Because of Bart I know I have a much better understanding of security and what I can do to keep myself more secure. My father-in-law, Ken, is one of my heroes, and he’s just as security conscious, if not more. You may remember him from the video, “Octogenarian Talks 1Password”. If you haven’t seen it, I put a link in the shownotes, it’s well worth watching and sharing with folks who think they’re too old to use a password manager.
This week he decided to take on Vanguard, the investment company. You see, they do these great webinars, but they deliver them in Flash. He’s been paying attention to Steve and me when we advise him, and he knows we purposely did not install Flash on his computer when we did a recent hardware upgrade for him.
He decided to take on Vanguard, the largest mutual fund company in the country. He started by writing to them and explaining that he was simply not going to put Flash on his newest computer, because he understood that it has a reputation for being compromised or hacked. A representative wrote back to him and said this:
After checking with our support team, Flash is the only format for viewing our webcasts. The alternative would be to use a non-Apple device, unless Apple has their own version of Flash player.
When Ken sent me this, I respectfully suggested that this guy didn’t know what he was talking about. I gave Ken a bit more ammunition for his quest. I sent him an excerpt from Wikipedia on Adobe Flash Security. The main point of the excerpt, which is linked to in the show notes, is that while Apple started the march to stamp out Flash back in 2010 when Steve Jobs said he wouldn’t put it on the iPhone, it also lists other companies and security researchers who recommend against Flash and how only 7-10 percent of websites still use it.
Ken took a screenshot of the text from Wikipedia and embedded it in this glorious letter. With permission, I give you Ken’s letter back to the representative at Vanguard:
Thanks for your email response on 2/17/17 to my request for help downloading Vanguard webcasts on Flash Player.
However, based on the on the information in the paragraph below I believe Vanguard should change their webcast provider to another.
Please, forward this email on to the manager of Vanguard’s Tech Division to consider a change. Currently I cannot view Vanguard’s webcasts for security reasons.
I look forward to Vanguard management’s response to my suggestion. Should I write directly to Vanguard CEO with my suggestion?
I love everything about this letter. It’s firm and yet polite and lets them know that he will indeed write to the CEO of necessary. He may not have immediate success in this quest, but I wanted to read it to you as inspiration to push companies to do better. In fact, if you use Vanguard for your investments, maybe you want to start pushing them yourself.
I have an anecdote of my own to add to the story. 2 years ago when we started with our current tax accountant, he used a service called ShareFile. ShareFile is owned by Citrix and it’s designed to allow you to securely share documents. I love that my tax guy uses ShareFile because it means I don’t have to drive to Los Angeles or mail my tax forms in with an envelope and a stamp like an animal.
The only problem was that there was no way to log OUT of ShareFile. I mentioned it to our tax guy the first year but nothing changed. The second year, I had the same problem. Then I noticed that if I hovered in the upper right of the window (where it was all white), my cursor changed from an arrow to a hand. On a lark, I clicked when it was a hand, and sure enough I had found a secret logout button. Many companies brand tools to look consistent with their own web page design. Our tax guy’s company had done just that and in doing so they had accidentally hidden the logout button, or possibly the branding had changed it to white on white text.
Fast forward to this year, and again there’s no logout button. I decided o run it up the flagpole yet again. I took screenshots, and drew a giant red arrow going from the hidden location down to the lower left status bar showing their URL and the words “/Auth/Logout” at the end. I imported him for the security of his own customers to send the image to his web master, that it would surely be a 30 second text edit to fix.
That was at noon on Tuesday, and by 3pm on Wednesday he wrote back announcing it was fixed, AND thanking me for bringing it to their attention. And get this – there were three OTHER buttons we couldn’t see. There’s Search, Apps and Help. Who knew!
The bottom line of the public service announcement is to push back when you see companies you pay doing silly things with their security. Don’t accept things as they are. Demand they get fixed like Ken and I do.