Who should be more embarrassed?

Ars Technica reports that one of the top cybercriminals wanted by the FBI had a ridiculously easy password. It was his cat’s name.

So, who committed the bigger blunder here? The criminal, or the FBI’s agents who didn’t bother to try standard guesses like pet names (or even a dictionary attack)?

I think the criminal wins this contest by an edge. No matter how notorious the guy is, he’s an idiot for not using a more secure password.


Apple Pay v. CurrentC

Paying for merchandise at a store can be a pain. You go up to the counter, watch as your items are rung up, dig in your wallet for a credit card or debit card, and hand it to the cashier. After your purchases are bagged, you head out the door—left to wonder whether the retailer you just visited will be hacked as Target was earlier this year.

Convenience and security are the two selling points behind Apple Pay. If you have one of the new iPhone 6 or 6 Plus phones, you can simply pull it out, put it near the reader while touching the Touch ID sensor, and voila—you’ve paid for your purchase. I must admit, I do not fully understand the security details that purportedly protect your credit card number. Apple’s Tim Cook has bragged about the tough security, but that doesn’t mean the system is secure.

News came out last week that major retailers like Wal-Mart, CVS, and Best Buy were not going to use Apple Pay (or Google Wallet) since they had signed on to a retailer-developed system known as CurrentC. But the news has broken this week that CurrentC has been hacked. It’s not a major security breach because the hackers only got users’ email addresses. But this doesn’t do much to bolster consumer confidence in the system.

In the past year, I’ve had to have new account numbers issued for at least three credit cards. The little I understand about Apple’s system tells me that it doesn’t actually transmit your credit card number to the retailer but instead uses some kind of “burnable” temporary number. That’s appealing, but since I do not have an iPhone 6 (my wife got the upgrade this year) Apple Pay is not going to be anything I use anytime soon. All I know is, I want something more secure than we have now.

Security is hard, and the type of security that Apple and its competitors are trying to implement is very, very hard. Breaches will be inevitable in any system, just as a determined burglar will get into any home regardless of the security systems in place. Heck, prisons are among the most secure places in the U.S., and we cannot keep weapons and other contraband from being smuggled in. Apple, CurrentC, and other providers are going to have to get things right and hope to stay one step ahead of the hackers. That will be no easy task.

What’s up with TrueCrypt?

TrueCrypt is a free encryption application that runs on Windows, Mac OS, and other platforms. I’ve suggested its use before to aid lawyers in securing data stored in various cloud services. Heck, there’s even an iOS app that can open TrueCrypt vaults, Disk Decipher.

Recently, though, TrueCrypt appeared to pull the plug on itself, suggesting users migrate to BitLocker on Windows and to encrypted disk images on Mac OS X. People wondered, is this a joke, a hacking incident, or the real thing? Security guru Steve Gibson predicts the plug being pulled is probably the real thing.

The biggest question is: Can we still safely use TrueCrypt? Fortunately, the answer appears to be yes, and Steve Gibson has done the world a huge favor by creating an archive where users can download the last fully working versions of the software.

As we learn more and more about the NSA and other government agencies around the world spying on communications and information that have nothing to do with terrorism, crime, or anything else remotely relevant to public safety, we have to be mindful that encryption tools are critical. Sorting through all of the various claims by developers (“Our product is impossible to crack!”) can be a headache unless you have a Ph.D. in math and can understand the encryption algorithms being used. TrueCrypt is (was) a known application with a long history of not being broken by hackers.

It’s good to know that it is still safe to use.

Why are passwords so hard for lawyers?

That’s the question Tom Mighell poses in his latest blog post.

I haven’t given as many presentations as Tom about the need for good password practices, but I have seen the same reaction from many lawyers: “Here we go again. This is silly, no one is going to hack me. I don’t have anything worth hacking.” After the presentation, the lawyers go back to their offices and don’t change a single thing they are doing.

Such a cavalier attitude (“I’ve got nothing worth hacking”) can lead to big headaches. Here’s a summary of what happened to just one unfortunate guy who did use good password practices.

This summer, hackers destroyed my entire digital life in the span of an hour. My Apple, Twitter, and Gmail passwords were all robust—seven, 10, and 19 characters, respectively, all alphanumeric, some with symbols thrown in as well—but the three accounts were linked, so once the hackers had conned their way into one, they had them all…. [T]hey used my Apple account to wipe every one of my devices, my iPhone and iPad and MacBook, deleting all my messages and documents and every picture I’d ever taken of my 18-month-old daughter.

If this is what can happen to someone using good passwords, what do you think can happen to you when you use crappy passwords?

If the threat of losing irreplaceable photos of your family isn’t enough to frighten you into good password practices, then how about a potential malpractice suit? I haven’t researched it, but I bet it isn’t too hard for a judge or jury to conclude that a lawyer is negligent for using an easily hackable password that leads to disclosures harmful to a client’s financial interests.

I don’t know about you, but I would not want to be the defendant in a test case like that.

Yes, good password practices can be a pain. So is locking your doors and setting an alarm. But you do it because you want to protect the things behind those doors. Passwords are your keys and alarm systems. If you use crummy ones, you’ll regret it. There are plenty of tools available (like this one or this one) to help you create and manage secure passwords. If you aren’t using one of them, you’re begging for trouble.

If you think it’s still too much trouble, good luck using that excuse with your malpractice carrier or your bar’s disciplinary authority.

Lawyering in the age of NSA spying

The news about the National Security Agency’s wholesale gathering of Internet and phone data is getting to be old news. The issues this news creates, however, are not. Indeed, over the weekend, I began wondering about what duties we lawyers have that might be affected by the NSA’s data collection.

We all know that we have a duty to maintain client confidences. Rule 1.6 makes that abundantly clear, and even in the absence of the Rule clients expect confidentiality. It is widely understood that email is not a secure means of communication with clients, and some jurisdictions might require attorneys to advise clients of this fact. Apart from encrypting email, there’s not much that can be done to make email more secure.

But what about other Internet traffic that we generate? For example, could the NSA or some private actor be sniffing at your Internet traffic to see what web sites you’re visiting? Could those web sites give a clue to someone about the matters you’re working on? If you’re a business lawyer with a client that sells pizza restaurant franchises, imagine what a competitor might conclude if its snooping reveals you’re suddenly accessing web sites related to a new territory—like the state’s secretary of state. Your client’s secret plan to expand into a new state might not be so secret any longer.

Let’s not even start to contemplate all the web traffic associated with lawyers using online practice management services like Clio.

Before you begin to get too paranoid (or you conclude that I am), let’s keep in mind that the amount of traffic on the Internet is enormous. There is a practical obscurity that provides a level of security. Singling out your Internet traffic on behalf of a client is like looking for the proverbial needle in a large field of haystacks.

That being said, we lawyers are under a duty to take reasonable precautions or steps to ensure client confidentiality is preserved. We’re required to instruct our staff about this duty. We make sure that any online tools we use have sufficient encryption and security policies. Perhaps we should take one reasonable step with regard to our own Internet traffic. What would that step be?

Introducing virtual private networks

Virtual private networks, or VPNs, are nothing new. Their ease of use, however, has improved greatly. A VPN basically creates an encrypted tunnel on the Internet through which all of your traffic travels. This makes it a whole lot harder for an outsider (like the NSA, the Chinese government, or your neighborhood hacker) to see what your traffic looks like. A VPN can also confuse snoops, making them think your computer is actually in another city, state, or even country.

I won’t go into more details here, but Lifehacker.com has an excellent article that covers the details and more. I commend it to you for your consideration.

Having thought about it for a while over the weekend, I decided that a VPN was a good idea. The cost is very reasonable, and I know that my home and work computers no longer generate traffic that is easily monitored. I’ve been able to easily use the VPN on my iPad and iPhone as well. Now I have one less thing to worry about.