As Pandemic Deferments Expire, Millions Lose Access to… Their Internet Accounts?!?


‘Keep Americans Connected’ Pandemic Aid Ends June 30th

As potentially millions of people face reduced hours, layoffs, no way to qualify for aid, delayed unemployment checks where they do apply, and are forced to hear talk about “culling our elderly and disabled”, our global phone companies are taking the callous approach of demanding payment. Specifically in the United States, deferment aid is expiring, with phone companies stating that if they do not receive payment by June 30th they are shutting off service. Most of our internet accounts are tied to MFA (disabling it is a security risk), which, without cell phone service and no way to pay, amounts to a death sentence for our online connectivity. This is especially true for those of my fellow security tribal members who rate as paranoid (“aware”) and avoid soft tokens; try googling Duo Mobile Breach to experience the wonders of SEO. For most of us out of work, having our phone service turned off is a game stopper for using email, social networking platforms, or even trying to claim unemployment, submit job applications, and handle the various important employment-related, potentially life-saving communication, school, etc.


Having an Internet Account Usually Requires Physical Cell Phone Service

Thought we were done with the days when the internet required a phone line? That mirage only lasted a few years, with multitudes of companies adopting the exact same MFA solution: cell phone SMS. No big deal. We can improve upon that with soft tokens, forcing millions to hand the handshake of authentication over to third parties. Nothing could ever go wrong! With many utilities and other cellular phone companies demanding sudden payment because the pandemic grace period is ending (today’s PDF of website accounts available upon request) and with no way to pay, millions of people will likely lose service, lose access to their online lives, and be unable to access online accounts due to improper MFA strategies that have been festering for years. By the way, your cell phone company will only keep your number for 30 days after disconnect. Not to mention that those who actually memorize their passwords instead of using a password database will likely forget credentials over time. This is, in part, why I prefer hard tokens, and local password databases instead of online databases that require MFA and other bells and whistles like browser plugins that delete credentials upon removal of the plugin. Safe. Kinda. Using accounts on the internet should never be tied to a requirement for phone service in today’s world; and trust me, most platforms check for and disallow VoIP phones, so don’t be cheeky and think you can pull a Skype move from 2005 and have only a soft phone. What happens to mothers who lose cell phone access and can no longer ensure their children take online classes because of this issue? What about the people who do not have resources, have no support, and have no one else to rely on? Parental aid is not a given for adults, nor should it be expected.


The biggest question I have as a cyber security professional is why a corporation’s service offering, like mobile phone use, is a requirement for internet access. At this stage, given how connected it is to our jobs and our emotional, social, and financial well-being, the internet should be considered a basic human right. At this point in time, the internet is much more than an entertainment offering. Also, ISPs should quit modem crowding. That gets really old. :) For some people vulnerable to illness, online access and phone service are a matter of life and death, because that is how they receive food, how they communicate with the world, and how they gain support from friends and family. Why does it make sense to take that sense of security away from people in times such as this? If anyone needs bailouts right now, it’s the cell phone companies, who need a lot more regulation, or the app developers and corporate execs who choose technology as a service instead of honing that expertise in-house. Could we also perhaps throw in the ability for individuals to monitor, maintain and revoke SIM PINs, and to look up device serial numbers in national databases, to have more control over device spoofing and fraud, since the theft is considered too insignificant to pursue via law enforcement?


Multi-Factor Authentication Evolved from Cracking

MFA is an authentication strategy that factors in:

  1. “Something you have” (hard token key fob, phone, device)
  2. “Something you know” (password, captchas, secret questions, using hashing algorithms that force authentication at an interval like bcrypt, etc.)
  3. “Something you are” (biometrics)


Note that this does not automatically equate to a password plus one other factor. Multi-factor authentication could just as easily be something you have, like an RFID key badge, plus your retina or fingerprint. For the purposes of this article, please understand that in the early days of multi-factor authentication, 2FA was used interchangeably with MFA to describe the same use of the same strategy. Also, in the days when cracking was more common (likely due to algorithms that aided cracking through their speed: SHA1, SHA2, etc.), an older hashing algorithm, bcrypt, was eventually brought back from the dead because of its inherent ability to increment the cost of authentication attempts.


This is also my favorite family reunion story. You’re welcome.


Flawed Design Strategy

In today’s world, many corporate organizations fail to implement MFA properly, sometimes sending a verification code to the very device that is also authenticating to the interface. If an attacker takes control of a machine that is also serving as the “something you have” factor, all that is then needed for authentication is someone’s password, many of which have been exposed recently in data breaches or phishing escapades, which only makes the need for properly implemented MFA more intense. Requiring MFA reduces the risk that an account is compromised, because the required factors are considered failproof when used in combination; however, more and more ‘attack code’ has been released that bypasses MFA altogether. That means that in the future we will likely evolve to use multi-factor authentication in the truest sense, probably depending on a spiderweb of layered identification qualifiers. One of those factors is, and has been, geolocation, but if a box is backdoored that is only a small matter; consider also war driving to gain access to someone’s wireless network and spin up a clone of their entire system, on their network, knowing their credentials, to impersonate their digital identity… oldie but goodie methods of bypassing some of these controls.
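The factor categories listed above and the design flaw described here (a code delivered to the same machine that is logging in) can be expressed as a small policy check. The following is an added example written for this page, not code from the article or from any vendor; the factor names, device identifiers and the `evaluate` policy function are assumptions made for the illustration.

```python
"""
Added example: model the three MFA factor categories and check whether a set
of presented factors is genuine multi-factor authentication, and whether a
possession factor (SMS/push code) lands on the same device that is logging in.
Names, device ids and the policy itself are assumptions for this illustration.
"""
from dataclasses import dataclass, field
from enum import Enum


class Category(Enum):
    KNOWLEDGE = "something you know"    # password, security question
    POSSESSION = "something you have"   # hard token, phone, device
    INHERENCE = "something you are"     # biometrics


@dataclass(frozen=True)
class Factor:
    name: str
    category: Category
    # Device that presents or receives this factor. For an out-of-band code
    # (SMS/push) this is the device the code is delivered to.
    device_id: str
    # True when the factor's secret is held by a third party (soft token vendor).
    third_party: bool = False


@dataclass
class Verdict:
    is_multi_factor: bool
    independent_devices: bool
    third_party_dependencies: list = field(default_factory=list)
    reasons: list = field(default_factory=list)


def evaluate(factors, login_device_id):
    """Return a Verdict for the presented factors against a login device."""
    reasons = []

    # Genuine MFA needs at least two distinct categories; two knowledge
    # factors (password + security question) do not qualify.
    categories = {f.category for f in factors}
    is_mfa = len(categories) >= 2
    if not is_mfa:
        reasons.append("fewer than two distinct factor categories")

    # The flaw described in the article: a possession factor delivered to
    # the machine that is already authenticating collapses to a single
    # factor if that machine is compromised.
    same_device = [f for f in factors
                   if f.category is Category.POSSESSION
                   and f.device_id == login_device_id]
    for f in same_device:
        reasons.append(f"'{f.name}' is delivered to the login device")

    third_party = [f.name for f in factors if f.third_party]
    return Verdict(is_mfa, not same_device, third_party, reasons)


if __name__ == "__main__":
    # Constructed sample: password typed on a laptop, SMS code sent to a phone.
    good = [Factor("password", Category.KNOWLEDGE, "laptop"),
            Factor("sms code", Category.POSSESSION, "phone")]
    # Constructed sample: the code is received on the laptop itself.
    flawed = [Factor("password", Category.KNOWLEDGE, "laptop"),
              Factor("push code", Category.POSSESSION, "laptop", third_party=True)]
    print(evaluate(good, "laptop"))
    print(evaluate(flawed, "laptop"))
```

The verdict separates two questions a reviewer of an authentication design should ask: do the factors come from different categories at all, and does the out-of-band factor actually live out of band.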


Cell Phone Providers Have a Duty to Keep Us Online

Because of the way corporations have designed their authentication platforms, millions of people will likely lose access to their internet accounts on June 30th due to MFA requirements, and it has nothing to do with a lack of cyber hygiene on the part of the end user. It has everything to do with the lack of technical leadership, at scale, that is creative, organized and disciplined enough to adopt adequate solutions for logic failures such as this, unique to their own organizational footprint. Because of this shortfall, mass-implemented MFA solutions require cell phone service (hard phones) to access internet accounts as a “security measure” with soft qualifiers. Soon, millions are going to lose access to their internet accounts, and legislation will likely follow, when in reality proper planning could have prevented this to begin with. The loss of access to internet accounts is fueled by a financial tragedy we have not seen in around 100 years, and by the technical deficit that non-strategic leadership leaves us as a legacy in the United States: adopting wholesale security solutions when maybe the one-size-fits-all t-shirt doesn’t actually fit.


What You Can Do Right Now

Check to see if your cell phone provider is on the following list and remind them of their obligation to keep you connected until the pandemic ends, and it hasn’t ended, by the way. The infection rates are going up, our economy is terribly impacted, and we need to stay online if we are going to fight this.


Prior to getting disconnected, consider using a friend’s phone for MFA, as you will likely need a hard phone to keep your service alive. Most VoIP services are detected and rejected. If you do not have a hard phone to use, update your security questions with random answers that you have recorded locally in a password database, and choose a complex password with appropriate entropy that is unique for each and every account.
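The two pieces of advice here, random security-question answers and a unique high-entropy password per account, can be generated rather than invented. The following is an added example written for this page, not code from the article; the local store is a plain dictionary standing in for a password database, the entropy targets are assumptions, and the account names and questions are constructed sample data.

```python
"""
Added example: generate random security-question answers and a unique
password per account, sized to an entropy target, and record them locally.
The dict `store` stands in for a local password database; the 80-bit and
64-bit targets and the alphabets are assumptions chosen for this illustration.
"""
import math
import secrets
import string

# Password alphabet: letters, digits and a conservative set of symbols.
PASSWORD_ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_=+[]{}:,.?"
# Security-answer alphabet: forms often normalise case and strip symbols,
# so stay with lowercase alphanumerics.
ANSWER_ALPHABET = string.ascii_lowercase + string.digits


def entropy_bits(length, alphabet_size):
    """Entropy, in bits, of a uniformly random string of this length."""
    return length * math.log2(alphabet_size)


def length_for_bits(target_bits, alphabet_size):
    """Smallest length whose uniformly random entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def random_string(alphabet, length):
    # secrets.choice is the CSPRNG-backed selection; random.choice is not.
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_password(target_bits=80):
    return random_string(PASSWORD_ALPHABET,
                         length_for_bits(target_bits, len(PASSWORD_ALPHABET)))


def generate_answer(target_bits=64):
    return random_string(ANSWER_ALPHABET,
                         length_for_bits(target_bits, len(ANSWER_ALPHABET)))


def provision(store, account, questions, target_bits=80):
    """Create a fresh password and one random answer per question for an
    account, save the record in the local store and return it."""
    record = {
        "password": generate_password(target_bits),
        "answers": {q: generate_answer() for q in questions},
    }
    store[account] = record
    return record


def unique_passwords(store):
    """True when no password is shared between two accounts in the store."""
    passwords = [r["password"] for r in store.values()]
    return len(passwords) == len(set(passwords))


if __name__ == "__main__":
    vault = {}  # stands in for a local password database
    questions = ["mother's maiden name", "first pet"]  # constructed sample
    for account in ("mail-example", "bank-example"):   # constructed sample
        provision(vault, account, questions)
    for account, record in vault.items():
        print(account, record)
    print("all passwords unique:", unique_passwords(vault))
```

The point of sizing by entropy rather than by a fixed length is that a 13-character answer from a 36-symbol alphabet carries about 67 bits, which is well beyond anything a "real" answer such as a pet's name provides, and nothing in the record can be guessed from public information about the account holder.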


If your phone ends up getting disconnected: stay calm. Do not panic. All impassable issues are solved with time and stoicism. Be strong; you’re stronger than you think. Pick up a book to satisfy your technology cravings and escape into another world for a while.


Remind Them of the Pledge to ‘Keep Americans Connected’

Make notes of each conversation in a data log: name, extension, employee number, supervisor’s name, call center location, date and time of the call, and a call summary. Remind the call center of any verbal agreements they made in prior phone calls promising to extend pandemic deferments, ask to speak to a supervisor, and ask them to pull the recordings of prior calls to verify the verbal contract. In most states this is a legal requirement they have to adhere to; employee incompetence does not excuse them from their obligation under the law, if applicable. Record a date and time when they will follow up with you, and get their direct line. Remind them that they made a pledge under the ‘Keep Americans Connected’ promise not to disconnect service due to the pandemic. The arbitrary date given for expiry of their pledge (June 30th, 2020) should not matter, as infection rates are increasing at this very moment and many are still financially impacted without a source of income. Also, you will lose access to all of your internet accounts if service is turned off, due to MFA design flaws by interface and application developers that are not the fault of the consumer.


The information will be important once you make a report to the FCC, FTC, BBB, Consumer Financial Protection Bureau, and your State Attorney General (note that all requests are public record, so keep it professional and factual) for breach of contract and fraudulent promises to the consumer.


What Corporations Can Do

  1. Provide better backup account options than a six-digit recovery PIN along with unavailable customer service and terrible chat bots.
  2. Improve the security question process (no answer should ever be real information, and every answer should be unique).
  3. Bad automation will always show patterns. Look for them.
  4. Implement MFA properly, potentially in layered spiderwebs of qualifiers.
  5. Rethink soft tokens due to the ease of compromise and potential mishandling of authentication by third parties. We should encourage inherent security knowledge rather than dependency, especially if we are afraid of insider threat, which should include the vendors of vendors.
  6. Dependency makes you money, but is teaching the consumer to offload complexity to third parties a good thing? Doesn’t it make end users, and ultimately corporations, weaker?
  7. Consider layered MFA rather than geolocation, lowly 2FA, and code bases which can or will be exploited.
  8. Hire true hackers willing to break your traffic data metrics out of curiosity with red wagons filled with cell phones (an example of the creativity we need to see more of).
  9. Stop playing the insurance check box game and hire a true strategist willing to treat your fortress like the unique landscape that it is. Stop hiring the standard fare. Look for people on LinkedIn and in unknown sources that a background check will flesh out. Stop relying on resume keywords. Some of the most brilliant security minds I have ever met (maybe including myself) were a few eggs short of the dozen. :) Personality goes a long way, but in the security world it’s only a nice-to-have. Security stands as checks and balances; diligent, detailed, oppositional personalities are rare resources. Being popular should never be a requirement.

/soapbox off.


I’m avoiding talking about my own woes at this time, but let’s just say I hope things get better soon for all of us. Wishing you well in these times.


Translated from: https://medium.com/infoseconds/as-pandemic-deferments-expire-millions-lose-access-to-their-internet-accounts-372155ecbb15
