Subscriptions and Increasingly Intangible Intangibles: Where Does it Stop?

Without wanting to say too much about my age, I was part of the first generation to play computer games as kids. Yeah [says the guy adopting his Grandpa Simpson voice]: Back then, you bought it and could keep playing it ad nauseam, which included table-top games like Monopoly and console games like Pacman on my Atari 2600.

Well, the least one can say is that those days are gone… far gone. In today’s world, the way software and media are increasingly packaged basically did away not only with physical copies but with perpetual licenses altogether, rather turning everything into something “as a service”.

You want a movie? Blockbuster’s gone, so are most DVDs and Blu-Ray discs, as most everyone turned to the likes of Netflix to watch movies and TV shows. Streaming is now the standard way to go about it. Heck, a friend was recently telling me Disney recently decided to do away with one of their staples and stop selling copies of their movies on DVDs and the like. From now on (or soon anyway), you want to watch a Disney flick, you catch it in theaters or you stream it on Disney+. That’s it.

I think this speaks volumes about what’s been going on with media over the past 20 years or so. With the advent of the Internet, we collectively realized that no one needs to own… anything, really.

In today’s world, that even extends to software, of course. With quite a few companies discontinuing their apps and desktop software, rather opting to provide an equivalent that you can use through a browser, for example, the very concept of buying something that you control, call your own and can decide to keep around (or not) is quickly disappearing, software-wise anyway.

Of course, once you no longer own it, the producer of software can modify it at will, or even discontinue certain whole functionalities, at which point there’s fairly little you can really do about it. You really liked that cross-cell funky calculation function in that online application? Well, too bad, the producer elected to discontinue it, starting… oh yeah… yesterday. Don’t like it? Too bad for you.

Recently, I even saw this pushed one step further, when I realized a computer game I was under the impression I had purchased (ah ah, fool) simply essentially disappeared overnight from STEAM, the widely used gaming platform. Yup, the game editor decided to pull that particular title and, oh yeah, the effect was to essentially prevent those who had “purchased” it (or rather thought they did) from accessing or using it any longer. You liked that game? Too bad, it’s gone.

Heck, I’ve even read about certain car manufacturers abroad “innovating” (see those quotes?), by charging car “buyers” (see ’em again?) a monthly fee for the benefit of certain functionalities in their new vehicles, such as heated seats for $18 a month, etc. Yeah, seems in today’s world, businesses all want in on that subscription model. It’s just too good to pass on, it seems. Anyway, I don’t pretend to be telling anyone anything about this they didn’t already know. Just slightly amusing (if not outright tragic) to realize this is happening and that there is precious little you and I can do about it. It’s just, as they say, the way it goes.

2FA Codes by SMS: the Illusion of Better Security?

Even though two-factor authentication (“2FA”) is great to secure apps and online accounts, it’s not perfect and hacks do remain possible, even when this is available and turned on by a user. That said, by and large, the odds of getting hacked once you turn on 2FA (for an app or a service) drop dramatically. In today’s world, given the ever-increasing number of computer intrusions, anyone not turning on 2FA for all their accounts is playing with fire, even more so for professionals and businesses.

Though users have a role to play, as you generally need to turn this feature on (at least your organization must), a recent article in TechRepublic pointed to the fact that 2FA is often not as strong as users may think, in particular for apps and services for which 2FA allows transmission of 2FA codes by text message (SMS).

By now, most experts agree that allowing users to get their 2FA codes by SMS, as opposed to generating and receiving them by a dedicated utility such as Google Authenticator, is a bad idea. In fact, it seems allowing this greatly reduces the level of security you get when turning on 2FA. Using 2FA with an authenticator app: great! Using 2FA and getting your codes through SMS: not so much.

The issue here lies in certain businesses (including banks!) electing to still allow 2FA by SMS, presumably to avoid annoying certain customers that may find using an authenticator app bothersome. To appease these users, the feature is allowed to endure to this day, thereby potentially endangering the data of all users.

Basically, we should all turn on 2FA on all apps and online services that allow it (most do in today’s age) AND check whether each app/service allows sending codes by SMS. Often, you (or your organization) may be able to deactivate that functionality, thereby requiring codes to be issued by an authenticator app. If an app/service insists on allowing the issuance of 2FA codes by SMS, you may want to look for an alternate product/service. This is especially important if the data accessed through this tool is sensitive or, God forbid, a third party’s, such as client data or personal information of your customers, etc.

Given the ever-increasing legal requirements to adequately protect data hosted by organizations, implementing adequate (I mean really adequate) cybersecurity is becoming everyone’s business. Don’t be content with activating 2FA; make sure it is actually secure and not just “technically” considered 2FA.

Remember: not all 2FA is good enough. If you get your codes by SMS (or can), you may be getting the poor man’s 2FA, thereby putting your data (or that of your clients) at risk.

Cybersecurity 101: Common Sense Can Make All the Difference

The Slaw blog had a good basic post yesterday morning on cybersecurity for law firms. It made me want to share some of their advice, to which I’d add a few of my own and which may apply not only to professionals but also to any type of organization.

As you may notice, a lot of this is basically common sense, as applied in the digital age:

  • Start by asking yourself what type of data your organization handles, and contemplate what problems you may have were it to fall in other hands or become unavailable;
  • Inventory all devices which your organization uses, including in particular those that connect to its systems and/or the Internet and make sure your personnel knows the dangers associated with plugging anything new (for ex., an infected USB stick);
  • Realize that anything you plug into the Internet (i.e. make accessible) may become a point of entry for eventual hackers or infections, in particular any devices that have not been fully updated (including any firmware and software running on it) – make sure all your hardware and software are regularly updated (starting with your router and computers/servers);
  • Stop allowing or using weak passwords and force everyone to use a solid password manager;
  • Better yet, have everyone in the organization access every tool that can be through Two Factor Authentication (2FA);
  • Acknowledge that employees require on-going cybersecurity training and reminders, and actually schedule it so that it does happen, at least every year, including as to things like:
    • The risks associated with using passwords (such as weak or reused ones);
    • Problems which may be triggered by navigating one’s browser to a malicious site or clicking on a link in an email;
    • The dangers of activating, opening or clicking on attachments;
    • The concept of social engineering and its role in many attacks;
  • Know in advance who you will call in case of an incident to investigate or remedy, and make sure your personnel knows what your game plan is;
  • Do not assume you are safe because no one would bother attacking you, as we’re all potential victims of cybersecurity incidents, as anyone can fall victim to an attack without even having been specifically targeted.

With Québec’s passing of a new personal information statute, further to Bill 64, I’d say now’s a good time to brush up on your cybersecurity practices and safeguards!