When the Yahoo Password Theft Isn’t Just a Yahoo Password Theft

I just received a notice from OpenTable, as did their other participants, suggesting that I should change my OpenTable password. Their reason for this suggestion is interesting – and often overlooked.

Why did they suggest a password change? Because of the Yahoo password theft. OpenTable says the Yahoo breach had no impact on OpenTable’s systems, but they note – correctly – that many people use the same password everywhere. The OpenTable message says, “we strongly encourage you to update your password to be unique to OpenTable.” They’re worried that the Yahoo breach might have given the bad guys the password you also use at OpenTable and elsewhere.

People often overlook that point. They think, “Well, if my Yahoo password was stolen, I need to change my Yahoo password and I’m done.” The bad guys, however, know that many people use the same password over and over. If they get your Yahoo password, they can try that same password on your other accounts. According to Ofcom’s “Adults’ media use and attitudes report 2016,” the number of those who admit to using the same password on multiple sites is about the same as the number of those who say they don’t. For the bad guys, those are pretty good odds.

By the way, Ofcom’s 2016 statistic on that question is an improvement over the answers they got in 2015. If we’re feeling optimistic, we can say, “Hurray, people are learning how to improve their online safety!” If we’re feeling less optimistic, we can say, “More people know what the ‘correct’ answer to that question is, even if they’re not following it in practice.” It’s probably some of each.

I’ll repeat what I’ve said before about things you can do if your password is stolen (“When Changing Your Password Isn’t Enough”):

  • Use two-factor authentication where it’s available. Even if the bad guys steal your password, that’s still not enough to log in as you. See “Two-factor authentication: What you need to know (FAQ).”
  • Use a password manager to generate a long, random, unique password when you change your password. A long, random password can still be stolen, but if you have a unique password for every site, and none of those passwords are similar to each other, a theft at one site won’t help the bad guys attack you at other sites. For more information on password managers, see “The Best Password Managers of 2017.”
  • Enable login alerts where they’re available. Typically, this means the site sends you a text or email alert if it sees a login from a device you haven’t used before. That doesn’t prevent the login, but it at least lets you know that something fishy happened. For example, you can use Facebook login alerts and Gmail device activity & notifications.

Kudos to OpenTable for staying on top of security even when they didn’t have a breach.

Jim Becker

When Changing Your Password Isn’t Enough

When your contacts get a bogus message from you, the first advice is often “Change your password!” However, sometimes that’s not enough and sometimes it’s not even useful. It depends on how that bogus message got sent out.

I’ll look at a few scenarios below, and talk about what actually helps or doesn’t help.

In general, the best password practices are:

  • Use two-factor authentication wherever it’s available. This can stop the bad guys before they do any harm.
  • Use a password manager to randomly generate a long, unique password for every site. This gives you passwords that are very difficult to guess. They’re also very difficult to remember and to type, but your password manager will help you out there. Important note: No human-chosen password is as strong as a long, randomly generated password. If you think you’ve somehow created an unguessable password, that tells me you don’t know how this works, so you probably need a password manager more than anyone.
  • Enable login alerts where they’re available. For example, Facebook offers login alerts so you can tell when someone logs into your account from a new location. Bank and credit card sites offer additional alerts as well.

Scenario 1: The bad guys spoofed your email address. That is, the “From” address says it’s from you, but the message really came from somewhere else, under control of the bad guys.

What helps?

  • Almost nothing. You can’t stop someone else from spoofing your email address. What you can do is get smarter about recognizing spoofed email you’ve received. If you happen to be an organization’s email administrator, there are steps you can take, but that’s beyond the scope of today’s blog posting.

What doesn’t help?

  • Changing your password. Why doesn’t that help? The bad guys don’t need your password to spoof your email address. They probably don’t even know it.

Scenario 2: The bad guys guessed your password. They made a few guesses based on common passwords that everyone uses, or maybe they know a few things about you and worked with that info. This is often how it happens on TV. Sometimes, it happens in real life too, but now lots of people think this is the only scenario to worry about.

What helps?

  • Two-factor authentication: They’ve guessed your password, but that’s not enough to let them in. Cautionary note: Some two-factor systems let you have a few logins without a second-factor challenge. In those cases, the bad guys could still get into your account, at least once.
  • Password manager: The least guessable password you can create is as long as possible, randomly generated, and unique for each site where you have a password. This is what password managers do.
  • Login alerts: The alert doesn’t prevent the bad guys from logging in, but it tips you off when it happens.

What doesn’t help?

  • Changing your password. Okay, it’s better than nothing, but if you didn’t pick a very good password before, chances are you didn’t pick a very good one just now. Studies of real-world password usage showed that most people use a pattern when coming up with new passwords, which makes life easier for the bad guys.

Scenario 3: The bad guys have compromised your computer with malware. The malicious software might steal what you type and send it off to the bad guys. It might let the bad guys connect to your computer and use it without your knowledge. It might run applications on your computer, such as your email software. It might alter your system configuration in the bad guys’ favor.

What helps?

  • Anti-malware tools: Run regular scans. Take advantage of the tool’s preventive measures, like monitoring your downloads. Keep the anti-malware tool up to date!
  • Two-factor authentication: This stops the bad guys in their tracks, because your computer alone isn’t enough to let them log in where you’ve got two-factor authentication enabled.
  • Login alerts: This might be the way you find out you’ve got a problem. It doesn’t prevent logins, but it lets you know when something fishy happens.
  • Good online security practices: Follow good online security practices in general, to avoid having this happen again.
  • Reinstall your operating system: Nobody likes this possibility, but if your computer has been compromised, this is the only surefire way to make sure it’s clean again. Anti-malware tools are good, but they don’t catch everything.

What doesn’t help?

  • Changing your password. The bad guys already have a way to steal your password. As soon as you change it, they can steal it again.
  • Encrypted WiFi and/or https. Those are best practices, but they encrypt the network traffic. They don’t encrypt your computer, and that’s where your password was stolen. Encrypted network activity doesn’t stop them, in this case.

Scenario 4: The bad guys physically stole your computer or smartphone. If you’ve saved a password so you don’t have to retype it every time, the bad guys don’t need to know your password. You’ve saved it for them.

What helps?

  • Two-factor authentication: Again, this stops them dead in their tracks if they try to log into your accounts. Having your computer isn’t enough. Cautionary note: Typically, two-factor authentication involves the use of your smartphone. If the bad guys have stolen both of your “two factors,” you’re in trouble. As good as two-factor authentication is, it doesn’t solve every security problem.
  • Login alerts: This could be your tip-off that something’s wrong.
  • Changing your password: Change any password that might have been saved on your stolen device. Use your password manager to do this, so you can get long, random, unique passwords.
  • Reporting your stolen property: Of course, you should also contact the police if your computer is stolen.

Scenario 5: The bad guys stole a bunch of passwords from some site you use, and you use that same password elsewhere.

What helps?

  • Two-factor authentication: Same story as above. The bad guys can’t log in as you if your password isn’t enough to get you logged in.
  • Password manager: If you’re using a password manager to generate a unique password for every site, you’ve contained the damage the bad guys can do. At worst, they’ve got your password for exactly one site.
  • Login alerts: This tips you off about suspicious activity.
  • Changing your password: Of course, generate a new long, random password for the site that was compromised.

Jim B


Good and Bad Password Strength Checkers

I’ve found only two good online password strength checkers, Passfault and Kaspersky Secure Password Check. The others I’ve tried are pretty bad. Even with those two decent checkers, you’ll be better off if you use randomly generated passwords instead of trying to think up good ones.

In the recently reported Yahoo security breach, lots and lots of passwords were stolen, in their hashed form. It turns out the passwords had been stolen two years earlier.

And now people keep spreading the same debunked advice on how to make “unbreakable” passwords: that as long as you mix upper and lower case, digits, and punctuation, you’re safe. That claim has been debunked and satirized, yet it keeps circulating.

Test Your Old Yahoo Password

Check your former Yahoo password (the one you’ve changed since the breach was reported, right?):

  1. Go to Passfault.
  2. Type your old Yahoo password but don’t hit Enter or click Analyze yet.
  3. Click Show Options.
  4. Under Cracking Hardware, pick “Government cracker ($500,000 machine).” Yahoo reports that a foreign power did this, so we’ll pick this option to try to simulate that situation.
  5. Under Password Protection, pick “Unix BCrypt Hash,” which is what Yahoo uses.
  6. Click Analyze. The site will estimate how long it would take to crack your password.

If the result is less than two years, the attackers have had plenty of time to crack your password.

If the result is in centuries, the attackers have had only a small chance of success against your password.

You can test your old Yahoo password against the Kaspersky Secure Password Check as well, but note that Kaspersky assumes the use of an average home computer – an attack by amateurs instead of a government with lots of equipment and expertise available.

The Problems With Weak Strength Checkers

The ancient password wisdom about password complexity is a case of misapplied math. The thinking was that if you drew from a larger character set, the attacker’s job was harder. They’d invoke the math that if you had L characters in your password, drawn from a character set of N characters, the attacker would have to try N^L (N to the Lth power) possible combinations in order to get your password. They point out that 8 characters drawn from the whole North American keyboard (95^8) gives far, far more possibilities than 8 lower case letters (26^8).

What’s wrong with that formula? It’s the wrong mathematical model for what really happens.

It applies only to randomly generated passwords, not human-chosen passwords. Very few people use randomly generated passwords. By the way, claiming that “nobody would ever guess THIS password” is not the same as a randomly generated password. A password manager or an online password generator can give you randomly generated passwords that are far stronger than anything you’d make up on your own.

The usual misguided usage of that formula assumes that if you’ve used ANY characters of a particular type (upper case, lower case, digits, or punctuation), that’s as good as using ALL of them. For example, the flawed GRC strength checker assumes that as soon as you change “password” to “Password”, you’ve gone from 26^8 to 52^8. If you also add a digit to the end, GRC claims you’ve now created 62^9 possibilities. How on earth does capitalizing one character and adding one digit create that much improvement? It doesn’t. “Password1” could be cracked within a fraction of a second. The formula 62^9 would be relevant only if you used a rich, random mix of upper case, lower case, and digits.

Put yourself in the attacker’s shoes. The attacker already knows the most common passwords. They know they’ll get a lot of passwords very quickly if they try those. A mere 50 guesses will catch a lot of passwords. If they try a “dictionary attack” of the most common 10,000 passwords, for example, they’ll crack a lot of passwords quickly. Of the remaining uncracked passwords, the attacker knows that if you’re required to include at least one capital letter, it’s probably the first character, and if you’re required to include at least one digit, it’s probably the last. Therefore, if they brute-force their way through the pattern ULLLLLLD (one upper case, six lower case, one digit), their next (26^7)*10 guesses will catch a lot of passwords. The weak strength checkers would have you believe that the attackers have to go through 62^8 possibilities, but it turns out that searching only a small fraction of those possibilities will have a big payoff. The attacker could eventually be faced with 62^8 guesses, but not until they’ve already picked a lot of the low-hanging fruit. They might not even bother with the full workload of guessing all possible passwords.
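To make the difference between the two models concrete, here is an added example (not the author’s code or any real cracking tool) that scores a password both ways: with the charset formula the weak checkers use, and against the staged attacker the paragraph describes. The common-password list, mangling rules, sample passwords and guess rate are constructed assumptions.

```python
"""Charset math vs. a staged attacker, for the argument above.

Added example for this post, not the author's code or any real cracking
tool. The word list, mangling rules and guess rate are constructed
assumptions; the attacker model is the one the post describes: common
passwords first, cheap variants next, then the likely mask, and only
then the full keyspace that N**L assumes.
"""
from math import log2

# Class sizes on a US keyboard: 26 + 26 + 10 + 33 = 95 printable characters.
CLASS_SIZE = {"L": 26, "U": 26, "D": 10, "P": 33}

# Constructed stand-in for the attacker's list of most common passwords.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "baseball", "monkey"]


def char_class(c):
    """Map one character to its class letter: L, U, D or P (punctuation)."""
    if c.islower():
        return "L"
    if c.isupper():
        return "U"
    if c.isdigit():
        return "D"
    return "P"


def mask(password):
    """Per-position class pattern, e.g. 'Password1' -> 'ULLLLLLLD'."""
    return "".join(char_class(c) for c in password)


def naive_keyspace(password):
    """The flawed model: any character of a class counts as the whole class,
    so 'Password1' is scored as 62**9."""
    n = sum(CLASS_SIZE[k] for k in set(mask(password)))
    return n ** len(password)


def mask_keyspace(m):
    """Guesses to exhaust one mask: 'ULLLLLLD' -> 26 * 26**6 * 10."""
    total = 1
    for k in m:
        total *= CLASS_SIZE[k]
    return total


def mangle(word):
    """Cheap variants a wordlist attack tries: capitalised first letter and
    a trailing digit (constructed rule set, deliberately small)."""
    for base in (word, word.capitalize()):
        yield base
        for d in "0123456789":
            yield base + d


def staged_guesses(password, wordlist=COMMON_PASSWORDS):
    """Worst-case number of guesses before a staged attacker hits `password`,
    and the stage that finds it. Stages: the word list verbatim, the word
    list with mangling rules, then brute force of the password's own mask
    (every password matches its own mask, so that stage always finds it)."""
    spent = 0
    for word in wordlist:
        spent += 1
        if word == password:
            return spent, "wordlist"
    for word in wordlist:
        for candidate in mangle(word):
            spent += 1
            if candidate == password:
                return spent, "wordlist+rules"
    return spent + mask_keyspace(mask(password)), "mask"


def seconds_to_crack(guesses, guesses_per_second):
    """Time to make `guesses` attempts at a given offline guessing rate."""
    return guesses / guesses_per_second


def compare(password, rate=1e9):
    """Return (naive_bits, staged_bits, stage, seconds) for one password.
    `rate` is a constructed figure for offline cracking of a fast hash."""
    guesses, stage = staged_guesses(password)
    return (round(log2(naive_keyspace(password)), 1),
            round(log2(guesses), 1),
            stage,
            seconds_to_crack(guesses, rate))


if __name__ == "__main__":
    # 'k9#Vq2xL!' is a constructed stand-in for a generated random password.
    for pw in ["password", "Password1", "k9#Vq2xL!"]:
        naive_bits, staged_bits, stage, secs = compare(pw)
        print(f"{pw:12} naive {naive_bits:5.1f} bits  "
              f"staged {staged_bits:5.1f} bits ({stage})  {secs:.3g} s")
```

The run shows “Password1” scored at 62^9 by the naive model but found at guess 42 by the staged attacker, while the random password is not found until the mask stage.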

What’s the Answer?

Use a password manager that will generate long, random passwords for you – a different password for every site you care about. You’ll need to remember your master password for the password manager, but not all the individual passwords.

Use two-factor authentication wherever it’s available. That way, even if your password is guessed or stolen, the bad guys still don’t have enough info to log in as you. If a site doesn’t offer two-factor authentication, using a password manager with long, random passwords is still a lot safer than self-chosen passwords.

Avoid using the flawed password strength checkers that make really bad assumptions about how password attacks work. You can use Passfault and Kaspersky Secure Password Check for some realistic assessments, but you won’t need them if you use a password manager and two-factor authentication.

Jim Becker


The Problem With Security Questions

The recent IRS breach (Hackers stole personal information from 104,000 taxpayers, IRS says) succeeded because the attackers knew how to answer the “security questions” for a lot of people. The attackers had a phenomenal 50% success rate, roughly 100,000 successes out of about 200,000 attempts. As attacks go, that’s hugely successful.

The incident highlights two important trends:

  • Security questions stink. The attack on the IRS succeeded because attackers were able to get the right answers on half of their targets.
  • Computers keep getting more powerful, but we don’t get any better at remembering passwords or security answers. The attack succeeded because the attackers had the resources for collecting and tracking individual security answers.

What’s wrong with most security questions?

You get the questions that are easy for someone to figure out. Your mother’s maiden name. Your birthday. Your favorite sport, movie, book, or song. These are easy because a lot of people state these things on their social networking sites, or in online profiles. This is how Sarah Palin’s email got hacked in 2008.

You get the questions that are hard for you to remember. Did you enter your city of birth as Washington, Washington DC, or Washington, D.C.? Was my “first car” the first one I drove or the first one I bought?

Some security questions have answers that might change over time. Is your favorite movie today the same as it was when you first provided answers to your security questions?

Password advice usually tells you not to pick a name, date, or place that’s easily associated with you, and yet that’s exactly what the “security” questions are asking you to provide.

When you’re stuck with setting up security questions, try these ideas:

  • Use a password manager, and have it generate and track random answers. What’s your mother’s maiden name? 8=z<BzDb’wvd{J(~
  • Pick what your answer would have been in 2000, before there was Facebook, or in 1990, before the Internet became popular – unless it’s the same as today’s answer.
  • Add a standard bit of nonsense to the end of every answer. What’s your favorite color? blue biscuit. What was the first car you drove? Nova biscuit. Just don’t tell anybody what your nonsense add-on is, and make sure you’ll remember it.

On top of security questions, take advantage of two-factor authentication (also known as two-step verification) wherever possible. Many banks, email systems, gaming sites, and other online services offer this now. If your password or security questions are ever guessed or stolen, you’ll still have a layer of safety for stopping attackers.


Rule of Thumb for Password Length: Add 1 Character Every 3 Years, Just to Keep Up

Here’s a rule of thumb: You need to make your passwords one character longer every three years, just to keep up with the attackers. The eight-character password that might have been good enough six years ago should be ten characters long now, to have the same strength.

Why is this? Computers keep getting faster and attack methods keep getting smarter. If your password doesn’t keep growing, it keeps getting more and more vulnerable to attack.

Why one character every three years?

First, let’s look at the attackers. As a rule of thumb, I’m applying Moore’s Law to computer power, and therefore to attack strength for automated password guessers. Attack strength doubles every couple of years. Doubling every two years, for those who don’t do binary powers, is like adding one “bit” of attack strength every two years. Let’s call it half a bit per year.

Second, let’s look at the defending side – your password’s length. Despite the frequently regurgitated advice of adding punctuation to your passwords, password length matters a lot more than the use of special characters. (Guess what: The Bad Guys have heard about using special characters too.) A rule of thumb from the NIST Computer Security Resource Center estimates that once you get past eight characters, each additional character adds 1.5 bits of entropy (password strength).

Now we compare the two trends: adding 0.5 bits of attack strength per year vs. adding 1.5 bits of defensive strength with every added character. In other words, one extra character of password length makes up for three years of faster computers. And there’s our rule of thumb: Make your passwords one character longer every three years.
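As an added example (not the author’s code), the following carries the arithmetic through and generalizes it slightly: the doubling period is a parameter, the entropy estimate is the NIST SP 800-63 Appendix A heuristic for user-chosen passwords (the 1.5-bits-per-character band the post quotes covers characters 9 to 20), and the result is the minimum length needed each year to hold a given starting strength.

```python
"""The one-character-every-three-years rule of thumb, worked through.

Added example for this post, not the author's code. Inputs are the two
the post names: Moore's-law doubling of attack strength (one bit per
doubling period) and the NIST SP 800-63 (2006) Appendix A entropy
heuristic for user-chosen passwords. The doubling period is a parameter
because, as the post says, Moore's law is itself only a rule of thumb.
"""


def attack_bits_gained(years, doubling_period=2.0):
    """Bits of attacker capability gained over `years`: one bit per doubling,
    so 0.5 bits per year at the post's two-year doubling."""
    return years / doubling_period


def nist_entropy_bits(length):
    """NIST SP 800-63 Appendix A estimate for a user-chosen password:
    4 bits for the first character, 2 bits each for characters 2-8,
    1.5 bits each for characters 9-20, 1 bit each beyond 20."""
    bits = 0.0
    for position in range(1, length + 1):
        if position == 1:
            bits += 4.0
        elif position <= 8:
            bits += 2.0
        elif position <= 20:
            bits += 1.5
        else:
            bits += 1.0
    return bits


def years_per_character(bits_per_char=1.5, doubling_period=2.0):
    """Years of attacker growth one extra character offsets:
    1.5 bits / (0.5 bits per year) = 3 years."""
    return bits_per_char / attack_bits_gained(1, doubling_period)


def required_length(base_length, years, doubling_period=2.0):
    """Smallest length whose entropy, minus the attacker's gain over `years`,
    still matches what `base_length` offered at the start."""
    target = nist_entropy_bits(base_length) + attack_bits_gained(years, doubling_period)
    length = base_length
    while nist_entropy_bits(length) < target:
        length += 1
    return length


def schedule(base_length, start_year, end_year, doubling_period=2.0):
    """Year-by-year minimum length that holds the margin `base_length` had in
    `start_year`; returns a list of (year, length) pairs."""
    return [(y, required_length(base_length, y - start_year, doubling_period))
            for y in range(start_year, end_year + 1)]


if __name__ == "__main__":
    print(f"one character offsets {years_per_character():.0f} years")
    print("8 characters six years ago ->", required_length(8, 6), "characters today")
    # Constructed year range, chosen only to show the schedule's shape.
    for year, length in schedule(8, 2010, 2022):
        print(year, length)
```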

Why Stop There?

There’s no need to stop there. As I’ll explain below, this rule of thumb isn’t perfect. Consider it a minimum standard. If you can come up with a much longer password you can remember, go for it. One way to do that: Think of a line from a song you’ll remember, and use the first two characters of each word. “Come on, Baby, let’s do The Twist” becomes “CoonBaledoThTw” – a nice fourteen-character password. Or you can throw in the punctuation if you want to pad it out some more: “Coon,Ba,ledoThTw.”

Got Quibbles?

One could easily argue that Moore’s Law doesn’t still hold, or that it doesn’t apply to password attack capabilities. Yup, that’s why I’m calling it a rule of thumb. The point is that computers keep getting faster, so your password needs to keep getting stronger to have the same survival chances it did a few years ago.

One could easily argue that the NIST rule of thumb for password entropy is invalid. In fact, there was some research a few years ago (“Testing metrics for password creation policies by attacking large sets of revealed passwords”) showing that NIST’s rule of thumb wasn’t accurate. Again, I’m offering my one-character-every-three-years rule of thumb as rough guidance. If you’re not doing at least that much, your password keeps getting weaker with each passing year.

You could also argue that lockout policies (temporarily locking your account after a certain number of bad guesses) make a lot of this go away. You’re right, if the attacker is trying to log in directly. (This is called an in-band attack.) However, if the attacker has acquired the password hashes, the lockout policies don’t apply. The attacker can make many millions of guesses per second.

But Every Other Article Says I Need Special Characters

The xkcd comic strip on password strength explains the problem well. Complexity rules are often harder on you than on an attacker.

Many years ago, somebody computed (correctly) that a larger character set, like the 94 characters found on a US computer keyboard, yields a lot more possible passwords. For example, eight lower-case letters give you almost 209 billion possible passwords (26^8), whereas eight characters from the full keyboard give you about 6 quadrillion possible passwords. That’s about 29,000 times more possibilities, so – the thinking went – that password must be 29,000 times stronger. The problem is that the calculation applies only to randomly generated passwords. Most people don’t pick random passwords. If you tell them they can’t use “password,” chances are they’ll pick something like “Pa$$w0rd1,” and that’s pretty easy for an attacker to get. The Bad Guys have known about those substitution tricks for many years.

Longer Is Stronger

The best way to make your password stronger is to make it longer.

I offer up my rule of thumb to add at least one character every three years as a minimum standard, just to keep up.

Jim


Breaches Gonna Happen

Two simple tests tell me whether someone does or doesn’t get infosec.

The First Test: Do you think your systems will ever suffer a breach?

If you say yes, if you assume there’ll be a breach, sooner or later, because nobody is invincible, then in my book, you get infosec.

If you say no, because you think nobody could get past your infosec solutions, you don’t get it. You’re adding to the risk if you think you’re invincible.

The best infosec people assume a breach will occur. Certainly, they strive to prevent a breach, and to detect and contain a breach rapidly if one occurs, and to recover rapidly and thoroughly, but they never assume they’re invincible.

The people who worry me most about infosec are the ones who think that any breach means someone needs to be fired or something needs to be replaced. These are the people who play the blame game: if something goes wrong, there must be someone or something you can blame (other than yourself, of course).

Take, for example, the flap over Symantec anti-virus and the New York Times breach. The New York Times got hacked, and Symantec’s anti-virus tools didn’t stop it. One of the sure signs that someone doesn’t get infosec is that they think an anti-virus tool should make them invincible. I’ve never heard an anti-virus provider make that claim. If the Times thought an anti-virus tool should be 100% successful against 100% of attempts, shame on them for dangerously naive security planning. It’s like thinking that a lock on your front door should prevent all crime against you.

As reported so far, Symantec tools captured only one of the 45 pieces of malware that had invaded the Times – but was that because the malware was delivered where anti-virus tools weren’t deployed or involved? Were the anti-virus tools misconfigured or out of date? Was the malware customized not to match known virus signatures? Were there ways for the Times staff to bypass virus checking? Was it the only tool in the toolbox? Back to the door lock analogy: if there’s a crime in my house, I wouldn’t blame the front door lock until I determined that’s where the criminal got in, and that the lock had been properly locked. Even then, if the criminal got in through a locked front door, I wouldn’t declare it’s time to stop using door locks.

If it turns out that the anti-virus tools at the Times were thoroughly deployed and properly configured, and the attacks got through only because they didn’t match known anti-virus signatures, that confirms what people who get infosec understand very well – that anti-virus tools alone aren’t enough. If the anti-virus tools are indeed catching lots of other malware, they’re still serving a purpose, but failure to stop this breach doesn’t mean it’s time to throw out the anti-virus tools.

The Second Test: Do you think infosec decisions are business decisions or technology decisions?

My second test is as important as the first: Is infosec a business decision or a technology decision?

If you think it’s a business decision, you get infosec. If you think it’s a technology decision, you don’t. No tool is universally the right answer; business matters drive the selection and usage of tools.

The “IT knows best” crowd – or, one might say, the “shut up, it’s good for you” crowd – thinks technologists should decide which solutions to enact and how to configure them. Sometimes, IT people are the ones with this attitude, but sometimes it’s management: the managers who dismiss infosec discussions as icky techie stuff, so they wash their hands of it and leave it to the technologists to magically render the organization invincible.

Is this what happened at the New York Times? Did management fail to view infosec from a business perspective, and then they were astonished when the security tools in place didn’t match up with business needs? The fact that the Times is looking for someone or something to blame suggests to me that management at the Times doesn’t get infosec.

Infosec decisions are business decisions, based on impact and likelihood. The potential breaches that have the greatest impact – from the organization’s perspective – and the greatest likelihood, need the most thorough protections. The potential breaches that have the least impact and the least likelihood don’t need the most thorough or costliest solutions, and in fact you’re wasting your resources if you overdo the security in those areas.

You can pass the tests with or without an infosec or IT background

You can pass both of my tests whether or not you have an IT background, and whether or not you have an infosec background. You don’t need to be an expert to understand that breaches are always possible, or that infosec decisions should be driven by the organization’s needs and not just by technical matters.

What really led to the breach at the New York Times? The reports so far don’t say, but there are multiple possibilities:

  • Management gets infosec, infosec staff gets infosec: The infosec environment was good, but management and staff both understood that no solution would be 100% effective every time. They’ve got work to do to recover and adapt, but they understood a breach was always a possibility. They’re not blaming a tool failure until they find out that’s really the culprit.
  • Management doesn’t get infosec, infosec staff gets infosec: The staff did the best they could without much help from management, and they knew a breach was entirely possible, but now management is fishing for something or someone to blame.
  • Management gets infosec, infosec staff doesn’t get infosec: The staff did a poor job of delivering an infosec environment that matches business needs. This breach might have been preventable, if they had delivered a better environment. Management would get after the staff for poor execution, and wouldn’t single out one tool as the cause.
  • Management doesn’t get infosec, infosec staff doesn’t get infosec: It’s no wonder this breach occurred. Management and staff together thought that as long as they deployed some anti-virus tools, this kind of thing couldn’t happen. Of course they’d try to blame the anti-virus tool for their problems.

We may find out more later on, but for now, trying to blame the anti-virus tool at the New York Times suggests that somebody there doesn’t get infosec.

IT Security Trends From 2012

“Kaspersky Security Bulletin 2012: The overall statistics for 2012” offers up some very interesting data. Online security threats have evolved, and some cherished myths have been shot to pieces. In particular, 2012 was a big year for attacks on Android devices and Macs.

Mobile Malware – Mostly Android

The report says “99% of all the mobile malware we detected every month was designed for Android.” Each month of 2012 saw thousands of new pieces of Android malware. The main type of Android malware was the SMS Trojan – malware hidden in some app you chose to download. The SMS Trojan quietly subscribes you to a premium-rate number, racking up charges for you and profits for the spammer. Android devices were also subject to adware, like software that redirects your browser. Androids were also attacked by malware that acquired root-level access to your Android’s operating system.

Kaspersky also reported a huge increase in spyware aimed at mobile devices, for tracking the phone’s location and activity, and for transmitting data without the user’s knowledge. They mentioned FinSpy as an example.

Macs – Debunking the Myths

The Kaspersky report says “2012 saw the comprehensive debunking of every myth about the security of Mac environments.” Macs were subject to botnets (especially Flashfake), DNS poisoning, and fake anti-virus software that extorts money from you to handle “detected” viruses.

Vulnerable Apps

Which apps were the most targeted? Java vulnerabilities were the big winner (or actually the big loser). Kaspersky reports that attacks on Java accounted for 50% of all attempts to exploit vulnerable apps. In other words, Java was attacked as much as all other apps combined, and it was attacked on Macs as well as PCs. As of last week, the Department of Homeland Security is still warning people to disable Java entirely.

In second place, with 28% of the attacks, was Adobe Reader. Kaspersky notes that Adobe has taken many steps to tighten up security in Adobe Reader.

Guess what got only 3% of the attacks: “Windows components and Internet Explorer.” Yep, only 3% of the attacks were specifically related to Microsoft. There goes another security myth.

What’s Next?

While attacks on mobile devices rise, because increased usage and lower prices have outpaced improvements in mobile security, my prediction is that the next big growth area for malware will be “connected” devices that weren’t connected before.

Examples include telehealth technology, like at-home monitoring of health. Timely, accurate data is a great thing for health care, but the newfound connectivity for protected health information opens new vistas for security problems.

Another example is increasing connectivity for your car, which leads to opportunities for malware in your car.

Iran hacked a GPS signal to capture a U.S. drone. Fictionally, an episode of the Monk TV series (“Mr. Monk Goes to the Ballgame,” 2003) featured a victim who drove to his attacker because his car’s GPS unit had been hacked – fictional, of course, but not inconceivable.

Now that every phone is a camera, there are new risks for spyware using your phone’s camera to see where you are.

Where there’s software and connectivity, there’s malware.

The coolness factor for new areas of connectivity pushes us down those paths faster than we’re securing them. Security that’s baked in from the start is a lot easier to add than security that’s strapped on later, but technology buyers want the latest features, and technology purveyors don’t want to be left behind.

Folk Hero or Wrong-Doer?

I don’t consider “Bob” the programmer a folk hero. He drew a salary for a job he didn’t perform, because he had outsourced his work to China. He goofed off and collected a paycheck, while the Chinese company did his work. Verizon describes how they uncovered the off-the-books outsourcing. “Bob” is the pseudonym Verizon assigned to the programmer.

Those who consider Bob a hero tend to cite two things. First, they claim he was only doing what corporate leaders do when they outsource work. He’s just doing to them what they might do to him some day. Second, they note that the guy got good evaluations. The company liked what his Chinese providers were doing.

Here’s why I don’t consider Bob a hero:

  • He’s been lying. He’s been deceiving his employer about who did the work. That’s unethical and dishonest. If he had been up front about it, and helped his employer arrange to get good results inexpensively, then he could be a hero. But he lied about it. In business as in romance, if you’re hiding a secret relationship and lying to cover it up, you’re cheating.
  • He’s been taking money for work he didn’t do. That’s unethical. If you’re an honest broker, the people who engage your services know it. If you pass off someone else’s work as your own, you’re dishonest.
  • He violated a basic security rule by sharing his login credentials. Just about every set of security guidelines on the planet tells you not to share your login credentials with others. Bob did it regularly and often, shipping his security tokens off to his Chinese provider.
  • He violated a confidentiality agreement, and might have put the US at risk. The Verizon write-up says the company was a US infrastructure provider, and “The implications [of the unauthorized access] were severe and could not be overstated.” Bob was routinely granting access on the sly to people who weren’t entitled to the information. This is bad enough in almost any company, but it’s even worse in this case because he was handing privileged access to a foreign power that might not have the purest of intentions toward US infrastructure.

A disturbing aspect of this is that it’s the reverse of the usual espionage scenario: Bob’s foreign handlers didn’t have to pay him to get insider access to US infrastructure. He paid them. Or you might say they paid him in services instead of money. I wonder if this is a new MO for espionage, getting the dupes to pay the handlers instead of the other way round.

No, I don’t consider Bob a hero.