John Brennan, AOL, and Bruce Schneier Driving Hard Left

I just finished reading Bruce Schneier’s blog entry, titled “The Doxing Trend”. Let me start by writing that I am usually a big fan of Mr. Schneier. I look forward to his newsletter and I have tremendous respect for his technical intelligence. But as I read his doxing article I couldn’t help but wonder what happened. For the most part, it is not possible for me to disagree more with the position he takes on how to better secure our lives. Let me explain.

Bruce’s article centers on the recent news that CIA director John Brennan’s AOL account was hacked via social engineering. Using information socially engineered from Verizon, attackers were able to do a password reset with AOL. Did I really just learn that the director of the CIA uses AOL for his personal email? Wow. What’s really shameful is that people assume the director of the CIA, because of his position, is a technically proficient person. He does not have his job because of his cybersecurity knowledge; he is there because of a combination of CIA experience and politics. According to Wikipedia, Brennan, a 25-year veteran of the CIA, has a bachelor’s degree in political science and a master’s degree in government with a concentration on Middle East studies. This suggests that, while he is a scholarly man with a lot of terrorism-related experience, he is not a computer guy. He may be as clueless about the details of technology as a lot of other baby boomers. And if, by some oversight of mine, he was a computer security expert at some point in his career, he isn’t one today. So the fact that his account was hacked is really no more interesting than if it was my father’s account getting hacked.

The few Google searches I did suggest that 2-factor authentication is not available from AOL (which I suspect will change shortly if I am not already wrong). So, the director of the CIA chose to continue to use a personal email service (and send sensitive information to it) when it did not offer a widely available and frequently used security solution. Whose fault is that? AOL, for not offering it, or Brennan for not being up-to-date enough to know that a man in his position is a target of interest? Brennan, more so than most, should know the personal responsibility he has to secure his digital life. I suggest he screwed up for using AOL in the first place. AOL is a dinosaur. But who didn’t know that before this happened? If you visit AOL’s Wikipedia page it reads like a company that has been in a downward spiral for more than a decade. The acquisition of AOL by Verizon in mid-2015 will eventually lead to the brand drifting off into the annals of Internet history where it belongs. Brennan should have known better or, at the very least, done some research.

Stored in his AOL email, Brennan had a copy of his SF-86 that he had emailed himself (the form you fill out for your security clearance). This PDF, like so many today, supports being digitally filled out. But that is not a requirement. Item #2 in the instructions reads, “Type or legibly print your answers in ink. … You may also be asked to submit your form using the approved electronic format.” It does not REQUIRE electronic submission. This means that Mr. Brennan, being the security-conscious man that we assume him to be, could have printed the form and carried it in his briefcase. But instead he chose convenience (i.e. availability) over security (i.e. confidentiality) and sent it to himself, electronically filled out. And that’s AOL’s fault? Hardly. If he had printed it and someone stole his briefcase, would Mr. Schneier be suggesting that Samsonite should be financially accountable for the crappy 4-digit codes on the case? I doubt it.

Brennan also had a copy of a spreadsheet that included the social security numbers of US intelligence officials. That document should have never been in Brennan’s personal email account. Period. Again, let the blame lie with Brennan, not AOL. Damn, Brennan. You Hillary much?

Bruce’s article is a call for government action on cloud security. How is it that a guy as smart as Bruce Schneier thinks that the inefficient tentacles of bureaucracy are going to help make the Internet more secure? The institution of laws and regulations will stifle innovation (which Bruce admits), provide yet another instance of government invading our lives and generally screw things up. One need only talk to people in the private sector who have to deal with organizations like Ginnie Mae, Fannie Mae, CFPB or HUD to know just how awful the government is to work with and how difficult they make it to get any real work done. Under the auspices of such meaningless generalities as “the public welfare”, “common sense”, “public safety” and the worst one of all, “the greater good”, these organizations introduce so much bureaucracy into life that commercial entities are hobbled, forced by law to deal with them. Once the government gets involved in your industry, you’re screwed. Huge quantities of time, money and energy will be spent on dealing with the bureaucracy rather than on completing any real productive work. Prices go up, productivity goes down and the innovative juggernaut that America once was continues its prolonged death spiral at the hands of an overly involved government. A guy like Bruce should know this, so it’s both scary and inappropriate for him to suggest that the government is the solution to the need for better security.

What would happen if the government, in the name of “public safety”, decided to regulate video blogs (vlogs)? Do you think a guy like Casey Neistat or Gary Vaynerchuk would be able to do what they do with the government setting ‘minimum standards’ for their productions?

Mr. Schneier continues on to write that “companies that we entrust with our digital lives need to be required to secure it for us, and held accountable when they fail.” This is true, but not in the way Bruce suggests. It’s not the government that should hold a company like AOL, Amazon, Apple or Google accountable. Their customers should. If Apple is unable to keep information secure, you and I, the consumers, can take our business elsewhere. That’s how control and accountability are exerted. As soon as the government gets involved, the responsibility of the consumer is reduced (or eliminated). And that’s wrong. Apple is accountable to me. Their lack of accountability is penalized by me not buying their products or paying for their services. And if you are reading this thinking to yourself, “Gmail is free,” let me assure you it is not. You, my friend, are Google’s product. And you are providing to them a wealth of information that they use to target their customers’ advertisements to you. That is the ‘fee’ you pay to Google for your ‘free’ Gmail account. Apple, Google, Amazon and any other ‘for profit’ entity will respond to an exodus of its customers in a much more appropriate way than any piece of legislation.

Bruce makes an excellent point that our primary email account is a “master key” (Bruce’s words) for many of our other on-line accounts. Because password resets are frequently done by sending a reset link to the email account on record, a compromise of your email account will lead to the compromise of many other on-line accounts as well. This is a very real and very scary reality for all of us. Solutions are not simple, for sure. But the increased insertion of the government into the mix is only going to make things worse.

Bruce also concedes that the reason the systems are so easily bypassable is that customers demand they be easy to use. The fact that we, as a society, generally regard it as acceptable that we log in to different sites with just a username and password is a message that the convenience of a remembered password (i.e. availability) is more important than security (confidentiality). Passwords are easy for both customer and provider. An ever-increasing number of on-line providers offer 2-factor authentication as an additional, free enhancement to account security. It is up to the individual to decide if this added login overhead fits into their tolerance for security. Each of us is capable of making this decision ourselves; we don’t need 2-factor authentication (or similar) inflicted upon us by the government. When Bruce writes that the government should set minimum standards and then “let the market figure out how to do it most effectively”, he is really saying, “the government knows what is better for you than you do. You are not smart enough to decide what is in your best interest. You just sit back, pay your taxes, and we will make all your decisions for you. You don’t need to think. Let the government do that for you.” Mr. Schneier is going to fall down if he keeps leaning that far to the left.

I use 2-factor authentication on as many systems as I can, but not every company offers it. I choose to; I am not compelled to do so. For those that don’t offer it I can either A) contact them and request they add it or B) choose not to do business with them. As the absurdly fast evolution of our digital lives continues, there are going to be problems like this. We, as consumers, need to demand these things from the organizations that provide us service. We should not sit back and need, want or expect the government to compel them to do it via legislation.

In his article Bruce also wrote, “because we don’t have any real visibility into those companies’ security, we should demand our government start regulating the security of these companies” and that the “government should establish minimum standards for results”. If companies are compelled to abide by minimum standards set by the government, do you know what most of them will do? They will abide by the minimum standards. The contradiction in Bruce’s opinion is illustrated by the fact that he wrote “government should not mandate how a company secures our data; that will move the responsibility to the government and stifle innovation”. What exactly does he think ‘minimum standards’ will do? They will let companies proudly state that they are ‘DoD 7840.BS’ compliant or that their system ‘complies with FIPS-BS123’. Done. The compliance box is checked. No need to innovate any more; we’re doing what the government requires us to do.

The government represents the death of innovation and a hindrance to productivity for the commercial world. For an upcoming example, watch the drone industry. The breakneck pace of cool features being released in the personal drone world is dizzying. In short order the government is going to swing in and wreck the whole thing. If you don’t believe me, just sit back and watch it unfold over the next 2-3 years.

Bruce, I love you, buddy. You’re a crazy-smart dude who [usually] makes me smarter by sharing what you know. But you’re way out in left field on this one. And yes, the use of “left” is sooooo very intentional.

Cheers,

Colin

About the Author

Colin Weaver

Colin Weaver is co-owner and lead instructor at ITdojo, Inc., a network security and information assurance training center and consulting firm located in Virginia Beach, VA. His passion for technology, networks, and security has led him to become enthralled with the idea of IPv6 and its implementation. In this blog he will share with you glimpses of what he has learned and a hint at what you’ll learn in his classes.