But what if my password manager gets hacked?! A few thoughts on how to talk about security worries with non-experts


Authentication is one of the riskiest and most misunderstood things that non-experts have to manage day in, day out, and even though there are lots of companies out to “kill” passwords, they’re not dead yet. For the foreseeable future, experts or not, we’re all stuck with making the best out of what we have, and as security practitioners, we need to continue focusing on improving security outcomes to set humans up for success instead of password reuse and failure.

One of the most common questions I am asked in 1000 different ways when I talk about password managers as a way to remove credential management burdens from users is, “Are password managers safe? What if they get hacked?” As a self proclaimed password truther, I don’t mind this at all— once upon a time, I got into an argument with an extremely intelligent guy at a friendly meetup who wouldn’t leave me alone about mutual authentication with TLS when I worked at 1Password— and, well, spoiler alert… we’re getting married this year. Continue reading “But what if my password manager gets hacked?! A few thoughts on how to talk about security worries with non-experts”


This iOS 10 trick will save you a few home button taps (and your sanity)



Are you using an iPhone with Touch ID that isn’t an iPhone 7? Do you regret updating to iOS 10 because you now have to tap home button to unlock  your device, even when you use Touch ID?

Take a deep breath and exhale… because there is a way out of the Apple-induced rage that we’re both sharing. Things don’t have to be this way anymore, especially if you make your way to a very hidden toggle and tap it on.  Continue reading “This iOS 10 trick will save you a few home button taps (and your sanity)”

Privacy, accessibility and student data security: An Analysis of Clever Badges

Last week, I stumbled onto a blog post from Clever announcing its new “Clever Badges” for students in Grades K-2. Designed to make it easier for younger students to access the edtech apps they use in the classroom, the badge replaces passwords with a laminated QR code that a student can flash at the camera on their machine to login.

In its own words,

“With Clever Badges, students simply flash their Badge and get access to all of their personalized learning applications. Our goal is to take something known as cumbersome and inefficient and make it fast, easy, and even fun! And best of all, Clever Badges significantly raises the bar for security and privacy in most classrooms.”

As I watched the video they’ve made to introduce this feature and read through the rest of the post that touted this as a win for student privacy and security, I was struck by how much more education needs to be done on those topics in edtech. In 2016, it shouldn’t be possible for technology companies of any sort to confuse accessibility and convenience with security and privacy, but here we are. Continue reading “Privacy, accessibility and student data security: An Analysis of Clever Badges”

Security… for everyone? Apple Store Edition


Today, I had to take a trip to the Apple Store. Because of all of the things that could break on my computer, the most important one that I can’t live without started misbehaving: my trackpad.

After checking in, leaving a trail of umbrella drips from the front door to the upstairs Genius Bar, and getting my machine ready to be all fixed up, I was ready to surrender my darling little machine to the powers that be so that what was broken could be fixed in-warranty. I entertained a round of interrogation about the colorful stickers on my laptop— “Oh, that’s Threatbutt, it’s a totally innovative security thing that only the smartest people know about!’’ and once my machine was whisked away, I sat back and observed the interactions going on between the people near me.

To my right, an older woman had brought in her computer because it wouldn’t connect to the internet. She had been hunting down the perfect quilting pattern for her granddaughter’s wedding gift, and while downloading templates, she had somehow added 45 different extensions to her browser. Hidden in these malicious extensions were competing strains of adware that were running amok on her machine, making it impossible for it find its way to the internet and transfer any sort of data back and forth.

Behind me, another woman had a similar issue: her twenty-something daughter was telling her to download a new app that was just ~*to die for*~ on her computer, and she did. But once she downloaded it, the app disappeared and couldn’t be found on her computer or phone. For the past few days, she had gone to the web and searched for the app to download again, but didn’t understand why it wasn’t showing up on her device. A few minutes later, the was clear: after she downloaded the app from the first Google result on the web, she opened iTunes and tried dragging the app onto her phone while it was syncing with her computer. As a result of downloading software from an untrusted source, she had adware on her machine. When the technician explained what this was and why it happened, she sighed deeply and had a positively dejected look on her face.

“My daughter kept telling me to download this app on my phone— she lives in Miami— and I tried, I really did. My husband used to do these things for me and he was so patient, but he passed away last year…I have absolutely no idea what any of this is. Everyone else seems to be having so much fun with these apps and things, and I want to enjoy technology with them, but that just doesn’t feel like it’s ever going to happen. I spend more time scared I’m going to break the damned thing than I do having fun with it.”

Another quite sassy lady sitting across the table from us had a computer that just “wouldn’t listen to her.” When she “told” her computer to go to a website, it just went wherever it pleased, and she was “damned tired” of it acting like it’s “possessed.” And lest ye think that the Apple Store was full of damsels in distress on that very, very rainy day, there was a man behind me whose computer kept emailing people… but he couldn’t figure out how. When he searched, he couldn’t see or find the emails, and didn’t know how to make something that was invisible to him stop infecting the inboxes of his friends, colleagues and family. In the space of a half an hour, six more people around me were (very patiently, professionally and diligently) walked through the steps and given a few basic tools to help them solve security problems and avoid reintroducing them to their computers. Which got me thinking…

Far too often, security practitioners and technologists take the position of blaming users for security failures or thinking that users deserve all of the bad things that they might encounter out there on the web as a consequence of not knowing all of the ins and outs of technology. “People are the weakest link in security!” seems to be more of a comfortable excuse lean on than a rallying cry to actually do something to change the status quo. While we might be able to master protocols, grok complex technological concepts, and break whatever we feel like whenever we want… those skills and the highly specialized language surrounding them isolate us from the people we are defending.

(“Wait, what?! When we do this security stuff, we’re defending people?! People are SO dumb.” …  Um, yes, what in the hell did you think you were doing when you took that security job?)

To date, billions of people have literally bought into the idea that their computers would change their lives (and sometimes they do), and we know quite a bit about how and why they interact the ways they do with technology. We know that no one has taken on the responsibility of truly educating most people about the risks that come with the very many rewards the internet has to offer. And then many of us fault them for not knowing things, especially the things that they had no way of knowing or learning about them whatsoever. But tell me…

When was the grandmother making a quilt for her granddaughter’s wedding supposed to learn basic online security principles? How should she have known where to find information that she didn’t know she needed to know?

When would a 75-year-old lady ever have learned that the machine she uses for knitting needs backing up? Who would have explained to her the value of her data?

How was the widow going to learn all of the ins and outs of technology when her husband was the one with years of tech experience?

How should little old ladies navigate operating system updates when the quilting software they use for sewing isn’t compatible with the latest, greatest and shiniest new thing out? (“Use better software” isn’t an option.)

Where would someone who had never before been exposed to an App Store ever learn about how any of those things work?

And how would someone whose use case of the internet never, ever gave them reason to think of malicious uses of the internet? How would anyone in this situation know to take proactive security measures against them?

At the end of the day, sitting around and speaking poorly of end users doesn’t help any of us fix the eleventy twelve billion problems at hand, and it doesn’t make end users smarter and wiser either. Neither does ignoring reliable data, psychology, science, usability studies, or the reality that we will need a multitude of tactics to truly get end users and technologists doing everything they can on both sides to help us take care of the web.

After spending days, months, years, and thousands of hours behind a computer, it’s sometimes hard to remember what it felt lie to sit in front of one of these things and have absolutely no fucking idea how it worked. It’s almost impossible to recall what it felt like to not know that there were so many things you didn’t know. Should we all have to be experts in every single detail of technology to be able to use it? No— and that’s just not going to happen given the ease with which anyone, even in developing countries, can gain access to the connected world. (And seriously, show me someone who is deserving of such a thing, an absolute and total expert in every technological capacity — I’ll wait.)

Staying holed off in our own little corner of the internet and fighting with each other about the most senseless of things isn’t helping us in any way, and yet some days it feels like we’re good at doing very little else than that. We complain that people are why security fails all of the time, but then forget that at the core, we’re people too and we are no better than anyone (everyone) else. When we ignore the facts of the situation— that the web is supposed to belong to everyone, not just the technological geniuses and cool kids who can hack this then whack that— and isolate ourselves from ever having to interact with people not like us, we fail everyone and we make our jobs much harder than they truly have to be.

But what do I know? I just went to the Apple Store to get my computer fixed one day. And now a bunch of people know that Taylor Swift and her squad are basically one badass hacking gang.

Some personal news

A few years ago, I heard an idea that seemed so crazy that it just might work: because so passwords had become so easy to crack and subvert, it was safer for me to not know my passwords than to be able to actually remember them. This idea was put forth by the makers of a thing called a password manager, and I was so intrigued by it that I had to try one. After a long and epic romance of four years with the keeper of all of my most important internet secrets (my passwords!), I’m stupendously excited to share that I am finally making it official with my boo who started it all…  at the end of August, I’ll be joining AgileBits as chief hype girl security evangelist for 1Password, my most favorite software in the world. Continue reading “Some personal news”

Another Student Data Privacy Act That Doesn’t Protect Student Data or Privacy

This weekend, the New York Times published a story mentioning the Obama administration’s focus on online privacy and security. As part of their initiative… the administration intends to introduce and pass legislation about breach notification and student data security. 

From the NYT: 

“The president will also propose the Student Data Privacy Act, which would prohibit technology firms from profiting from information collected in schools as teachers adopt tablets, online services and Internet-connected software, officials said. And he will announce voluntary agreements by companies to safeguard home energy data and to provide easy access to credit scores as an “early warning system” for identity theft.”

The story mentions that this a reaction to the industry’s attempt to self-regulate with a privacy pledge this past October, and that the legislation which will be similar to California’s SOPIPA, which prohibits targeting students with online marketing and advertising, selling student information, profiling students based on data collected, and requiring companies to put security measures in place to protect student data. (While security measures are required to protect student data, SOPIPA set no bare minimum security standards for education technology companies, and did not require companies to disclose their security measures to users.) Continue reading “Another Student Data Privacy Act That Doesn’t Protect Student Data or Privacy”

How to Teach Computer Security Skills

This piece was originally published here by Educating Modern Learners.

With increasing adoption of computer technologies, schools must do a better job addressing two important issues: privacy and security. Here, education security advocate Jessy Irwin offers some first steps in learning about security. And this isn’t just a lesson for students — it’s for teachers and school leaders and parents as well. 

If digital citizens have learned anything from the web in 2014, it is that this year is the year of the hacker. While malicious black hat hackers compromised hundreds of millions of accounts across the web, their ethical, white hat counterparts uncovered code flaws like Heartbleed and Shellshock that weakened parts of the critical infrastructure of the web. In this new web order, the question is no longer “if” you will be hacked on the web, but “when.” In many schools, the primary goal of digital literacy education is to give students the skills they need to find, remix and create content on the ever-expanding worldwide web. In the quest to unlock the potential of the web and its troves of boundless content for learners, however, many educators overlook the weakest aspect of digital literacy for the average web user: security. Continue reading “How to Teach Computer Security Skills”

On Resolutions: Two Lists that Changed My Life

As a rule, I tend to avoid writing about myself in public— but some rules are meant to be broken. As 2014 draws to a close, I couldn’t help but write about what has been the absolute best and most favorite year of my life.

For most of my life, I’ve failed miserably at New Years Resolutions. There was the year when I got all excited (with a million other people) about learning how to code… and ended up being a Codecademy dropout in no time. There was another year where I was going to get back into running again but, … surprise! It’s actually really hard to get motivated to wake up early when you are a night owl and run through the pain of shin splints and past injuries in the frigid, icy cold of winter. Frustrated with my history of failed resolutions (we only really keep to them for about 6 weeks anyway), last year I decided to forego the tradition of setting myself up for failure for the first couple of months of a new year and try something entirely new.

Instead of making resolutions, I decided to make a list. Continue reading “On Resolutions: Two Lists that Changed My Life”

On #edsec: Education’s massive security problem

Dinosaurs are a very important part of the security conference experience.
Dinosaurs: a very important part of the security conference experience.

A few months ago, I gave a talk at BSidesLV on the state of security in education technology. My talk, #edsec: Hacking for Education isn’t a hacker talk in the truest of senses— I had no l33t, sophisticated hacks to show off, no beautiful backdoors into well-maintained code to make my point. Instead, I went the route of discussing the lack of security standards, the dire state of security awareness among educators, the deplorable state of school infrastructure, and the security-averse attitude of developers within education technology .

I should have written this post months ago— I am thankful for alot of people who helped me get through my first-ever talk at a national conference— but I’ve been struggling to overcome an awful, awful feeling that in the pit of my stomach after I finished my week away at hacker summer camp. After being surrounded by people who discussed securing the critical infrastructures that make our web work, protecting medical devices from attack, and preparing for the Internet of Things that is to come, I realized that I didn’t go far enough.  Continue reading “On #edsec: Education’s massive security problem”