IETF’s Stunning Announcement: Emergency Transition to IPv7 Is Necessary!

Frostbite Falls, Minn. (NOTAP) In a brief announcement today that stunned Internet users around the world, the Internet Engineering Technical Force proclaimed the need for an “emergency” transition to a yet to be designed “IP version 7” protocol, capable of dealing with numeric values up to “a full gazillion at a minimum.”

IETF spokesman David Seville explained why this drastic move was considered necessary when the ongoing transition from IPv4 to Internet protocol level IPv6 — the latter with a vast numbering capability — is still far from complete.

“Frankly, we’re just trying to get ahead of the curve, for once in the technology field,” said Mr. Seville. “With the dramatic rise in the number of hate speech and fake news sites around the world — not only originating in the Soviet Uni … I mean, Russia — we can’t risk running out of numbering resources ever again! Everyone deserves to be able to get these numbers, no matter how vile, racist, and sociopathic they may be. We’re already getting complaints regarding software systems that have overflowed available variable ranges simply trying to keep track of Donald Trump’s lies.”

Asked how the IETF planned to finance their outreach regarding this effort, Seville suggested that they were considering buying major ad network impressions on racist fake news sites like Breitbart, where “the most gullible Internet users tend to hang out. If anyone will believe the nonsense we’re peddling, they will!”

In answer to a question regarding the timing of this proposed transition, Seville noted that the IETF planned to follow the GOP’s healthcare leadership style. “We feel that IPv4 and IPv6 should be immediately repealed, and then we can come up with the IPv7 replacement later.” When asked if this might be disruptive to the communications of Internet users around the world, Mr. Seville chuckled “You’re catching on.”

David Seville can be reached directly for more information at his voice phone number: +7 (495) 697-0349.

– – –

–Lauren–

I have consulted to Google, but I am not currently doing so — my opinions expressed here are mine alone.
– – –
The correct term is “Internet” NOT “internet” — please don’t fall into the trap of using the latter. It’s just plain wrong!

My Mock-Up for Labeling Fake News on Google Search

Here is my mock-up of one way to label fake news on Google Search Results Pages, in the style of the Google malware site warnings. The warning label link would go to a help page explaining the methodology of the labeling.

 


Biting the Bullet: It’s Time to Require 2-Factor Verified Logins

For years now, security and privacy professionals — myself included — have been urging the use of 2-factor authentication (aka 2sv, 2-step authentication, 2fa, multiple factor, etc.) systems for logging into Web and other computer-based portals. Regardless of the name, these authentication systems all leverage the same basic principle — to gain access requires “something you know” and “something you have” — broadly defined. (And by the way, the inane and insecure concept of “security questions” doesn’t satisfy the latter category!)

The fundamental point is that these systems require the provision of additional information beyond the traditional username and password pair that have long demonstrated their frail natures as used by most persons.

Even if you don’t engage in notably bad password practices like sharing passwords among sites or choosing laughably weak ones, usernames and passwords alone are incredibly vulnerable to basic phishing attacks that attempt to convince you to enter these credentials into (often very convincing) faked login pages.

The lack of widespread adoption of 2-factor systems has been the gift that keeps on giving to crooks, scam artists, Russian dictators, and a long list of other lowlife scum. The result has been what seems like almost daily reports of system penetrations and data thefts.

Are 2-factor systems foolproof? No. There is a wide range of technologies and methodologies that can be used to implement these systems, and they vary significantly in theoretical and practical security effectiveness. But despite some critics, they all share one thing in common — they’re all much better than just a bare username and password alone!

Choices for 2-factor systems include text messages, automated voice calls, standalone authentication apps and devices, USB/NFC (e.g. FIDO U2F) crypto keys, and even printable key codes. And more.

With all of these choices, why is there comparatively so little uptake of 2-factor systems in the consumer sphere? (In the corporate sphere there has been more, but not nearly enough there either.)

Why don’t most users take advantage of 2-factor systems? There are two primary, interrelated reasons.

First is the psychology of the problem. Most people just don’t believe in their gut that a breach is going to happen to them — they feel it’s always going to be someone else. They just don’t want to “hassle” with anything additional to protect themselves, no matter how frequently we urge the use of 2-factor.

It’s much the same kind of “it won’t be me” reasoning that leads most people to not appropriately back up the data on their home (or often their office) systems.

Of course, once their account is breached or their disk crashes, they suddenly care very deeply about these issues, and people like me get those 3 AM calls where we have to bite our tongues to avoid saying “Well, I told you so.”

However, it would be unfair to blame the users entirely in this context, because — truth be told — many 2-factor implementations suck (that’s a computer science technical term, by the way) and are indeed a genuine hassle to use.

Some require the use of text messages (not everyone has a text message capable phone, as the Social Security Administration learned in their incompetent recent aborted attempt to require 2-factor authentication). Some require that you receive a new authentication token every time you log in (overkill for most ordinary consumers) — rather than remembering that a given device has already been authenticated for a span of time. Some are slow. Some are buggy. Some screw up and lock users out of their accounts.

The bottom line is that a lousy 2-factor system is going to drive users batty.

But that’s not an excuse, because it is possible to do 2-factor in a correct and user-friendly manner, with appropriate choices for consumer and business/organization requirements.
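The point above about remembering that a given device has already been authenticated for a span of time, instead of demanding a new code at every login, can be sketched as follows. This is an added example, not code from the author or from any particular 2-factor product; the function names, the 30-day window, and the signed-cookie format are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import json
import secrets

TRUST_TTL = 30 * 24 * 3600  # assumed policy: remember a device for 30 days


def _mac(key: bytes, payload: bytes) -> str:
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def issue_device_token(key: bytes, user: str, now: float, ttl: int = TRUST_TTL) -> str:
    """Call only right after the user has passed a full 2-factor login."""
    claims = {"user": user, "device": secrets.token_hex(8), "exp": int(now) + ttl}
    payload = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode())
    return payload.decode() + "." + _mac(key, payload)


def read_device_token(key: bytes, token: str):
    """Return the claims dict if the server-side signature checks out, else None."""
    payload, sep, mac = token.partition(".")
    expected = _mac(key, payload.encode())
    if not sep or not hmac.compare_digest(expected.encode(), mac.encode()):
        return None
    return json.loads(base64.urlsafe_b64decode(payload))


def needs_second_factor(key, user, token, now, revoked=frozenset()) -> bool:
    """After the password check succeeds, decide whether to prompt for factor two."""
    claims = read_device_token(key, token) if token else None
    if claims is None:
        return True   # no cookie on this device, or it was altered
    if claims["user"] != user:
        return True   # cookie was issued to a different account
    if now >= claims["exp"]:
        return True   # the trust window has lapsed
    if claims["device"] in revoked:
        return True   # user removed this device from their trusted list
    return False


if __name__ == "__main__":
    key = secrets.token_bytes(32)      # constructed server secret
    t0 = 1_700_000_000                 # constructed login time (Unix seconds)
    cookie = issue_device_token(key, "alice", t0)
    print("next day:", needs_second_factor(key, "alice", cookie, t0 + 86400))
    print("day 31:  ", needs_second_factor(key, "alice", cookie, t0 + 31 * 86400))
    print("new PC:  ", needs_second_factor(key, "alice", None, t0 + 86400))
```

The password is still checked on every login; the token only decides whether the second prompt can be skipped, and any failure falls back to asking for it.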

By far the best 2-factor implementation I know of is Google’s. Their world class privacy/security teams have for years now been deploying 2-factor with the full range of choices and options I noted above. This is the way it should be done.

Yet even Google has to deal with the “it won’t happen to me” mindset syndrome on the part of users.

This is why I am now convinced that at least the major Web firms must begin moving gradually toward the mandatory use of 2-factor methods for users accessing these sites.

Just as responsible websites won’t permit a user to create an account without a password, and many attempt to prevent users from selecting incredibly weak passwords, we must start the process of requiring 2-factor use on a routine basis, both for the protection of users and of the companies that are serving them — and for the protection of society in a broader sense as well. We can no longer permit this to be simply an optional offering that vast numbers of users ignore.

This will indeed be a painful bullet to bite in some important respects. Doing 2-factor properly isn’t cheap, but it isn’t rocket science either. High quality commercial, proprietary, and open source solutions all exist. User education will be critical. There will be some user backlash to be sure. Poor quality 2-factor systems will need to be upgraded on a priority basis before the process of requiring 2-factor use can even begin.

It’s significant work, but if we care about our users (and stockholders!) we can no longer keep kicking this can down the road. 

The sorry state of most user authentication systems that don’t employ 2-factor has been a bonanza for all manner of crooks and hackers, both for the ones “only” seeking financial gain and for the ones seeking to undermine democratic processes. 

The deployment and required use of quality 2-factor systems won’t completely seal the door against these evil forces, but will definitely make their tasks significantly more difficult. 

We can no longer accept anything less.

–Lauren–

Fake News and Google: What Does a Top Google Search Result Really Mean?

Controversy continues to rage over how Holocaust denial sites and related YouTube videos have achieved multiple top and highly-ranked search positions on Google for various forms and permutations of the question “Did the Holocaust really happen?” — and what — if anything — Google intends to ultimately do about these outright, racist lies achieving such search results prominence.

If you’re like most Internet users, you’ve been searching on Google and viewing the resulting pages of blue links for many years now.

But here’s something to ponder that you may not have ever really stopped to think about in depth: What does a top or otherwise high search result on Google really mean?

This turns out to be a remarkably complex issue.

The ranking of search results is arguably the most crucial aspect of core search functionalities. I don’t know the details of how Google’s algorithms make those determinations, and if I did know I couldn’t tell you — this is getting into “crown jewel” territory. This is one of Google’s most important and best kept secrets.

It’s not just important from business and competitive aspects, but also in terms of serving users well.

Google is continually bombarded by folks trying to use all manner of “dirty tricks” to try to boost their search ranks and visibility — in the parlance of the trade, Black Hat SEO (Search Engine Optimization). Not all SEO per se is evil — simply having a well organized site using modern coding practices is essentially a kind of perfectly acceptable and recommended “White Hat” SEO.

But if details of Google’s ranking algorithms were known, it could theoretically help underhanded players use various technical tricks to try to “game” the system to achieve fraudulently high search ranks.

It’s crucial not to confuse search links that are the results of these Google algorithms — technically termed “organic” or “natural” search results — with paid ad links that may appear above those organic results. Google always clearly marks the latter as “Ad” or “Sponsored” and these must always be considered in the context of being paid insertions that are dependent on the advertisers’ continuing ability to pay for them.

Until a relatively few years ago, Google’s organic search results always represented “simply” what Google felt were the “best” or “most relevant” link results for a given user’s query.

But the whole situation became enormously more complex when Google began offering what it deemed to be actual answers to questions posed in some queries, rather than only the familiar set of links.

In simple terms, such answers are typically displayed above (and/or to the right of) the usual search result links. These can come from a wide variety of sources, often related to the top organic search result, with one prominent source being Wikipedia.

Google’s philosophy about this — repeatedly stated publicly — is that if a user is asking a straightforward question and Google knows the straightforward answer, it can make sense to provide that answer directly rather than only the pages of blue links.

This makes an enormous amount of good sense.

Yet it also introduced a massive complication which is at the foundation of the Holocaust denial and other fake news, fake information controversies.

Google Search has earned enormous trust around the world. Users assume that when Google ranks organic results to a query, it does so based on a sound, scientific analysis.

And here’s the absolutely crucial point: It is my belief, based on continuing interactions with Google users and other data I’ve been collecting over an extended period, that most Google users do not commonly differentiate between what Google considers to be “answers” and what Google considers “merely” to be ordinary search result links.

That is, users overall have come to trust Google to such an extent that they assume Google would not respond to a specific question with highly ranked links that are outright lies and falsifications.

Again, Google doesn’t consider all of those to be “specific answers” — Google rather considers the vast majority to be simply the “best” or “most relevant” links based on the internal churning of their algorithm.

Most Google users don’t make this distinction. To them, the highest ranking organic links that appear in response to questions are assumed to likely be the “correct” answers, since they can’t imagine Google knowingly highly ranking fake news or false information in response to such queries.

As Strother Martin’s character “Captain” famously proclaimed in the 1967 film “Cool Hand Luke” – “What we’ve got here is failure to communicate.”

Part of the problem is that Google’s algorithms appear outwardly to be tuned toward topics where specific answers are not controversial. It’s one thing to see a range of user-perceived answers to a question like “What is the best flavor of ice cream?” But when it comes to the truth of the Holocaust for example, there is no room for maneuvering, any more than there is when answering other fact-based questions, such as “Is the moon made of green cheese?”

Many observers are calling for Google to manually eliminate or manually downrank outright lies like the Holocaust denials.

I am unenthusiastic about such approaches. I would much prefer that scalable, automated methods be employed in these contexts whenever possible. Some governments are already proposing false “solutions” that amount to horrific new censorship regimes (that could easily make the existing and terrible EU “Right To Be Forgotten” look like a veritable picnic by comparison).

I would much prefer to see this set of issues resolved via various forms of labeling to indicate highly ranked items that are definitively false (please see: Action Items: What Google, Facebook, and Others Should Be Doing RIGHT NOW About Fake News).

Also important could be explicit notices from Google indicating that they are not endorsing such links in any way and do not represent them as being “correct answers” to the associated queries. A general educational outreach by Google to help users better understand Google’s view of what highly ranked search results actually represent could also potentially be very useful.

As emotionally upsetting as the fake news and fake information situation has become, especially given the prominent rise of violent, racist, often politically motivated lies in this context, there are definitely ways forward out of this current set of dilemmas, so long as both we and the firms involved acknowledge that serious actions are needed and that the status quo is definitely no longer acceptable.

–Lauren–

Administrivia: Observing Google: “Tough Love”

Lately I’ve been receiving a significant spike in email from readers asking various forms of the question:

What is your true stance regarding Google?

In particular, they seem unable to grasp how I can send out one blog post or other item that is significantly critical of some aspect of Google, then another post that is highly complimentary of a different aspect.

I view the question as frankly rather shallow and illogical. One might as well ask “What is your true opinion of life?”

Google is a great firm — a very large company of enormous complexity, operating at the leading edge of technology’s intersection with privacy, security, and one way or another, most other aspects of society.

It would be foolhardy in the extreme to evaluate Google as if it were some sort of monolithic whole (though the true “Google Haters” seem to do exactly that most of the time).

As for myself, when I believe that Google is making a mistake that is causing them to fall short of the high standards of which I feel they’re capable, I explicitly tell them so and I pull no punches in that analysis. When my view is that they’re doing great work (which is overwhelmingly more often the case) it’s my pleasure to say so clearly and explicitly.

If you wish to call this something akin to “tough love” regarding Google on my part, I won’t argue.

Be seeing you.

–Lauren–