Posted via email from danielmiessler.com | posterous

Posted via email from danielmiessler.com | posterous

Posted via email from danielmiessler.com | posterous

Posted via email from danielmiessler.com | posterous

I’ve updated my PGP information.

Quick question: how many of you use PGP often? I hardly ever do, but I like having it available for those rare cases. ::

As an example, if you use Flash in a standard way you are often sending websites information about the other Flash sites you’ve been to–even if you’ve done the standard browser privacy stuff. So you can think you’ve covered your tracks, but in fact still be blabbing about where you’ve been to any site you visit running Flash.

Using this application shown above, you can actually see this invisible content. From there you can manage not only the Flash artifacts you currently have, but also apply settings for handling them in the future.

Pass it on. ::

Links

[ Flash Cookie Manager | adobe.com ]

[bash]strings $SongName | grep -i daniel[/bash]

Sure enough, it gave me this:

So that’s:

1. My iTunes account
2. My full name

…in every song.

Not necessarily alarming but good to know. In short, even though these songs aren’t locked down like the previous ones, you should keep in mind that they can always be tracked back to you. ::

Holy shit. I mean, yeah, I knew this would eventually happen–maybe 5 or 10 years from now, but damn.

These scientists in Japan can show people a word and then pull it back out of their brain–without even touching them (fMRI). I add that last part because it’d still be cool if they needed to be jacked into their skull to do it. But no, they don’t.

Wicked brutal stuff. Here’s a funny quote from this article about it:

The researchers suggest a future version of this technology could be applied in the fields of art and design…

Yeah, that’s the first thing I thought of, too. You can read people’s minds from a distance, and now we’ll be able to do better art. Someone needs to get out more.

[ Lifecasting: What It Is and How It Will Change Society ]

Our society is about to change drastically, and not in 20 or 50 years, and not because of cybernetics or nanotechnology. It’s about to change due to lifecasting.

Lifecasting in its current form is where people broadcast, usually via a mounted camera at home, a significant portion of their lives. Justin.tv is one of the most successful examples of this form of expression. But this is just the first stage of lifecasting; the real impact to society, which is about to come, requires a particular condition to exist.

That tipping point will come when a significant percentage of society is broadcasting their lives, nearly continuously, from mobile devices.

You might be thinking, “Ah, that’s just another “social media” trend, i.e. “something those crazy Internet kids are doing”. This is true of lifecasting in its current, infantile stage, but not in the stage it’s about to reach. Within the next 5-10 years lifecasting will change the way people interact with each other in nearly all settings. Lifecasing will redefine how the rules by which we expose ourselves to the world.

More Than the Sum of the Parts

The reason lifecasting is currently being overlooked is because the technologies that will power it are rather unremarkable by themselves. It’s basically composed of three pieces: 1) mobile video via mobile phone or some other highly portable camera, and 2) the ability to send that video out in real time to the Internet, and 3) the ability to quickly parse the incoming content into usable chunks. Nothing major, really. In fact, two of the three are already being done.

The issue is scale, and that’s the part that’s about to change. How many devices can stream live video? How many mobile phone carriers support the constant upload of a video stream from their entire user-base? And finally, how many services are out there that take in these videos and tag them, make them searchable, integrate them with social networks, etc? Very few.

A Visible New World

Once these elements change (see iPhone/3G/4G LTE) our world will change with it. Here’s how it’s going to play out:

1. All phone carriers will start supporting all-you-can-eat data plans, and they’ll get much cheaper.
2. The bandwidth (both download and upload) on said services will increase very rapidly, e.g. the next network upgrade after 3G is going to be scary fast (try between 100-300Mb).
3. All mobile phones are going to do video, and they will all ride these newer, faster networks.
4. Within the next ten years a significant percentage of people in first-world countries are going to be broadcasting every moment of their waking lives (and in many cases their sleeping lives as well).

This is a friction point for some. Why would people want to broadcast their lives? Won’t it only be a few fringe people and not a “significant percentage”? No. It’ll be a massive number. Many forces will influence the adoption of “casting” by the masses. Here are a few:

1. Youth. The world is getting younger, and young people will naturally be drawn to the idea of sharing everything about their lives. It appeals to the sense of self-importance present in most young people.
2. It makes sharing your life with loved ones infinitely more easy. In order to see what you’re doing, they don’t have to contact you for an account of what happened, or even what is happening. They just tune into your view of the world. They see what you see. They hear what you hear. There will be pressure from loved ones to continue casting in order to allow others to feel close to them.
3. Financial incentives. There will be an explosion of services focused solely on harvesting interesting events from everyday lives. I’ll go into these services in detail later, but the point is simply that there will be financial benefits to participating.
4. Civic reasons. The government will offer incentives to “casters” because your set of eyes will help find and apprehend criminals. More on this later.

Impact

Now we get to the core of it. So what, right? Why should we care?

Ok, so let’s assume you’ve accepted that the numbers will be there. Let’s consider the implications. Millions of people uploading their actual life perspective with sound and video, and all of this content will be stored, tagged and made searchable by Google, Microsoft, etc. — instantly — as it’s coming in. Oh, and add to it the fact that most of it will be geotagged as well. It’s staggering to even think about.

Consider the sheer number of things that take place during everyone’s daily lives that are lost forever. Well, no longer. As lifecasting becomes mainstream, public places will become 24/7 broadcast zones. If anything at all happens worth noting it will be discussed, propagated across the Internet and the people involved will be unable to the ramifications of the events they were a part of.

The Camera is Everywhere

He notion of being unable to show any sort of negativity without it being shown to the world (with your name, address, and place of business) will have a staggering effect on society. Here are a few scenarios to think about.

One improper comment out of your mouth can now get you fired, or even aired on CNN. A single off-color joke about wanting to “do” some woman at work, or maybe you made fun of a handicapped person as they walked by. A simple funny face would be enough. Or maybe you’re a racist who makes some mouthbreathing comment about black people while eating in a restaurant with a friend.

The person didn’t hear it, and nobody was offended (then), but unfortunately for you it was captured by four different people who were lifecasting near you at the time. Oh, and the guy at work that hates you caught it on the Internet and just sent the link to your VP, who is black.

Fail.

In short, everything you do will be subject to scrutiny by the entire Internet. And any undesirable behavior that is captured will be easily distributed for ill-effect. You will be able to quite literally cuss someone out while driving to dinner and have someone send you the video of you doing it (titled “This guy’s an asshole”) as you’re being seated. Who else is getting a copy of that video showing you inventing new ways to be vulgar?

The list of bad behavior that we all do constantly is nearly endless, but now it’ll be visible:

• Rudeness
• Dirty looks
• Bad Jokes
• Foul language
• Cruelty
• Maliciousness
• Snobbery
• Condescension
• Enjoying the Misfortune of Others

Everyone is a Reality Show Star About to Have a Big Break

But it won’t be only bad things that are captured; the ever-present cameras will also catch the positive things:

• Random acts of kindness
• Heroism (did they know they were being casted?)
• Rescues
• Extremely strange, unlikely events, i.e. freak occurrences
• Humorous scenarios
• Baby and child cuteness that would have otherwise been lost

The Concepts of Time and Location

A particularly scary thing about this is the fact that any place with lots of people will be under what equates to constant surveillance. And virtually all video will include highly precise time and location metadata. Hanging out with that other guy or other girl in public will get a lot more difficult. “What the hell! Someone just sent me a cast of you at the mall with Cindy!”

It’ll be possible to simply type in a location and watch as various views of that place stream in and out. So the screen is black for a little bit because nobody is around, then all of a sudden you see the place from the north, and it passes quickly (someone in a car). Then you see it from the right, and it’s bobbing up and down (someone walking), plus you hear a conversation. Then the screen splits because you’re now seeing two different views of the same place. And you can even see the two people casing now, because their cameras are catching each other.

Customer Service Feedback?

One of the things that got me thinking about this was being the recipient of abominable customer service. I’ve seen people absolutely ignore me while shouting and playing with friends in the back — while I was clearly visible, only to come to the register, not look at me, and mumble, “Watchu wuh”

Imagine these types of events being captured constantly, with the option to instantly upload them to a given drop-off point to be reviewed by staff for that given company. So you clip your cast and send it to the URL for McDonald’s review service. It goes into a queue and gets acted upon immediately depending on severity.

Or even better, how about McDonald’s having staff that simply scan lifecasts that are coming from their stores’ locations. So while it’d be kind of weird to put up full-time video cameras in their stores to track employee behavior they’d be able to simply query Google for all video coming from their stores’ locations. They could get paid to just sit there and watch those feeds and look for corporate policy infractions.

So a customer gets a dirty look, or the lines are WAY too long at a particular location. A form isn’t filled out and mailed in by some customer a week later. No. It’s seen in real-time, escalated, and two minutes later a corporate manager is calling that store manager saying, “WTF?” Instead of saying, “some customer said one of your employees was rude.”, the manager will say, “I’m looking at a video of one of your employees being rude to customers. Take them off the line and fire them immediately.”

As with the other types of behavior, poor customer service in this new environment will have instant ramifications.

Crime Fighting / Government Surveillance

This is a big one, and it’s scary too. Ok, so we already see here what all is going to be captured. Now imagine law enforcement tapping into it. So many crimes that would have gone unsolved will now be trivial to take care of. Suspect grabbed a purse at location x then ran off to the north. Ok, show me all Google lifecast video for the area he just ran to (remember, most all video will have location metadata in it).

Parsing lifecasts will become a regular part of crime fighting.

Now add the government to it. Think of the NSA walking in to Google and demanding a full feed of their data. Now imagine their face, voice and other types of recognition software being trained on the full feed of incoming casting data. It’ll be like tapping into millions of sets of eyes to look for and track somebody.

The order to the computer will be: “Find Daniel Miessler.” At that point the interface will be irrelevant. Whether it’s phone, a static video camera or a lifecaster — it’ll all be the same — all being fed into the same search/analysis algorithm that can find my identifier tokens, e.g. credit card numbers, phone numbers, my voice, my facial characteristics, my license plate, or even someone browsing the web the way I tend to.

Castwatching as a Service

An entire new profession will arise from this. Castwatchers. People watching lifecasts for various reasons. You’ll have people watching lifecasts looking for celebrities so they can report on current locations. Imagine a Google Maps mashup called Oceans 17 — it tracks all celebrities that were in the movie, i.e. Brad Pitt, George Clooney, etc. and displays constantly updated markers on a Google map.

Of course, you roll over the icon and get their current activity. Like, drinking coffee — and the text is a link to buy the coffee they’re drinking. Oh, and on the side you can click to view the casts that are updating the location. In other words, here’s Brad Pitt from two tables over. Here’s Brad Pitt from the perspective of the waiter.

Then you’ll have reporters watching for new stories they can pounce on. In fact, there will be pools of trained analysts who can spot interesting behavior. And that can be sold as a service. So people will subscribe in order to look for blackmail-able offenses. So if you see someone that looks rich acting guilty while interacting with drugs or sex, research who the person is and give me their location.

Think of what the tabloids will do. Find me racism. Find me suffering. Find me sex. They’ll be paying these kind of services to dig up garbage that will sell.

Security and Privacy

Being in information security one of the things that freaks me out is that many people, if not most, are going to keep location-tracking / metadata enabled for at least their friends and family. And many are going to keep it enabled for everyone. People who get no attention can scarcely believe the “too much attention” problem even exists, so they’ll lifecast continuously and allow anyone and everyone to know exactly where they are. What could go wrong, right?

Facial Recognition

This one’s a bit farther in the future, but not too far. One of the most significant applications of lifecasting will be widespread use of facial recognition technology. This point is best made with an example. Let’s say you’re sitting in a restaurant near the door, and your casting camera has a view of people as they come in. Well, your device (your personal computer), which is currently called your phone — will take a picture of the person as they come in, try and get any other angles of the person if they were just uploaded by people in the same restaurant with another angle, and then it will use both/all of those images to perform a search on Google for that person.

Think about this. Every person you see, and hence your device sees, will get queried against Google for a match. If it finds the person, their identity information (whatever’s available) gets sent to your device. Your device will then perform its matchup algorithm on the data pulled down vs. your data that it already has. Where are they from? What do they like to do? Etc.

The next and most interesting extension of this functionality will be an addition to the crime fighting piece. It’s also the most scary. Carriers will offer subsidies for your service fees if you volunteer to use facial recognition at all times and allow law enforcement access to your uploads. So in other words, everyone casting with this service turned on will be helping the police, FBI, DHS, etc. catch the people they’re looking for.

They’ll be able to send profiles to your device and use your device (passively) to scan for those profiles. This will either be mandatory (depending on where our society is when this happens) or it may be a service that you choose to take part in as a “good citizen”, with a reward of reduced cost for your other addons.

Accidents

Imagine the video that will be available of car (and other vehicle) accidents. If you thought the video on “Crazy Car Crashes” was extreme, wait till you have visibility to 100,000% more crashes.

Drama

We’ll start being exposed to some of the most touching and heartwrenching scenes ever witnessed. Real stuff. Imagine the scenarios that happen in the movies and on the TV shows, only real. All that stuff really happens; it happens every day, but it’s never captured. But now it will be, and many of the subjects of the “best” drama will become instantly famous.

“She was the one in “the breakup”. Imagine the whole Internet watching a breakup between a couple that they didn’t know was being recorded. Millions will want to know about their lives. What are they doing now? Are they dating again? Who will pay to watch the “casts” of their first dates with their new boyfriends and girlfriends?

Also, aside from breakups, imagine the lovers in Paris. The handholding. The sweet words. The smiles. The laughs. These precious moments that have hardly ever been captured other than in Hollywood will now be regularly brought to billions. And once again, the participants will have the option to become famous, even if only for a moment.

Fights

Simple. Let’s say we’re currently only capturing a millionth of a percent of all fights. Now let’s bump that up to 3%. Now add knife fights. Attempted muggings. Shootouts. One defender, multiple assailants. All this stuff that there’s very little video on will now be captured on a regular basis.

Instant Celebrity

People who used to be unknown will quickly be discovered. That super fat guy at Arby’s? He’s online now. 140,000 views in 5 minutes. Someone just submitted his name. Here’s where he lives. Here’s his username on eBay. Oh, another caster is walking up to him now and asking him if he knows he’s famous. That’s being casted as well. Etc.

Perspecive Sharing

One of the coolest consumer benefits of this kind of thing is going to be the social-networking aspect. Right now we can call our friends, text them, send them email, and that’s about it. In Japan and Europe you can do a bit of video on a mobile phone, but it’s not all that ubiquitous yet.

Well once this is commonplace you’ll have another option for staying close to friends and family — changing to their perspective. Basically, they share out their camera to a group of people (I’m looking at you, identity services) and if you are in the group then when you click on their contact in your mobile device you’ll have multiple options:

1. Voice call
2. Video call
3. Text
4. Email (will merge into others soon)
5. PerView (perspective view)

This gives a whole new meaning to, “Dude, check this out.” When you send that to a friend now, via voice or text, it will be a prompt to change to your perspective. And it won’t matter if you’re on the other side of the country, or the world. You’re sitting in a restaraunt and a gorgeous woman is at the next table over. You are just eating your burger but you want your buddy to see how fine she is.

“PerView Ping Brian”, you say to your device. Brian is sitting at work and vocally accepts the incoming PerView ping (which he has setup to automatically begin a voice call as well) and he immediately sees the woman that you’re looking at. “Damn, dude…go ask her out. I’ll watch.”

Countermeasures

There’s no doubt that there’ll be a total backlash against casting (lifecasting). Many places will have signs displayed: “No lifecasting allowed.” Why? Because it’ll scare away customers. People will demand establishments to become safe from the eyes of the Internet. People will get wanded for cameras (which mobile phones will have anyway) when entering certain areas. Plus, who’s going to consent to having their mobile devices taken from them at the door? People will constantly be looking for who’s watching them. For who’s recording them.

In fact, many organizations will not only search people (that’ll be largely ineffective) but will actively jam the frequencies of the mobile devices to keep them from lifecasting from their environments.

The game will become figuring out how to cast from places that don’t want you casting from them. Remember, people will be going to these places to do the things that they don’t want anyone seeing. Now factor in the people who are paid to catch those same people doing those things. And a new arms race will begin.

Language

So what’s the lingo that will surround this new phenomenon? Here are a few obvious/unimaginative options. I’ll rely on readers to come up with better ones. First, for lifecasting itself:

1. Lifecasting
2. Casting
3. Shooting
4. Being “live”
5. Streaming

Then for going offline, i.e. NOT lifecasting.

1. Going Dark
2. Unplugging
3. Dropping Off
4. Deadening
5. Hibernating

Conclusion

I’m only barely touching the first few layers of this thing. It’s just massive. I’m kind of overwhelmed right now and just need to post this as-is despite it being a jumbled mess of word things. I’ll continue to work on the organization of the idea and add examples as I remember/think of them. I’ll also update it with ideas from the comments.

I’d love to hear your thoughts on the idea, i.e. do you think it will be as big as I think it will? If not, why not? What specifically will stop this from becoming reality?

My answer? Nothing.

Notes

• Thanks to Zed for helping me think through the concept over some chicken wings.

Everyone loves Google. They want to be everything to everyone, and they’re getting pretty damn good at it. Once you start using their services it gets easier and easier to migrate more of your life to them. But there’s a slight problem.

Google, like most other similar services, encrypts login traffic but not your content. So the moment you’re signed in they switch to plain-text communications and send everything to you in the open.

This means your mail, the news sources you read, your calendar events — are all able to be read by someone with access to any part of the network between you and Google. This could be your employer at work, the wireless network at your local coffee shop, whatever. This isn’t good.

Here’s an email I just sent myself over the default (unencrypted) connection:

1. Use Bookmarks for Your Google Services Create bookmarks (or modify them if you already have them) for Gmail, Google Calendar, Google Reader, and iGoogle (your Google homepage) using https instead of http, like so: https://mail.google.com/mail/. Do this for every service that you use at Google.
2. Don’t Click on Links Within Google to Take You to Your Services If you use their links Google will often take you to the unencrypted version because it’s easier on their servers. Use your links instead to ensure that your sessions are encrypted

The more we depend on Google (or any other monolithic service) the more we need to safeguard the information they have of ours. One way we can help is by demanding (via secure bookmarks and other methods) that they send us our mail, news feeds, calendars, and other information over a secure connection.:

[ Note: This is not a Google-specific problem. Most other services work in exactly the same way. The difference is that Google is so prolific and is becoming very successfully at getting people to use not only their email service but also their calendaring, news reader, instant messaging, their search (with history), etc. It's the all-in-one dynamic that makes it especially important to protect Google traffic. ]

—–BEGIN PGP MESSAGE—– Version: GnuPG v1.4.5 (Darwin)

hQQOA11AgtNhPwrtEBAAzaEnUxjIz8sK4o//mROU59VrueX4+NkO58w3JgytYBdm paHwG7ZwE8JNJsOSxRFaGML+gC954ivV7j0fiRfMUnyziYM+KX8DIXWTls2Dq80i wE7WBz1Inr1gwS4s8uEfMiXHRxldAu2iaFx4AyqFI58vKkh6UsQF2UxMaoc+SuQS aDQioG00SDsc1JJPJwScolpp55CYBwYvGzFUklstgydjkM7AoBXdva4ZYZCg/vCN HzwH4yO6Uorw1tJkciyBv25ja23SDzpt8RCUI0vZqMUymvASgnxJO93tHVcX1Ecz 8wRyd04OMCecqvhR2KOwiVsNsVC9e/+99DC+x5c+WKH1pES5lMA+gScrSGaucrF0 ozyL2n/+roX2c5D4BF2U7iPpePvb2IjojSELmyQYgYGuPDEJawWdbjuy1w1xnGww 2n8Ihh6q67vhsuRJuE4cMhCFA1A+Rz/ecDx3o2CKRMAfzz5dQ+3N3bRhiDpfwfdO 8HeREJRaaEH3BwC3easpxZQPVgQ7C8g4bHq/3jgHK0Ru0As8QMMG1uT3dqTh7jlt hgZy0k9oIdQdg0IzzeQO1qnaA1PcjDdqoBl1EmB+C5HGsrJVKeyvydJkU/1kCgtv 36wsFztb2dOCowHmzaXKjkv8/+H8UHq79OZSt26G3TCzOAUVyBLoyqPrVYWEyFcP /2yisgsRvV4AI9E++I5JSUZS3KF2e7ATemivURKAa9dqehEpkgw4/LE6mLqWMe7Y UfpOP5WufDoNf8odAylWlBZk/vBiI7cD12Llzs05CObxpTZGBL2HqBDvZu1rTeH8 QEIldTBphCit4WACqtOxYc+7absg/X71c+8tlDjCXz0Vl9O1GLKrtDuT6wBXnIdk +Dr+1uFCLpjAVU8SIGd3REhV6S+lpf+ZcB+IG5EjfjFKEKm2p1KTkDxj1IwH6yt7 k8Pq04Ef5RV0Q9SgfvHoFD1LJvZGRmZj2thWeXclxG6v//Vue76Rmfd40mNdkoKs BaAHhalockopsIWGmVwS68cTjZzmCMl3EJwwS32R3TyYYhrqnlUmHPgNzlG0Juqo piNsEvk0zqmhySET6BeLe2zJSEKszUsYvV2kaur7MlBSWMTcSkxgOpRmDmDeYXZ5 dgTlJsgmrNeNs4iEjt21DtHnAywksSSuzSJZFmWnqSea3jjnw0cA1ccQYbXn+9yZ Ay7BNDfjqB8Qs82w1TfboepAdHMK5v4FyNdKlyt1XCwpIcQN6PjtUDvkv67k7SJT +bNjdXtALKC2h+Y4owAnM+48CgaVnv2E4mnp818VmE4CXuLG/Cmgipm5GQgVttJ5 q0O434hilfLyAem3hcaMpK3U+ltJH6uDFezDTh7G/+QR0ukBfW+MPwqt+ApACj2b GEGG1oB0U7K5nuett2xjsKbE+0V7Vv/6Sk2VKds/IRwYb+ER8wLJKEULzTKM2ADe a9cs7wLApN3az0t+ueBzCVC+EefzlQX+H7V9uWmrV95XehFNpJX0+hFFgd+uWEBZ mgFMrwZbB9xaL8EFp4cKxCBOWdqZnc/Zc39fMfISZIFGp+w3sU0q1Lp1KILubWbK Mw4YIhklj539e6uFKZHJvY/0PzRp1D08a9AzvLRnwb7tDHgd9qbPA8+YrUx083yV d8bu2uOxB4wMOnpr88OBYNpsF8QF4b4jp3XWm6/7nnexVTsx6KVxdLQQXZYmC2ZC mY9EI1oaC9niOu4IicsJEMWY3PaPfEnjh+mifvIunN92jMOtOHkF+0Aeymf2n0Rt K25Xr6kFksjQRFhyvrT+BJd41FiJSANc7XC1b+/pVLufmlGPA+ZwWksoBvyw7kCi IHjEk7gg9VkduRa1F2sXLmU1MgKCCFT+ptl/C+nXBFa3RwCE3xB4uzbd33kzLJbd HT1qOVo2JZWTZ3MgzBpglv9NSKliPE7A1Ms9lhZL6IAk11U2RNypwTRCp8MkIHLI JsGm8m9cC61T/XDmRPZ9R7iLNPf/fc7iEdL6w5sX+OzCkcPUHTUyC4Aoxe3hQXnX X+KQ/bACGgwxmcvYhmxqjw+sHcDuxlCohq1VeUPbW8fq8oSV0trGeudZU7UBGCy9 hncZiBbNJGzbBHmMfVOsKw9cH+nVobbEJp5pSYGwLLXtdfqV59kdE95LEaHpol1r BRqDSZq9KSLtUnIwTl9qV+Cg1bGhZpOd0hIAQPQzxDfoBH3oUJlfHREalgg5d0/Q WwKR1bcAEuahwOwQbL5U6rFLLVtkyEtapCjM3D3kuMuMqhNwXio+GVT5w+ZdAafF GDIIDyPnypZfunBfGK5nj5e4sbBhE2IdZiA77yoTUp2hqSldjO+2+fuYITS+5RDi EKNC2Thj8avhl+x57o49IOYIDfSyaghVhtCHD/dgFroA0FXBTs9NKptpx6jslCp4 XuTpciLFuFP0uT9UZHeOuBhIzQe4TyOyMpZ734PlZQbE2AuIRBN0sXUJ0ENeJZTg tjifhgpNo6TJrHn1DMgaKMrMxTDrRJn77+iB6YBdY2WLZD/lk9lQ+QtHo/IBTOI+ NZIyqFG9z6E/tMDdGJPTjY+ltLFZEAEvLEVgxazd81nMJwr8aOKSMSQB4IYGE7bx 4DyAbs/uVjt1ERnTAib6PNAvUQ== =wftQ —–END PGP MESSAGE—–

Hiding Your IP Address

The Problem

The main issue we’re all grappling with is the number and complexity of the passwords we need to remember. Ideally, we would never share a password between any two sites. They would all be different and at the same time highly complex. Unfortunately, this doesn’t mesh well with reality. The human brain just isn’t up to the task.

Simplification Through Classification

The way we get around this limitation is to classify our online accounts according to risk. In other words, we’re going to determine how important each of our accounts are, and then put them into one of three (3) groups. For the purposes of this article we’ll use the military classifications.

1. Top Secret
2. Secret
3. Confidential

Next we’ll simply group your Internet account types into each of these categories:

• Top Secret Banking, brokerages, financially or identity-oriented sites. Think about your social security number and other sensitive personal data. Any accounts of this nature you want to protect with your strongest layer of security.
• Secret Personal email, blogging sites, important forums, etc. These are your main accounts that you use on a day-to-day basis. They aren’t ultra-sensitive, but they a huge part of your life and need to be secure.
• Confidential Product forums, mailing lists, etc. These are your low-risk accounts, meaning that if one were to be compromised it would be annoying but not a major problem. We’re still going to have relatively strong passwords here, but they’re going to be simple in comparison to the two higher levels.
** Also keep in mind whether or not a site supports encrypted logins or not when assigning your accounts to these groups. Never put an account into the top two groups (Top Secret or Secret) if that site doesn’t support encryption. We don’t want someone possibly intercepting one of your upper-level passwords.

Designing Our Password Schemes

Ok, now that you have your accounts grouped properly it’s time to design our three password systems. We’ll start with the Top Secret:

Level 1 — Top Secret: For this level we’re going to use a combination of upper-case, lower-case, numbers, and special characters. We’re also going to make the password at least 12 characters in length. You will be writing these passwords down on a card in your wallet or purse, so it doesn’t matter if you can’t remember the password at first. After you use it a few times it’ll become second nature regardless of how complex it is. Try something like this:

5PF.c9a8>12!

It looks pretty scary, but you’d be surprised how easy it is to remember once you type it a few times over a number of days. The point is that it’s not going to be guessed, and it’s not going to be tied to another account. If you absolutely have to, you can use a sentence algorithm to build the password, like so:

My Online Bank Password Is Not Simple To Guess At All, Julie.

M0bP1n5tGAAJ.

You will be writing these passwords down on a card in your wallet or purse, so it doesn’t matter if you can’t remember the password at first. After you use it a few times it’ll become second nature regardless of how complex it is.

One point on writing down passwords: Many people think this is a bad idea, but that fully depends on how you secure them once their written down. Sticky note on monitor? Bad. Wallet? Good. You have to balance the risk of strong passwords in your wallet vs. weak ones in your brain.

Regardless of the scheme you use to create your passwords, you want them to be a) pseudo-random/highly complex, b) over 10 characters in length, and d) absolutely unique. In short, we don’t want someone with your brokerage account password to be able to log into your bank with the same credentials.

Level 2 — Secret:

With the secret level accounts we’re going to introduce an aspect of simplicity/usability. We’ll do this by creating an algorithm for creating and varying passwords for various sites while still maintaining the appearance of randomness within each individual password.

In short, all level 2 (Secret) passwords will be generated by the same algorithm. As such, they’ll look very similar to you, but will look like random garbage when viewed independently by an outsider.

So let’s build your Level-2 (Secret) algorithm; we’ll use a Gmail account as a template:

[This is just a sample algorithm; you should make your own.]

1. First two letters + last letter of the account. GML
2. Add the three letters up and subtract your birthday. G (7) + M (13) + L (12) = 32 – 15 (if you’re born on the 15th) = 17 GML17
3. Add the two numbers you made to create a third number. 17 = 1 + 7 = 8 GML178
4. Add a word for length. Use character substitution for complexity if you want. GML178H0lid4y
5. Add special characters. !GML178H0lid4y#
6. Scramble as desired. !H0lid4y#GML178#

You now have a very solid password for your Gmail account. But it gets much better than that. You’re using the same algorithm for all your level 2 accounts. So do the same for your Hotmail account and you’ll end up with:

!H0lid4y#HOL358#

Level 3 — Confidential:

For our lowest security level (3) we’re going to use an algorithm similar to the secret level (2), only it’s going to be completely different and much simpler. Remember, these are your unimportant accounts; you wouldn’t want them to be compromised, of course, but if they were then it wouldn’t be that big of a deal.

Let’s make a level 3 algorithm for a site called cars.com:

1. Last letter then first letter of the site (cars). SC
2. A word to be used for all your low level accounts. Add a single character of number substitution (i to 1) SCPubl1c
3. Use a special character. SCPubl1c$
4. Scramble as desired. $Publ1cSC

Again, you now have a decent password that’s not easy to guess and will give a bit of difficulty if someone gets one and tries to guess others. Of course, if they get one of these level 3 passwords and try to break your Secret (2) or Top Secret (1) passwords, they’ll be unsuccessful.

Conclusion

Using this system can increase both security and usability when working with multiple accounts online. Here are a few additional guidelines about this technique and passwords in general:

• Vary your algorithm for level 2 and 3 accounts regularly (I recommend at least once a year)
• Memorize your algorithm and write down your passwords on a card in your wallet. Don’t write down the algorithm itself. Just seeing a password created with it should jar your memory.
• For an extra layer of security you can consider leaving out or modifying a crucial part of the passwords you write down. This way, even someone with the card will not be able to use it. Be warned that if you forget what you changed, however, you’ll be very upset.
• Change your level 1 passwords often as well. With the strength that we’re using in this article I’d advocate once every 6-months.
• Many also use what’s effectively a level 4 account, i.e. a throw-away password that is used for accounts even lower in importance than level 3. Usually this is a static password. Just be sure to be very selective about where you use such a password, and make it as complex and long as possible while retaining its benefit of simplicity.
• An encrypted database is another option for managing passwords. I advocate this method over that one due to issues with losing or damaging the portable storage that the DB is stored on, in addition to not being comfortable with using such a system on a foreign computer (where necessarily you open ALL of your passwords to the system being used). It’s really a matter of personal preference, however, as both systems have their strengths and weaknesses.

I hope this has been useful. For any questions or comments, please feel free to contact me directly.:

Understanding The Diffie-Hellman Protocol

The thing is, we literally forfeit our right to complain about our rights being taken away if we are too lazy to take 10 minutes out of a single day to make a couple phone calls or send a couple emails. If you care about this country at all, please read the text below and act on it via the link above.

I want to remind my colleagues of the serious problems with the Patriot Act that we have been discussing for several years. Let me start with Section 215, the so-called “library” provision, which has received so much public attention. I remember when the former Attorney General of the United States called the librarians who were expressing disagreement with this provision “hysterical.” What a revelation it was when the Chairman of the Judiciary Committee, the Senator from Pennsylvania, opened his questioning of the current Attorney General during his confirmation hearing by expressing concern about this provision of the Patriot Act. He got the Attorney General to concede that yes, in fact, this provision probably went a bit too far and could be improved and clarified. That was an extraordinary moment. It was a moment that was very slow in coming, and long overdue. And I give credit to the Senator from Pennsylvania because it allowed us to start having a real debate on the Patriot Act. But credit also has to go to the American people who stood up, despite the dismissive and derisive comments of government officials, and said with loud voices – the Patriot Act needs to be changed. These voices came from the left and the right, from big cities and small towns all across the country. So far, more than 400 state and local government bodies have passed resolutions calling for revisions to the Patriot Act. I plan to read some of those resolutions on the floor during this debate. There are a lot of them. And nearly every one mentions Section 215. Section 215 is at the center of this debate over the Patriot Act. It is also one of the provisions that I tried unsuccessfully to amend here on this floor in October 2001. So it makes sense to start my discussion of the specific problems I have with the conference report with the infamous “library” provision. Section 215 of the Patriot Act allows the government to obtain secret court orders in domestic intelligence investigations to get all kinds of business records about people, including not just library records, but also medical records and various other types of business records. The Patriot Act allowed the government to obtain these records as long as they were “sought for” a terrorism investigation. That’s a very low standard. It didn’t require that the records concern someone who was suspected of being a terrorist or spy, or even suspected of being connected to a terrorist or spy. It didn’t require any demonstration of how the records would be useful in the investigation. Under Section 215, if the government simply said it wanted records for a terrorism investigation the secret FISA court was required to issue the order — period. To make matters worse, recipients of these orders are also subject to an automatic gag order. They cannot tell anyone that they have been asked for records. Now some in the Administration, and even in this body, took the position that people shouldn’t be able to criticize these provisions until they could come up with a specific example of “abuse.” The Attorney General has repeatedly made that same argument, and he did so again in December in an op-ed in the Washington Post when he dismissed concerns about the Patriot Act by saying that “[t]here have been no verified civil liberties abuses in the four years of the act’s existence.” First of all, that has always struck me as a strange argument since 215 orders are issued by a secret court and people who receive them are prohibited by law from discussing them. In other words, the law is designed so that it’s almost impossible to know if abuses have occurred. But even more importantly, the claim about lack of abuses just isn’t credible given what we now know about how this Administration views the surveillance laws that this body writes. We now know that for the past four-plus years, the government has been wiretapping the international communications of Americans inside the United States, without obtaining the wiretap orders required by statute. You want to talk about abuses? I can’t imagine a more shocking example of an abuse of power, than to violate the law by eavesdropping on American citizens without first getting a court order based on some evidence that they are possibly criminals, terrorists or spies. So I don’t want to hear again from the Attorney General or anyone on this floor that this government has shown it can be trusted to use the power we give it with restraint and care. The government should not have the kind of broad, intrusive powers in Section 215 – not this government, not any government. And the American people shouldn’t have to live with a poorly drafted provision that clearly allows for the records of innocent Americans to be searched and just hope that the government uses it with restraint. A government of laws doesn’t require its citizens to rely on the good will and good faith of those who have these powers – especially when adequate safeguards can be written into the laws without compromising their usefulness as a law enforcement tool.

I just think it’d be nice to start fresh. Everyone who manages keyservers could send a series of notification emails to the addresses listed in their key database, and after like a year (or whatever agreed upon amount of time), the deletions would begin.

Worst case scenario is that some people need to re-upload their public keys. I think it’s a small price to pay given the resulting “fresh” feeling. I for one can’t stand looking at all those redundant, orphaned keys — it’s the OC in me I suppose.

Thoughts? Anyone agree?

Many view this as proof that the company is heading down a dark path — a path that will eventually lead to them knowing virtually everything about their account holders.

I disbelieve.

I have seen nothing but honesty from the company since I began using their search engine in 1999. I have a high level of confidence that they are using my information for the reasons they claim, and not for some hidden, malicious purpose.

However — and this is a big one — this is all contingent on their current management structure.

This debate really needs to focus on the people in charge more than anything else. They are the ones who control the “morality” of the company’s culture. As I said, I’m relatively comfortable with them right now due to how they’ve conducted themselves over the years, but that could change in one night. One bad meeting, one change in the personal life of a key decision-maker — any number of catalysts could send the company over the edge.

Imagine a room full of highly explosive gas, and then imagine a giant match. Well, the room full of gas is Google, only it’s a room the size of 10,000 football stadiums, and it’s growing every day. So the issue isn’t so much whether or not the current management staff is the match, the issue instead is the fact that there will inevitably be one at some point.

So the question then becomes — how much of your information do you want Google to have of yours when they do have that management change and open their doors to the government (and God knows who else)? This, by the way, is the match. If you think about it, it’s actually quite easy to see. I believe the current heads of Google are decent, honest people, but do you want to bank your life’s information on the fact that they will always be there? Can you be sure they will always be successful at keeping those who want their infomation at bay?

Think about how much profit potential Google represents to someone willing to take advantage of it for business purposes, or how much intelligence information it holds about account holders. It’s seriously mind-boggling, and to believe that a few good people will be able to perpetually defend this massive gold mine is an exercise in naivity.

My point is simple — don’t overreact and label Google as the great Satan or some variant thereof; that’s just being a little silly at this point. But at the same time we need to stay aware of what could, and arguably will, happen in the future.

As for me, I’m going to continue using Google; they’re an exciting company that continues to bring out some awesome products. But I won’t be using it as a primary system for personal correspondence. I prefer having all my mail under my control, i.e. on a LAMP server that I admnister. So I may use the mail forwarding from time to time, or Analytics, or whatever other cool stuff they come up with as time goes on, but I’m not going to drink the punch.: