Many bloggers and small businesses build websites using service providers such as WordPress or Wix, and friends and family find them using names like mysite.wixsite.com, or mysite.wordpress.com.  This is okay for a hobby.  But it doesn’t work for anyone trying to build a real identity. Spend a few minutes to set up your own Internet identity and look like a pro.  You can still use Wix, WordPress, or your favorite service, but now the outside world will find you by your name instead of the service you use.

This graph from the United States Census Bureau summarizes why setting up your own Internet identity is a good idea.  From Q1, 2008 through third quarter, 2017, US e-commerce sales steadily grew from 3.5 percent of all retail to more than 9 percent. In non-quantitative language, this means sales over the Internet are growing faster than brick and mortar sales, and the trend shows no signs of slowing. This is especially important for authors like me because Amazon is crushing every other sales channel in the book market.  The world is moving to doing most of its business over the Internet, and my books need to be there.

The challenge, of course, is phrases like “domain name” create FUD (Fear, Uncertainty, and Doubt) in people’s minds, and many think setting up an Internet identity is prohibitively expensive.  If you’re one of these folks, don’t let FUD win. It’s not expensive and it’s not rocket-science.

Note that I said “Internet identity” and not “website.” The difference is crucial.  Your website is a critical component of your Internet identity, but it’s not the only component. My Internet identity has several pieces besides my website under my dgregscott.com domain name.

It all starts with DNS, for Domain Naming System. DNS is a mixture of politics, business, and technology. Everyone who uses the Internet should know what DNS does and how to navigate it.

DNS

The concept behind DNS is simple: translate names to IP Addresses.  Think of an IP Address as similar to a telephone number, but on the Internet.  DNS resolvers, also called DNS servers, manage all this.  If I want to access the website at, say, www.dgregscott.com, I first query the DNS resolver assigned to me to retrieve that website’s IP Address, and then send my web request to that website’s IP Address.  The metaphor of looking up a telephone number in an old-fashioned phone-book and then dialing the phone helps visualize the process.

DNS names follow a well-defined set of rules.  They start with a top level domain name, or TLD. The Internet used seven TLDs in its inception – .com, .org, .net, .gov, edu, .mil, and .int.  Today, ICANN, the Internet Corporation for Assigned Names and Numbers, assigns TLDs. Anyone with around $200,000 to spend can file an application and request a TLD, and today’s Internet supports about 1500 TLDs.  But .com will continue to dwarf them all because everyone wants a name in the .com namespace.

ICANN also assigns a two-character TLD to every country in the world. The United States TLD is .us.  ICANN assigned .tv to the South-Pacific island country of Tuvalu, and Tuvalu supports a significant portion of its economy by leasing .tv domain names to media companies.  It’s a great story about mixing technology, business, and politics.

Underneath TLDs are second-level domain names.  These are the familiar names such as google.com, whitehouse.gov, redcross.org, and, millions of others, including my own, dgregscott.com.  And underneath second-level domain names are additional subdomains and hosts. Second-level domain registrants can assign names and subdomains in their namespace as they see fit.

The fully qualified domain name (FQDN) for my website, www.dgregscott.com, consists of the hostname, www, followed by a period (.), and my domain name, dgregscott.com. I also have a few other hosts for different services I offer, including ftp, mail, and others.  Like most domain names, dgregscott.com has no subdomains, and I don’t see a good reason to use them.  The United States .us namespace uses subdomains, as do some other countries.  The website, www.state.mn.us, for example, points to the official State of Minnesota website.  But that name redirects to an easier-to-digest name, mn.gov.  Simple and easy to remember is good.

By convention, we use the hostname, www, for websites, mail for email servers, ftp for ftp servers, and a few others.  But nothing enforces this convention. We also have a concept called a default name, which points the domain name without a hostname to a specific system. Since websites are the most popular application on the Internet, most default names point to the website associated with that domain.  Browse to http://dgregscott.com and end up at the same website as http://www.dgregscott.com.

And that leads to name registration. How does somebody acquire a domain name?

Name Registration

Full disclosure here.  I am an Internet domain name name registrar.  I resell a service from Network Solutions, the original Internet domain name registrar, and I manage the records for a few domain names, most of them my own.  As of this writing in Feb. 2018, I have no desire to ramp up this business.  I do it on a small scale for my own convenience and for a few others. Typical cost is $20 per year per domain name in the .com namespace.

Many website operators bundle domain registration with website hosting service, and many people and organizations use it because it’s convenient and they don’t want to understand how it works. This is a mistake.  Your domain name is your Internet identity and it may be even more valuable than your trademark.  Nobody else should have the power to hold it hostage.  Take a few minutes and learn how to register and manage it yourself for your own safety.

Here’s how to do it.

The first, and most important step is finding a name not registered to anyone else.  Do that by performing whois lookups on name possibilities.  Whois is an Internet service that returns information for registered domain names, and one easy way to perform whois lookups is with the whois website, at http://www.whois.com.  If you find a name not registered to anyone else, you’re free to register it.

An obvious possibility for my  domain name was gregscott.com.  But an artist in Georgia named Gregory J. Scott registered gregscott.com years ago, and he uses his website to sell paintings. How do I know this?  Here’s a screenshot from a whois lookup.

Gregory J. Scott has as much right to the gregscott.com domain name as me, and he registered it first. I doubt he is willing to give it up. So I chose to build my Internet identity around the name, dgregscott.com. D for Daniel, my official first name.

Once you find a name you like, set up a free account with any domain name registrar, fill out a form, charge between $20 and $35 to your credit card for a one year lease (some offer discounts for multiple years), and you have your own domain name.  It really is that simple.  Network Solutions, Godaddy, and Tucows are popular domain name registrars. There are dozens of others.  I like Network Solutions and its sister Web.com companies because they’ve given me good customer service over the years.  I’ve also dealt with Godaddy. Use Google or your favorite search engine to find one you like. Or twist my arm and I’ll do it for you.

Sometimes, people register names they hope will become popular. This is where technology and extortion meet, and it’s the Internet equivalent of buying up blocks of concert tickets and scalping them.  One example – somebody registered the name, startupinvestors.com, and is now auctioning it off.  As of this writing, apparently, the highest bid so far is $1040. Or, maybe the seller is lying and trying to pump up the price.  I hope he chokes on it. Here’s an amusing article from Wired Magazine back in 1994 about mcdonalds.com during the original Internet gold rush.

What if somebody else already controls your perfect domain name and it’s the only name that works?  Here is a blog post with some thoughts on how to proceed. And here is an article about one person who might control the name you want.

When you find a name you like, also look for similar names and grab them too.  The website, www.paint-can.com apparently belongs to an artist in Toronto.  But the domains, paintcan.com, paintcans.com, and paint-cans.com all appear to belong to extortionists. And paint-cam.com (m and not n) is up for sale.  Connecting with customers will be more complicated than it should be for this artist because so many similar names point elsewhere.

If you’re a nonprofit and you register a .org name, protect yourself by also registering the equivalent .com name.  If the name you want is taken in the .com namespace, don’t try to use the equivalent name in the .net or other namespace.  It looks amateurish.  Dot net names are for companies that do something around managing the Internet, and other organizations who register .net names only create confusion.

After registering your domain name, make sure you keep up your renewal.  If your name registration expires, it’s a good bet an extortionist with automation that watches for expired names will scoop it up and offer it back for lots more than you spent to lease it the first time.  You might be able to fight it in court, and you might even win after several years and a boatload of legal fees.  Don’t put yourself in this position.

And that’s it. Now, you have your own Internet identity and you can put it to work by building a website, setting up an email address, and setting up other services you want to offer.

Putting your Internet identity to work

You’ll want to point a DNS host (A) record under your domain name to your website IP Address.

Query your web hosting provider to find out the website name and IP Address assigned to your website. The name will most likely be www. The web hosting provider may offer to handle DNS for you. Don’t do it. This gives your web hosting provider too much power over your overall Internet identity. Instead, keep DNS with your domain name registrar, and set up your host (A) record yourself.  Any web hosting provider should be able to easily accommodate that.

Here are the host (A) records I set up with my domain name registrar for my dgregscott.com domain:

You may also want to set up a Mail Exchange (MX) record for email. This is a special record describing the name of the server that handles email service for your domain.  I host my own, and I set up a host (A) record cleverly named, “mail” with its IP Address.  Next, I need an MX (Mail Exchange) record to point to it. Here is what mine looks like:

Your email will most likely be with a commercial service provider, such as Google, Microsoft, or your web hosting service. They will have their own host (A) records associating the name of their email server(s) with the appropriate IP Addresses, and so all you’ll need in your own DNS is an MX (Mail Exchange) record to associate email for your domain with the name(s) of their email server(s). You’ll also need to work with your email provider to make sure their email servers accept inbound email for your domain.

Once you set up your MX record, email to yourname@yourdomain.com should flow right into your inbox. Combine that with your website at www.yourdomain.com, and your identity to the outside world will be on an equal footing with the largest corporations on the planet. And, if you become unhappy with an email or web service provider, you can move either one by changing your DNS records.

Don’t be intimidated.  If you learned how to drive an automobile in traffic, you can learn what you need to set up your own Internet identity. Invest a few minutes to understand how this infrastructure works, establish your Internet identity, and become a full-time member of the digital economy.

An email came in the other day from the GOP, the United States Republican party.  The party I used to respect.  It claimed to be a one question survey.  The question was, “The president’s job performance has been…”  My choices were great, good, OK, or other.  Here’s a screen shot.

I’m a civics minded guy. We, the people of the United States of America are supposed to express our opinions. The email really was from the GOP. Maybe the Republicans really were looking for feedback. So, like a dork, I took the bait and clicked “Take the Poll.” I should have known better.

That brought me to a website with the one question, as promised in the email.  I clicked “other,” and chuckled at the obvious bias.  Why no “atrocious” choice?  The survey invited comments, so I added a few about sexual abuse, late night tweeting, alternative facts, fake news, and others to summarize my opinion of President Trump’s first eleven months in office.

And then I clicked Submit.  This is where I got mad.  Instead of “Thank you for taking the time to respond,” or something similar, it took me to a page like this:

The little section at the top left had three steps.  I pasted in step 2 of 3. In step 1 of 3, I had to pledge a dollar amount so the GOP would pass my opinion onto President Trump.  In part 2, the GOP wanted to know my name, address, my occupation, and my employer.  And part 3 is where I was supposed to provide my credit card number.

I have another message for the GOP.  I’m not going to fill out your form and tell you my occupation and my employer.  And, given both political parties’ sorry track record around security, and Trump Industries’ weenie excuses for security problems, I’m certainly not going to trust you with my credit card number.  And asking me for a contribution for you to pass my comments onto the president? That’s just lame.

I could write several paragraphs about how wrong it is to solicit opinions from the public and then tie them to a political contribution, but why go to the trouble?  You guys should already know better.  Are you the same clowns who did the pitches to take money out of people’s pockets for Trump University?  Is this the best you can do to earn my trust?

President Trump, how am I supposed to have any respect for you as the leader of my country when you keep pulling these rinky-dink pranks?

Mr. President, cut the crap.

I keep asking myself, why do we still see sensational data breaches almost every week?  Are attackers really that much smarter than the good guys?

The short answer is, no, they’re not.

Attackers win because the good guys do a lousy job of defense.  The good guys are so bad because nobody presents cyber-security to busy decision makers in a manner they can digest. Clueless, our leaders throw it over the wall back to the IT staff, but with minimal support because we haven’t convinced them that IT should be an asset, not an expense. So, everyone makes the same mistakes, over and over and over again, and that’s why our private information us up for sale in underground websites.

If we want to beat cyber-attackers, we have to break this cycle. We need to lead our leaders.

Start by presenting security in a manner busy decision makers can use.  I distilled it down to a six word rhyme everyone should take to heart. I don’t know how to make it any simpler.

Care and share to be prepared.

In part one, I made the case why everyone should care enough about cyber-security to take action.  Here, I’ll make the case for sharing.  Warning: It’s radical. Here it is. Organizations should make all their security practices public. Publish it. Present it at conferences.  Subject it all to peer review and scrutiny. Stand up in front of audiences and defend it. Answer questions. Listen to public criticism. Make changes.  Rinse and repeat.  If an attacker steals personal information about millions of people from your organization, fess up, share what went wrong, in detail, and the plan to get better. Operate in the open.

Am I nuts?  I can hear the objections already.  How does it make sense to share security tactics? Shouldn’t that stuff be among the most closely guarded secrets of any organization? Doesn’t sharing it give away proprietary knowledge to attackers?

Here is another short answer. No. Opening up about how we do security doesn’t give away anything. Attackers already know this stuff. Attackers spend all day probing and all night comparing notes to improve their probes for the next day. Bad guys collaborate.  Good guys don’t.  Is it any wonder industry and government are such easy targets?

Don’t believe me?  Forget high-tech for a minute.  Take a look at a tidbit of history.

Alfred Charles Hobbs was a famous locksmith in the mid 1800s.  In 1851, he embarrassed British lock makers by picking their best locks during London’s Great Exhibition, forcing manufacturers to design better locks.

Hobbs’ work led to a book, “Rudimentary Treatise on the Construction of Locks,” edited by Charles Tomlinson, and published in 1853. Take a look at what Hobbs had to say, before most of our great great grandparents were born, starting near the bottom of page 2:

A commercial, and in some respects a social, doubt has been started within the last year or two, whether or not it is right to discuss so openly the security or insecurity of locks. Many well-meaning persons suppose that the discussion respecting the means for baffling the supposed safety of locks offers a premium for dishonesty, by shewing others how to be dishonest. This is a fallacy.  Rogues are very keen in their profession, and they know already much more than we can teach them respecting their several kinds of roguery.  Rogues knew a good deal about lock-picking long before locksmiths discussed it among themselves, as they have lately done.  If a lock—let it have been made in whatever country, or by whatever maker—is not so inviolable as it has hitherto been deemed to be, surely it is to the interest of honest persons to know this fact, because the dishonest are tolerably certain to be the first to apply the knowledge practically; and the spread of the knowledge is necessary to give fair play to those who might suffer by ignorance.

Sound familiar? In today’s world, Hobbs would be an Internet security researcher.

Still not convinced?  I’m publishing this on Saturday morning, Dec. 16, 2017.  Here are a few articles about data breaches or their consequences over the past week.  Not the past year.  Or the past month.  The past week. Plus one more from eight days ago about a company that should have known better.

• Dec. 15, 2017: Millions of California voter records exposed in unprotected MongoDB
• Dec. 14, 2017: Cryptocurrency Infrastructure Flaws Pose Bitcoin Risks
• Dec. 11, 2017: Data breach exposes PII of 700 Texas school children
• Dec. 11, 2017: Report: Russian Hackers Target Banks in US, Britain, Russia
• Dec. 8, 2017: Henry Ford Health System data breach compromised data of nearly 20,000 patients
• Dec. 8, 2017: Stanford University school’s chief digital officer leaves role after data breach
• Dec. 7, 2017: Uber paid Florida hacker responsible for breach $100K through bug bounty program

How’s the way we’re doing things today working out? What was the definition of insanity again? Maybe I’m not so nuts after all.

The politicians are at it again. This time, US Deputy Attorney General, Rod Rosenstein, wants tech companies to come up with a concept he calls, “responsible encryption.”

I wrote a blog post about government putting its fingers in encryption in early 2016, when the FBI threatened war with Apple over the San Bernardino case.  Although they eventually resolved it peacefully, the deeper issue remains. And, unfortunately, so do the conclusions. No matter what government calls it, Rosenstein’s not-so-new concept of responsible encryption is a fantasy.

Here is the transcript of Rosenstein’s speech.

Rosenstein and other officials are correct when they point out that encryption enables unsavory activity. Child molesters, robbers, murders, terrorists, you name it, all use encryption. Encryption does have a dark side.

The policy challenge is, what can and should government do about it?

The US Government could force a central key repository, where it keeps a copy of encryption keys with a due process to use them.

Imagine a repository containing the billions, maybe trillions of encryption keys we use every day in 21st century society. Now imagine keeping all those keys safe from cyber-attack, keeping in mind the US government’s track record. Just ask any of the millions of OPM breach victims about government and cyber-security. Or read about repeated NSA breaches. Do we really want to trust the government with the encryption keys that keep modern society functioning?

But forget about criminals compromising a government key repository. Consider this – after pouring $billions into setting up a vast bureaucracy to manage all these keys, years of effort into design and implementation, and multiple acts of Congress to set up a legal framework for all this, I’ll click a few mouse buttons and spend $5 to buy end to end encryption software from an overseas supplier. And the US Government will have no ability to regulate me. All that money. All that time. All that effort. All wasted. Child molesters, robbers, murderers, terrorists, you name it, will still use encryption.

Politicians like Rosenstein will argue that this notion of a key bureaucracy is a strawman, and if only tech companies used all their brainpower to come with better ideas, we could achieve responsible encryption. Rosenstein and the politicians are wrong. Encryption depends on keys and algorithms. There are two ways to grant government access to encrypted communication. Either give government access to the keys or weaken the algorithms. Both have so many opportunities for abuse, and so many easy workarounds, the cure is worse than the disease.

The tech industry, and every cyber-security expert I know of, is not putting profit above safety here. We’re just telling the truth.

I want to thank Ryan Conley with Bigger Law Firm, a publication dedicated to legal news, for quoting me in its article.  Here is a link.

I’ve tried and failed to convince more people than I can remember why they should care about Internet security.  Typical responses include eye rolls, yawns, looking at their watch, and taking “important” cell phone calls. Yes, I do notice.

As an IT and security professional, I’m used to being ridiculed, ignored, and marginalized.  It should have an acronym, say, RIM, because it happens all the time, and it should be a verb, as in, “I was RIMed again.”

One organization leader offered this helpful feedback: “Just tell me what I need to know in twenty-five words or less.”  A few bystanders chuckled; another tech-weenie failing in an adult conversation.

It’s frustrating when nobody listens. When people say they want everything they need to know packaged into twenty-five words or less, the real message is, they see no value in learning anything about the subject matter because it’s somebody else’s problem.

But, in fact, they’re playing Russian Roulette.

Don’t believe me? Isn’t all this just meaningless numbers and letters on a computer screen?  Isn’t cyber-security a job for big companies and the NSA? Ask former US Senator, Norm Coleman about that.  Or the former Target CEO.  Or the former US Office of Personnel Management Director.  Or several top officers at Equifax.  Or a few identity theft victims.  Or millions of people now exposed to extortion, blackmail, and identity theft because of data breaches.  I don’t know about you, but I’m tired of watching CEO after CEO parade in front of the TV cameras to claim they take security seriously.  I have a hunch many of us want to ask the obvious question — if you take security so seriously, why don’t you do anything about it?

More than a year after publishing “Bullseye Breach,” a thought came to me. What if I could give busy people everything they need to know about security in twenty-five words or less?  If we give ’em what they want, maybe we won’t be RIMed so often.  Maybe they’ll pay attention.  And then the answer came.  Everything busy people need to know about cyber-security, packed into a six-word rhyme.

Care and share to be prepared.

Nineteen words to spare.  Care enough about Internet security to take action, share what you learn liberally.  I’ll talk about sharing in part 2 (here is a link).  Here, in part 1, I’ll make the case for caring.

If you’re a busy CEO, stop brushing off your security specialists with stupid excuses like, “We sell hammers.”  No matter what your organization does, private sector, public sector, nonprofit, you name it, the information you keep is your most valuable asset.

Think about that.  How much cash do you have?  What’s the secret formula for your world-changing invention?  How much inventory do you have on-hand?  Think about any hard asset or attribute about your organization. What good is any of it if you don’t know about it?  Criminals see value in your information; that’s why they keep stealing it.  Hello?  That should tell you something.  Stop treating your information as an afterthought.

I remember a meeting with a CEO a while ago.  He told me he liked to download and install random software on his laptop and then hand it to his IT Department to fix when it broke. He said it made his IT staff sharp. I have a hunch his IT staff had a different opinion.

Arrogant, ignorant, and proud of it is a dangerous combination for a leader.  Learn to respect the people who stay up all night keeping your company running while you spend quality time with your family.  Unless you enjoy facing TV cameras and resigning in disgrace.

If you’re a busy tech professional, maybe a software developer or system administrator, keep security and layers of defense in mind. Always. I saw a discussion with a rookie developer who did not understand why it was important to protect a few important files against access to anyone logged in.  His argument was, only administrators should access this system, so why go to the extra trouble of denying read access to the world?  Wrong.  Should and is are seldom the same, and what happens if a non-administrator somehow gets inside that system? The community gave that developer a lesson on layered defense. I hope he took it to heart.

If you’re a busy Internet user, educate yourself on the basics.  Just like our great-grandparents recognized basic literacy was important in the horse and buggy days, we need to recognize that basic Internet literacy is even more important today.  The Internet is here to stay.  It’s past time for the public to learn about the dark side of free cell phone ringtones and social media and search engines.

I’ve cleaned more computer viruses than I can count.  Reactions are always the same; people are mystified by how that malicious software got inside their computer, they’re usually worried about the family taxes and 20,000 pictures they never backed up, they still think lonely teenagers launch Internet attacks from their bedrooms, and they’re amazed when I tell them about botnets.

When I was an independent consultant, one end user complained they were unable to access email. I asked what email program they used.  The answer:  “I click on ’email,'”  followed by the usual eye-roll.  Another tech-weenie asking meaningless questions.

Ignorant and proud of it is dangerous for everyone, not just leaders.  It has to stop.

How you care for the confidentiality, integrity, and availability of your data, whether you’re an organization leader, a tech professional, or anyone else, speaks volumes about how much you care about overall quality.  It’s not just a tech thing – it’s how you approach life.  If caring about cyber-security is too techie for you, then care about quality.  Your identity and millions of your stakeholders’ identities could depend on it.

Update Sept. 26, 2017

I put together three video presentations about what went wrong with the Equifax fiasco and what to do about it.

Here is a video presentation about what went wrong.

Here is a video presentation with a structural approach to fixing the system.

Here is a video presentation about killing passwords in favor of passphrases.

Original post from Sept. 19, 2017

Heads are starting to roll after the Equifax fiasco, while its PR agency pretends to offer timely communication and churns out CYA updates.  Follow the saga right here. In the Sept. 15 update, Equifax announced its CIO and CSO are retiring, effective immediately.  Uh-huh.

Here is one question of many I would love to ask Equifax execs – why did you wait until Sept. 15 to present a bulleted list of what happened back at the end of July?  I have a host of other non-question questions I want to ask, but let’s take a collective deep breath and learn self control.  Beyond eviscerating  the execs at Equifax, how do we move forward?

Here are some thoughts.

Should everyone freeze their credit?

A few days ago, I would have said yes.  But now, I’m not so sure.  Brian Krebs in his Krebs on Security blog popularized the idea back in 2015 – and it’s a good idea, but there are tradeoffs.  When you freeze your credit, it’s frozen until you un-freeze it. At least, that’s how it’s supposed to work, assuming the CRAs do their jobs. (CRA – Credit Reporting Agency).  If anyone tries to take out a loan in your name, presumably, the lender will check with the CRA, find out your credit is frozen, and turn down the loan.  Which is why you do it.  But if you try to take out a loan, the same thing happens. And now you might have pay to unfreeze it, do your transaction, and then freeze it again, times four CRAs, apparently at $10 or so each.

One of many aspects about this whole breach incident is, if CRAs charge for credit freezes, incompetent behavior turns into a windfall with millions of consumers parting with hard-earned money to freeze their credit with agencies who collected data about us without our consent.  Equifax is offering free credit freezes for a limited time – I’m not sure about the others.

Besides money, the challenge to freezing credit right now is, the CRAs are swamped with freeze requests.  CNN did a video a few days ago of somebody trying to freeze her credit with Equifax.  She tried doing it from that equifaxSecurity2017.com website and it referred her to a toll free phone number. She called the phone number and heard a recorded message to call back during normal business hours – the graphic on the story said she called around 10 am on a weekday.

I wish I could offer an easy answer to all this, but I don’t see one.  Keeping a close eye on bank and credit card transactions is always good, but if somebody uses my Social Security number to borrow a $zillion in my name, I won’t find out about it until it’s already happened.  And then I’m guilty until proven innocent and, at minimum, will spend hours unraveling the mess.

Reality bites sometimes.  Thanks Equifax.

Is the EquifaxSecurity2017 website tool any good?

That tool is… well, it needs improvement.  It’s supposed to make it easy for me to find out if I’m exposed, and then help me sign up for free credit monitoring.  I fed it my SSN with a bogus name last week and it said I may be affected.  I fed it a bogus SSN and name and it said it doesn’t appear that I’m affected.  With either choice, it presented a button to sign up for a free year of credit monitoring.  Oh joy.  Now I can feel secure that the company that let all my horses out of the barn will tell me when somebody steals my horse.

Is one year of Equifax credit monitoring false security?

Yes – false security indeed.  The main problem is, by the time you find out somebody borrowed $zillions in your name, it’s too late.  They’ve already stolen the money and they’re gone, leaving you holding the bag.  Every breach victim company offers credit monitoring because they’re nothing else they can do.  The horses are already out the barn door.  Freezing credit is one way to cope with a broken system, but it’s really just a workaround.

How do we fix the system?

Today’s system is fundamentally broken and something like this was bound to happen sooner or later.  And the bad news is, it’s not over yet.  But today’s broken system, which is bigger than Equifax, does not take Equifax off the hook and the law needs to hold Equifax execs accountable for their negligence.  In fact, since Equifax helped build today’s broken system, Equifax execs are even more culpable.  Heads need to roll.

But there is a solution.  Here are some rough first draft thoughts.

First – who are the stakeholders?  Consumers need access to credit.  Creditors need a way to assess risk and authenticate consumers.  The more efficient this process, the better for society.  That’s why we need CRAs – to match consumers with creditors.  CRAs play an important role.

One problem – consumers are CRA raw material and not CRA customers.  So CRAs have no incentive to care about the confidentiality, integrity, and availability of consumer data. Which means consumers have no power and no recourse when CRAs fail in their duty.

Another problem – CRAs adopted SSNs for authentication because every American has one, and that started a ticking time-bomb because SSNs never change.  The bomb went off years ago when many SSNs became public.  The public found out about it last week when 143 million of us were exposed.  When I provide an SSN, I don’t prove I’m me, I only prove I know the SSN that belongs to Daniel Gregory Scott.  Same for my driver’s license number, date of birth, mother’s maiden name, and anything else I might know that’s public knowledge.  The shorthand way to say this is, my SSN identifies me, but does not authenticate me.

A private passphrase could authenticate me.  Not a password, but a passphrase.  Passphrases are more secure than passwords because they have more characters and they’re easier to remember than passwords filled with random characters.  The passphrase, “Your mom wears army boots” is more secure and easier to remember than a password, say, “@rMyb00ts!”

A passphrase also has an advantage that I control it and I can change it any time I want.

So, for starters, let’s encrypt all that data CRAs hold about me with a passphrase I control.  Anyone who wants to look at my data goes through me first.  Which gives me all the advantages of a credit freeze with fewer hassles. Nobody can borrow money in my name, because nobody can check up on me with a CRA unless they know my passphrase.  CRAs don’t know the plaintext contents of my data – they only know the encrypted contents.  I control the key, which means I control the access.

That’s radical surgery.  CRAs will scream about how much work it will require to educate consumers and set all this up.  They’ll also scream because this idea takes away much of their power.

Many consumers will also scream about taking on the responsibility to remember a passphrase. And what happens if a consumer forgets their passphrase?  The easy answer – Banks or other institutions can offer a passphrase storage service.

And creditors will scream about how it complicates the system and makes offering credit more difficult than before.

I plead guilty on all charges.   But we have 143 million reasons to change the system, and either we do it in the private sector or the government will force something down everyone’s throat.  And, as a consumer, I should have control over data about me.  Millions of us should have demanded it 30 years ago.

Longer term, let’s task an industry group with all stakeholders represented to come up with standards for how all this stuff should work, and put it through the gauntlet of peer scrutiny, similarly to how other open standards are designed.  This group doesn’t need legal power, just credibility.  Enough credibility that everyone will listen and follow the standards it sets.

The system today is opaque and broken.  Let’s use this fiasco as an opportunity to open it up and redesign it for everyone’s benefit, including CRAs.

I want to thank Kim Insley with KARE-11 TV in Minneapolis for providing the questions to organize all these thoughts.

I shared my initial thoughts about the Equifax data breach in this post from Sept. 8, 2017.  And here is the recording from my WCCO Radio interview with Jordana Green and Paul Douglas.  What follows is an update as of Sept. 11, 2017.

(As of Sept. 14, 2017, this original post is now obsolete, but I’m leaving it intact to preserve the sequence of when we learned key facts. See the bottom for updates from Sept. 13, and Sept. 14 2017.)

The Equifax data breach announcement came on on Sept. 7, 2017.  As of Sept. 11, we still have few facts.  But we do have a tantalizing blog post from a news outlet named Quartz.  Check out this article.

The Quartz article references a Baird Equity Research report about how the breach will effect Equifax stock.  Here is the report.  This key sentence in the report is at the heart of lots of speculation:

Our understanding is data retained by EFX primarily generated through consumer interactions was breached via the Apache Struts flaw…

Apache Struts is a software framework for building Java applications. Struts has had two vulnerabilities recently. One was reported and patched in March, the other on Sept. 4.

Here is another article about Apache Struts from ZDnet.

And now speculation. The Equifax data breach announcement said the attack exploited a website flaw, but I can find no other details beyond that.  The Baird Equity Research report above is not clear about which Struts vulnerability, and doesn’t cite a source.

A few possible scenarios play out here. In the first scenario, Equifax never applied the patch for the March vulnerability and bad guys romped through its systems for two months undetected. This scenario is Equifax’s fault.

In the second scenario, bad guys discovered the new vulnerability before good guys found it. The patch didn’t come until Sept. 4. Smart bad guys could have easily covered their tracks while romping across the Equifax network, such that no automation looking for suspicious patterns would have uncovered it. Somehow, Equifax found the invasion on July 29. Under this scenario, the long wait for disclosure might make sense because there was no fix available until Sept. 4, and Equifax disclosed the breach Sept. 7.

I find this scenario hard to believe because five weeks – from July 29 until Sept. 4 – is a long time for anyone to fix a reported software vulnerability, especially one already in the wild.  The best open source developers pride themselves on great workmanship, and taking five weeks to patch a security flaw is inconceivable. Here is what the Apache Software Foundation had to say about Apache Struts and Equifax.

And the third scenario puts it right back on Equifax – maybe Apache Struts isn’t relevant, since we don’t know where the Baird Equity Research report got its information.

Let’s not rush to judgement yet because there is one credible scenario where Equifax disclosed this thing properly and is not culpable for the breach. I wrote a blog post about how proper disclosure should work right here.

But if Equifax wants to salvage its credibility, then the people with first-hand knowledge need to share what they know about what happened.

Update Wednesday, Sept. 13, 2017

USA Today reported yesterday that Equifax itself said an Apache Struts vulnerability was the attack vector.  But the article does not tell who from Equifax said it, which is frustrating. Here is the relevant paragraph.

On Tuesday, credit reporting company Equifax told USA TODAY the breach was due to an Apache Struts vulnerability. Apache Struts is free, open-source software used to create Java web applications. Several vulnerabilities have been reported, all since patched, but Equifax has not said which one was involved in this breach.

Update Thursday, Sept. 14, 2017

Equifax blew it.  Heads need to roll.  Scenario one above is what happened.  Equifax failed to patch the March Apache Struts vulnerability and allowed attackers to rampage through its network for two months.

The articles quoting the Equifax update are everywhere.  See this ZDnet article and this Ars Technica article.  Their source is the infamous EquifaxSecurity2017.com site. Click on the Sept. 13, 2017 progress update for consumers.

“The vulnerability was Apache Struts CVE-2017-5638. We continue to work with law enforcement as part of our criminal investigation, and have shared indicators of compromise with law enforcement.”

Let’s summarize.  The people in charge at Equifax learned about the problem on July 29, but didn’t report it until September 7.  A week later, on September 14, after bungling the response they spent five weeks preparing, and only in the face of an uproar, they finally told us which vulnerability the attackers exploited. But they knew all along which vulnerability it was.  Why not report it in the first disclosure?

It gets worse. Three senior executives sold Equifax stock after discovering the breach and before the public announcement. Here’s an extract from this MarketWatch story:

As first reported by Bloomberg News, Chief Financial Officer John Gamble banked $946,374 on the sale, U.S. Information Solutions President Joseph Loughran made $584,099 and Consumer Information Solutions President Rodolfo Ploder earned $250,458. In the same filing, Loughran exercised an option to buy 3,000 shares at a price of $33.60.

Look closely at those titles.  Chief Financial Officer, US Information Solutions President, and Consumer Information Solutions President.  Equifax claims these senior executives had no idea somebody stole the data they were in charge of protecting when they sold their stock.  If true, these folks are incompetent.  If false, they’re crooks.

But wait. There’s more.

Take a look at this Krebs on Security post from Sept. 12.  It’s a story about Equifax operations in Argentina. I’ll quote one key paragraph.

It took almost no time for them to discover that an online portal designed to let Equifax employees in Argentina manage credit report disputes from consumers in that country was wide open, protected by perhaps the most easy-to-guess password combination ever: “admin/admin.”

I’m still shaking my head.

Equifax CEO Richard Smith is expected to testify in front of Congress on Oct. 3.  I would love to be in the room and ask a few questions.

(I originally posted this on Sept. 8, 2017. Here is an update from a week later.)

Here are a few articles about the Equifax data breach, first reported Sept. 7, 2017.

• A New York Times article, here.
• A nice Krebs on Security writeup, here.
• SC Magazine posted a piece, here.
• And a ZDnet article, here.

It’s all over the news.  Lots of noise so far, little information.  Here is a bulleted summary of what we know to date.

• Attackers penetrated Equifax in May, 2017 and gained access to data about 143 million people.
• Somebody discovered it on July 29, 2017.  Apparently, the attackers took advantage of a web site flaw.  As of Sept. 8, 2017, that’s all the tech details we know.
• A few Equifax execs sold a bunch of stock around Aug. 1, 2017. Equifax PR people say the execs had no knowledge of the data breach.  Uh-huh.
• Equifax hired Mandiant, a respected IT forensics firm, to investigate.
• Equifax set up a website, https://www.equifaxsecurity2017.com, for anyone to look up whether they might be effected.  Feed it a last name and the last six social security number digits.  Note the irony of feeding a social security number to a website for a company that just reported somebody exploited a web site flaw to steal 143 million social security numbers from another company website.
• Equifax told the world about the intrusion on Sept. 7, 2017.

This latest Equifax breach is a big deal, but the ugly truth is, after years of data breaches, our personal information is already up for sale. And it’s not the first Equifax breach.  Quoting the Krebs on Security article I linked above:

This is hardly the first time Equifax or another major credit bureau has experienced a breach impacting a significant number of Americans. In May, KrebsOnSecurity reported that fraudsters exploited lax security at Equifax’s TALX payroll division, which provides online payroll, HR and tax services.

And Equifax is not the first credit reporting agency to lose our personal information. Take a look at a tangled story about how Equifax competitor, Experian became an unwitting partner in an identity theft ring in the Krebs on Security post right here.  Here’s another article.

You read that word correctly.  I really did say, partner.  Experian unwittingly partnered with an identity theft ring from Vietnam a few years ago after buying a company named Court Ventures back in 2012.

Wonderful – we can’t trust the credit reporting agencies everyone uses to assess our trustworthiness. Now what?  The most workable solution I’ve found is setting up a credit freeze.  Which means paying money to these same credit reporting agencies to set it up and trusting they’ll do their jobs.

Here is a link to another Krebs on Security post with details. Here is a link to the US Federal Trade Commission page about credit freezes. And one more link to a Consumer Reports page about credit freezes, here.

The idea is, pay a fee to each credit reporting agency to flag your record with a freeze notification.  Anyone who wants to open an account in your name will theoretically check with one of these agencies and deny it, since it’s flagged as frozen.  But this is a hassle because if you want to borrow money for, say, a mortgage or a car, you have to spend money to unfreeze your credit with the relevant agency, and then spend more money to freeze it again. Not a bad gig if you’re a credit reporting agency.  A hassle if you’re a consumer, but it might save you from an identity thief.

Also, be on the lookout for emails claiming to come from Equifax with “click here” links claiming to set you up for free credit monitoring for a year.  As of this writing, I know of no such emails, but it’s inevitable some senior manager at Equifax who doesn’t know better will want to send one. It’s part of the typical pattern. Check your email header to make sure any email claiming to come from Equifax really does come from Equifax, and make sure the “click here” link really does point where it claims to point.  See my post about How to Spot a Phishy email for more.

I’ll update this post as new information becomes available.

Finally, keep an eye on my dgregscott.com website for resources.  I have a bunch of mini-seminars and blog posts with how-to information, and you’re welcome to all of it, no strings attached.  And if you like what I put together, I’d appreciate it if you would consider buying a copy of one of my books.  Here is a link for more book information.

Internet trouble can make you crazy. You’re posting away on Facebook and suddenly your posts don’t post anymore.  Or maybe you’re emailing your sister and your email program complains it can’t connect to the server. Or maybe your fancy smartTV won’t connect to Netflix.

Now what?

Of course, you call for help.  But whom do you call?  And what do you tell the tech support specialist when they answer after you’ve waited on hold for who-knows-how-long?

Here is a quick diagnostic for anyone who suspects overall Internet trouble. Do this first, before you call, and you might save yourself and your telephone support technician hours of frustration.

But a caution – this means getting your hands dirty with technology.  If that scares you, get over it, for your own good. None of this is rocket science.

One more caution. None of this works with a smartphone or TV. Some smartphones and TVs have primitive diagnostic tools, but as of late summer, 2017, doing this right still requires a real computer.  Or, at minimum, a download into your phone.

This first test takes about 10 seconds. Launch a command line window (how-to details below). Don’t be freaked out that it looks like a 30-year-old step back in time. Inside that window, type this command:

ping www.google.com

and check the results. Here is how it looks from a Windows system when everything works. Macintoshes will behave similarly.

C:\Users\gregs>ping www.google.com

Pinging www.google.com [216.58.216.228] with 32 bytes of data:
 Reply from 216.58.216.228: bytes=32 time=20ms TTL=56
 Reply from 216.58.216.228: bytes=32 time=20ms TTL=56
 Reply from 216.58.216.228: bytes=32 time=20ms TTL=56
 Reply from 216.58.216.228: bytes=32 time=20ms TTL=56

Ping statistics for 216.58.216.228:
 Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
 Approximate round trip times in milli-seconds:
 Minimum = 20ms, Maximum = 20ms, Average = 20ms

C:\Users\gregs>

Ping sends a data packet to the destination you specify and waits for an echo reply. Just like the old submarine movies, only this is across the Internet. And it’s software, not real sounds. The idea is, ping a popular destination and watch for the reply to come back. Not everyone answers pings, but Google is kind enough to do so. If Google doesn’t reply reliably, then you probably have an overall Internet problem.

Also, watch the milliseconds – in my case above, it’s consistent at 20ms. That’s the round-trip time for the echo request to go out and the echo reply to come back. If your milliseconds bounce around all over the place, you may have a problem – or your Internet connection might just be busy from other family members streaming who-knows-what.

Here’s how to launch a command line window:

In Windows XP, click Start…Run.  In Windows 7 and 10, just click the Start button. In the box right next to the Start button, type CMD and press the Enter key. There are other ways to do it, but this is the easiest and it’s universal.

In Windows 8 and 8.1, press the Windows and R keys on your keyboard. The Windows key is on the bottom row of your keyboard, right next to the Alt key, on either side of the space bar. In the box, type “CMD” and press Enter.

If you have a Mac, launch the Terminal, found in /Applications/Utilities/

Next Step

Here is your troubleshooting decision tree.

If your pings show something like this:

C:\Users\gregs>ping www.google.com
 Ping request could not find host www.google.com. Please check the name and try again.

C:\Users\gregs>

then you may have an overall connectivity issue, or maybe just a name translation problem. You need another test to be sure. Since we know one IP Address for Google from above, just try to ping that raw IP Address:

ping 216.58.216.228

and see what it reports. If you see 4 replies and the milliseconds look reasonable, raw connectivity is good and you have a name translation problem. If you see errors, you probably have a raw connectivity problem. Do one more command. My example below is from Windows.  For Macintosh, the command will be “traceroute,” spelled out.

racert 216.58.216.228

The tracert command traces the route from you to your destination. It’s kind of like looking at a map to find all the stops on a road trip between Minneapolis and Dallas. Or pick your favorite cities. Here is what it looks like when everything is normal – your hops will be different.

C:\Users\gregs>tracert 216.58.216.228

Tracing route to ord31s22-in-f4.1e100.net [216.58.216.228]
 over a maximum of 30 hops:

1 <1 ms <1 ms <1 ms fw.infrasupport.local [10.10.10.1]
 2 <1 ms <1 ms <1 ms 216.160.2.158
 3 12 ms 10 ms 11 ms stpl-dsl-gw14.stpl.qwest.net [207.109.2.14]
 4 10 ms 11 ms 10 ms stpl-agw1.inet.qwest.net [207.109.3.105]
 5 20 ms 19 ms 20 ms cer-edge-17.inet.qwest.net [67.14.8.90]
 6 21 ms 20 ms 20 ms 216.111.90.126
 7 * * * Request timed out.
 8 20 ms 21 ms 20 ms 209.85.249.73
 9 20 ms 22 ms 21 ms ord31s22-in-f4.1e100.net [216.58.216.228]

Trace complete.

C:\Users\gregs>

Notice one of the intermediate hops in-between Google and me did not respond. That’s normal. Sometimes routers on the Internet don’t answer echo requests. You don’t care about that – you care about whether and where the tracert dies, which means where all the rest of the hops report “Request timed out.”

The tracert will max out at 30 hops, but if you’re in a hurry, press the Ctrl and C keys on your keyboard to abort it.

Total time for all this – maybe 60 seconds.

And now you have something to give your tech support specialist when you call for help. If you talk to anyone beyond a brand-new rookie, they’ll appreciate you for taking these basic troubleshooting steps first and may take your problem reports more seriously than otherwise.

Well, this is embarrassing. I left a gaping security hole right here in my own author website. I buried my head in the sand and planted a “kick me” sign on my butt. I dodged a bullet because, as you’ll see below, nobody visits my website yet. But, since I tell people to adopt the motto, care and share to be prepared, I need to swallow my pride and share how I messed up and what I did to fix it. Learn from my mistake. And it’s okay to call me a dork on this one. I deserve it.

A few days ago, my buddy from Ukraine, Ihor (prounced Ee-gore) messaged me.  Ihor is a web developer and he taught me how to use Javascript to make a selection list many years ago. We hadn’t talked in a while and I was eager to show him my new author website.

He asked if he could try to hack it.  I laughed and told him to go right ahead, just tell me what he uncovered so I can fix it. I was confident he wouldn’t find anything. I am a security professional, after all. Too cocky for my own good sometimes.

Take a look at the page views for August 2, 2017.  That was all Ihor. He was thorough. And it didn’t take him long to find problems.

First, he tried to login and change my admin password. I saw the audit trail, and WordPress even emailed me a notice that somebody was trying to mess with my password.

I look forward to the day when thousands of people visit this site every day and I need commercial hosting. But for now, it lives inside a virtual machine in my basement, and since I’m the only one who edits it, I was thinking about restricting access to my local network anyway.  But even with access to the login screen granted to the entire Internet – as are most WordPress websites – Ihor was unable to get in. I was feeling smug.

And then he nailed me.  Take a look at the screenshots of shame Ihor sent me:

He was able to look at directory listings of my website, which is about as bad as it gets. And he let me have it. Here are a few of his comments:

<Directory "/var/www/html">
    Options Indexes FollowSymLinks
.
.
.
</Directory>

<Directory /var/www/html/wordpress>
    Options FollowSymLinks
.
.
.
</Directory>