Like many children of the '90s, I have an old AOL account still active for use with a third-party AIM client. (I know they rebranded, but it's stupid, so I refuse to type it. They even forgot they rebranded in the docs they wrote, so good job, guys.) Upon signing in today, I was greeted by an automated alert from AOL:
We place a premium on your privacy, security and our ongoing relationship with you. We apologize for any inconvenience the recent email spoofing and unauthorized access of AOL’s contact database has had on you and your contacts. If you have any unanswered questions, please visit our FAQs.
If you're curious, you can click through to the FAQ and find out that basically everything AOL had on file is gone: "email addresses, postal addresses, contact information (as stored in the AOL Mail "address book"), encrypted account passwords, and the encrypted answers to account security questions that we ask when a user resets his or her password." That is now in the hands of people who will do not-nice things with it. Note the word "encrypted": unlike a one-way password hash, encrypted data is readable by anyone who also gets hold of the key, so "encrypted" is not by itself reassuring. On the FAQ they advise users to change their password, but they don't even bother to mention that in their automated IM. They also don't say whether they will change the account verification questions they used to ask when you requested a password reset. You know, just in case their flawless encryption of those answers is broken and the attackers can walk straight into your account anyway. Also, this could theoretically affect people who no longer hold active AOL accounts, and they'd have no idea.
The "how" section is particularly comedic because it is a tautology. To paraphrase: unauthorized access happened because unauthorized access happened. More troubling is how long AOL took to tell me that my account was among those in the breach.
Why wasn’t I notified sooner? It is always our intent to be as transparent as possible when it comes to our members’ security. As soon as we were alerted to this issue, we began investigating its cause to identify the scope of affected users as quickly as possible. We then quickly took protective measures to address the impacts of the spoofing issue on April 22, 2014 and notified our consumers of that action in a post at blog.aol.com. We gave further information on April 28, 2014.
We want to be as transparent as possible about issues with AOL Mail that may affect you. Please check our blog periodically for the most up-to-date information.
There we go, everything a person using AOL only as an IM backend would never see. Didn't I check their official blog? No, of course not! What the hell kind of notification is that? "We published information about this breach in the 2nd-floor women's restroom of our North Sacramento, CA offices" would be nearly as helpful. Furthermore, if passwords were accessed, what possible reason could they have had not to immediately force a password reset? Sure, just keep logging in with your compromised password for another six weeks after we knew about the breach! Herp derp!
Also, they say in their FAQ that they are emailing the people affected. I got an IM notification, not an email. That's a really consistent message to send, and it doesn't make me at all confident. "Well, they didn't email me, so I might be fine..."
There are information breaches all the time these days. Adobe, eBay, Evernote, Target, etc. In each of these investigations, it has turned out that the people storing the data are total fucking morons. They might as well print all of our passwords and put them in neatly labeled file folders in the lobby of their corporate headquarters. They might be nominally safer there. No regulation mandates industry-wide best practices for storing credentials, or dictates what remediation steps are mandatory when a breach occurs; breach-notification laws, where they exist, cover telling people, not fixing their accounts. Hypothetically, if I were unable to reset the password myself because I was not currently using the service, then anyone holding the leaked credentials could use the account. There is no mandatory password reset. The companies that did reset passwords were the nice ones. I can literally say that Adobe was nice enough to forcibly reset my password.
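The two complaints above, that AOL left compromised passwords usable for six weeks and that nothing obliges a company to force a reset, come down to a few lines of account-store logic. The following is an added example, not AOL's code and not anything from the original post: it models a minimal account store with a forced-reset flag, session invalidation, and an out-of-band reset token, so that a correct-but-leaked password stops working the moment the breach response runs. Everything in it (the PBKDF2 parameters, the data model, the sample accounts) is constructed for illustration.

```python
"""Breach response for a password store: flag accounts, kill sessions, reset out of band.

Added example, not AOL's code. Data model and parameters are illustrative.
"""
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

PBKDF2_ROUNDS = 100_000  # illustrative work factor


@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes
    must_reset: bool = False            # set by breach_response; login refuses even a correct password
    sessions: Set[str] = field(default_factory=set)
    reset_token_hash: Optional[bytes] = None  # only the hash of the reset token is stored


def hash_password(password: str, salt: bytes) -> bytes:
    """One-way, salted, slow hash. Unlike 'encryption', there is no key that reverses it."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def create_account(store: Dict[str, Account], username: str, password: str) -> None:
    salt = os.urandom(16)
    store[username] = Account(username, salt, hash_password(password, salt))


def login(store: Dict[str, Account], username: str, password: str) -> Optional[str]:
    """Return a session token on success, else None.

    A flagged account rejects the old password even when it is correct: after a breach
    the attacker knows it too, so 'correct' is no longer the same as 'authorized'.
    """
    acct = store.get(username)
    if acct is None:
        return None
    if not hmac.compare_digest(acct.pw_hash, hash_password(password, acct.salt)):
        return None
    if acct.must_reset:
        return None  # caller should send the user to the reset flow instead
    token = secrets.token_hex(16)
    acct.sessions.add(token)
    return token


def session_valid(store: Dict[str, Account], username: str, token: str) -> bool:
    acct = store.get(username)
    return acct is not None and token in acct.sessions


def breach_response(store: Dict[str, Account], affected: List[str]) -> Dict[str, str]:
    """Flag every affected account, drop its live sessions, and mint a one-time reset token.

    Returns {username: token}; in a real system each token would be delivered out of band
    (an emailed link), never via the same channel an attacker with the password could read.
    Accounts that no longer exist are skipped: their former owners cannot reset anything,
    which is exactly the closed-account problem the post raises.
    """
    tokens: Dict[str, str] = {}
    for name in affected:
        acct = store.get(name)
        if acct is None:
            continue
        acct.must_reset = True
        acct.sessions.clear()
        token = secrets.token_urlsafe(32)
        acct.reset_token_hash = hashlib.sha256(token.encode("utf-8")).digest()
        tokens[name] = token
    return tokens


def reset_password(store: Dict[str, Account], username: str, token: str, new_password: str) -> bool:
    """Complete a reset using the out-of-band token, not the old password or security questions
    (both of which the breach also exposed). The token is single-use."""
    acct = store.get(username)
    if acct is None or acct.reset_token_hash is None:
        return False
    presented = hashlib.sha256(token.encode("utf-8")).digest()
    if not hmac.compare_digest(acct.reset_token_hash, presented):
        return False
    acct.salt = os.urandom(16)
    acct.pw_hash = hash_password(new_password, acct.salt)
    acct.must_reset = False
    acct.reset_token_hash = None
    acct.sessions.clear()
    return True


if __name__ == "__main__":
    store: Dict[str, Account] = {}
    create_account(store, "alice", "hunter2")          # constructed sample account
    t = login(store, "alice", "hunter2")
    tokens = breach_response(store, ["alice", "closed-account"])
    print("old session still valid:", session_valid(store, "alice", t))   # False
    print("old password still works:", login(store, "alice", "hunter2"))  # None
    print("reset ok:", reset_password(store, "alice", tokens["alice"], "correct horse battery"))
```

The point of the `must_reset` check is that it turns the six-week window AOL left open into zero: the stored hash is left in place so the user's identity can still be confirmed if needed, but the leaked password stops granting access immediately, and the only way back in is the reset token sent over a channel the attacker does not control.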
Many people, myself included, have moved to using 1Password by AgileBits to manage separate passwords for accounts, because there are simply too many to remember, and to reset, these days. After a breach there is the geek lamentation that these companies don't work with AgileBits to offer a 1Password "1Reset" button. (The fact that they can't secure anything is a pretty big clue that no one should hold their breath for reset features.) That's still a pretty fucked up thought, though. We have so little faith that a company will learn its lesson after a breach that we're asking them to just make it easier for us to reset our passwords. We fundamentally do not trust them.
What if this had been Google? What if this had been Apple? Could you imagine them sitting around for six weeks before notifying a person that they should consider resetting their password? Maybe we'll find out what they will do some day when they experience a security breach. I am not entirely confident that any of these companies are secure.
When Dropbox announced they were adding convenient, limited-time-only-opt-out arbitration, one of the reasons I was so skeptical was that it just protects them in the event any data is compromised.
Stephen Hackett and Casey Liss have both complained about companies reducing the password lengths their services accept. One was a bank, the other was T-Mobile. A cap on password length usually means the password is being stored or processed in a way that cares about its size, which a properly hashed password never should. That is security trending in the wrong direction.
You'd think that breach after breach would compel companies to audit their own security. You'd think...