Sarah Palin's Privacy and Mine

What was her problem? She got her email published on the Internet. What the "hacker" did was easy to do and not something that could be taken care of with an intimidating wink. It seems that all the "hacker" did was go to Yahoo and reset her password. They proved to Yahoo that they were Mrs Palin by answering the security questions with information gathered from Wikipedia. They did have to guess one answer: they guessed that Mrs Palin met her husband at the school they both went to.

That attack would be difficult to perform on me for two reasons: I am not important enough (yet) to be featured on Wikipedia, and what information on me is out on the Internet is false. An example is Facebook, where I claim to have graduated from Berkeley University 4 years before I got out of high school. In fact, I don't think a high school would have been named "Cesar Chavez" back then. Most sites with a security question think my mother's maiden name is something like "oirjtgrhjueqkjhjlskavrrgl", the result of my pounding the keyboard as randomly as possible.

Everybody should be stringent about what information is on web sites. If you have no choice but to give out more information than you think the site needs, then give false information. If the false information breaks the site's function, too bad. My privacy is more important than the ability to find or connect with friends.

You may not care about other people knowing who your mother is, but it does leave a security hole in situations that you do care about. How many passwords do you have that are controlled by a trivial piece of information like your mother's maiden name?

I work hard to make my passwords hard to guess, so when a site turns around and not only ignores my effort but actually subverts it, I get offended. While most sites are not the most important thing in my life, their actions may make more important sites insecure, just like Wikipedia weakened Palin's email account.

Always give false information when a site asks for more than your name and contact info. Then give gobbledygook when setting up a "security question". Just be sure to hold onto your password well, since you won't be able to recover it. Either write it down and keep it in your wallet, or (as I do) put it in an encrypted password safe like "Password Safe" or "KeePass", which you can get at SourceForge.net.

Back to the story: Yahoo claims their practices are common in the industry and that they are truly concerned about their users' privacy. Well, whether they are concerned or not, the fact is that they are leaving a big security hole open. I really don't care if others are doing the same thing. It may sound kind of presumptuous of me, but I am convinced that if Yahoo were concerned about their users' privacy they would close that hole instead of making a bunch of lame excuses.

Two exceptions to the false-information creed are my contact information and my birth date. People can always contact me, and if I think they need more information they will get it. My date of birth is never true, but it sometimes adds up to the right "age group". When I am on a social network, I don't want to be one of the stalkers that pretend to be something they are not.

Some people might think I'm dissing sites like Yahoo. But I've got an account at Yahoo for trivial matters, and I don't even give personal information on my own site. I used to put my resume on my site, but I've quit doing so. Now the most private things you will see about me are pictures of my favorite hobbies, so I don't base any security questions on them.

Another side of this issue is that we users need to quit blaming hosts like Yahoo. We all need to take control of our own security and quit relying on online companies to comply with standards. Standards are not a bad place to start, but we can't stop there.

Update: 10-16-2008
It was pointed out that Bruce Schneier, the security guru who wrote "Secrets and Lies" and "Applied Cryptography", wrote about this very issue back in 2005.
See a past issue of his newsletter "Crypto-Gram": http://www.schneier.com/blog/archives/2005/02/the_curse_of_th.html

One of the comments makes an interesting point about a wedding anniversary. Since the average marriage only lasts 7.2 years and there are 364 likely days in the year (excluding Feb 29 and Dec 25), there are only 2,620 candidate days to try for a wedding date. That is not a big task for a bot on the Internet. If the month/day is published somewhere, the number of candidates drops to 8.
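As an added illustration (not part of the original article), here is the anniversary arithmetic above generalized into a small Python script that also compares it with a keyboard-mashed answer like the one mentioned earlier. The 2^20 "bot-guessable" threshold and the 95-character printable alphabet are my own assumptions; the 7.2 years and 364 days are the article's figures.

```python
import math

# Figures quoted in the article: average marriage length and the number of
# likely wedding days in a year (Feb 29 and Dec 25 excluded).
AVG_MARRIAGE_YEARS = 7.2
LIKELY_DAYS_PER_YEAR = 364

# Assumed threshold: below this many candidates an online bot can simply try
# them all against a password-recovery form.
BOT_GUESSABLE = 1 << 20


def anniversary_guesses(month_day_known: bool = False,
                        years: float = AVG_MARRIAGE_YEARS,
                        days_per_year: int = LIKELY_DAYS_PER_YEAR) -> int:
    """Number of candidate wedding dates a guesser has to cover.

    If the month and day are already public, only the year is unknown, so a
    fractional average span rounds up to whole candidate years (7.2 -> 8).
    Otherwise every likely day in every candidate year is a possibility.
    """
    if month_day_known:
        return math.ceil(years)          # 7.2 years -> 8 candidate years
    return int(years * days_per_year)    # 7.2 * 364  -> 2620 candidate dates


def gibberish_guesses(answer: str) -> int:
    """Candidate space for a keyboard-mashed answer.

    Assumes the guesser knows the length and the character class used:
    26 symbols for an all-lower-case answer, otherwise 95 printable ASCII.
    """
    alphabet = 26 if answer.isalpha() and answer.islower() else 95
    return alphabet ** len(answer)


def entropy_bits(candidates: int) -> float:
    """Guess space expressed as bits of entropy."""
    return math.log2(candidates)


def is_bot_guessable(candidates: int, threshold: int = BOT_GUESSABLE) -> bool:
    """True when the candidate space is small enough to enumerate online."""
    return candidates <= threshold


if __name__ == "__main__":
    for label, n in [("anniversary, date unknown", anniversary_guesses()),
                     ("anniversary, month/day public", anniversary_guesses(True)),
                     ("mashed answer", gibberish_guesses("oirjtgrhjueqkjhjlskavrrgl"))]:
        print(f"{label}: {n} candidates, {entropy_bits(n):.1f} bits, "
              f"bot-guessable={is_bot_guessable(n)}")
```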

About the Author:

Dave Keays is an independent web programmer specializing in Drupal and the security of Drupal. In addition to web development, he keeps track of trends on the Internet.

Article Source: ArticlesBase.com - Sarah Palin's Privacy and Mine

Internet, Password Recovery, Palin, Security Questions