A Rinky-dink GOP phishing campaign

An email came in the other day from the GOP, the United States Republican party.  The party I used to respect.  It claimed to be a one-question survey.  The question was, “The president’s job performance has been…”  My choices were great, good, OK, or other.  Here’s a screenshot.

I’m a civics-minded guy. We, the people of the United States of America, are supposed to express our opinions. The email really was from the GOP. Maybe the Republicans really were looking for feedback. So, like a dork, I took the bait and clicked “Take the Poll.” I should have known better.

That brought me to a website with the one question, as promised in the email.  I clicked “other,” and chuckled at the obvious bias.  Why no “atrocious” choice?  The survey invited comments, so I added a few about sexual abuse, late night tweeting, alternative facts, fake news, and others to summarize my opinion of President Trump’s first eleven months in office.

And then I clicked Submit.  This is where I got mad.  Instead of “Thank you for taking the time to respond,” or something similar, it took me to a page like this:

The little section at the top left had three steps.  I pasted in step 2 of 3. In step 1 of 3, I had to pledge a dollar amount so the GOP would pass my opinion on to President Trump.  In step 2, the GOP wanted to know my name, address, my occupation, and my employer.  And step 3 is where I was supposed to provide my credit card number.

I have another message for the GOP.  I’m not going to fill out your form and tell you my occupation and my employer.  And, given both political parties’ sorry track record around security, and Trump Industries’ weenie excuses for security problems, I’m certainly not going to trust you with my credit card number.  And asking me for a contribution for you to pass my comments onto the president? That’s just lame.

I could write several paragraphs about how wrong it is to solicit opinions from the public and then tie them to a political contribution, but why go to the trouble?  You guys should already know better.  Are you the same clowns who did the pitches to take money out of people’s pockets for Trump University?  Is this the best you can do to earn my trust?

President Trump, how am I supposed to have any respect for you as the leader of my country when you keep pulling these rinky-dink pranks?

Mr. President, cut the crap.

Care and share to be prepared – Part 2, sharing

I keep asking myself, why do we still see sensational data breaches almost every week?  Are attackers really that much smarter than the good guys?

The short answer is, no, they’re not.

Attackers win because the good guys do a lousy job of defense.  The good guys are so bad because nobody presents cyber-security to busy decision makers in a manner they can digest. Clueless, our leaders throw it over the wall back to the IT staff, but with minimal support, because we haven’t convinced them that IT should be an asset, not an expense. So, everyone makes the same mistakes, over and over and over again, and that’s why our private information is up for sale on underground websites.

If we want to beat cyber-attackers, we have to break this cycle. We need to lead our leaders.

Start by presenting security in a manner busy decision makers can use.  I distilled it down to a six-word rhyme everyone should take to heart. I don’t know how to make it any simpler.

Care and share to be prepared.

In part one, I made the case why everyone should care enough about cyber-security to take action.  Here, I’ll make the case for sharing.  Warning: It’s radical. Here it is. Organizations should make all their security practices public. Publish it. Present it at conferences.  Subject it all to peer review and scrutiny. Stand up in front of audiences and defend it. Answer questions. Listen to public criticism. Make changes.  Rinse and repeat.  If an attacker steals personal information about millions of people from your organization, fess up, share what went wrong, in detail, and the plan to get better. Operate in the open.

Am I nuts?  I can hear the objections already.  How does it make sense to share security tactics? Shouldn’t that stuff be among the most closely guarded secrets of any organization? Doesn’t sharing it give away proprietary knowledge to attackers?

Here is another short answer. No. Opening up about how we do security doesn’t give away anything. Attackers already know this stuff. Attackers spend all day probing and all night comparing notes to improve their probes for the next day. Bad guys collaborate.  Good guys don’t.  Is it any wonder industry and government are such easy targets?

Don’t believe me?  Forget high-tech for a minute.  Take a look at a tidbit of history.

Alfred Charles Hobbs was a famous locksmith in the mid-1800s.  In 1851, he embarrassed British lock makers by picking their best locks during London’s Great Exhibition, forcing manufacturers to design better locks.

Hobbs’ work led to a book, “Rudimentary Treatise on the Construction of Locks,” edited by Charles Tomlinson, and published in 1853. Take a look at what Hobbs had to say, before most of our great great grandparents were born, starting near the bottom of page 2:

A commercial, and in some respects a social, doubt has been started within the last year or two, whether or not it is right to discuss so openly the security or insecurity of locks. Many well-meaning persons suppose that the discussion respecting the means for baffling the supposed safety of locks offers a premium for dishonesty, by shewing others how to be dishonest. This is a fallacy.  Rogues are very keen in their profession, and they know already much more than we can teach them respecting their several kinds of roguery.  Rogues knew a good deal about lock-picking long before locksmiths discussed it among themselves, as they have lately done.  If a lock—let it have been made in whatever country, or by whatever maker—is not so inviolable as it has hitherto been deemed to be, surely it is to the interest of honest persons to know this fact, because the dishonest are tolerably certain to be the first to apply the knowledge practically; and the spread of the knowledge is necessary to give fair play to those who might suffer by ignorance.

Sound familiar? In today’s world, Hobbs would be an Internet security researcher.

Still not convinced?  I’m publishing this on Saturday morning, Dec. 16, 2017.  Here are a few articles about data breaches or their consequences over the past week.  Not the past year.  Or the past month.  The past week. Plus one more from eight days ago about a company that should have known better.

How’s the way we’re doing things today working out? What was the definition of insanity again? Maybe I’m not so nuts after all.