But what if my password manager gets hacked?! A few thoughts on how to talk about security worries with non-experts


Authentication is one of the riskiest and most misunderstood things that non-experts have to manage day in, day out, and even though there are lots of companies out to “kill” passwords, they’re not dead yet. For the foreseeable future, experts or not, we’re all stuck with making the best out of what we have, and as security practitioners, we need to continue focusing on improving security outcomes to set humans up for success instead of password reuse and failure.

One of the most common questions I am asked in 1000 different ways when I talk about password managers as a way to remove credential management burdens from users is, “Are password managers safe? What if they get hacked?” As a self proclaimed password truther, I don’t mind this at all— once upon a time, I got into an argument with an extremely intelligent guy at a friendly meetup who wouldn’t leave me alone about mutual authentication with TLS when I worked at 1Password— and, well, spoiler alert… we’re getting married this year. Continue reading “But what if my password manager gets hacked?! A few thoughts on how to talk about security worries with non-experts”


Privacy, accessibility and student data security: An Analysis of Clever Badges

Last week, I stumbled onto a blog post from Clever announcing its new “Clever Badges” for students in Grades K-2. Designed to make it easier for younger students to access the edtech apps they use in the classroom, the badge replaces passwords with a laminated QR code that a student can flash at the camera on their machine to login.

In its own words,

“With Clever Badges, students simply flash their Badge and get access to all of their personalized learning applications. Our goal is to take something known as cumbersome and inefficient and make it fast, easy, and even fun! And best of all, Clever Badges significantly raises the bar for security and privacy in most classrooms.”

As I watched the video they’ve made to introduce this feature and read through the rest of the post that touted this as a win for student privacy and security, I was struck by how much more education needs to be done on those topics in edtech. In 2016, it shouldn’t be possible for technology companies of any sort to confuse accessibility and convenience with security and privacy, but here we are. Continue reading “Privacy, accessibility and student data security: An Analysis of Clever Badges”

Security… for everyone? Apple Store Edition


Today, I had to take a trip to the Apple Store. Because of all of the things that could break on my computer, the most important one that I can’t live without started misbehaving: my trackpad.

After checking in, leaving a trail of umbrella drips from the front door to the upstairs Genius Bar, and getting my machine ready to be all fixed up, I was ready to surrender my darling little machine to the powers that be so that what was broken could be fixed in-warranty. I entertained a round of interrogation about the colorful stickers on my laptop— “Oh, that’s Threatbutt, it’s a totally innovative security thing that only the smartest people know about!’’ and once my machine was whisked away, I sat back and observed the interactions going on between the people near me.

To my right, an older woman had brought in her computer because it wouldn’t connect to the internet. She had been hunting down the perfect quilting pattern for her granddaughter’s wedding gift, and while downloading templates, she had somehow added 45 different extensions to her browser. Hidden in these malicious extensions were competing strains of adware that were running amok on her machine, making it impossible for it find its way to the internet and transfer any sort of data back and forth.

Behind me, another woman had a similar issue: her twenty-something daughter was telling her to download a new app that was just ~*to die for*~ on her computer, and she did. But once she downloaded it, the app disappeared and couldn’t be found on her computer or phone. For the past few days, she had gone to the web and searched for the app to download again, but didn’t understand why it wasn’t showing up on her device. A few minutes later, the was clear: after she downloaded the app from the first Google result on the web, she opened iTunes and tried dragging the app onto her phone while it was syncing with her computer. As a result of downloading software from an untrusted source, she had adware on her machine. When the technician explained what this was and why it happened, she sighed deeply and had a positively dejected look on her face.

“My daughter kept telling me to download this app on my phone— she lives in Miami— and I tried, I really did. My husband used to do these things for me and he was so patient, but he passed away last year…I have absolutely no idea what any of this is. Everyone else seems to be having so much fun with these apps and things, and I want to enjoy technology with them, but that just doesn’t feel like it’s ever going to happen. I spend more time scared I’m going to break the damned thing than I do having fun with it.”

Another quite sassy lady sitting across the table from us had a computer that just “wouldn’t listen to her.” When she “told” her computer to go to a website, it just went wherever it pleased, and she was “damned tired” of it acting like it’s “possessed.” And lest ye think that the Apple Store was full of damsels in distress on that very, very rainy day, there was a man behind me whose computer kept emailing people… but he couldn’t figure out how. When he searched, he couldn’t see or find the emails, and didn’t know how to make something that was invisible to him stop infecting the inboxes of his friends, colleagues and family. In the space of a half an hour, six more people around me were (very patiently, professionally and diligently) walked through the steps and given a few basic tools to help them solve security problems and avoid reintroducing them to their computers. Which got me thinking…

Far too often, security practitioners and technologists take the position of blaming users for security failures or thinking that users deserve all of the bad things that they might encounter out there on the web as a consequence of not knowing all of the ins and outs of technology. “People are the weakest link in security!” seems to be more of a comfortable excuse lean on than a rallying cry to actually do something to change the status quo. While we might be able to master protocols, grok complex technological concepts, and break whatever we feel like whenever we want… those skills and the highly specialized language surrounding them isolate us from the people we are defending.

(“Wait, what?! When we do this security stuff, we’re defending people?! People are SO dumb.” …  Um, yes, what in the hell did you think you were doing when you took that security job?)

To date, billions of people have literally bought into the idea that their computers would change their lives (and sometimes they do), and we know quite a bit about how and why they interact the ways they do with technology. We know that no one has taken on the responsibility of truly educating most people about the risks that come with the very many rewards the internet has to offer. And then many of us fault them for not knowing things, especially the things that they had no way of knowing or learning about them whatsoever. But tell me…

When was the grandmother making a quilt for her granddaughter’s wedding supposed to learn basic online security principles? How should she have known where to find information that she didn’t know she needed to know?

When would a 75-year-old lady ever have learned that the machine she uses for knitting needs backing up? Who would have explained to her the value of her data?

How was the widow going to learn all of the ins and outs of technology when her husband was the one with years of tech experience?

How should little old ladies navigate operating system updates when the quilting software they use for sewing isn’t compatible with the latest, greatest and shiniest new thing out? (“Use better software” isn’t an option.)

Where would someone who had never before been exposed to an App Store ever learn about how any of those things work?

And how would someone whose use case of the internet never, ever gave them reason to think of malicious uses of the internet? How would anyone in this situation know to take proactive security measures against them?

At the end of the day, sitting around and speaking poorly of end users doesn’t help any of us fix the eleventy twelve billion problems at hand, and it doesn’t make end users smarter and wiser either. Neither does ignoring reliable data, psychology, science, usability studies, or the reality that we will need a multitude of tactics to truly get end users and technologists doing everything they can on both sides to help us take care of the web.

After spending days, months, years, and thousands of hours behind a computer, it’s sometimes hard to remember what it felt lie to sit in front of one of these things and have absolutely no fucking idea how it worked. It’s almost impossible to recall what it felt like to not know that there were so many things you didn’t know. Should we all have to be experts in every single detail of technology to be able to use it? No— and that’s just not going to happen given the ease with which anyone, even in developing countries, can gain access to the connected world. (And seriously, show me someone who is deserving of such a thing, an absolute and total expert in every technological capacity — I’ll wait.)

Staying holed off in our own little corner of the internet and fighting with each other about the most senseless of things isn’t helping us in any way, and yet some days it feels like we’re good at doing very little else than that. We complain that people are why security fails all of the time, but then forget that at the core, we’re people too and we are no better than anyone (everyone) else. When we ignore the facts of the situation— that the web is supposed to belong to everyone, not just the technological geniuses and cool kids who can hack this then whack that— and isolate ourselves from ever having to interact with people not like us, we fail everyone and we make our jobs much harder than they truly have to be.

But what do I know? I just went to the Apple Store to get my computer fixed one day. And now a bunch of people know that Taylor Swift and her squad are basically one badass hacking gang.

Some personal news

A few years ago, I heard an idea that seemed so crazy that it just might work: because so passwords had become so easy to crack and subvert, it was safer for me to not know my passwords than to be able to actually remember them. This idea was put forth by the makers of a thing called a password manager, and I was so intrigued by it that I had to try one. After a long and epic romance of four years with the keeper of all of my most important internet secrets (my passwords!), I’m stupendously excited to share that I am finally making it official with my boo who started it all…  at the end of August, I’ll be joining AgileBits as chief hype girl security evangelist for 1Password, my most favorite software in the world. Continue reading “Some personal news”

Another Student Data Privacy Act That Doesn’t Protect Student Data or Privacy

This weekend, the New York Times published a story mentioning the Obama administration’s focus on online privacy and security. As part of their initiative… the administration intends to introduce and pass legislation about breach notification and student data security. 

From the NYT: 

“The president will also propose the Student Data Privacy Act, which would prohibit technology firms from profiting from information collected in schools as teachers adopt tablets, online services and Internet-connected software, officials said. And he will announce voluntary agreements by companies to safeguard home energy data and to provide easy access to credit scores as an “early warning system” for identity theft.”

The story mentions that this a reaction to the industry’s attempt to self-regulate with a privacy pledge this past October, and that the legislation which will be similar to California’s SOPIPA, which prohibits targeting students with online marketing and advertising, selling student information, profiling students based on data collected, and requiring companies to put security measures in place to protect student data. (While security measures are required to protect student data, SOPIPA set no bare minimum security standards for education technology companies, and did not require companies to disclose their security measures to users.) Continue reading “Another Student Data Privacy Act That Doesn’t Protect Student Data or Privacy”

On Resolutions: Two Lists that Changed My Life

As a rule, I tend to avoid writing about myself in public— but some rules are meant to be broken. As 2014 draws to a close, I couldn’t help but write about what has been the absolute best and most favorite year of my life.

For most of my life, I’ve failed miserably at New Years Resolutions. There was the year when I got all excited (with a million other people) about learning how to code… and ended up being a Codecademy dropout in no time. There was another year where I was going to get back into running again but, … surprise! It’s actually really hard to get motivated to wake up early when you are a night owl and run through the pain of shin splints and past injuries in the frigid, icy cold of winter. Frustrated with my history of failed resolutions (we only really keep to them for about 6 weeks anyway), last year I decided to forego the tradition of setting myself up for failure for the first couple of months of a new year and try something entirely new.

Instead of making resolutions, I decided to make a list. Continue reading “On Resolutions: Two Lists that Changed My Life”

This is bullshit: A rant on hacking, passwords, security and usability.

Over the weekend, a major news story broke about an iCloud attack in which hackers broke into the accounts of 100 female celebrities to steal compromising nude pictures. Every. single. time there’s a “hacking” incident, the media coverage is awful— and the security advice is even worse. Case in point:

In all of the discussion of the incident,

Continue reading “This is bullshit: A rant on hacking, passwords, security and usability.”

This is why your “Women in Tech” event sucks

giphy (1)

A few weeks ago, my friend Leah wrote a thoughtful post about how to get more women into technology and STEM careers. In her post, she says:

Enticing women to tech isn’t about making it “diva-fied” or “girlification.”… Reducing women in tech from engineers to “web divas” pushes us into superficial territory and marginalizes our skills and contributions.  Instead of looking up to women in tech as problem-solvers and visionaries we get looked down upon as interlopers far from home.

Women are not all the same.  We don’t all want pink and flowers and glitter.  We don’t all think the same. We aren’t one dimensional creatures who will be drawn to the tech world because someone sent us a flier with pretty purple letters and butterflies.  We don’t all enter the tech world the same way and any strategy that relies on all women being alike is doomed to fail.

Continue reading “This is why your “Women in Tech” event sucks”

“We do not understand this tragedy. We know we did nothing to deserve it… no one deserves a tragedy.”

Candlelight Vigil on the Drillfield at Virginia Tech, 4/17/2007

“We are strong, and brave, and innocent, and unafraid. We are better than we think and not quite what we want to be. We are alive to the imaginations and the possibilities. We will continue to invent the future through our blood and tears and through all our sadness.

We are the Hokies.

We will prevail.

We will prevail.

We will prevail.

We are Virginia Tech.”

– Nikki Giovanni, 4/17/2007