Yahoo breach exposes naked truth about online security

The hits just keep on coming. Yesterday’s news that Brit spy mongers recorded the video chats of 1.8 million Yahoo users over six months left me numb, as if I had inhaled a frosty Slurpee full of Novocain. Yahoo claims no knowledge of the theft — yeah, I said it, because that’s what it is — but that declaration is worthy of more than a little skepticism. And hey, look: This morning’s news headlines show that British firm, Hold Security, stumbled across the biggest caper in cyber pillaging history: around 360 million accounts and up to 1.25 billion (with a “b”) email addresses. I read it, but I can’t get my head around it.

But more than this being yet another nail in the coffin of our privacy is the question of why do we keep enabling this crap? I don’t mean legally. There are plenty of lawyers looking to tilt at the NSA windmill. I mean on a technical level — or we could call it a plain, everyday, commonsense level.

[ It’s your data, dummy: Make every day Data Privacy Day | For a humorous take on tech industry shenanigans, subscribe to Robert X. Cringely’s Notes from the Underground newsletter and follow Cringely on Twitter. | Sign up for InfoWorld TechBrief, your source for quick, smart views on the news you’ll be talking about. ]

For example, according to all the newsies who carried the Yahoo story yesterday, among the stolen chat data was a lot of nudity. In case Pammy reads this, I’m no expert, but based on available evidence, it appears the nudity is an extension of the popular sexting trend, translated to video.

Shocked at the Yahoo affair? You and the endless string of celebrities who feign amazement when one of their naked phone photos or sex tapes wind up on the Web. If you put a raunchy romp on anything digital today, it’ll eventually wind up on the Internet; that’s a law of nature, like gravity or Windows flaws.

Lacking in Logic 101

Common sense here would dictate that if you’re going to show your twigs and berries on a medium frequented by billions of users, maybe you want to at least try for security. For example, some webcams support SSL, and nothing is stopping you from doing a direct-to-cam connection rather than running through a chat service. Sure, it requires a little technical knowledge, though not much.

If that’s your problem, I’d still point out that in this day and age everyone knows someone at the geek level, whether it’s the 8-year-old next door or a pay-for-nerd from Geek Squad. Ask one of them to help out. If you’re embarrassed, tell them you’re setting up a nanny cam.

But we don’t go that route. Yahoo, Skype — they’re easier. If you think the world’s intelligence services only targeted Yahoo, please go outside and set yourself on fire. If Yahoo was cracked like a soft-boiled egg, you can bet that other video chat services have been compromised, too. And if 1.8 million vid chats were collected over six months, how many have been collected over the last year? Or two years? And by how many spy agencies, marketing companies, and Nigerian data pirates besides the GCHQ’s James Bond wannabes?

Frankly, I doubt there’s any way to stay completely secure using Web communication of any kind. Ars Technica caught Skype in a security lie over its text chat service just last year. For all its billions, you know WhatsApp and its ilk didn’t invest in end-to-end encryption and undoubtedly have no intention of doing so. That might cut into the party budget or derail their moron plans for a six-state lawless geektopia. Your stuff is floating around out there, basically in clear text.

Remember wardriving? Not everyone does

We’re not even learning from old lessons. The last time wardriving made the news was back in the late ’90s, but last month a Sophos security researcher in much better shape than me hopped on his bicycle with a wardriving rig and spent four days cruising around San Francisco. Along the way he bumped into more than 70,000 different Wi-Fi networks, supporting all kinds of new client devices, like tablets, phones, game consoles, even printers and refrigerators. According to James Lyne, the warbiker, 20 percent of the networks he saw were flat out open, like come-on-in-and-peruse-my-hard-disk open.

Worse, 10 percent of the networks whose owners had the presence of mind to hit the Security button on the setup wizard opted for plain WEP, which was outed as digital Swiss cheese a decade ago. Linksys, Netgear, D-Link, all you home/SMB router folks: That protocol shouldn’t even be available anymore. If you must go that route, at least name it “I love the NSA” so that people know what they’re logging into.

Merely skimming the news over the last year for similar examples would turn this little rant into a book. From ATMs to POS terminals to email exchanges and goofy server passwords like “p@ssword” or “hackme,” the list goes on and on and on. We shouldn’t be plagued by spies, crooks, corporations, and Google AIs rummaging through our digital closets, but we are and we all know it. If you don’t, you’re not on the Web anyway, and the NSA will have to root through your garbage to get data on your private life.

Who’s feeding the crooks? We are

Even though we know intelligence analysts are slavering over our Web trysts, we’re not turning off our Web access. According to a survey from the Pew Research Center, 10 percent of us would rather give up TV before giving up Internet access — myself included.

I can’t live without the Web anymore. It’s sad but true. When the evil, hunchbacked wretches at Comcast manage to down my connection every so often for a cackle, I’m bouncing off the walls after a couple of hours. Turn off my TV and I’ll pop a DVD into the Blu-ray player or log into Netflix or whichever online entertainment service can afford Comcast’s streaming video toll these days. But turn off my Web connection and I’m no longer sure what to do with myself. Well, there’s always that, but what am I going to do two minutes later? Probably tell myself I’m going to the gym but wind up at Starbucks drinking a $10, 800-calorie cappuccino and hooking into the store’s Wi-Fi for my fix.

I’m probably shouting at the wind, but we need to pay a little more attention to our digital privacy. I can’t move to Wyoming and live off the grid, mainly because I’m too out of shape to chop wood and Pammy would shoot me before I reached the West Side Highway.

But I’m certainly techie enough to make it a little difficult on whomever is trying to sleazily Dyson-ize my data. Check out the TOR network. Use WPA2 or maybe a good, old-fashioned Cat5e cable. Encrypt my email. Use a password that isn’t crackable in 10 seconds by a grade schooler with an iPad. Don’t restructure my 401(k) on my smartphone. None of it’s hackproof, but at least it’ll make brows furrow for a little while.

And here’s a thought: Maybe keep my love life offline.

This article, “Yahoo breach exposes naked truth about online security,” was originally published at InfoWorld.com. Follow the crazy twists and turns of the tech industry with Robert X. Cringely’s Notes from the Field blog, follow Cringely on Twitter, and subscribe to Cringely’s Notes from the Underground newsletter.