Sed quis custodiet ipsos custodes?

Who watches the people who watch what I do on my computer?

Like many corporations these days, my office has instituted a ‘no internet for personal use, thank you’ policy, which has trickled down to no use of personal email. I won’t begin to snark about how I feel there, since frankly, I can see both sides of it and I know it’s a matter of me not liking it.

I still spend a significant amount of time on the net, but frankly, I’m looking up information about the desktop, security, etc. And if I get yelled at for it, well, I’ll have to ask what they mean by ‘for work only’ since I think I’m not causing much harm and I’m still ass kicking my projects.

No rant, no rant, no rant.

Who keeps an eye on the people who are monitoring my internet usage?

Who keeps an eye on the people who monitor the databases where my personal information is kept?

The other day, while venting about something stupid at my office, we talked about the latest security breach at a major company (Lexis-Nexis). Personal information was shared all over the place. Credit card information, you name it, it was hacked. And no one knew how much stuff was snagged or who was affected.

Pause and do that golf clap as you say ‘… Well done!’

I’m considered a mild paranoid (I don’t think everyone’s out to get me, but I keep abreast of the issues in personal privacy/security). I was asked if I was worried. No, no I’m not. Because I know for $8 or so, I can dig up the personal information, credit card history and rating, criminal records, driver’s information, and a slew of other things. And yes, I did mean $8. That’s the second lowest rate I could find for paying a PI type website to snoop. I’m pretty sure if I asked at my local spy shop- excuse me, locksmith- I’d get a better and more secure rate.

Don’t think for a second I’m going to give my credit card information to a website that specializes in, oh, selling information. That’s right up there with Tossed Salad Man and shooting my own ass. But. I also tossed the idea of becoming a licensed PI for Illinois just to have access to the cool tools I know Veronica Mars uses. Yes, it’s a TV show, shut it. I’m just saying it would be cool to be able to pull up that information when I wanted to. For a monthly fee.

But that has its own problem. What if you, like this poor woman in Florida, had your Sheriff get your personal information from the DMV? Okay, so he could have gotten the information he wanted off of Google. Instead, he used a very legit tool for a squidgy reason. It’s not illegal per se, but maybe it should be.

What’s to stop a bank teller from looking up a neighbor’s bank account? What stops Mrs. Landingham, my IRS person, from taking my personal information and ripping me off?

Social conscience.

And we all know how reliable that is.

I’ve known for years that anyone who knows my name can find out a shit load about me. A stalker could find my address and phone number, regardless that the latter is unlisted. Hell, I own a domain, and I know exactly how easy a whois would be for anyone looking for me.

Not that I was a hell of a lot safer pre-internet. A couple phone calls, a trip to the DMV, and bam. After all, it has to be legal for a Repo Man to, well, repo. So the information must be accessible. It’s only logic. Next go look at colleges. Every last stinking one I’ve been to uses your SSN as your student ID. Easy to remember for the student. Easy to tie into databases for the school. And when I got a bill? Damned if my SSN wasn’t printed right there on my bill. Everyone knows (or should) that tampering with mail is a federal offense, but let me walk you through how my mail was delivered on my high school campus.

1. Mail is sent to a PO Box
2. Mail is picked up by a teacher
3. Mail is sorted into two piles ‘Teacher’ and ‘Student’
4. Student mail is put in a box
5. Student assigned to mail takes the box to our unlocked, public mail boxes and sorts
6. Students pick up mail

We’re trusting three key elements here: the guy at the PO Box, the Teacher who gets and/or sorts the mail, the student who ‘delivers’ the mail.

Yeah, your personal information has never been secure. It’s just faster to find now.

It’s weird, but I’m going to bring this around to the Pope, so hold on for a sec.

Bruce Schneier wrote a great article about Hacking the Papal Election, in which he explains the ins and outs of how they vote. The short story is this: Hacking the Papal election is nigh impossible! The entire thing is manual, so no hanging chads or manipulated computers. Only the Cardinals are allowed in, and it’s not like you can play dress up and sneak in. You have to walk up, in front of everyone, to vote, and since the votes are counted twice and chucked if there are too many or too few, you can’t stuff the ballot. The only places where it might be easy to change votes are when the votes are counted the second time (the person could sleight of hand a vote, though given the dresses- I mean robes- they wear, it’s hard), or when a transcriber writes the vote for a Cardinal who’s unable to write. And if you get caught doing that you get excommunicated. So not worth it.

I bring this up because it goes back to social conscience. Whatever you think about the Pope and Catholics, you can probably agree with me when I say that these Cardinals really want to do the best job they can. They’ve got so much shit thrown at them, from JPII being so damned popular to sex abuse and STDs that they need to get some positive spin on them. In their case, it’s freakishly reliable that they’re going to do the best they can. Now, I do think there’s a lot of bullying, bribery, promises, etc. going on pre-vote, but I expect that. “If you vote for Cardinal Glick, I’ll tell everyone about the hooker you had in your room when we were just priests.” See, I’d totally do that shit, and you know they would too. I know the votes are secret, but you can’t expect me to believe people won’t try and persuade each other.

How does this reflect on security and your personal information?

It’s indirect, I admit, but follow this: Personal information which is compromised leads to identity theft, which can be used to commit voter fraud, which can re-elect George Bush, but which can’t be used to make an American the Pope.

Yeah, you were worried about your money.

Okay, look, here’s the real point of all this: You’re not safe. You never were and you’re really never gonna be. There are things you can do, starting with paying better goddamned attention. Get an email that looks iffy? Delete it. Buying stuff online? Make sure it’s from someone you can trust. Have a different password per site that you use in conjunction with your money. And be careful.

You know that you can’t rely on the social conscience of others to not fuck you over, so all you can do is keep a close watch on what you do.

After all, how is it any more secure to pay for your dinner with a credit card than it is to do so online? They take your card to a back room, run it through the card scan to make sure you can pay, and bring it back. Shit, they could photocopy it in that time, and they have an example of your signature!

Which is why all my cards say ‘Ask for ID.’

And people so rarely do.

I don’t have the answers, but if this blog has scared you then I’ve done my job. Be aware.