Something you know, Something you have

I read an article today in an educational newsletter about keeping your accounts safe with a strong password.  It suggested a range of sensible things like having at least 8 characters, using a mix of uppercase, lowercase, numbers and special characters, and not reusing old passwords.  All pretty good advice.

I hear a lot of people expressing concern about the security of “the cloud”.  They worry that their data could be compromised if kept on a server they don’t own themselves, or a server that is located somewhere else, possibly even in another country.  They express concerns about data breaches from hackers, security breaches of data centres, or even data being accessed by foreign powers during a government uprising. Is any of this possible?  I suppose so. Anything is possible. Unlikely perhaps, but possible.

If it’s true that anything is possible, and we want our data to have zero risk, then we need to not keep data anywhere. The only sure way to have no risk with our data is to have no data, but that’s obviously not possible, because we live in the real world where having data is important and useful. To live in a world without data is not an option. So when it comes to the security of your data, we need to decide what level of risk is acceptable to us.

Putting aside the likelihood of secret hacking attempts or tinfoil-hat conspiracy theories, can we all just acknowledge that the single most likely way your data will be accessed by someone else is if they get hold of your password.  Either you didn’t pick a very secure password to start with, or they guess it because they know your pet’s name, or you do what so many people do and write it on a post-it note and stick it to your monitor at work. Or maybe you are away from your desk without locking your computer. Or maybe you’ve shared it with someone you know.  Whatever the reason, that password, those eight or so little characters, are all that stands between you and potentially disastrous consequences.

So why, oh why, do more people not use Two Factor Authentication (or 2FA)?  I have had literally hundreds of conversations with people who will argue about the alleged insecurity of the cloud, and who get all freaked out because they don’t know where or how their data is physically stored, and who claim that they can’t possibly rely on a cloud service to store their precious data, but who don’t use 2FA on their account!  It’s insane.

Look, I get that some people might be mistrustful of the idea of putting their data somewhere other than a server that they own themselves. But unless they at least use 2FA to secure their account I cannot take anything they say about security seriously.  They are not even taking the most basic of steps to secure their own data, while they bleat about highly unlikely potential worst case scenarios.

So what exactly is two factor authentication?

Many people have two locks on their front door – a top lock and a bottom lock, each with it’s own key. Unlocking either one of the locks is not enough to open the door – you need to unlock both locks at the same time. That’s two factor authentication. You need both factors – in this case, both keys – to open the door.

When it comes to data, you also want to have two keys, or ‘factors’. And ideally you want to have two different kinds of factors – something you know and something you have. 

The something you know is the password, and yes it’s still a good idea to have a strong password, something with enough length and complexity that is hard to guess but easy to remember.  But it’s not enough. It’s just one factor.

The second factor is something you have, or something you physically carry with you, such as a phone or touch key. Unless the hacker or foreign power actually has your phone, they can’t access your data, even if they know your password.  Just like the two keys for the front door, they need both your password AND your phone at the same time. If they have both those things, you may just have bigger problems to deal with.

Some people think that using two factor authentication can be a pain, but it doesn’t have to be. It’s easy and absolutely worth whatever very minor inconvenience it might cause.  You probably have your phone with you all the time anyway, so it’s really not a big deal. Once you set it up, when you log into your account on a new device you simply enter your username and password as usual, then tap a button or enter a code on your phone to complete the login.  No phone, no login. Take that, hacker!

There are a number of ways to get that second factor, from receiving a text message, to entering a secret number that gets generated every 30 seconds, to tapping a ‘Yes’ button on your phone, to having a dedicated Yubikey in your computer. It’s an extra step, sure, but it makes your account very, very difficult to hack.

So please, if you don’t already use 2FA (on every account you own!) then set it up now. Your online life will be exponentially more secure. And if you don’t, then please do not ever express an opinion about the security of the cloud or anything else. If you can’t take even the most basic steps to protect your own online data then you have no business expressing your opinions about whether a cloud system is secure enough or not.  You just sound silly.

The Power Of Spreadsheets

I had a knock on our front door a few weeks ago. It was a young English guy going door to door for an electricity retailer, trying to get me to switch my power company.  As it turns out, it was his first day so he didn’t really know a lot about what he was selling and couldn’t answer many of my questions in detail. To be fair, I can be a bit analytical about these things and I don’t think he was prepared for so many questions. His spiel was basically “You should switch to us because we are better”, but when I asked about the rates they charge, all he could respond with was “We have really good rates”.

If you ever come knocking on my door, whether you’re trying to get me to switch energy companies, or convince me that Jesus loves me, you better be prepared to engage. I ask lots of questions. You better have answers.

So I grabbed my most recent power bill, and asked him exactly what their rates were per KWh. He had never heard of a Time Of Use meter (TOU), which our house uses, so I had to explain the concepts of Peak, Shoulder and Off Peak rates to him. As we compared the rates, we both learned that his company’s “really good rates” were not quite as good as he had been led to believe.  Compared to what we were currently paying, they were slightly cheaper for Peak and Shoulder, and quite a bit more for Off Peak.  It was an interesting discussion and I told him I would take the data he provided and think about it.

When I think about data, I do it with a spreadsheet. I often amazes me how few people really understand the power of a spreadsheet to analyse numbers. Even with just a few simple formulas, it’s possible to dig into numbers and see what they really represent.  Especially with consumer level data – like knowing how much things really cost – it astounds me that more people don’t know how to make sense of the numbers for their basic expenses.

So I knocked up a spreadsheet in Google Sheets. I transferred the KWh usage from my last power bill onto the sheet (which was a little tricky as there was a rate change part way through the quarter, so I had to calculate the different rate amounts and add them together for the total) but in the end was able to correctly derive the exact same $429 figure as I actually paid. Just that part of the exercise was useful as it helped me understand exactly how my power bill was calculated. (Do you understand how yours is calculated?) I then projected the amount of my next quarterly power bill – $529 – assuming the usage was the same, but with the latest rates.

Then I copied the usage data and plugged in the KWh rates being quoted to me by my door knocking friend. His company was offering a 15% pay-on-time discount on the bill (but only on the actual power usage, not the supply charge, as I found out later by reading the fine print). As it turns out, his company – Simply Energy – was indeed cheaper than my current provider, coming in at $439 for the same usage and a saving of $89.88. Not bad.

But wait, it got me thinking. Could I do even better? A quick internet search turned up a power provider called Red Energy. Red Energy was highly recommended by Canstar, so I found their rates and plugged them into my spreadsheet. Their KWh rates were cheaper, however they only offered a 10% pay-on-time discount, but it was on the whole bill not just the consumption component.  Can you see why you really need a spreadsheet to analyse this data if you want to make any informed decisions? I’m sure that companies deliberately calculate their charges using different formulas to their competition, just to make it harder for consumers to make apples-to-apples comparisons. Thank goodness for spreadsheets and knowing how to use them.

Red Energy was not actually the cheapest option, but they were close enough and the one I felt best about as they are a 100% Australian owned company. So I called them, and made the switch.

And then the fun started. Yesterday I got a call from Energy Australia, my current power provider, telling me what a valued customer I am and how much they wanted to keep my business. So much so that they offered an ongoing 26% (!) pay-on-time discount on my power bill. While that certainly sounded like an attractive deal, their actual rates were still higher, so how can you tell?  Yes, with a spreadsheet.

As the Energy Australia rep was wooing me with enticing offers I was able to say “Hang on, I have a spreadsheet!”  I quickly entered their data into the sheet and was now discussing the options knowing exactly what I was talking about. Having data is powerful.  Turns out it was a good deal, so I decided to remain with my original provider (although I was a little bit annoyed that you need to threaten to leave them before they suddenly discovered they can offer me a discount!)

Now I had to call Red Energy and tell them I was cancelling the switch. But, surprise surprise, Red has a customer retention department as well and they didn’t want to lose me as a potential new customer either. So they upped the ante to a 12% pay-on-time discount AND a $100 rebate on my next bill. Into the spreadsheet that new data went. And it turns out that when you take all of that into account, Red wins – by $6.34 annually.  So I decided to stick with my decision to switch after all.

You can check out the spreadsheet I made here if you are interested.

I think there are a couple of lessons here…

  1. If you want to be a canny consumer, you need to have the facts. Many companies give you information that is confusing, incomplete or just misleading. Take the time to analyse the data for yourself so you know the reality of their claims.
  2. If you want to save money on basic bills, then leave your current provider (or at least threaten to). Switching your power, phone, gas, or other service to a competitor is likely to get their customer retention department calling with a much sweeter deal than you currently get.
  3. Learn to use a spreadsheet! They are a simple tool, but oh so powerful. I can tell you, at least anecdotally, that most people I meet have absolutely no idea how to use one. Don’t be one of those people.
  4. If buying locally matters to you at all, do some research. Turns out that Energy Australia, despite the name, is a wholly owned Hong Kong company. Red is 100% Australian owned by the Snowy Hydro Scheme. Foreign ownership of Australian companies is an interesting can of worms.

Here the educational part of this blog post…

As a teacher, I see this kind of thing as a brilliant activity for students. What if you gave your learners the basic skills of calculating numbers with a spreadsheet, and then a bunch of different rates from different competing companies and simply asked “Who is offering the best deal?”  This process usually raises lots and lots of questions, and will certainly make them better consumers, better at understanding data, and better users of spreadsheets.

For an example of the kinds of ways you can take this convoluted consumer experience and turn it into a reasonably useful learning task for students, the links below are from a task I have used with my Year 11 students looking into how to figure out the best mobile phone plan. As you will see from looking at the task, it tried to take account of the complexities of the word “best” by introducing a user-centric approach (best for who?) and encouraging them to really dig into the information being provided to make sense of it. I’ve also included a grading rubric to give you an idea of how I graded this task.

Should I Trust The Cloud?

https://www.flickr.com/photos/dherholz/450303689/

I received an email recently from a colleague asking about data sovereignty, and in particular asking about how schools deal with the  need to store all personal data on Australian servers to be compliant with the law. This was my reply…

When deciding whether to do a thing – any thing – you need to assess the relative risk. There is NOTHING that can have it’s risk mitigated to zero. So while we can have debates about the security of the cloud, the fact is that ANY service is generally only as safe as the password that protects it. It’s far simpler to socially engineer your way into a system than to hack it, and it’s easier to follow someone through an open doorway before the door shuts than to crack the lock. There are security risks involved with every system.

What makes you think that data saved on a server that happens to be geographically located on Australian soil is any safer than data on a server located on the other side of some imaginary geographical dividing line? What policies make Australian servers impervious to security issues?  What is it about Australian passwords that are safer than non-Australian passwords?

It’s interesting that whenever I hear the security argument from someone, I ask them whether they use 2-factor authentication on their online accounts. The answer is almost invariably never. I find it hard to take someone seriously when they bleat about security and yet do nothing to secure their own stuff using the safest and simplest technology we have available; 2 factor authentication.

I also find it amusing that these same people who bang on about not trusting the cloud, also almost always have a bank account. When I ask them where their money is stored, they say “in the bank”. When I ask where is it actually stored, they have no idea. They don’t know where their money – or the digital records that define the concept of money – is actually stored. They never stop to consider than when they go to an ATM and withdraw $50, it’s not the same $50 note that they actually put into the bank. There is no magical shoebox under the bank’s bed that stores their actual money… it’s all just computer records, kept on a server, somewhere, and I guarantee that they have no idea where that somewhere is.

That’s why the debate about whether we should be allowing our data to be stored offshore is such a laughable concept. It shows a real lack of understanding about the way the Internet actually works.

The truth is, it doesn’t matter WHERE your data is stored. What matters is WHO is storing it, and whether you trust them with it. I’d rather trust my data to major cloud provider offshore who offer privacy policies that I trust, along with strongly encrypted and sharded data storage techniques, virtual and physical security over their datacentres, and a proven track record of doing the cloud right, than to some minor player in the cloud storage space just because they happen to have servers in Australia.

I’m also not a lawyer.  However, I’ve done enough research into the Australian data sovereignty laws to feel satisfied that I’m interpreting them the right way. And contrary to all the Fear, Uncertainty and Doubt being spread around regarding these laws, they do NOT say that cloud services cannot be used unless the servers are in Australia. What they say is that the cloud service USER – that’s you – needs to feel satisfied that the cloud service PROVIDER is offering a service that meets your expectations of safety, security, privacy and redundancy.  If you do your due diligence, and come to the conclusion that you’re satisfied with your cloud service provider is giving you a level of service you can trust, then you are free to use it and in turn offer it to your users. If you don’t believe they are offering this level of service, then don’t use them. It’s as simple as that.

Your choice will never be able to come with a 100% guarantee. Nothing does. But if you do your research carefully and make your choices well, the chances are as good as they will ever be that you have made the right decision. The cloud offers amazing possibilities, and I’m completely convinced it IS the future of computing. I’m all in on the cloud as the platform.

To me, there is really only one obvious choice in picking a cloud provider. You want someone whose entire infrastructure is built for the cloud, whose entire business model is built on doing it right, managing data with security and integrity and maintaining the trust of their users. I’m not mentioning names because I’m sure you can make your own decisions about who you trust and how well they do this cloud thing.

What I don’t want to do is to place my data with a cloud provider who is still playing catchup, whose cloud infrastructure run on legacy platforms that were never built for the cloud, and whose business practices in slagging their competition I find completely distasteful.

I don’t care where their servers are located.

Header image by Dave Herholz – CC BY-SA