SERIES: Security Now!
DATE: June 16, 2015
TITLE: Mozilla's Tracking Protection
HOSTS: Steve Gibson & Leo Laporte
DESCRIPTION: Leo and I discuss the week's most interesting recent security events and a bit of miscellany. Then we examine the revelations about the current state of Internet user tracking arising from Mozilla's Firefox tracking protection instrumentation.
SHOW TEASE: It's time for Security Now!. Steve Gibson is here. Yes, I know you want to know about the LastPass hack and what it means to you. That's coming up. We'll also talk about that horrific hack at the Office of Personnel Management. And Steve will talk about a very controversial new switch in Firefox that turns on tracking protection. Good or bad, Steve and I will debate, next.
LEO LAPORTE: This is Security Now! with Steve Gibson, Episode 2^9, recorded Tuesday, 6/16/2015: Mozilla's Tracking Protection.
It's time for Security Now!, the show that protects you and your loved ones online with the Protector in Chief himself. I raise a glass to Mr. Steven “Live Long and Prosper” Gibson.
STEVE GIBSON: Tiberius Gibson, yeah.
LEO: I can only do it with my right hand. He's doing the…
STEVE: Well, you know, I've been rewatching the Jean-Luc episodes of Star Trek, just because…
LEO: I love him. He's good.
STEVE: It was, I mean, it stood the test of time.
LEO: 'Deed it did. 'Deed it did.
STEVE: They were a great seven seasons of - and we have nothing like that now. I'm just - I'm amazed that there just isn't anything fabulous. There's some horrorful-looking thing - “horrorful,” that's a new word - on the Syfy channel coming up. I made a note of it in the show notes. But it's like, it's one of those low-budget, the people cannot act, and whoever wrote it shouldn't be writing, and, oh, boy. But it's a desert for those of us who love science fiction.
LEO: It is, indeed.
STEVE: So all kinds of stuff. Everybody wants to know about sort of the inside, what does it really mean, this LastPass network breach that just yesterday hit the news. I thought it was interesting that Joe gave PCWorld an exclusive interview yesterday evening.
LEO: Joe, the CEO of LastPass.
STEVE: Yeah, Siegrist, the chief bottle washer, the coder, the original coder and so forth.
LEO: I know. When I read “CEO,” it feels like, oh, he's just a business guy. But, no, he's the guy.
STEVE: Yeah. He's making the technical blog posts. And he's always been my contact person. When I first found LastPass, it was with him that I corresponded. And one of the things that impressed me so much was that he just told me everything I wanted to know, unlike so many other services that hide what they're doing; and, therefore, it's not that I mistrust them, it's that I can't trust them because they're not telling me how it works. And, I mean, so everything with LastPass from the beginning was here's what we're doing. He wasn't embarrassed or shy or ashamed to just say, this is what we're doing. And there was a sense of, if I have any ideas, or if there's anything wrong, we're going to fix it.
I mean, it's very much, well, it's exactly the approach I've taken with SQRL, where the whole protocol has been hashed out and thought through and pounded on in a public forum with a bunch of other smart guys because the goal is let's just get it right. So that's what really impressed me from the start was I was able to describe on this podcast to our listeners why I had chosen it as mine, how it was truly TNO technology, and how they made it as strong as it was clearly possible to do. So we'll talk about that.
We did get even more bad news from the Office of Personnel Management. We discussed the bad 4.1 million record or individual hack last week. Turns out there has been another one, and it's much worse, and much bigger. Then there's this question, I guess it was a newspaper in the U.K. claimed that China and Russia had obtained and decrypted Snowden's entire document store and that, as a consequence, people were being pulled from the field. So we'll take a look at that. I saw with a little tear that our browsers may be losing native FTP. So for some set of users, that'll be interesting.
There was a mistake made with border gateway protocol, a big one a couple days ago that affected the whole Internet, I want to cover briefly. Some Wikipedia news. A really interesting reliability report about SSDs that was performed by Carnegie Mellon and Facebook, using Facebook's massive datacenter servers and the nature of SSD failure. We learned a lot from that. And then the main topic is I listened to you, gosh, I guess it was maybe last week's This Week in Google?
LEO: Oh, yeah, about Safari ad blocking?
STEVE: A lot about - you and Jeff and the rest of your panel, really interesting discussion about ad blocking, the ethics and morality.
LEO: Mike Elgan was there, as well, yeah.
STEVE: Right, right, right, right. I mean, and great comments, I thought, from everyone. But from a technical standpoint there were some things that I wanted to add. And I already had on my list, because I'd been mentioning it for a couple weeks, that Mozilla, back with Firefox 35, they added something called tracking protection that's been on my list to talk about. And I thought, okay, now is the perfect time because, thanks to the instrumentation they have in Firefox, they've been able to learn a great deal about what websites are doing. And so I just want to have a discussion about that issue a little bit, but also from a technology standpoint, the degree to which I would argue, first of all, the incentives are wrong, that is, they're perverse incentives in the industry as it is now. And that it's beginning to get a little out of control. So I think a great podcast for everyone.
LEO: So excited.
STEVE: And on the first page of my show notes, of course, I try to do something that's fun or interesting. Last week was a screenshot of all the guys from “Silicon Valley.” And of course this was on the following Sunday. Last Sunday was the second season finale.
LEO: Did you not love it? Was it not great?
STEVE: Oh, yes. This year, this year was just so fun. I mean, and the idea that this guy is dying on a mountainside on a webcam, and they could care less.
LEO: [Crosstalk] says, “Oh, we are so lucky he fell. It's such a great test.”
STEVE: And then he announced he was going to have to start drinking his own urine. And they said, “Oh, my god, this is going to drive our traffic.”
LEO: Fantastic news. Oh, I hate to even laugh at that. So you put an image of, well, let's see, shall we zoom in on it so - it's a cartoon; isn't it?
STEVE: It's a cartoon. It's a great computer-based cartoon showing a boxing ring. And the announcer's holding a microphone saying, “And in this corner, we have firewalls, encryption, antivirus software, et cetera. And in this corner, we have Dave.” And there's this goofy-looking Dave with a T-shirt that says “Human Error” on it.
LEO: Human error.
STEVE: So it's like, yes, despite all of our best efforts.
LEO: Not much you can do.
STEVE: And in fact, reading between the lines of what Joe said to PCWorld about what they found on their network, I'm thinking it was some guy, someone there got - an individual's machine was the entry point because he talked about some anomalous traffic on the network when no one was working. Well, okay, that connection says that it would be traffic driven by someone working, meaning, like, someone's workstation. So anyway, we'll talk about that in a second. Oh, and I did want to also say Merlin Mann is a fabulous guest.
LEO: We love him.
STEVE: I mean, just whenever you can drag him out of hiding. I remember the evening you and I and Amber and he spent together.
LEO: Oh, in Toronto, yeah.
STEVE: In Toronto.
LEO: I love Merlin, yeah.
STEVE: Just hanging out for a nice evening. He really brought a lot to the show, I thought.
LEO: Agree, agree, agree.
STEVE: So I just wanted to say, you know, Sunday was a great show.
LEO: Good, thank you.
STEVE: Okay. So LastPass's network breach. Of course the press went crazy, and my Twitter feed was literally useless yesterday because, I mean, I thank everyone for making sure that I knew.
LEO: Steve, did you know? Had you heard? Did you know? There was a problem. Did you hear that?
STEVE: Yeah. And in fact what Joe said to PCWorld was they dramatically underestimated the media's reaction to his blog posting and the email they sent out. Turns out that they have - LastPass has grown so popular, and they had so many people to notify, that it became very difficult to get the mail out.
LEO: Oh, dear. Oh, dear.
STEVE: And so they're now - they used an Amazon service, and they're going to use Amazon's scalability moving forward. And I can attest to the fact that people went crazy because I was unable to change my master password, as the good advice was, until later in the evening, when the initial wave of just everyone attacking the server hit. And in fact another thing that's interesting is that, as a consequence of their security being so good, which I'll describe in a second, but there's one point where they do a hundred thousand iteration PBKDF2, Password-Based Key Derivation Function.
LEO: Isn't that amazing?
STEVE: Well, yes, except that that means there's substantial overhead for them any time a user changes their password.
LEO: Which means, uh-oh, everybody's changing their password.
STEVE: Yes, which means, I mean, so they did this deliberately to strengthen against exactly the attack that they are worried may have happened. And it's necessary, I'm being very careful with the way I phrase this because they don't actually know there was exfiltration. They don't have evidence or knowledge or logs.
LEO: That's interesting. They're just assuming it because that's prudent.
STEVE: Yes. They're being that overly cautious. So again, this is another reason why…
LEO: We love them.
STEVE: …they're a model for the way you do this. And they said, we routinely survey our network because that's the way you do it these days is you look for anything that seems suspicious, and then you go figure out what it is. So something seemed suspicious, some traffic that they didn't expect should be there. And so that's why I'm guessing - and specifically what Joe said was “when no one was working.” So it was like, you know, after hours. Workstations should have been idle. But if someone's workstation…
LEO: Ah. That's a giveaway.
STEVE: Yeah, I sort of think so. So that was probably the port of entry, so to speak. And so something was there. Then they looked at what the traffic, where the traffic was. And they already have a very segmented system. So, for example, they were absolutely able to determine that none of the data, none of the bulk-encrypted data, which is the reason we have them, for synchronizing through the cloud our password databases, none of that was ever at risk. But where the anomalous traffic was on their network could have exposed a subset of what they're keeping. And, unfortunately, they are keeping secrets.
So, for example, the password side stuff was where this anomalous traffic appeared, which were the email addresses, the password reminders, the per-user salts, and the authentication hashes. So let's remember the way this system works. The reason I like it so much is that the user's email address, after case is removed - so it's case-insensitive because email is case-insensitive, and they don't want to confuse their hashing because they combine the email address and the user's password, and then they hash it iteratively. And I don't remember now what the default is because I had cranked mine way up. Advice on this podcast a year or two ago was, when they added - okay, now, you've got it set to 100,000.
LEO: The default is 5,000. Which is probably enough. I mean, they were doing 100,000. What do you recommend?
STEVE: Okay, so what I recommend is a number with no zeroes. So everyone should choose - and you don't want to show it to us, Leo, because that would be a nice thing for no bad guys to know.
LEO: Why would they want to know that?
STEVE: Because that really foils them. I already had, like you, a five-digit number. But it was completely random, a random five digits. And they caution not going higher because this is done browser-side.
LEO: They say don't go below 20,000. It says it's recommended that you keep the number - this is the message I'm getting from LastPass when I change it. It's recommended you keep the number of password iterations, oh, below 20,000. Otherwise you may experience a significant delay. And of course that's the point of all this extra computation, right, is to slow down brute-force attacks.
STEVE: Correct. And if the bad guys assume that the users have followed that advice, then they won't assume that we're using a larger number. And they will also assume that we chose something with a lot of zeroes. My point is it matters what you choose here. It should be random, and it should have five digits, and the first digit should be greater than two. So what happens is your email address and your passphrase are essentially hashed iteratively that number of times, that crazy number of times.
Now, none of that may actually matter, that is, the secrecy of that. I shot a note off to Joe, but he's just been underwater since this happened, because there were a couple of things I needed to find out. So it may well be that that number is part of the data that they are keeping and would have been attacked anyway. So keeping it a secret may not matter.
But the point is we're doing - one of the reasons I immediately knew this was the right architecture was that our browser does that locally. And the result of that hash is our identity. So it's an anonymous identity which we are providing to them. And then it's hashed again to provide the key. I think that's the order. It's been a long time since I've thought about this. But that provides the key for our decrypting the data that our browser stores locally, so that it's a very strong local store. Then they get that thing, that blob from us, which has already had the crap hashed out of it, and they do it another 100,000 times because they've got big iron servers. And, I mean, and they want to take responsibility.
Oh, and also remember that I don't think that local hashing was - it either wasn't there, or it wasn't as strong. I don't know if they - they may have had a fixed number in the beginning, in order to produce a strong hash. Or maybe it was a smaller number. I don't quite remember the history of how this evolved. But they're accepting something that they want to protect. And they figure, hey, we've got big, strong servers. We're going to further hash it. So they take what they get from us and do it another hundred thousand times. Okay. But the point of this is, what may have been exfiltrated is all of that data. The email address, which they do have in the clear, they have that because that's how they send us notices.
LEO: They have to, right.
STEVE: Yes. And so the email address is half of the secret, which is not a secret. Obviously it's known. Then the passphrase is what's added to that. And then it goes through all this hashing. The point is bad guys could perform a targeted attack. The other thing that they've done right is they have what's called a “per-user salt.” And many of our longtime listeners know all about what that is. The idea is you don't do the same algorithm, exactly the same algorithm, to every account on a big server because that allows you to create tables, the famous rainbow tables, which could be used as lookups, where you would only have to do the computation of, like, a hundred thousand hashes once for all possible passphrases. And that would give you the result, which then you look for the result in the database, and then that tells you what the passphrase was.
Instead, every single one of these uses a random, it's called a “salt,” which is mixed in for that one account, which means there's no way to do anything for everyone. The only attack then would be for a bad guy to take the email address, which assuming that anything got out at all, to take the email address of the account - and notice that, I mean, there's some information there. That tells them probably who that account is. And there are no doubt many powerful and famous people who are using LastPass. So if this got out, the record is identifiable by that high-value person's email address. So that tells them who's worth attacking. So they would then have to take that email address and that user's salt, that user's account salt, and start making guesses of what their password may be. Now, here is why a strong password is important. Hopefully, you know, this isn't Paris Hilton, and she's used her dog's name again, because that would be very bad.
LEO: That would be wrong.
STEVE: Yes. They would emulate what the browser does and make - if the number of browser iterations is part of what got taken, then they would know what the browser is doing. But so they would emulate what the browser does. Then they would emulate what LastPass's servers do, that is, the 100,000 additional PBKDF2s using SHA-256. Now, SHA-256 is, unfortunately, the bitcoin hash. So we now have incredibly mature, ultra high-speed SHA-256 hashing ASIC hardware, which is in the terahashes per second range. I mean, it screams. So this is acceleratable to a great degree. And if the guess for the password was right, then they would be able to determine that.
Okay, now, LastPass has protected us such that you cannot log in from a new device or IP as of before the announcement, unless you do an email confirmation. So they would not have compromised this person's email also, almost certainly. So that wouldn't help. That would probably not help them. And we should all have just changed our master LastPass password so that, if the worst happened, and data actually escaped, and an individual was targeted, and that individual had either a weak password or just brute-forcing finally found it, then it wouldn't help them anyway because you would have changed your password for LastPass, and they're out of luck.
But if you used the same master password anywhere else, that is, if your LastPass master password was something you reused on other sites, this breach could theoretically give bad guys a way of obtaining the password you used for LastPass and knowing who you are. They would have your email address and could potentially use that to log into other sites. Which is why the advice in Joe's blog entry and in the letter that went out was, if you used your LastPass master password somewhere else, you really need to change those sites because, again, so everyone should now have a good sense for the tremendous amount of effort that stands between bad guys and actually getting anything useful, if in fact there was a breach that did exfiltrate this information. We have to assume they had reasonable cause to believe it.
I don't know, we don't know in detail what evidence LastPass has because this has obviously been a big inconvenience. There's been some reputation cost to them. And we know that, I mean, their servers were completely, virtually offline, essentially, under the load, while everyone was frantically trying to change their master password. Although there really wasn't any hurry.
Now, I've seen some online, actually, Simon Zerafa tweeted me a link to some of the work that had been done over in the high-speed hashing projects. And I saw a number that looked like maybe 8,000 guesses per second, with strong GPU-based technology. Now, again, ASICs have blown GPUs away in terms of SHA-256 hashes. So even that is low. But for what it's worth, the only attack that is feasible is a targeted attack based on what your email address for LastPass is. So if that was anonymized or a separate Gmail account or something that doesn't look tasty, then you probably, you know, it'd be unlikely you'd be a target because there's no way to do a mass crack of this, thanks to the per-account salting.
So again, we know that it is incredibly difficult to defend a contemporary high-value network against bad guys. It's hard to imagine a higher value network today than LastPass because it's known that they literally have the keys to the kingdom. They have deeply encrypted, well protected, but still there, everybody's cloud-synced master cross-website Internet identity, essentially, everybody's usernames and passwords that are being used to log in. So it creates an incredible target. I mean, incredibly valuable.
And I can't resist the opportunity to mention that this is another one of the many things that completely disappears with SQRL. There is no cloud-based database in the sky. There's no need to synchronize independent copies of password databases because there's no more password databases. And in fact this is a complete SQRL identity. That's a SQRL identity. And all clients are able to use that QR code in order to clone that identity between SQRL clients. So my client for Windows can display that, and you just snap it, you scan it with your phone, and now your phone has your identity. And they're automatically all synchronized among all your devices and all the websites you ever go to, and there's nothing for anyone to steal.
LEO: Okay. But just to be practical, it's not available now, and nobody's using it now, and who knows how widespread SQRL will be. So let's give some practical information here. What do you recommend for people to do who are LastPass subscribers? Should they change their email?
STEVE: No. Okay. So the point is, only by being a target of an attack are you in danger. So you want to do two things. You absolutely need to change your LastPass master password because, if this data got out, if you were targeted, if you had a weak password, and if they could figure out how many iterations to use, then they would be able to confirm the password that you were using on LastPass and have your email address, therefore being able to impersonate you to LastPass and get all of your LastPass login authentication. So you absolutely want to change your master LastPass password. The second thing…
LEO: Right, and I did that. And of course I promptly forgot what I changed it to, but that's another matter entirely.
STEVE: And, you know, that happened to many people.
LEO: It's really easy to do, especially because you're using a long - the real challenge is you want to come up with a really nice random long password, but you also want to be able to kind of recreate it. And I use poetry, the first letters of lines of poetry. But I misremembered the poem, apparently, so now I have very - but that's okay. Others have had this problem, too, I'm sure.
STEVE: For what it's worth, many people had the problem. There are instructions at LastPass for reverting to your previous forgotten password if that happens.
LEO: Is that a safe thing to do? I'm surprised he even offers that, to be honest.
STEVE: I am, too. But I think, unfortunately, I mean, these are all the problems that we have. Last week, when I demonstrated clicking the QR code, someone in the chatroom said, “How is that better than the browser memorizing my password?” And it's like, oh, my lord. What we're doing is we're shoring up an existing horribly broken system with one attempted solution on top of another. And so this whole issue, you know, we've gotten to the point now where we have to use different passwords for every site. So no one can remember those, so we have to use a password manager. But we're also using different computers and different devices, so we need synchronization. So that means that synchronized database needs to go into the cloud. And now, you know…
LEO: That's the problem, by the way. If you didn't need synchronization, you could just have an encrypted file on your desktop. If you didn't care if anybody else saw it, you wouldn't need to do that.
STEVE: Right, right.
LEO: But synchronization is what we want, and that's the problem.
STEVE: Yes, and how many times have we been saved by LastPass keeping things synchronized? Because we do change a password over on some device on some site, and it's like, it's almost a miracle. I mean, it's wonderful that then you later go to a different computer, and it knows how to log you on there.
LEO: You know, I'm kind of lucky because I have two LastPass accounts. We have an enterprise account, and I have my personal account. And I had merged my personal account into the enterprise account, which you can do. You can, for ease of use, if you have an enterprise account, you can have both your LastPass accounts. And I had done that. So I changed the enterprise password, saved that, thank goodness, for my enterprise account, and everything's in there. So the fact that I can't get into my personal account's not really a problem anymore. Let me ask this. Is there a…
STEVE: So my answer is, for your LastPass master password, it needs to be something big and random, and you have to write it down.
LEO: Put it somewhere.
STEVE: And I don't mean it literally. You have to record it. So, like, do cut and copy and paste and put it somewhere else. Put it somewhere, maybe print it out, or maybe put it in some other place which you feel is secure.
LEO: The problem is, because of synchronization, you need it on all the other devices, too. So you have the same problem. Is there a…
STEVE: Or maybe put it in your wallet, but also make some change to it. Don't have it be the exact one. Leave out, you know, change a digit so that…
LEO: That's a good idea.
STEVE: Yup. And when it doesn't work, then you'll remember, oh, that's right.
LEO: Oh, yeah, I've got to do this.
STEVE: The last digit is actually - uh-huh.
LEO: Is there a better solution? Does this mean that we shouldn't be using LastPass?
STEVE: No. I don't think anybody - okay. So in some subsequent postings, Joe acknowledged that some lessons were learned. And so, for example, one of the things they're going to do is they're going to rely more heavily on Amazon server scaling so that they're able to scale their performance to better deal with this kind of surge in everybody needing to do something massively computationally burdensome at once. And I got the sense that they're going to do some additional network segmenting. Ultimately, that's really what you want. We've talked about this, like in the Sony hack, where one of the horrible things about that was that apparently everything was available on a single network.
So where your network is about security, as is the case with LastPass, rather than about convenience, which was the case with a bunch of entertainment people in Hollywood at Sony Pictures, there it really makes sense to separate networks. It means that it's less convenient. But wow, you know, ultimately it's probably what you have to do when the reality is everybody makes a mistake, as that cartoon at the top of the show said. Despite your firewalls and your antivirus and everything, you've still got Dave, who is going to click on the link in the email from his mother and infect his computer, and he's in a trusted network in a company that's all about trust.
So my point is, to answer your question, I'm not leaving. I'm staying with them. I mean, I've always thought it was sort of odd that oftentimes employees are fired when they make a mistake that taught them a lesson because you've just lost somebody who knows more than they knew before, and you're going to replace them with somebody who hasn't learned that lesson and hasn't been chastised. So I've never understood that. I mean, malice is one thing. Goodbye. But a mistake, you know, that happens. So all of their technology is bulletproof. There is, for example, there is nothing I can think of that they could have done more. Obviously, except not to have this happen. But given that it's happened, the environment that it has happened in is as secure as anything I could imagine.
And look at how diminishingly small the risk even now is. It is incredibly difficult for someone to obtain one person's password, maybe, which they've probably changed, and hopefully didn't use anywhere else because the whole point of LastPass is you don't have to use the same password everywhere. And LastPass gives you auditing facilities to look at all the passwords you're using that it's storing for you and verify that they're unique. So, I mean, it's not - maybe they were trying for more, and this is all they got, and they're not happy. I mean, maybe nothing's going to even be done with this. So again, from a practical standpoint, I can't think of anything more they could have done. Users should change their LastPass password and also change other sites' passwords if you were using them also with LastPass.
LEO: And never do that again. You should also turn on two-factor. I mean, I didn't feel the need to change my master password. I did. But I feel like…
STEVE: Oh, no, two-factor doesn't help you here.
LEO: It doesn't help you here.
STEVE: You notice I didn't mention it at all.
LEO: You didn't. Okay. Tell me about that.
STEVE: Two-factor is orthogonal to this. This is all separate. Two-factor comes in after you've authenticated yourself. So it would prevent a bad guy from logging in with your old LastPass password, if you did not change it. So that part is useful. But the two-factor still allows them to do this attack and determine what your LastPass password was. So if you did have second-factor, you're safe from them logging in as you. But you're not safe if you reused that password anywhere else.
LEO: Right. But you shouldn't have been reusing it. So I did not reuse it. So there is some value to having two-factor, if you don't reuse it.
STEVE: Oh, absolutely, yeah.
LEO: Yeah. So nobody - the main point for me is I don't want anybody to get into my LastPass store. That secure store is the keys to the kingdom. Because everything's in there, including my social security numbers, my banking account, my banking account passwords, every - if you had my LastPass store, that would be terrible.
STEVE: Yes. Well…
LEO: So, and there's no threat that that was compromised. That's encrypted with Trust No One encryption; right?
STEVE: Well, and it's clear that they did do the network segmentation I talked about. They absolutely know that traffic on wherever they saw it meant A, but it did not mean B because they absolutely have these systems segmented. So that they've really done right. They were able to emphatically say that the actual databases were never exfiltrated.
LEO: Yeah. So to reiterate - oh, and by the way, could this have happened to KeePass, the open source password manager? It couldn't because that doesn't do syncing. So they don't have anything on a server anywhere. So, but that's the disadvantage of - that's one of the reasons I don't use KeePass, because I want my LastPass passwords everywhere. And I use, as many of us do now, many, many different devices. So that's the convenience factor. So your advice is change your master password. And this is especially important if you've ever used, for reasons I wouldn't understand, your LastPass master password anywhere else. Change it. You should turn on two-factor authentication; right? Why not?
STEVE: Yes. It provides additional protection.
LEO: And it's not a big onerous problem. And then go into your LastPass settings, and it's in the advanced settings. He's started to hide some of this stuff. He's rearranged his settings. So go into Settings. On the first page is an Advanced button. And you'll see…
STEVE: Yeah. I couldn't find them. I was looking all over for it.
LEO: You have to search now, yeah.
STEVE: And I had to go to Google. And I said, oh, down - and it's like, oh, there's an Advanced button. I didn't see it, yeah.
LEO: And then you go, you'll see iterations 5,000. That's the default. Bad for a couple of reasons. It's too low, and it's a known number. So you want to change that to a five-digit number, does not begin with two, and it should be random.
STEVE: And you'll never be given a test on this, so you don't need to remember that. Just make something up.
LEO: Right. You never - you don't have to recover it. Again, it's just how many times it will rehash this. And you don't want it to be a number the bad guys might know. You want it to be a number they couldn't possibly guess.
LEO: And why not begin with a two? Because they're going to start - that gives them one less digit to guess because two is the limit, 20,000 is the limit.
STEVE: Oh, just because the dialogue says don't go over 20,000, so they won't go over 20,000.
LEO: Start with two, yeah.
STEVE: So we want to. Yeah.
LEO: Yeah. Oh, so do use more than five digits. Or use five digits and start above two.
STEVE: Okay. So the only reason not to use a bigger number - bigger is better. But the warning that they say is it'll slow you down. Well, I have a - is it five or six? I'm not telling. But I've got a big number with crazy digits, and it wasn't slow. It had to go - I watched the little bar.
LEO: Computers are fast.
STEVE: Yes. I watched a little bar go across. And how often do you do that? It's not happening all the time.
LEO: And in fact, I have hundreds of passwords in LastPass. When I did that, it had to reencrypt every one of them. It takes 10 seconds.
LEO: It doesn't take any time. Get a cup of coffee, it'll be over. All right. So a lot of the freakout is not necessary. But do the bright thing and change your master password.
LEO: And what is the minimum number of characters you should have? Fifteen? Twenty?
STEVE: Yeah. Oh, yeah, I mean, again…
LEO: Make it long.
STEVE: People are bad at generating entropy. So, I mean, it's why my crazy passwords page. It's like 25,000 uses a day. I think that's some scripts that are borrowing - that are getting entropy from GRC. But before that happened it was, like, 5,000 a day. I mean, people are using it all the time, just to get gibberish, because they like my gibberish rather than just gibberish anybody else has or could make up. So, I mean, I use it myself. I go to there, I copy something out of it, and then I mix it around, then I use it. I just use my own gibberish when I'm needing a password. And that's what my LastPass password is. I have no idea what it is. It's complete gibberish. But it's been recorded. So I really think that's what you want to do. I mean, it's inconvenient. But while we're stuck with passwords, I think LastPass…
LEO: That's the inconvenience.
LEO: Is this crappy system.
STEVE: Yeah. And it's belt and suspenders. We're reacting to the nature of past attacks, that databases are lost on websites, so we have to use different passwords on each site, and that attacks, that they're brute-forcing them, so now we need to use passwords we can't remember. And so if we're going to have gibberish spread all over the Internet, we need something to keep it.
LEO: Hold the gibberish.
STEVE: And we all have multiple devices, so now we need them synchronized. So now we need a cloud.
LEO: By the way, somebody's asking in the chatroom, this will never go away, thank you xkcd. I love xkcd. But they were wrong when they asserted that a passphrase with English language words is better than a random password. Make a random long password. A passphrase is not better.
STEVE: Right. And was it Bruce Schneier, somebody who agrees with me said, “Make it long. Make it random. Write it down.” We know how to manage little bits of paper. So manage the little - and then, of course, and the famous comeback is, oh, yeah, the Post-it note under the keyboard. Okay, well, don't leave it under the keyboard. Put it in your wallet. And, as I said, make a change to it so that literally it doesn't work as is. And when you forget that, and you enter it, and it doesn't work, then you'll go, oh, that's right, I made a little change. And then make that change, and you're in. That's the only way to be safe.
LEO: I have a method.
STEVE: I think that's good.
LEO: That I don't want to tell anybody.
STEVE: You shouldn't.
LEO: But I have a seven or eight or nine-digit number that I remember, and I just append to that.
LEO: To whatever. And that's never written down. But that's in my head. That's one way. Right?
LEO: And you've talked about padding. In fact, you have some great stuff on GRC.com about padding.
STEVE: Yeah, haystacks.
LEO: Haystacks. All right. So I think we've covered this. You know what, I'm really glad that we did cover it, though, because there's a lot of misinformation and a lot of panicking, frankly.
STEVE: Yeah. And I saw a lot of tweets from people who were saying, “Thank goodness Security Now! is today because we'll get the full readout about what this actually means.” And so all of our listeners now know that, like, exactly what the risk, what the nature of the risk is and that I'm continuing to be a happy LastPass user. The nature of security is that mistakes are going to happen. And what you need is an architecture that does everything it can to minimize the damage from mistakes. And what we have just seen is the operation of exactly such an architecture.
LEO: Well done, as always, Mr. Gibson. Continue on. The world has been saved once again.
STEVE: Speaking of disasters, the Office of Personnel Management…
STEVE: …has even bigger troubles than we knew. The first breach from a week and a half ago was believed to be 4.1 million records of a certain class. Now we learn that there was a second intrusion involving many more pieces of even more sensitive data. I cut down an Associated Press article, and I'm paraphrasing it. But I just saved the juicy bits.
So the AP reported that hackers linked to China - and American officials have said that the cyber theft originated in China and that they suspect espionage by the Chinese government, which of course the government, the Chinese government has denied any involvement. So “Hackers linked to China gained access to the sensitive background information” - and I think you were talking about this on TWiT on Sunday, too, Leo, the sensitive background information, which is different than what was leaked before.
LEO: Oh, and worse, you may not even have had a government job, and they still have that information; right?
STEVE: Correct, “submitted by intelligence and military personnel for security clearances, in a cyber breach of federal records dramatically worse than was first acknowledged. The forms, which authorities believe may have been stolen en masse, known as Standard Form 86” - I love that, 86. Of course that's standard jargon in the restaurant industry, too. It's like, oh, yeah, we 86'd that - “require applicants to fill out deeply personal information about their mental illnesses, drug and alcohol use, past arrests, and bankruptcies. They also require the listing of contacts and relatives, potentially exposing any foreign relatives of U.S. intelligence employees to coercion. Both the applicant's Social Security number and that of his or her cohabitant, if any, is required. And beyond Social Security numbers, the data include military records; veterans' status information; addresses; birth dates; job and salary histories; health insurance, life insurance, pension information; age, gender, and race data.”
So, I mean, basically stunning, comprehensive information about individuals. But the scope of this is equally disturbing. In a statement, the White House said that on June 8th investigators concluded there was, quote, “a high degree of confidence that systems containing information related to the background investigations of current, former, and prospective federal government employees and those for whom a federal background investigation was conducted” - and, by the way, this goes back to the 1980s. So this is old stuff, too. And as you said, Leo, even if you didn't get the job, they still held all this information - “may have been,” said the White House, “exfiltrated.” Joel Brenner, who's a former top U.S. counterintelligence official, said: “This tells the Chinese the identity of almost everyone who has a United States security clearance.”
LEO: Oh, my god.
STEVE: “That makes it very hard for any of those people to function as an intelligence officer.”
LEO: And they're claiming Snowden got people in trouble. This is far worse.
STEVE: I know. I know. In fact, I thought of this when I was - because we'll speak about the apparently bogus story…
LEO: No, it's a Rupert Murdoch slam piece. It has no reality.
STEVE: Exactly, that China and Russia had acquired and decrypted his stash of documents.
LEO: Didn't need to. They already got everything.
STEVE: Directly from the source.
LEO: Oh, my god.
STEVE: It was, in fact, it was a lot fresher. Snowden's stuff is old now. That's old news. Now we've got the last four years' updated intelligence information, directly from the Office of Personnel Management. So the White House statement said - oh, anyway, so continuing Joel Brenner's comment, he said: “That makes it very hard for any of those people to function as an intelligence officer. The database also tells the Chinese an enormous amount of information about almost everyone with a security clearance. That's a gold mine,” says Joel. “It helps you approach and recruit spies.” And of course there's been some concern that it could be used as blackmail material.
STEVE: That is, you know, we know about you, so do this for us. Just this little thing, and we'll keep your secret. “The White House statement said the hack into the security clearance database was separate from the breach of federal personnel data previously announced” - and of course we know that - “a breach that is itself appearing far worse than at first believed. Nearly all of the millions of security clearance holders, including some CIA, NSA, and military special operations personnel, are potentially exposed in the security clearance breach, the officials said. More than 4 million people had been investigated for a security clearance as of October 2014, according to government records.” Okay. But that was the newer take on the previous breach.
“But in this newly released hack of standard personnel records announced just last week, two people briefed on the investigation [that the AP is quoting] disclosed Friday that as many as 14 million current and former civilian U.S. government employees have had their information exposed to hackers.” And these are the records that I talked about, all of that stuff going back to the 1980s.
LEO: Including Snowden's records, by the way.
STEVE: “Since there are about 2.6 million executive branch civilians, the majority of those records exposed relate to former employees. Contractor information has also been stolen, officials said.” So anyway, just wrapping up, they said: “The personnel records would provide a foreign government an extraordinary roadmap to blackmail, impersonate, or otherwise exploit federal employees in an effort to gain access to U.S. secrets, or entry into government computer networks.” That's how you guess, you know, social hacking of all kinds. “Outside experts were pointing to the breaches as a blistering indictment of the U.S. government's ability to secure its own data two years after a National Security Agency contractor” - of course they're referring to Edward Snowden - “was able to steal tens of thousands of the agency's most sensitive documents.”
LEO: Yeah, but he was in the building. These guys weren't even in the building. Terrible.
STEVE: Yeah. “After the Snowden revelations about government surveillance, it became more difficult for the federal government to hire talented younger people into sensitive jobs…”
LEO: Oh, oh.
STEVE: Uh-huh, “particularly at intelligence agencies,” said Evan Lesser, managing director of ClearanceJobs.com, a recruiting firm.
LEO: Imagine how hard it's going to be now.
STEVE: And ClearanceJobs.com matches security clearance holders to available slots. And they're saying they can't get young people because young people are just saying, uh, no thanks. And so he said: “Now, if you get a job with the government, your own personal information may not be secure. This is going to multiply the government's hiring problems many times.”
STEVE: And then anyway, then of course Mike Masnick at Techdirt picked up on this and covered the story. And he ended his coverage by saying, “And yet, this is the same federal government telling us that it wants more access to everyone else's data to, quote, 'protect us' from cybersecurity threats, and that encryption is bad. Yikes.” And remember that these are also the people, you know, Donna [Seymour], I forgot her name, who's the CIO, who has not been heard from, by the way, in the last couple weeks, that, yeah, encryption is new technology, and we're still working to deploy it.
LEO: Wow. Wow.
LEO: Mega mega.
STEVE: And so this is on the heels. We have in here, I did want to cover the question of, and you already know the answer, Leo, did China and Russia in fact obtain and decrypt Snowden's document cache. And Glenn Greenwald, who has a horse in this race, and no one would say that he's neutral, but he did just tear the reporting apart. One of the main factual pillars on which this stood was that Snowden had documents with him in Moscow, and that Greenwald's partner met Snowden there, and that there was some document exchange. None of that ever happened.
And so the story was just - the U.K. paper story was just laced with falsehoods and, of course, citing unnamed government employees. And of course the whole story was that this was going to put their agents at risk, but it didn't say who. Not that they would, but that they were pulling them out of the field because their lives were in danger. And so anyway, any fair reading of this looks like this was not the case.
And also, I mean, everything we know about Snowden is that, whether you agree or disagree with everything that he's done, he really appears to have never been anything other than straightforward. And we know that he understands encryption. He stated that he destroyed his personal copies of this so that he could not, specifically so that he could not be coerced into giving it away. The cache is in the possession of the press. And he had none of it when he went to Hong Kong and then on to Russia. So I don't see any reason for that not to have been true. And you cannot disclose what you don't have. So this looks like just completely made up.
And old timers among us will maybe find this interesting. I did. On the bugzilla.mozilla.org site, Bug - they're calling it a bug - 1174462, titled “Remove built-in support for FTP.”
LEO: We're old-timers, though. And first of all, FTP's not secure.
STEVE: No. And in fact I use Wget now. I don't think - I can't remember the last time I actually…
LEO: Yeah, me, too, yeah. Curl or Wget.
STEVE: Yeah. You just don't put ftp. I guess the only place it would hit it is if a really old, creaky site, like something that maybe Jerry Pournelle would have up…
LEO: I bet he still has an FTP page.
STEVE: I bet he has FTP links. That's my point, is there would be links that would be ftp://.
LEO: Ftp://, yeah.
STEVE: Where you would use an FTP protocol to download code, rather than HTTP.
LEO: The point is, anybody who's using FTP or SFTP is probably going to use an FTP client rather than the browser. And so that's just, yeah, I think it's probably a good idea to take it out.
STEVE: And so in the Chromium, Chrome is doing it, too. So this was sort of where it came from. They said in the Google Chromium bug list, they said: “We should consider removing built-in support for FTP from Chrome and move it out to an app. Over a seven-day period, only 0.1 to 0.2% of users” - and frankly, I was surprised it was that high - “end up navigating to any FTP URL,” and it says, parens, “(with slightly higher numbers among Linux desktop users). This has been fairly stable over the last year, so it doesn't look like there are trends for FTP to disappear altogether. With the combination of the sockets API and the downloads API, it may be possible to construct a Chrome app which handles this well. Also would need a way to be able to register an app/extension to handle a particular URL scheme so that navigations would be seamless for users of FTP apps.”
So they're talking about moving it out of the underlying Chrome browser and into an add-on, an extension, an app for - so that people who did need it could still get it. And again, Leo, I would imagine, especially Linux people, they're going to have nine other ways to grab FTP stuff. And then the little Chrome mention ends, saying: “This isn't urgent priority, but might be nice to clean up some code for a little-used feature.”
STEVE: So, yeah. So anyway, this sort of just shows the world's changing. It's growing up. And, I mean, it does make sense to shed protocols.