Until last week, I’d never heard of Jennifer Lawrence, still less known that she apparently had salacious selfies on her phone’s cloud account. Now, it seems, everybody in the world has the news, and apparently the stolen pictures will be made into an art exhibition. Do I care (just checking the care-o-meter here)? No.
But what I do care about is the fact that the celebrity selfie hacking scandal is everyone’s problem.
My worry has got nothing to do with the way the public debate has been sidetracked by red-herring arguments, all flowing from the cult of celebrity that began, in the modern sense, as a Hollywood marketing device during the second decade of the twentieth century. That’s why these pictures get targeted. Hey – get a life. Celebrity Bits are the same as Everybody Else’s Bits. Get over it. Celebrities are also entitled to their privacy and property, just like everybody else.
No – the problem is the principle of data security. Everybody’s data security. It’s an arms race, on-line and off. People store all sorts of things on electronic media these days. Medical records, bank account details, passwords. Some of it ends up in the cloud. Some doesn’t, but even home computers may not be safe. Hacking goes on all the time, often looking for your bank account. It’s a sad indictment of human nature that those perpetrating this vandalism look on it as an assertion of superiority. I believe the term is ‘owned’, spelt ‘pwned’.
It’s not going to be resolved by passing laws or codes of conduct. Some immoral asshole out there, somewhere, will spoil the party.
All we can do is be vigilant. Various services are introducing two-step authentication, in which you can’t just log on by password, you have to add a code that’s sent to your phone.
You still need a strong password. I am amazed that the most popular password is – uh – ‘password’, pronounced ‘Yes, I WANT you to steal my stuff’. Other stupid passwords include ‘123456’, the names of pop-culture icons (‘HarryPotter’) or something published elsewhere, like your pet’s name.
But even a password that can’t be associated with you has to meet certain criteria. The reason is mathematical – specifically, factorial, a term denoted with an exclamation mark. In point of fact, the math of password security gets complex, because any human-generated password won’t be truly random – and terms such as ‘entropy’ enter the mix when figuring crackability. But at the end of the day, the more characters the better, and the more variables per character the better. Check this out:
- Any English word. There are around 1,000,000 unique words in English (including ‘callipygian’) but that’s not many for a hack-bot looking for word matches. Your account can be cracked in less than a minute.
- Mis-spelt English word. Doesn’t raise the odds. Hackers expect mis-spellings or number substitutions.
- Eight truly random lower case letters. Better. There are 208,827,064,576 combinations of the 26-letter alpha set in lower case.
- Eight truly random lower and upper case letters. Even better. These produce 53,459,728,531,456 potential passwords.
- Eight truly random keystrokes chosen from the entire available set. Best. There are 645,753,531,245,761 possible passwords.
If you use 10 truly random keystrokes, you end up with 3,255,243,551,009,881,201 possible combinations. But even that is still crackable, given time – so the other step is to change the password. Often.
Make it a habit. And – just out of interest, seeing as we’re talking about true randomness, does anybody know what the term ‘one time pad’ means?
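The counts in the list above are each the alphabet size raised to the password length (26^8, 52^8, 71^8, 71^10). This added example, which is not part of the original post, reproduces them, converts them to bits of entropy and search time, and draws a password from the operating system's secure random source. The guess rate of 10 billion per second and the nine punctuation symbols that bring the set to 71 characters are assumptions; the post gives neither.

```python
import math
import secrets
import string

# Assumed 71-symbol set: the post's "entire available set" figure equals 71**8,
# but the post does not list the symbols. The nine punctuation marks are a guess.
FULL_SET = string.ascii_letters + string.digits + "!@#$%^&*?"

ASSUMED_GUESSES_PER_SECOND = 1e10  # assumption, not a figure from the post


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords: alphabet_size ** length."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits; valid only if each character is chosen uniformly at random."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(space: int, rate: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate at the assumed guess rate."""
    return space / rate


def random_password(length: int, alphabet: str = FULL_SET) -> str:
    """Draw every character from the OS CSPRNG, so the entropy estimate holds."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    rows = [
        ("one English word", 1_000_000, 1),
        ("8 random lower case", 26, 8),
        ("8 random mixed case", 52, 8),
        ("8 random, full set", len(FULL_SET), 8),
        ("10 random, full set", len(FULL_SET), 10),
    ]
    for label, size, length in rows:
        space = keyspace(size, length)
        print(f"{label:22} {space:>28,} {entropy_bits(size, length):5.1f} bits "
              f"{seconds_to_exhaust(space):.3g} s")
    print("sample 10-character password:", random_password(10))
```

At the assumed rate, the eight-character full-set space is exhausted in under a day, while ten characters takes about a decade.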
Copyright © Matthew Wright 2014