Stefan H. Farr, founder of cybersecurity company Identity Plus, is the latest member to join Security Baron’s Expert Network, where he will verify our VPN and password manager reviews.
We sat down with Farr to ask him a few questions about cybersecurity, his career, and how people can stay safe online.
Tell us more about Identity Plus and what kinds of products and services you provide.
Identity Plus was born to try a different approach to cybersecurity: instead of trying to detect and defend against attacks, an approach which is mostly reactive, it enables services to selectively communicate only with devices that are known to be good – effectively eliminating the threat in the first place. Current cybersecurity solutions strive to identify the crime and come up with mechanisms to stop the crime in action.
This mechanism is a function of crime, and it is built on allowing crime to happen – we need crime to identify crime, and whenever the “way to do crime” changes we have a new crime to recognize and defend against. The equivalent would be trying to “bulletproof” everything in reality (theft, robbery, rape – infinite options) knowing full well it is not possible – so they factor in collateral damage, a risk-based approach, I am sure you have heard of it.
Identity-based security would allow us to anonymously flag civil people and treat bad actors or unknown actors with caution, and prevent crime by eliminating the criminal, not the crime. It is still early stage because it is difficult to transpose the concept to current technologies and workflows in such a way as to not disrupt business as usual, but we will get there.
What do you wish more people knew about their online security?
It is interesting you are asking what I want people to know about security, because my intention with Identity Plus is to eliminate the need for people to be security conscious online. If you think about it, in reality, you don’t want to be concerned with your personal security. Of course in a dark alley the thought passes through your head, but on your day to day you need not be concerned with security and that is good.
It would be impossible to live like that, it would be like a war zone where all your creativity and time would go into finding ways to keep yourself and your loved ones safe. It is technology’s duty to provide that to us in cyberspace as well, an Internet where we need not be concerned with security.
Sadly, as of yet it is not the case, so indeed we need to keep a certain online discipline and hygiene to protect our personal, real selves. First of all, I’d like people to understand that no matter what experts say, people are not to blame for cybersecurity, technology is. No matter what we do, we cannot remember complicated passwords, so we will make up simple ones that are easy to crack.
We will inevitably reuse them (because we cannot remember many of them either) and some sites will lose them. Two-factor authentication helps, but it is rather cumbersome to use on a day-to-day basis, so as of yet there is no perfect solution, and experts hide behind the human factor.
Knowing that there is no perfect solution is very important because that drives a certain conduct.
You should have two buckets online: one containing the majority of your sites, where you keep no valuables, and the other, carefully selected sites, those things that are more important. Treat the former one regularly (no extra effort) but go the extra mile with the second group, your secure bucket: separate passwords, complicated ones, and two-factor authentication.
In the low security bucket, make sure that you only keep things that cannot hurt you if they get lost. Of course it is going to be unpleasant to lose things or to have things leaked about you, but if those things cannot hurt you too much it is OK.
People should also understand that some things can really hurt you online. Besides the obvious (having money stolen from a credit card), information about you can really hurt you in the long term. Income information, health records, genetic information, relationships can seriously narrow options in the future – impossibility to get credit, health insurance, a job perhaps. Always carefully weigh the benefits of sharing such information and especially who that information is shared with. When you do share stuff like that, keep those you share such information with in your secure bucket.
Differentiate your social media behavior too. Keep a small pool of friends with whom you share personal information, and use other means to reach the public. It is not complicated: keep Facebook for friends (your actual friends / family in reality – a few tens) and keep LinkedIn and Twitter for the public. Again, only share things with the public that cannot hurt you – in this category I would be cautious with Facebook too, but that is the general idea: try limiting the exposure of important information to the public.
“Nothing is free” is another concept that needs to go deep into people’s brains. A company needs resources to run their services. If they don’t charge YOU for their services, then it is very likely that what they sell is you, to someone else, of course. In real life there are very, very few things that are free, simply because it is very complicated to sell the real you, so if you draw the parallel it will bring out the sad online reality.
When companies talk about privacy and security, take it with a grain of salt. All secure communications as of yet have been shown to be hijackable or hackable. End-to-end encryption is never really end-to-end; someone else has a key. VPNs will not protect your privacy – they do provide a certain “kind” of privacy protection, but generally not the kind people seek (we can talk about this subject in detail, but it is a long story in itself).
Privacy online is a real problem.
Do keep offline backups where possible, especially with two-factor authentication. In some cases it can be difficult to impossible to recover online accounts that are locked with 2FA.
Use virtual credit cards to pay online; there are many options nowadays. If that is not available, have a card for online use only and keep limited amounts on it.
A very important aspect to understand, especially for kids but also for adults, is that over the Internet anybody can be anybody. This kind of misunderstood anonymity is only good for avoiding accountability when performing malicious things. It is practically impossible to employ when you are legitimately using the Internet – once you have logged in anywhere you are trackable – so it only favors the bad guys. But we have it, so we must be conscious of the fact that whenever we use the Internet legitimately we are exposed to those that use it otherwise.
Recently, phishing scams have gotten increasingly more sophisticated, tripping up even tech-savvy users. How can people recognize and prevent phishing scams?
Phishing is a massive problem and a great danger, because it is very difficult, often impossible, to detect. Of course there are clumsy phishing emails which contain obvious signs and are relatively easy to detect – bad language, unfounded promises and the like – but when phishing is well done, even security professionals will fall for it. My guide to phishing is simple and generally effective: when there are stakes, even small ones, double check.
Never take an action on impulse. Look it up, and verify the details. The more details you check, the more difficult it is to get fooled, because the perfect scenario constructed in a perfect phishing email starts to show its cracks. Research and double check. If you know the person, call them on their phone. Never click offer links in emails – I know it is tempting, but it is also very dangerous, especially if it is a shortlink (they are terribly effective in phishing).
If you like the details, select the text and search for it in Google; you are likely to find it in the first lines if it is legitimate. Use web email clients for less secure emails (emails you sign up with everywhere) and stick to the rules for your business emails. You will likely fall for the bait sooner or later, but if you keep these rules you will have a good chance to fend off the danger before it is too late.
What initially got you interested in cybersecurity?
My path into security is not the typical one: kid grows up hacking things, then gets into trouble, then becomes ethical and such. I started my career as a software engineer / computer scientist – working as a developer but with a lot of academic interest in the subject – not so much security, but rather the wider technology: application and networking protocols, architecture, encryption, all in considerable detail.
When I started coding, security was not an issue, at all. Initially there wasn’t even an Internet. Gradually though, as things evolved these concepts started to take root in the technical circles. As a developer, I was relatively security conscious but it was the concept of privacy that drew me nearer to this space.
As a science and technology lover, I tend to look at things in a broad manner – both topologically and temporally – and I found the ambitions and the actions of the likes of Google and Facebook to be extremely dangerous with respect to the future. The smooth manner in which these organizations took dominance over social dynamics seemed akin to the birth of a tyranny – an information driven one. My natural response, as a developer, was to create a social network that was designed from the ground up in such a way that it could not access people’s communication.
The principle behind it was that there were two layers of encryption and the key exchange between parties was conducted over two channels, one of which was outside the network itself. As such, the network could not possibly get hold of one of the keys, thus being able to give 100% assurance that communication was private, even from itself. To this day there isn’t a platform that can guarantee the privacy of communication to that degree. It was a great deal more than what end-to-end encryption means today, which is more like a promise than an actual guarantee. It did not become a success :), it appears that a promise is good enough for people, but the reason why I paused (I have not abandoned the concept, still) was not the difficulty of making it popular.
At the time, I was going through a rough period from a technology perspective. My phone kept displaying dubious ads and I was simply unable to find the cause or fix it. About the same time there were several ransomware victims in my close circle of friends and family, and people were looking at me helplessly to give them a solution. I couldn’t. Having more than 15 years of experience with technology and a pretty thorough understanding of how things worked, for me this was a shockingly unpleasant revelation: there wasn’t a single thing I could do to protect myself or my friends, there wasn’t a tool I could suggest to ease their loss, all I could do was to suggest to them how to prepare for the next time they encounter the same problem. We are sitting ducks. At that moment it became clear to me that this domain was in dire need of contributors and fresh ideas.
Gabe Turner is an attorney and journalist with a passion for home tech and secure, efficient living. Since graduating from NYU Law, he has maintained a paradoxical existence of trying to live life adventurously while remaining staunchly risk-averse. He is torn by the dual desires of wanting to only be in Brooklyn writing about housing policy and smart home tech and aspiring to visit his friends scattered across the globe. Gabe believes that stable, safe communities are the cornerstone to a vibrant and healthy society, and it is this passion that brought him to contribute to Security Baron.