[sf-lug] HaveIBeenPwned.com (was: Safer Browsing)

Rick Moen rick at linuxmafia.com
Tue Mar 12 20:07:08 PDT 2019


Some further observations.  I said:

> Quoting Akkana Peck (akkana at shallowsky.com):

[stuff about 2FA = two-factor authentication sounding like a great idea
in principle]

> > Apparently this is pretty easy to do. I'd trust a dedicated hardware
> > dongle a lot more than phone-based 2FA, but not many places offer one
> > and almost none let you set things up so it's required.
> 
> FWIW, I'm in total agreement with your assessment.  Again, thanks for
> bringing that up.

At the time, I didn't want to get into the surrounding corporate
customer-relations politics surrounding the current push for 2FA for
things like webmail (obvious example: GMail, but also many others).  But
let's delve into that now.

There's a thing that happens in IT, where embarrassing user screwups get
quietly edited out of the narrative because mentioning them would have
been impolitic, even where (and especially where) understanding those
screwups was essential to understanding and properly fixing what
happened.  Everyone who works in IT learns to spot those suspicious
omissions and fuzzy bits in narratives about things that went wrong.

An old little example from my personal life:  Years ago, just once and
never again, I trusted CABAL's regulars to run (in my absence) a
CABAL meeting, which as always since 2000 when that group moved from San
Francisco to the Peninsula, meets on a Saturday afternoon and evening at
my and my wife Deirdre's house in Menlo Park.  People are welcome to use
my kitchen, dishes, etc., with the understanding that this is a nice
house, not a barn, and they must therefore act like they wish to ever be
welcome again, or they won't be.

I arrived home, and there was an e-mail from one of the regulars who'd
been in (alleged) charge:  An unfortunate, and totally unanticipatable,
accident had happened (I was told), where somehow the drying rack had
managed to be overfilled with dishes, and to everyone's horror one of my
plates had fallen off the overflowing pile that tragically had not been
emptied to dry off the dishes and put them away, and sadly that plate
was no more.  Its story was ended.  (You could almost imagine the plate
committing suicide in a fit of despondency, the way this narrative was
written.)

I was highly amused at how the anecdote _remarkably_ had no human beings
whatsoever within it:  Presumably they had all been elsewhere when this
outtake scene from 'Toy Story' was being acted out by porcelain
protagonists.  There was no point in reading the riot act to the
regulars who'd not only failed to run the CABAL meeting but then cobbled
together this astonishing interpretation of events -- so I just said to
myself 'Well, OK, CABAL needs adult supervision prospectively.  Lesson
learned.'

With that framing, consider again the corporate push by, e.g., Google
Accounts / GMail to urge 2FA on users -- and consider:  What is the real
back story?  Is there an awkward-to-discuss user screwup problem?

I can hazard a pretty good educated guess.  People tend to sign up for
GMail (or other webmail) and then act recklessly about several things,
in a way that then sometimes bites them:

o  Putting too many eggs in the webmail security basket, e.g., making
   access to everything else the user does online trivially accessible to
   anyone with access to the webmail account.

o  Doing dumb things on MS-Windows that fetch and run MS-Windows
   malware[1] (that then causes the malware to steal the webmail 
   credentials), and/or:

o  Falling for phishing come-ons, which involve using various tricks
   to fool the user into thinking the user is dealing with a 
   legitimate login request for online services, but is in fact a 
   fake login that sends the credentials to criminals.

The companies (such as Google) are of course aware that many, many of
their users fall victim to stolen login credentials, and it's infeasible
to address the root cause directly by educating users to stop shooting 
their computer security in the foot -- so Plan B is to urge they overlay
atop their computer usage a non-computer-password 2nd authentication
method.  Thus:  a drumbeat for two-factor authentication, voila!

As we both agree, 2FA is (at least in general) not a bad thing.  But my
point is, in the context discussed, it's promoted as an end-run around
the incapacity or refusal of PeeCee users to do Security 101.  From the
corporation's perspective, this is highly pragmatic.  From the user's
perspective, it's a bit dumb and a bit sad, leaving the gaping security
wound unbandaged.  And 'let's require the user have a cellphone and send
it auth codes' is more palatable than 'let's require the user buy a
security dongle', even though the former's a pretty bad solution.  So,
here we are.


[1] Modern malware almost invariably relies on social engineering, i.e.,
talking the user into doing dumb and self-destructive things.  Victims
almost never admit this, in the rare case of them understanding what
happened, and the antivirus/security companies have nothing to gain from
telling the truth, and instead sell software to detect and then either
block or mop up after incidents, monetising user carelessness and its
consequences being much more profitable than addressing it directly.
