Analyzing the OneLogin hack

On June 2, OneLogin reported that hackers had gained access to their data – possibly including the keys to encrypted data. OneLogin is a password manager product that allows users to store their passwords in a single location, needing only to remember the single master password for OneLogin.

This situation perfectly exemplifies two issues we’ve already covered: security is not a product, and security is a matter of internal ordering and self-perfection.

Services like OneLogin, among others, offer security as a product. In this case that product is password retrieval along with secure storage. The first element is an issue of user convenience, especially when the number of passwords keeps growing, and good password awareness requires that the passwords be complex and not shared between various logins. The second element, and the crucial one for our analysis, is the security of the password storage.

Reliance on security products, even in this tertiary way,[1] has resulted in a behavior antithetical to the notion of securing access by reliance on passwords and encryption. No longer does a hacker need to break into a particular account; they can break into the third-party service that secures tens of thousands of customer accounts, each of which is linked to multiple further accounts. Instead of making the hack more difficult, the hack has been made easier. We see the same problem with the recent ransom tactics for movies, where the hackers gain access to the film by hacking a third party, perhaps a CGI processing facility, where security is weak and where a single access point gains access to multiple targets – instead of hacking each film individually.

This leads us back to the question of how security ought to be. As per the classic Chinese model, security is primarily a matter of internal ordering, of self-perfection – and is not to be found outside of one’s own state or organization. The outsourcing of security is precisely what Xunzi, Han Feizi and Machiavelli argued so strongly against: one cannot make up for internal disorder by paying someone else to be orderly on one’s behalf.

Given that OneLogin and other similar products do not provide a crucial service, one would expect that the use of such services will swiftly be prohibited to employees of major organizations – if it is not already. One would also hope for exceedingly harsh penalties against anyone who compromises security in such a way.

While many will focus on the security failure of OneLogin, that failure is inconsequential in the long term. The real security failure happened when individuals outsourced their security to a third party – assuming that somehow, through the use of a magic box, the security of the third party can’t be compromised. This belief reflects a combination of security illiteracy and a failure to engage a modicum of thought when considering the services provided. If these services truly were hacker-proof, why in the world are they not running the security for your organization or the US government? If Manning and Snowden could walk out with secrets from the US government, what stops a disgruntled employee from walking off with OneLogin information?

For the moment, the prevalence of magic-box ideology continues to pose a severe threat to the security of individuals and organizations alike.

[1] Not security, not login security, but access to login information for login security.