exhibit little or no elegance. And, no-one cares. As I said, sad.
Among a certain subset of developers (e.g. the ones I work with) there is a certain appreciation for running in resource restricted environments. It is more an aesthetic rather than anything practical, which I love. One example is that we have an annual “4k competition” where we write code for a memory restricted machine so that you can’t use more than 4096 bytes of memory. Last edition’s chosen machine was the PDP-10, and we had a blast just figuring out how the thing worked. The most encouraging part is that the thing is organized by a guy in his mid-20s. Just this morning we were also playing with Multics running on CP/M on a very old “portable” (some of the advantages of working with one the curators of the Computer History Museum)… I was proudly able to get the “sum” formula working on that. 🙂
Just a wild guess…was that CP/M “portable” an Osborne? I bought one of those and nearly went bling trying to read that little green screen.
Make that “blind”, rather than bling.
Circa 1989, we called such machines ‘lugables’ rather than portables.
“Both machines had 64K (yeah, you heard right…K ) of memory.”
Learned on Apple Basic and PET Basic (Commodore Vic-20) when the entire RAM was 20k… this was mid 1980s. I saved my programs on a tape recorder… floppy disks were brand new and expensive. In college I worked in a computer store that sold IBM clones. The full height 5 Meg hard drives were standard, and I wondered what they did with all the storage space.
Today I scratched something off my bucket list: I held in my hand a Seagate Barracuda 10 TB (terabytes, or 10,000 Gigs) drive at work (it arrived while I was visiting this morning.) 5 years ago my company did not have 10 terabytes if you added every hard disk up together.
What is the deal with these restrictions on passwords? And why have a limited selection of security questions instead of being able to type your own question?
That limitation on security questions has always alarmed me. A friend shared with me that he provides random, intentionally nonsensical answers. The challenge, of course, is to remember the answers AND their associated questions. Example: What is your oldest sibling’s middle name? Redherring. (Watch that name climb in the popularity charts! And forget using THAT answer!)
Or use the same answer no matter the question?
I use a heavily encrypted password vault with a 23 character master password to store all the ridiculous access we have to have today. I add the two tier authentication answers to that as well.
Or ask a question that would only make sense to the user.
“who is the legendary twin?” is such a question, as only the user would understand the context of the question.
That was much larger than expected.
I love when I click on the link to reset my password (‘forgotten your password?’) and the first thing the ask me for is the old password….that I forgot….can’t count how many times I’ve yelled at the computer ‘if I knew it I wouldn’t be here!’
Maybe this will help:
Jack, Can I ask that you take down the link to the website where you can check your password. The simple act of checking a current password on that site makes it unsecure, and I am afraid people may try to use the site. It’s an unethical site.
Good idea. I will. Skynet…
Also, do not play the little Facebook games that start with ‘Which Harry Potter character are you?’ or ‘What type a cat would you be?’
These can be found everywhere online, and it has been discovered that many of them are actually phishing sites. Your answers are stored in a database somewhere (I know of China and Russia, but assume there are others) to be used to hack your accounts. Verification questions can be guessed from the questions using statistical analysis.
My dad actually paid ransomware once (web site locked up his iPad, and he did not call me but instead called the number that said they were Apple. I could have given him the simple steps to stop the problem in seconds…)
He gave them his debit card number to pay $39.95 and got a lot of information from him. The next day I had his bank account frozen and the card destroyed, but he instructed the bank to ‘allow the $39 charge’ as a lesson to himself, over my protests. Never pay these people! They later tried to drain his account.
Well, he has been paying for this ever since. Since he paid, his name was sold to all sorts of criminals who think he is a stupid patsy. He got 800 emails a day from robots trying to sell, steal, or otherwise take advantage of a senior citizen. He gets faux Apple emails asking him to verify purchases he never made, with convenient ‘click here to review your account’ buttons to get his credentials. He has called me several times with notices that his Apple ID is shut off (or will be unless he logs in) and I have shown him how to spot bad grammar and such (Apple DOES know how to spell) and how to access the account directly to see if he is cut off… at least he asks me now 🙂
The online world is a nasty place.
Sho’ nuff, buddy. My cousin, a West Point graduate, has been burned a couple of times. He apparently either never heard or didn’t believe “If it sounds too good to be true, it isn’t”. He also had to develop a healthy dose of cynicism.
https://www.publicintegrity.org/2017/07/31/21027/saving-face-facebook-wants-access-without-limits
Facebook=Crazy evil
Yep.
I would like to note that given the nature of passwords, the length and character set are more important than the actual password itself. If your password were ‘paSsw0rd#,’ you could check the safety through such a site by substituting another password with the same complexity.
My example uses 9 characters, with a capital (and additional 26 character set,) a number (10 more characters) and a non alphanumeric symbol (complexity depends on system used and what is acceptable for a password.)
Since order is not important for such calculations, I could replicate this for testing using 6 lower case letters, 1 uppercase, 1 number, and 1 non alpha: ‘c@tsPaws1.’ This is a good way to play with the numbers without revealing your password.
Note: if you use a word from the dictionary as a base term, it is much easier to crack your key as those combinations are tried first by modern algorithms. My ‘catspaws1’ example is inherently more secure than any iteration of ‘password’ since it is not a word or commonly used phrase in the first place.
I agree with Brian, the site is a bad idea. You are literally giving someone your password to add to their list to try when hacking.
This XKCD comic should be mandatory reading for anyone writing a password interface. It may not be perfectly accurate, but the core idea that length is better than complexity is sound. It’s worth adding at least a little complexity, but doing so consistently retains the easy to remember benefit while making brute force checking against just a list of common words hard. Personally I like adding a special ASCII character like π (ALT + 227 on keypad) because cracking tools generally assume only normal keyboard characters and it gives you a structural advantage. A pure brute force checker which didn’t make that simplifying assumption would still find actually typing those 3 numeric digits more of a problem until about 19 characters or so. Unfortunately many password validators ALSO make that assumption, and won’t let you use the extended ASCII list.
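The two comments above (the ‘c@tsPaws1’ same-shape substitution and the length-over-complexity point) can be checked with a few lines of code. What follows is an added example, not code from the post or from any commenter. It reduces a password to per-class character counts so that only those counts are ever handled, computes the brute-force search space from the counts alone, builds a random stand-in with the same shape, and flags a dictionary base word the way a rule-based guesser would. COMMON_BASES, LEET and every function name are this example’s own constructions; the symbol class is Python’s string.punctuation (32 characters), and characters outside the four ASCII classes, such as the π mentioned above, are not modelled. The bit count is an upper bound that assumes the password was chosen uniformly at random, which human-chosen passwords are not.

```python
import math
import secrets
import string

# Four ASCII character classes; sizes 26, 26, 10 and 32 (94 total).
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": string.punctuation,
}

# Constructed stand-in for the "tried first" list that cracking tools start from;
# a real audit would load a large breached-password wordlist instead.
COMMON_BASES = {"password", "letmein", "welcome", "qwerty", "monkey", "dragon", "sunshine"}

# Single-character substitutions that guess-generation rules routinely undo.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})


def shape(password: str) -> dict:
    """Count how many characters fall in each class. Only these counts leave this
    function, so strength can be discussed without the secret itself being shared.
    Characters outside the four ASCII classes are ignored (not modelled)."""
    counts = {name: 0 for name in CLASSES}
    for ch in password:
        for name, alphabet in CLASSES.items():
            if ch in alphabet:
                counts[name] += 1
                break
    return counts


def charset_size(counts: dict) -> int:
    """Size of the alphabet an attacker must assume, given which classes are present."""
    return sum(len(CLASSES[name]) for name, n in counts.items() if n > 0)


def brute_force_bits(counts: dict) -> float:
    """log2 of the search space if the password were a uniformly random string drawn
    from the classes present: length * log2(alphabet size). Upper bound only."""
    length = sum(counts.values())
    size = charset_size(counts)
    return length * math.log2(size) if size else 0.0


def base_word(password: str) -> str:
    """Strip what a rule-based cracker strips: case, leet substitutions, digits and symbols."""
    return "".join(c for c in password.lower().translate(LEET) if c.isalpha())


def is_dictionary_based(password: str) -> bool:
    """True when the password is a decorated common word, so the shape-based bit
    count overstates its real resistance (those candidates are tried first)."""
    return base_word(password) in COMMON_BASES


def stand_in(password: str) -> str:
    """A fresh random string with the same class composition as `password`: same
    length and classes, hence the same brute-force cost, but unrelated to the secret."""
    counts = shape(password)
    chars = [secrets.choice(CLASSES[name]) for name, n in counts.items() for _ in range(n)]
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def assess(password: str) -> dict:
    """Summary a reviewer can look at without ever seeing the password."""
    counts = shape(password)
    return {
        "length": sum(counts.values()),
        "charset": charset_size(counts),
        "bits": round(brute_force_bits(counts), 1),
        "dictionary_based": is_dictionary_based(password),
    }


if __name__ == "__main__":
    # Constructed sample passwords: the commenter's two examples and a long lowercase passphrase.
    for pw in ["paSsw0rd#", "c@tsPaws1", "correcthorsebatterystaple"]:
        print(f"{pw!r:30} {assess(pw)}   stand-in: {stand_in(pw)}")
```

Running it shows the point of both comments at once: the nine-character mixed-class examples come out at about 59 bits, while the 25-letter all-lowercase passphrase comes out at about 117.5 bits, and ‘paSsw0rd#’ is additionally flagged because its base word is on the common list, which the shape-only number cannot see.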
Can you get those extended characters on a laptop with no numpad?
I believe, but cannot confirm since I don’t currently have a laptop, that if you enable numlock and use the numbers which correspond to letter keys it would work. Previous laptops I’ve worked with had equivalents to the number pad which replaced normal keys when numlock was on. See http://fsymbols.com/keyboard/windows/alt-codes/laptop/
You can always try ASCII substitutions… they work on about half of the systems
…but not on passwords, come to think of it, so never mind!
I had a credit card “migrate” to a new owner and couldn’t access the new institution’s website to validate the account. After hours of trying to talk to and then discussing with their tech support, we were in the middle of disabling my security features so that their security features wouldn’t block them, when the call was dropped (of course).
While walking my dog and muttering, I developed a new strategy. I have a 15 year old computer that has no security on it, because it’s not connected to anything. I scrounged an old cable (no wireless) and plugged it into my router, and in about ten minutes it accomplished what the up-to-date technology had failed miserably to do.
I still use my HP48sx calculator… faster than a spreadsheet on some things
A password trick. Pick one of your favorite books and bookmark a page. Have your password be a line from that book (no spaces) with a number and exclamation point at the end. Absolutely unhackable (is unhackable a word?). Next time you have to change your password, go to the next line on that page. Assuming you trust your partner, this is the way to go. If you don’t trust your partner, you have other problems.
Can it be an ebook currently residing on the device you are using?
I wouldn’t do that. Plus, your device itself should have a password, so that’s like locking the password in your safe. 🙂
Small nitpick: the claim that Podesta was hacked because his e-mail password was “password” seems to be a myth. Gmail, which he was using as his hacked account, doesn’t even allow it. It seems it was the password to access his work computer, but that’s not how he was hacked.
http://www.politifact.com/punditfact/statements/2017/jan/06/jesse-watters/claim-john-podestas-email-password-was-password-la/
Small point of order: Gmail used to allow ‘password’ as a password, and would not force a legacy account to change that credential (if the user never upgraded for new features, etc. like Podesta likely never would have done, given his age and lack of tech boy savvy.)
It is plausible that his gmail password was exactly as Julian Assange said, but not if he upgraded his Google account in the past 6 to 7 years.
My father still uses a twenty year old password on his gmail that violates current policies. He uses it the way he first learned to use it, and has no interest in change.
Back to the subject of kids, depression and screen time, a friend who works with children and computers told me, “If your 10-year old has unrestricted access to the internet, he has probably watched people having sex with animals. If your teenager has a computer in his bedroom and unrestricted access to the internet, he is probably spending most of his free time masturbating to pornography.”
Even aside from the poison of pornography, putting a smart phone into a child’s hand or a computer into his room strikes me as irresponsible parenting, but most teenagers today seem to have both. My son is only 6 years old, and some of his classmates already have them.
Jack, the server puked when I posted my password methodology, and the same post went twice. Could you remove the later posting?