Is your name among the stash of 1.2 billion stolen passwords? An Internet security firm can tell you -- for pennies per day!

Suspicious, ugly thoughts you wish you didn’t have can sometimes save your bacon.

Back in the late 1700s, there lived a rascal named Gregor MacGregor (really). A professional soldier from Scotland, he trundled off to South America to fight for the region’s independence. When he returned to England, he bore the weighty responsibility of having become the Prince of Poyais, a small country located near the Black River in what is today Honduras.

The problem he laid at the feet of any Englishman who’d listen was that this fantastic country, a paradise rich in natural resources, needed buckets of money and an army of willing colonists to effectively develop. The prince managed to score both cash and colonists. He invested the one and told the other they should settle ahead of him and he’d follow directly once his country’s investments were secure. Unfortunately for those unsuspicious colonists, there was no Poyais, as most found out only after they tried to travel there using MacGregor’s supposed directions.

We laugh at those poor schmucks today, standing there dumbfounded much like Butch and Sundance did 200 years later when they stepped off the train in the movie version of their last little outing to Bolivia. But there wasn’t much they could have done. They wanted the opportunity; colonization was all the rage; and how could they have checked up on his story anyway? Many of their contemporaries were colonizing successfully, so they eagerly took it on faith.

My trust-challenged mind is wondering if we’re doing the same thing ourselves, though motivated by fear as opposed to greed.

Freak out first, ask questions later

The Webosphere was abuzz recently with a report released by Hold Security that more than 1 billion passwords, across 400,000-plus compromised websites, had been stolen by a heinous and invisible Russian crime ring, which Hold has decided to give the malevolent-sounding name of CyberVor. You can almost see M giving James Bond the order to retire these buggers along with his new Bond girl, Didgi Delish.

Given how similar breaches seem to happen every other day, most of us took the news on faith born from resigned despair. This crap keeps happening over and over and over, so why start wondering now? Then Hold states it’s willing to investigate the passwords and accounts of individuals who want to know whether they’re affected, pending payment of $120 per person/customer/sucker.

Note to all the lawyers leaping for their keyboards to draft a libel suit against me: I’m not accusing Hold of anything, merely posing a hypothetical comparison of Hold’s — and other companies’ — path to riches with MacGregor’s. (I’m not the only one; the guy who got me thinking this way was Graham Cluley.)

A fourth estate fail

For the vast majority of us, the breach report has to be accepted on its face, but do some digging and you’d be hard-pressed to find any news outlet that verified Hold’s claims through a third party. In fact, most used the original New York Times story as the sole foundation for their pieces and went on to describe other such tragic breaches, usually Target’s, which was also broken by the intrepid digital detectives at Hold.

Sure, it’s a nice story, but dang, it’s a tad anemic on verification. We could pay Hold its $120 to figure out whether we’re one of the unlucky billion, but maybe we should pause and consider: How do we know this honking heist even took place? I gave Hold’s official statement a read, and it describes the company’s tracking of CyberVor.

According to Hold, the villains acquired stolen credentials from other black-market hackers, used those credentials to spam and redirect their initial victims, deployed botnets to identify SQL vulnerabilities in those 400,000-odd websites, then swiped the aforementioned 1.2 billion unique emails and passwords through those security holes. But that’s it: No link to numbers or audit results or proof of any kind. Hold couldn’t even name the affected websites “due to nondisclosure agreements.”

Again, I’m not saying the report is full of the brown stuff that comes out of cows hopped up on hay and norovirus, but I am pointing out that most of us have no way of knowing for sure. Furthermore, the statement immediately links panicked companies and individuals to Hold services that can let them know if they’ve been affected and keep them informed of any future digital nastiness for a full year, but “we just need your credit card number.”

That’s fantastic marketing. It comes complete with lucky timing that exposes the theft at the same time the big black-hat security convention is going on in Vegas. Awesome! Granted, I’m old and maybe life has dealt me one too many kicks to the jewels, dropping me into a downward spiral of paranoia. The report is probably true given the state of Internet security today. But, gee, I wish we had a way to be certain.

This much is true

Then again, maybe the truth is irrelevant. Even if Hold’s report is a fable, your credentials have doubtless been stolen by somebody: reprobate Russians, nefarious Nigerians, or any number of gleeful government spooks. At least, rest assured in this one piece of complex advice (and save yourself $120): Don’t ask “if.” Assume you’ve been Web-mugged and change your passwords — often.

This article, “On sale: False sense of Internet security, for the low, low price of $120,” was originally published at InfoWorld.com.