Does Facebook Getting Money from a Spammer help?

As many will have seen, Facebook won a court judgment today for $711 million from well-known spammer Sanford Wallace.  It’s always nice when a spammer gets told “stop that”, but as bad as some people might think Wallace is, he is a walk in the park compared to the real villains out there.  They are faceless, nameless thugs who want to steal your money, your identity, and whatever else they think they can take from you and your family.  They have no scruples and cannot be easily traced.  The occasional bust makes the news across the world, which is one way of knowing that these miscreants are hard to find.  The other way is that your mailbox is still collecting spam, some of it dangerous.

Ole asks a great question

[not unusual for Ole, by the way.]

Why does security have to be so complicated?

Now knowing Ole as I do, this is of course rhetorical, but it does remind me of two conversations I’ve had.  One was a long time ago.  A friend of mine was part of a cable start-up team.  Some of you will know who this was.  He showed up at a conference with his big financial backer, and then told me, “Eliot, I’ve created the perfect parental control system.”

My response was simply, “Are you now – are you now or have you ever been a child?”  Nearly any child who is motivated enough will get around just about any parental block.  Kids are smart.

The same is largely true with security.  A former boss of mine once put it succinctly: it’s either sex or money that motivates people, and the bad guys tend to use the former to get the latter.  A great example is the miscreants who give away free porn in exchange for having people type in CAPTCHA text, so they can get around some site’s security.  I think it’s a little more than just those two motivations, but the point is that computers didn’t create crime.  Crime has existed since Eve gave Adam the apple.  The Facebook scam occurs every day in the physical world without computers, when the elderly are taken advantage of in person.  Computers simply provide a new attack vector for the same types of crimes.

Bad guys are as smart as good guys, but their best is probably no better than our best.

Financial Institutions and Passwords

You would think that financial institutions would want individuals to choose really strong passwords that are difficult to guess.  But in at least one very big case, you would be wrong.  What makes a strong password?  Several things:

  • A lot of characters.  The more the merrier.  The only limitation on this is that you have to remember all of that.
  • A lot of randomness.  That is, words in a dictionary are bad, because attackers will often go through dictionaries to attempt to guess passwords.
  • Characters that are not letters or numbers.  This increases the search space, given a certain sized password.

Now let’s review the actual guidance given by a very popular broker:

Your new password must:

  • Include 6-8 characters AND numbers
  • Include at least one number BETWEEN the first and last characters
  • Contain no symbols (!,%,# etc.)
  • Cannot match or be a subset of your Login ID

Examples of valid passwords: kev6in, 2be111, wil1iam

In other words, they’re violating two very big rules.  The 6-8 character rule means that they are limiting the search space, and people cannot put together phrases, which are actually easier to remember than passwords.  Removal of symbols from the search space makes it easier for attackers to perform a dictionary attack.
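To make the effect of those rules concrete, here is a small added example (mine, not the broker’s code or anything from the page) that encodes the four quoted rules as a checker and then counts how many passwords the policy can possibly accept.  Two things are assumptions: that passwords are lowercase-only (the broker’s examples are all lowercase and the rules say nothing about case), and that “subset of your Login ID” means “appears as a substring of the Login ID”.

```python
import math
import string

# Alphabet for the broker's policy.  Lowercase-only is an assumption: the
# page's examples (kev6in, 2be111, wil1iam) are all lowercase and the rules
# say nothing about case.
LETTERS = set(string.ascii_lowercase)
DIGITS = set(string.digits)


def broker_policy_violations(password: str, login_id: str) -> list:
    """Return the broker rules that `password` breaks; an empty list means accepted."""
    problems = []
    if not 6 <= len(password) <= 8:
        problems.append("must be 6-8 characters")
    if not all(ch in LETTERS or ch in DIGITS for ch in password):
        problems.append("must contain no symbols")
    if not any(ch in DIGITS for ch in password[1:-1]):
        problems.append("must have a number between the first and last characters")
    # "match or be a subset of your Login ID" is read here (an assumption) as:
    # the password appears as a substring of the login ID; an equal string is
    # also a substring, so both cases are caught by one test.
    if password and password in login_id:
        problems.append("must not match or be a subset of the login ID")
    return problems


def broker_keyspace() -> int:
    """Count every string the first three rules accept (login-ID rule ignored).

    For each length n in 6..8 over the 36-symbol alphabet, start from 36**n and
    subtract the strings whose n-2 middle positions are all letters, since those
    fail the 'number between first and last' rule.
    """
    alphabet, letters = 36, 26
    return sum(alphabet ** n - alphabet ** 2 * letters ** (n - 2) for n in range(6, 9))


def printable_keyspace(length: int) -> int:
    """Keyspace of `length` characters drawn from the 95 printable ASCII
    characters (letters, digits and symbols), for comparison."""
    return 95 ** length


def keyspace_bits(size: int) -> float:
    """Express a search-space size as bits (log2), the usual way to compare them."""
    return math.log2(size)


if __name__ == "__main__":
    # Constructed sample inputs: the page's three examples plus two that fail.
    for pw in ("kev6in", "2be111", "wil1iam", "tr0ub!e", "my pass phrase"):
        print(f"{pw!r:18} -> {broker_policy_violations(pw, 'someone') or 'accepted'}")
    print(f"broker policy keyspace:  2^{keyspace_bits(broker_keyspace()):.1f}")
    print(f"12 printable characters: 2^{keyspace_bits(printable_keyspace(12)):.1f}")
```

The checker accepts exactly the three passwords the broker lists as valid, and the count shows the whole policy admits roughly 2^41 passwords, against about 2^79 for a 12-character password that may use symbols; that gap is the cost of the two rules the post calls out.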

This site is not alone.  Many sites have the same problem, and it is likely a problem with what their security professionals think is the industry standard.  Well, it’s a bad standard.  Who takes on the risk?  In the brokerage world, the chances are that you are assuming at least some risk.

Can The Industry Stop break-ins on Facebook?

After my last post, a reasonable question is whether we in the industry have been goofing off on the job.  After all, how could it be that someone got their account broken into?  Everyone knows that passwords are a weak form of authentication.  Most enterprises won’t allow it for employee access, and we would string a bank CSO up by his or her toenails if a bank only used passwords to access your information.  They use, at a bare minimum, RSA one-time password tokens or perhaps smart cards.  So why are the rules different for Facebook?

They would say, I’m sure, that they do not hold the keys to your financial data.  Only that may not be true.  Have you entered credit card details into Facebook?  Then in that case maybe they do hold the keys to your financial data.  And even if you haven’t entered any financial data into Facebook, are you using the same password for Facebook that you are for your financial institution?  Many people are, and that is the problem.

Passwords have become, for want of a better term, an attractive nuisance.  It’s not that the concept itself is terrible, but they are increasingly difficult to secure, as the number of accounts that people hold continues to skyrocket.  Yes, the problem is getting worse, not better.  My favorite example is the latest update to the Wall Street Journal iPhone app, where the upgrade description says, “Application Enhancements to Add Free Registration & the Ability for Subscribers and Users to Login”.  What a lovely enhancement.  Right up there with enhancing the keyboard I am typing on to give me electric shocks.

Facebook is at least making a feeble attempt to get around this problem by offering OpenID access in some limited way (I tried using it from this site, and FB is broken, even though I can get into all sorts of other sites, including LiveJournal).  Still, it probably works for you if you are a Google, Yahoo!, or MySpace user, but for better or worse those sites themselves do not accept OpenID.  (The better part is that no one can simply break into one account and gain access to all of these other sites.  The worse part is that if you have some other OpenID, you can’t use it with these sites.)

OpenID has lots of problems, the biggest of which is that there is no standard privileged interface to the user.  This is something that Google, Yahoo!, and MySpace might actually like, because it means that they provide the interface they want to provide.  Unfortunately, programs, or more precisely the authors of programs, might find that a little irritating, since OpenID is so closely tied to the web that it is difficult to use for other applications (like email).

SAML and Higgins to the rescue?  OAUTH?  Blech.

Should I renew the WSJ?

I have enjoyed the Wall Street Journal online edition for many years.  Their reporting was poignant, accurate, and generally kept within the scope of how a particular effort would have some economic impact on peoples’ lives.  There weren’t excessive numbers of fluffy stories, and the right wing bent of the editors was largely kept to the editorial page.  The web site itself wasn’t flashy (pun intended), and gave me a pretty good understanding of the important events of the day.

Seemingly with the takeover by the News Corporation, however, the web site has taken a turn for the worse.  With more Flash, more video, and more interactive graphics, it has become hard to actually find the news stories.  With me reading less and less, I wonder, therefore, why I should pay more and more.  The price of the Online Journal this year is going up by a honking 50%.

With the former editor of the Wall Street Journal under the previous ownership now at the Washington Post, I wonder if I should read that web site instead.  And so my question to you: what is your primary news source?  And what is your primary online news source in print?  Aside from the WSJ, I also read the New York Times and Google News.  Of course, one can always count on CNN for the “Man bites dog” stories…