KISS Principle: Keep it Secure Simply

You're probably familiar with the traditional KISS Principle and if you're thinking of Gene Simmons or Ace Frehley, you're way off track. It has long stood for Keep It Simple Stupid.

I’d like to update this to Keep It Secure Simply.

What’s easier to simultaneously defend, one fort or twelve? Say you only have one fort. How many gates, doors, ramps and other access points do you want through the wall to defend? Since it is relatively easy to defend a single door, attackers throughout history resorted to scaling over walls or sapping through and under them instead. Think of Helm’s Deep in Lord of the Rings!

The fewer points you have to defend, the better you can focus your defenses, making attackers work significantly harder.

Now think about your digital life. Consider these questions:

  • How many exposure points do you have to defend? Look at your bookmarks. Look at your browser history for the last 60 days. Lots more there than you thought, isn’t there?
  • How many of them are interrelated? Consider these two high profile cases where hackers were able to take one piece of data from one link, put it to use at another and then another, and completely undermine these unfortunate souls.
  • Could your digital life withstand such an attack? Sure, you can’t stop an hourly-wage call center representative from giving out more information than they should, but how far can the hacker then take a single piece of information and reuse it to move on and on? Here’s a couple tips:
    • Use two-factor authentication everywhere you can and if at all possible change providers from one service that doesn't offer it to one that does.
    • Don’t have your “password reset” email be your main email address. Better yet, create an email account that is for this purpose alone and of course with an email service offering two-factor access. Never use this “password reset” account to send an email.
    • If a site has you answer challenge questions to help recover passwords or access, please, please don’t answer the questions accurately! The answer to a question such as “Best friend in high school?” should be something like “strawberry” or “piggedypoo”, not Bob. A good password manager can help you manage this easily. See next bullet point below on password managers… they have many uses!
  • How many sites have you interrelated by using the same password? Yes, I know having a separate password for every site is impossible to remember without resorting to using patterns that then become apparent to attackers. If your online Chase bank password is “123Chase456” and your GoDaddy password is “123Godaddy456”, do you really think those will hold up once one is compromised? Time to get with the 21st century and get a password manager that creates unique, complicated passwords for every site! Me, I’m a LastPass fan, but there are several good ones. Remember the two-factor tip above when choosing one!
  • Do I really need to buy this on this site I've never used before? Sure it may save you a couple bucks today, but why give more people your credit card and attendant information than you have to? You drive down to bad parts of town to get a deal?
  • How many of the services you use have more data than necessary? Couple tips:
    • If you can sign up with fake data and have the service be effective, do it.
    • Beware how much personal data you make public on social media, especially if you ignored my advice above about not answering challenge questions accurately. If the answer to the challenge question “Best friend in high school?” is Bob, then how long would it take me to find this out on Google+ or Facebook?
  • How many are stranded accounts you don't even use anymore? Time to work through your bookmarks or password manager and either close them, edit down to a bare minimum what data they have (do they still need your credit card #?) and / or change the password to something unique and complicated. Do I need to bring up two-factor authentication again at this point <grin>?
  • How many of them are necessary for you at all? If dey ain’t, den close ‘em down!

Yes, this KISS principle seems to fly a bit in the face of the traditional Keep It Simple Stupid version, but remember one of my Security Maxims: Being insecure is easier than being more secure. Since being secure isn't the easiest approach stupid, Keep It Secure Simply.

Less is more when choosing digital ecosystems!

Good article to review and ponder how you're organizing your digital life.

How to Survive the Next Wave of Technology Extinction

Here's a couple thoughts:

The author highlights five behemoths, Amazon, Apple, Google, Facebook and Microsoft. Nice that he ordered them alphabetically to not show favoritism. Me, I'd drop Amazon and Facebook off the list entirely. Why? One word... Email. Still the killer app to which all else in a real ecosystem must tie without being on the website or running a site-specific app.

What about Yahoo? Interesting that Yahoo isn't on his list and without them having an iCloud, Google Docs, SkyDrive type component, I guess I can't argue for them as a good ecosystem either. Too bad, I remember when Yahoo used to be somebody.

Picking a digital ecosystem is important. Having as few ecosystems as possible is better than having more. Why? It is easier to properly secure fewer points of attack than more. Consequently, those ecosystems that provide the broadest range of utility are better than those that require yet more utilities to satisfy your digital lifestyle needs.

I disagree with the prioritization of iOS over Android if you're going to recommend Google services. iOS is great hardware, obviously, but iOS is no longer superior in any way to Android. More apps? Some apps come out for iOS before Android? Perhaps, but per my first point, fewer ecosystems, and hence fewer apps, is better for productive and secure use. If you are a hardcore Apple user with a Mac and use Apple specific apps, then you're already disregarding Google services, so iOS at that point makes perfect sense.

I completely agree that Amazon is the way to go for media. Books, movies, TV shows, with these last two tied into Amazon Prime for free shipping. No brainer.

Given how Amazon purposely breaks your ability to fully use Google services on their Kindle Fire line of tablets, steer clear. I've been very disappointed in how many things family members who have the Fire, one of which I bought for them, can't do with their device. Save a little more money and spring for the Nexus 10 or 7 to get ALL the power of Google with pure Android.

Dropbox and Evernote are great apps, but again I'd argue that you can get the same utility as these services without adding them to your Apple, Google or Microsoft ecosystems.

I'm very interested in others' thoughts, even fanboys! :-)

Remotely Ring, Lock or Erase your Android Devices

Did you know that you can remotely locate, lock and erase your Android devices?

Did you know you can do this with free, built-in functionality from Google without an expensive security app service?

Any device to which you’ve added your Google account will show up in a handy Android Device Manager (ADM) interface. You can access ADM from any browser or from the Android Device Manager app on any other of your Android devices.

Let’s take a couple straightforward examples in increasing severity:

News to me! You?

Finally lifted my head from a busy day deeply involved in some hot to-do's for a client and took a peek at the news of the day. Since I didn't do a good job having a "real" blog post ready in time to post today and since these items are of interest to me I'm going to try and make them of interest to you. 

Also noteworthy is that this is the first blog post I'm crafting entirely on my recently acquired Chromebook Pixel. I'll be discussing that more in a future post.

News Item 1: Google Sells Motorola Mobility to Lenovo

Not really a surprise as this always seemed to me to have originally been a purchase to get at the patents to protect Google and their other Android using partners. They are sending off Motorola hardware bits to Lenovo with a nice tail wind of recent and well received devices. I certainly hope Lenovo builds on the successes here and leaves what seems to be working nicely well enough alone.

News Item 2: Twitter Hack & Two-Factor Non-Factor

This is a long article and not all of it is all that interesting, but it does resurface the issue of the vulnerabilities of humans attempting to authenticate other human beings. The hacker in this case worked through an increasingly familiar chain of services' phone support personnel, using standard social engineering tactics at each step. It is long past time that companies (and it is always the same group of companies, or is it just me?) develop a better procedure for validating a customer over the phone.

My apologies to my friends at IDology and other "generate questions from public database" companies, but asking these ridiculous questions about what my car payment is or what address I lived at back in the 80s is not the way to go. The information is too easy to get at if you've worked yourself up the chain of services such that you have all the information you need when you get to that point.

Oh, and asking for the last 4 digits of a credit card is just plain ol' moronic. These are the digits that don't even get masked on receipt printouts for cryin' out loud!

What would be better? Well, let me tie into the comment in the article by the hackee that even 2-factor authentication wouldn't have helped. Really? I have two-factor turned on with service X predominantly for use on the web, but guess what? That same two-factor authentication method will work just fabulously over the phone! They can ask me and I can tell them the one-time code. If giving a customer service rep a code that is also used to authenticate me for login causes anyone angst, then have me type the code in on the keypad and have the phone system which is listening ("your conversation may be recorded...") merely give a "yup that's the right guy" response to the customer service rep.

Anyway, as you can tell this one really punched a couple hot buttons with me!

News Item 3: Google Successfully Pressures Samsung To Dial Back Android Tweaks

Hurray, Hurray, Hurray! Samsung makes great devices and is doing some interesting things with camera hardware and other cool little things that I'd love to have. Problem is that having used their CheezWhiz UI and the plain Google Android UI, I want no Cheez!

It isn't just the UI, but also their custom Samsung apps. They are not good. I am not alone as you can see from this quote lifted from the article: 

In his Galaxy S4 review, Re/code’s Walt Mossberg wrote, “I found Samsung’s software often gimmicky, duplicative of standard Android apps, or, in some cases, only intermittently functional.”

I'm thrilled to hear Samsung is moving toward more stock Android and only time will tell if it turns out to be true. The sooner it is, the sooner it is likely I'll buy another Samsung device vs. my current commitment to all Nexus devices, all the time.