Georgia: In the “Better Late than Never” Category…

Seven years and six months into his administration, President Bush seems to have realized that Vladamir Putin isn’t always such a nice guy.  The Wall Street Journal reported today that the administration is putting all bilateral contacts with Russia under review.  This occurred after a near face-off between a Coast Guard cutter and the Russian navy.  As I have written previously, we are at least in part to blame for the fiasco in Georgia, and so this can be seen as corrective at best, and palliative at worst.  Just like his father, had President Bush sent strong messages (perhaps with soldiers) before the invasion, perhaps there never would have been one to begin with.

This was a win/win/win for Russia.  They managed to demonstrate to the west and elsewhere that they will have their views taken seriously, they invaded the portion of a neighbor that has many Russians, and they may well have destabilized alternative energy transmission paths that the U.S. proposed, demonstrating the old axiom that all war is over wealth.

President Clinton reminded us at the Democratic National Convention this week that we as a nation cannot go it alone, that it is not in our best interest to go it alone, and that cooperation amongst nations is best for the United States.  I am glad we are standing by Georgia, even if it is very late, and I hope that other countries will send stronger messages than they have until now.  I am referring in particular to Germany and France.

Beware Best Western

The customers of Best Western are the latest to have their identities stolen.  As the article goes on to say, the crime gangs are going to have a field day with such live and valuable information that included credit card numbers and home addresses.  There’s a clear lesson here in authorization: nobody needs to have access to the aggregate data that Best Western had.  It might be necessary to modify one or two reservations at once.  Perhaps it might even be necessary to know how much of a block is sold.  But the whole kitten caboodle?  Nobody needs that information.  Here are some protections Best Western could have taken:

  • Apply specific encryption of the credit card information and compartmentalize the use of any decryption key.  Hotels have need to retain credit card information in order to guarantee bookings.  Encrypting credit card data is nowhere near a perfect solution because there is relatively little clear text information and some of that can be guessed, like the first four digits.
  • Encrypt all backups and protect the decryption keys so that multilevel authorization is required to access them.  Many backups are stolen.  If they are stolen no encryption is perfect and so notification is necessary, but with encryption those whose information is stolen can take action, like have a house sitter or change credit card numbers.
  • Employ intrusion detection within the database.  When a specific user acts outside a profile, flag it and see what is going on.

In perhaps a more perfect world a separate identity provider could retain identifying characteristics of an individual such as address and credit card number.  Commerce likes some of this information because they can market to you, and absent legislation they have very little motivation to protect the information.

Another TSA Moron Story

We interrupt this serious consideration of our future presidents with Yet Another story of a stupid (and yet unnamed) TSA employee.  In this case, an inspector attempted to break into planes on the tarmac.  According to one report, the inspector “breached” seven out of nine planes.  But in process he may have damaged sensitive avionics.  This caused a delay O’Hare International Airport while the airline took corrective measures.  This was stupid but not tragic because nobody was hurt– this time.  It could have been both stupid and tragic had the inspector touched something he shouldn’t have, broken something, and contributed to the loss of life.  Wouldn’t that have been rich?

The really stupid part is that it is not a secret that the overwhelming majority of effort to secure airplanes on the tarmac is devoted to keeping the wrong people off of the tarmac in the first place.  That is largely not the responsibility of the airline, but that of the airport and the TSA.  Once the inspector was on the tarmac and unsupervised, the game should have ended.  It didn’t.

Why Extradition of Hackers Is Important

Each day we hear about different forms of fraud and theft on the Internet.  Someone in America gets phished from a computer in the UK that is controlled by another computer in Switzerland, that is controlled by an individual in Italy, and their bank account emptied to a mule in America, and the money ends up with some gang in Russia.

Even if you found the individual in Italy you have to answer this question: where was the crime committed?  The Convention on Cybercrime of the Council of Europe addresses this very question, and fosters cooperation amongst  cooperating societies.  Extradition is so rare that it is worth pointing out when it happens.  On the 30th of July a UK Court refused to block extradition to someone who is accused of having caused many hundreds of thousands of dollars to US government systems.  While in this case the government was a victim, something that happens all too often, far more often it’s individuals who are harmed.  In this case the person sounds a bit disturbed. Let’s hope that next time they extradite people who do this sort of thing to make money, and demonstrate to them that it is not worth the risk.

Because the risk of getting caught is so small, this is an instant where the penalties should be very high when intent on theft, fraud, or disruption of services is clearly evident.

Off to Dublin (well sort of)!

Today, the Internet Engineering Task Force begins its 72nd in person meeting.  The IETF as it is known is a standards organization that primarily focuses on, well, the Internet.  The work done in this body has included Multimedia Internet Mail Extensions, Internet Calendaring, Voice over IP, and many others.  Not all work done by the IETF has worked out.  An effort I worked on some time ago weeded out the stuff that either was never used or is no longer used.  One of the key areas that any standards organization struggles with is how much potentially useful stuff to let through versus sure bets.  Sure bets are those things where a necessary improvement or change is obvious to a casual observer.  The people who make those changes are not the ones with imagination.

It’s the people who use their imaginations who make the bucks.  Always has been.  The problem is that there are a lot of people who may have good imaginations, but are unable to convert a good idea into something that can be broadly adopted.  This is a problem for a standards organization because each standard takes time and effort to develop, and each failed standard diminishes confidence in the organization’s overall ability to produce good stuff.

On the whole the IETF has done demonstrably well, as demonstrated by the vast amount of money organizations have poured into personal attendance at the in person conferences, even though no attendance is required to participate.

This summer’s conference is being held in Dublin City West at a golf resort, a bit away from the major attractions.  There are two benefit of this: first the cost isn’t absolutely outrageous.  Second, if people know they the attractions are a bit far off, then fewer tourists will come.  I actually don’t mind the idea of an IETF in Buffalo in the winter, but I may be taking things a bit too far.

Among the many discussions that will take place at this conference include one about what to do about email whose domain cannot be ascertained to have authorized its release.  The standard in question that identifies email is called Domain Keys Identified Mail (DKIM), and is relatively new.  What to do, however, when DKIM is not employed or if the signature sent is broken in some way?  This is the province of a work called Author Domain Sender Policies (ADSP).  The specification provides a means for sending domains to communicate their intentions.  After a year of arguments we hope to have a standard.  Whether it proves useful or not will only be shown by the test of time.