The Daily Parker

Politics, Weather, Photography, and the Dog

Primer on Multi-Factor Authentication

Via Schneier, Stuart Schechter has an excellent article for MFA n00bs people new to multi-factor authentication:

Many online accounts allow you to supplement your password with a second form of identification, which can prevent some prevalent attacks. The second factors you can use to identify yourself include authenticator apps on your phone, which generate codes that change every 30 seconds, and security keys, small pieces of hardware similar in size and shape to USB drives. Since innovations that can actually improve the security of your online accounts are rare, there has been a great deal of well-deserved enthusiasm for two-factor authentication (as well as for password managers, which make it easy to use a different random password for every one of your online accounts.) These are technologies more people should be using.

However, in trying to persuade users to adopt second factors, advocates sometimes forget to disclose that all security measures have trade-offs . As second factors reduce the risk of some attacks, they also introduce new risks. One risk is that you could be locked out of your account when you lose your second factor, which may be when you need it the most. Another is that if you expect second factors to protect you from those attacks that they can not prevent, you may become more vulnerable to the those attacks.

Before you require a second factor to login to your accounts, you should understand the risks, have a recovery plan for when you lose your second factor(s), and know the tricks attackers may use to defeat two-factor authentication.

Read it, and then send it to all of your non-technical friends, unless they happen to be politicians in a certain elephantine party in the U.S.

The TSA finally talks frankly about security

Bruce Schneier says that the TSA's thoughts about security at smaller airports are exactly the conversation they should be having:

Last week, CNN reported that the Transportation Security Administration is considering eliminating security at U.S. airports that fly only smaller planes -- 60 seats or fewer. Passengers connecting to larger planes would clear security at their destinations.

To be clear, the TSA has put forth no concrete proposal. The internal agency working group's report obtained by CNN contains no recommendations. It's nothing more than 20 people examining the potential security risks of the policy change. It's not even new: The TSA considered this back in 2011, and the agency reviews its security policies every year.

We don't know enough to conclude whether this is a good idea, but it shouldn't be dismissed out of hand. We need to evaluate airport security based on concrete costs and benefits, and not continue to implement security theater based on fear. And we should applaud the agency's willingness to explore changes in the screening process.

There is already a tiered system for airport security, varying for both airports and passengers. Many people are enrolled in TSA PreCheck, allowing them to go through checkpoints faster and with less screening. Smaller airports don't have modern screening equipment like full-body scanners or CT baggage screeners, making it impossible for them to detect some plastic explosives. Any would-be terrorist is already able to pick and choose his flight conditions to suit his plot.

And just think, it's only taken 15 years and $45 billion to get here...

Trollin' trollin' trollin', keep those Russkies trollin'

Researchers at Clemson University, working with 538.org, identified 3 million tweets from 2,800 Twitter handles belonging to Russian trolls:

“We identified five categories of IRA-associated Twitter handles, each with unique patterns of behaviors: Right Troll, Left Troll, News Feed, Hashtag Gamer, and Fearmonger. With the exception of the Fearmonger category, handles were consistent and did not switch between categories.”

The five types:

  • Right Troll: These Trump-supporting trolls voiced right-leaning, populist messages, but “rarely broadcast traditionally important Republican themes, such as taxes, abortion, and regulation, but often sent divisive messages about mainstream and moderate Republicans…They routinely denigrated the Democratic Party, e.g. @LeroyLovesUSA, January 20, 2017, “#ThanksObama We're FINALLY evicting Obama. Now Donald Trump will bring back jobs for the lazy ass Obamacare recipients,” the authors wrote.
  • Left Troll: These trolls mainly supported Bernie Sanders, derided mainstream Democrats, and focused heavily on racial identity, in addition to sexual and religious identity. The tweets were “clearly trying to divide the Democratic Party and lower voter turnout,” the authors told FiveThirtyEight.
  • News Feed: A bit more mysterious, news feed trolls mostly posed as local news aggregators who linked to legitimate news sources. Some, however, “tweeted about global issues, often with a pro-Russia perspective.”
  • Hashtag Gamer: Gamer trolls used hashtag games—a popular call/response form of tweeting—to drum up interaction from other users. Some tweets were benign, but many “were overtly political, e.g. @LoraGreeen, July 11, 2015, “#WasteAMillionIn3Words Donate to #Hillary.”
  • Fearmonger: These trolls, who were least prevalent in the dataset, spread completely fake news stories, for instance “that salmonella-contaminated turkeys were produced by Koch Foods, a U.S. poultry producer, near the 2015 Thanksgiving holiday.”

Will learning that Russian trolls' "mission was to divide Americans along political and sociocultural lines, and to sow discord within the two major political parties" help people call bullshit on trolling tweets and posts? Probably not. But a guy can dream.

How the McDonalds Monopoly game was rigged

Via Schneier, the head of security for the marketing firm running the game stole the million-dollar game pieces:

[FBI Special Agent Richard] Dent’s investigation had started in 2000, when a mysterious informant called the FBI and claimed that McDonald’s games had been rigged by an insider known as “Uncle Jerry.” The person revealed that “winners” paid Uncle Jerry for stolen game pieces in various ways. The $1 million winners, for example, passed the first $50,000 installment to Uncle Jerry in cash. Sometimes Uncle Jerry would demand cash up front, requiring winners to mortgage their homes to come up with the money. According to the informant, members of one close-knit family in Jacksonville had claimed three $1 million prizes and a Dodge Viper.

When Dent alerted McDonald’s headquarters in Oak Brook, Illinois, executives were deeply concerned. The company’s top lawyers pledged to help the FBI, and faxed Dent a list of past winners. They explained that their game pieces were produced by a Los Angeles company, Simon Marketing, and printed by Dittler Brothers in Oakwood, Georgia, a firm trusted with printing U.S. mail stamps and lotto scratch-offs. The person in charge of the game pieces was Simon’s director of security, Jerry Jacobson.

Dent thought he had found his man. But after installing a wiretap on Jacobson’s phone, he realized that his tip had led to a super-sized conspiracy. Jacobson was the head of a sprawling network of mobsters, psychics, strip-club owners, convicts, drug traffickers, and even a family of Mormons, who had falsely claimed more than $24 million in cash and prizes.

The longish read is worth the time.

Too many things in my inbox

I probably won't have time to read all of these things over lunch:

Share that last one with your non-technical friends. It's pretty clever.

Morning links

I didn't have a chance to read these yesterday:

Now I'm off to work. The heat wave of the last few days has finally broken!

Your mouse knows when you're lying

Via Bruce Schneier, interesting research into how to use mouse movements to detect lying:

Cognitive psychologists and neuroscientists have long noted a big "tell" in human behavior: Crafting a lie takes more mental work than telling the truth. So one way to spot lies is to check someone's reaction time.

If they're telling a lie, they'll respond fractionally more slowly than if they're telling the truth. Similarly, if you're asked to elaborate on your lie, you have to think for a second to generate new, additional lies. "You're from Texas, eh? What city? What neighborhood in that city?" You can craft those lies on the fly, but it takes a bit more mental effort, resulting in micro hesitations.

In essence, the scientists wanted to see whether they could detect -- in the mouse movements -- the hesitation of someone concocting a lie.

Turns out ... they could. The truth-tellers moved the mouse quickly and precisely to the true answer. The folks who were lying jiggered around the screen for a bit, in a sort of hemming-and-hawing adaptation of Fitts' Law.

That's kind of cool. And kind of scary.

Because who needs cyber security, anyway?

Lawyer Paul Rosensweig and national security analyst Megan Reiss think John Bolton getting rid of the "cyber czar" position is "a magnificent idea:"

Bolton is completely correct that there is no need for any coordinationbetween the various federal agencies on this issue. Cybersecurity is not a cross-cutting problem that affects all sorts of equities. We have no concerns that eliminating this position will result in conflicting mission imperatives. We have every confidence that the National Security Agency, for example, can work out vulnerability disclosure equities without the need for input from the Departments of Commerce, Justice or Homeland Security (much less Treasury or State).

We also are confident that the decision accurately reflects the diminished importance of cybersecurity as a national issue. Cybersecurity is no longer deserving of the prominence that so many national security experts seem to give it. We fully expect the Office of the Director of National Intelligence to eliminate the cybersecurity menace from its annual threat assessment. We are confident that the trend lines for cyber threats and intrusions are down.

Didn't we already know John Bolton was incompetent

Democratic candidates know what they're doing

Greg Sargent this morning points out that my party's congressional candidates aren't running the campaigns that the popular imagination thinks they are, which is a good thing:

There’s a narrative about our politics right now that you constantly encounter on social and political media. It goes like this: Democrats are too obsessed with the Russia investigation, or with Stormy Daniels, or they’re just too focused on “not being President Trump,” and as a result, they aren’t articulating an affirmative agenda and risk getting caught flat-footed by Trump’s supposedly rising popularity.

But this narrative is entirely wrong, and two new pieces this morning help set the record straight.

The first article is by Nate Silver, and it puts Trump’s job-approval numbers in their proper perspective.

If Trump’s numbers are rising, they are only doing so inside a very narrow range that remains abysmally low. And don’t forget the polling that shows strong disapproval of Trump is running higher than strong approval, which could impact disparities in voter engagement.

The second piece is by Ron Brownstein, and it reports accurately on how Democrats are actually running their campaigns right now. As Brownstein notes, many Democrats think that their chances of winning this fall turn less on whether Trump gets further dragged down by scandal, and more on their ability to link the GOP’s tax cuts to its failed (but continuing) drive to roll back health coverage, which together amount to a deeply unpopular overall set of GOP priorities.

With Republican primary elections in Indiana, Ohio, West Virginia, and North Carolina going on today, we may have even better data about how we're retaking the House in November.

On the other hand, Bruce Schneier notes that both parties' campaigns are dangerously nonchalant about IT security. Great.

Quick links

A couple stories of interest:

OK, back to being really too busy to breathe this week...