Take my advice: The only safe ID is a fake ID
So says Alex... Graham... Dan...
Something for the Weekend, Sir?
My name is McLeod. Graham McLeod. If you're looking me up in a list, you'll find me under M as "McLeod, Graham".
This is in contrast to "Dabbs, Alistair" – which I understand is now the title of an IT publication. At least it is according to an email I received this week, which began thus:
With Dabbs, Alistair having such a strong focus and interest in news surrounding telecoms, technology and the Internet, please find below the newest announcement for consideration to be published in Dabbs, Alistair.
Ah, good old Merge, Mail.
To come clean, I haven't used any of my McLeod aliases for several years now, otherwise I wouldn't be telling you about them. I invented Graham as an alternative byline to quieten shouty editors when writing for competing computer publications. It also came in handy as a killable identity with which I could sign up to accept junk email in return for downloading free white papers. Ahem.
When I started out on my fabulously successful career as a world-renowned computer journalist – before seeing it comprehensively destroyed by Google's insistence on putting my Register columns at the top of "Dabbs, Alistair" search results – my occasional aliases were predictable and eminently identifiable for what they were. This included classic false bylines such as:
These wore thin pretty quickly as you can imagine. Security experts tell me that making login IDs and passwords unique is no guarantee in itself that they can't be guessed, and my hackneyed aliases were neither original nor unguessable. You know a pseudonym is a failure when it gets automatically concatenated into the nickname philspace397. So I moved on to slightly more elaborate alternative identities such as:
I also abide by a tip passed to me last century which involves delicately misspelling your address details. As long as the house number and postcode are correct, envelopes bearing a homophonic variant of the street name will always be delivered safely. The idea is to help identify the provenance of junk mail and determine whether your details have been sold on to other junk mailers.
In the GDPR age, the equivalent is to create a variety of email aliases for your inbox – a free but mostly unadvertised feature of almost every non-enterprise email system in existence – so that you can trace who is illegally selling your data to whom. For frequent users of social media, this is mandatory.
There may be all sorts of other reasons for wanting to do this beyond simply tracking who's misusing your personal information. You may recall that I routinely inform Starbucks baristas that I am called "Alex" otherwise I have to endure the following examples of relentless emotional abuse:
Often a false name is employed as protection from the trolling hordes. Sometimes it's to separate a professional profile from a silly one*. One of my favourite current examples of the latter is a French sexologist called Dr JP Dranok, who is one of the two public faces (the other being '80s Italian porn star Rocco Siffredi) for a penis enlargement gel marketed under the brand Activ Forte.
DRANOK is an unusual surname by French standards. Is it Scandinavian? Eastern European, perhaps? Well, if you reverse it, you get KONARD… which by amazing coincidence sounds exactly the same as the French word CONNARD.
It rather suggests that anyone spending their money on Activ Forte in the expectation that they'll end up with a pecker of Siffredi proportions is probably a bit of a dranok themselves.
So it comes as a big surprise to almost nobody that a survey earlier this year found that 41 per cent of internet users entering personal information online tend to falsify their details. Wonderfully, only 30 per cent of respondents did so out of security concerns, which means another 11 per cent did so out of sheer unbridled mischief.
I love you, 11 per cent. You are my kind of people.
The state of California is trying to help things along by obliging electronic device manufacturers to stop shipping them with factory-default passwords such as admin, password or 0000. Instead, they must force users to conjure up a new, unique password before allowing them to access the product for the first time.
Manufacturers are being given until 2020 to adhere to the new regulation. This is just as well as it usually takes most users that long to think up a password that conforms to the minimum uppercase + lowercase + number + punctuation + Hebrew emoji requirement.
Cybersecurity experts have piled in to shower praise on California's legal move.
Amit Sethi, senior principal consultant at Synopsys, said: "It is unlikely to make connected devices more secure." Bill Evans, senior director at One Identity, reckoned: "Lazy admins will simply change them back to a standard set of credentials and render the solution moot." Nabil Hannan, managing principal at Synopsys, observed: "As interesting as this is, it unfortunately doesn't solve the problem." And Javvad Malik, security advocate at AlienVault, warned: "There are probably other issues that will come to light in this regard over the years as more and more devices have internet-capabilities built in; so regulation at this stage would seem premature."
So, a winner all round. Well done, California, we're all behind you.
As for me, I have plenty more aliases at my disposal. In the event that you are required to prune a mailing list or check dubious user IDs, I apologise in advance. The next time you come across Janus, Hugh or Scrotum, Harry or even Gleeballs, Dan... you'll know it's me.
* Oh how I wish I'd begun writing these Friday columns as one of the McLeod siblings; instead, I am forced to hide my serious writing behind aliases.