Authority and Compliance

Last week I was at one of my favorite retail stores, MicroCenter. I had scrambled the time in my mind and accidentally left an hour early to see the refugee family I volunteer with, so I decided to make use of my extra hour by stopping along the way. The family later cancelled with me, citing last minute plans, and apologized, but it was fine as I was able to pick up the latest copy of 2600.

2600 is known as the hacker quarterly, and features some really good essays on security, freedom, how to own poorly configured wireless routers, and news on various telecom topics. This part is fun because historically, computer and telephone networks are very closely related, but the connection is largely ignored in an era where computer history is deemed uninteresting.

I am somewhat of a suspicious person. I am mindful that Amazon has a record of everything I have ever purchased through them. And after I had applied for 20+ jobs out of college, I later went back and modified all of my data (since there is almost never an option to delete your account) so that my SSN and other personal details would never reach the public if a data breach occurred at those companies or application services.

So what I found so impressive is that MicroCenter has absolutely mastered getting additional data from their customers. Their techniques are not original, but they are damn effective.

When you go through a checkout line, at any store, the cashier sits behind the checkout register. It is an area you are not allowed into, a sensitive area where the register sits, and the table between the two of you is the domain of the financial transaction. However, it is not a transaction of equals because you are on their property, you are making purchases from them, and the transaction is guarded by law. When the cashier says you owe x amount, you pay x amount or you adjust what you are purchasing. In other words, the cashier is the authority, a representative of the property owner, and, typically, the adjudicator of the financial transaction.

My default when asked a question by the cashier is to comply. Why? Well, I’ll leave the gritty details to psychologists, but in my mind, I immediately assume they are asking a question out of the authority of their seat. If they are asking for information, I assume it is because they require that information as a condition of the financial transaction. After all, that is what they adjudicate. When cashiers ask for zip codes or phone numbers, as commonly occurs in other stores, too, I immediately, blindly provide that information, despite the fact that this information has absolutely nothing to do with the financial transaction.

MicroCenter always asks if you are a returning customer. If you say you are not, they begin asking for address details. If you say that you are, they ask for a detail that they can use to look you up in their system, such as phone number or address or name. Either way, the goal is to always, always associate your personal data with the transaction. For large electronic purchases, they claim it is for the warranty, although I am skeptical that this is actually necessary. I’d probably have to read the fine print on a warranty receipt or talk to a good lawyer who knows.

But on this day, I wasn’t buying any electronics. I was buying a small magazine. At the counter, I was immediately asked if I had purchased anything there before. I said yes, and the cashier proceeded to ask my name or address (I can’t remember exactly which). Notice that they never ask if you would like to provide the information, as this would imply that it is optional and would likely decrease their chances of getting it. They simply ask for the information, giving it the illusion of being mandatory. I immediately replied, “Oh, I won’t bother with that,” indicating I didn’t want to be looked up, and the cashier gently complied. I paid in cash.

Does that not make you sick? The authority of the cashier is limited, but these companies rely on the perception of authority to garner additional information from you. I can only imagine how much this actually happens in society, but even as a security-conscious individual, I still give in a lot. It’s slick marketing, that’s for sure. MicroCenter likes to send advertisements to you shortly after you’ve made a purchase and it’s been a while since your previous purchase. Getting additional information from you is clearly policy, too, as I don’t believe I have ever not been asked for additional details to bring up my record. What if I don’t want my purchase history associated with the “account” I never agreed to set up? Well, they’ll never ask me about that. They will just make it sound mandatory. Who knows what they do with that information? Quite frankly, I’ve always wondered if an inventory item’s MAC address can be traced to the bank account the item was purchased with. That’s paranoia talking, but I’ve worked with databases and I know what they are capable of.

Anyway, you get the idea. Fight the power, stay vigilant, fight for your rights, etc., etc. If I come across similar situations, I’ll be sure to record them here and provide some comments.

The Joys of Wireshark

Last night I decided I wanted to see what might appear over my network if I booted two of my computers up and started surfing the web. I hadn’t touched Wireshark in ages, but as I have recently committed myself to Information Security, I thought I would let my curiosities run wild.

My router, a Century Link ZyXEL, is currently configured to allocate IP addresses statically, but I hadn’t checked which addresses were assigned to my devices. I logged into the router, stopped my capture session, and sure enough I found the admin username and password in plaintext in the HTTP POST call.

This makes sense since you aren’t typically accessing a router from outside your network, and it also makes sense because you need to set the router up before you have an internet connection. The device needs to work without access to a certificate authority. What I do find very interesting, however, is that somewhere, somehow, the router is running a web server, which is the primary interface for configuration. Is there even a way to force a secure connection over http without an external certificate authority for https?
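A small added check in the spirit of this capture (example code written for this page, not the author’s Wireshark session or anything shipped by the router vendor): it parses one raw HTTP request and reports which form fields, or a Basic auth header, carry credentials over unencrypted HTTP, so you can audit your own devices’ management traffic without eyeballing every packet. The request bytes, host, path and field names are constructed placeholders, and only field names are reported, never the values.

```python
import re
from urllib.parse import parse_qs

# Constructed sample of a plaintext router-admin login request, modelled on the
# kind of HTTP POST described above. Not a real capture: the host, path, field
# names and value are made-up placeholders.
SAMPLE_REQUEST = (
    b"POST /login.cgi HTTP/1.1\r\n"
    b"Host: 192.168.0.1\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 33\r\n"
    b"\r\n"
    b"username=admin&password=hunter2xx"
)

# Field names that usually carry a secret (assumption: adjust for your devices).
CREDENTIAL_FIELDS = re.compile(r"(pass|pwd|secret|token)", re.IGNORECASE)


def parse_http_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, path, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def find_cleartext_credentials(raw: bytes):
    """Return the names of credential carriers found in an unencrypted request.

    Because the bytes were readable at all, the request was not TLS-protected;
    anything flagged here crossed the wire in the clear.
    """
    method, _path, headers, body = parse_http_request(raw)
    hits = []
    # HTTP Basic auth is only base64-encoded, not encrypted: flag it as well.
    if headers.get("authorization", "").lower().startswith("basic "):
        hits.append("Authorization: Basic")
    ctype = headers.get("content-type", "")
    if method == "POST" and "application/x-www-form-urlencoded" in ctype:
        fields = parse_qs(body.decode("latin-1"), keep_blank_values=True)
        hits.extend(sorted(n for n in fields if CREDENTIAL_FIELDS.search(n)))
    return hits


if __name__ == "__main__":
    print("credential fields sent over plaintext HTTP:",
          find_cleartext_credentials(SAMPLE_REQUEST) or "none")
```

Feed it the bytes of a request reassembled from a capture of your own LAN (Wireshark’s “Follow TCP Stream” gives you exactly that) to confirm whether a device’s admin login is protected before you rely on it.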

I can imagine any number of social engineering attempts at coffee shops where I could ask a savvy owner or manager to check the connection because “the wifi isn’t working for me”. One simple login from the owner/manager and the entire network could be compromised. Not that coffee shop wifi is secure anyway.

Since I am surrounded by XfinityWifi routers in my apartment, I wonder too whether the actual Xfinity logins are encrypted, though I don’t believe I have ever seen an Xfinity router that was. I’m going to assume that the logins are encrypted, but I am rather curious.