How Much Do You Value Privacy?

People in my company travel a lot, and they like to have their itineraries easily accessible.  My wife wants to know when and where I will be, and that’s not at all unreasonable.  So, how best to process and share that information?  There are now several services that attempt to help you manage it.  One of those services, TripIt.Com, will take an email message as input, organize your itinerary, generate appropriate calendar events, and share that information with those you authorize.

The service is based in the U.S., and might actually share information with those you do not authorize, to market something to you- or worse.  If the information is stolen, as was the case with travel information from a hotel we discussed recently, it can be resold to burglars who know when you’re way.  That can be particularly nasty if in fact only you are away, and the rest of your family is not.

But before we panic and refuse to let any of this information out, one should ask just how secure that information is.  As it happens, travel itineraries are some of the least secure pieces of information you can possibly have.  All a thief really needs is an old ticket stub that has one’s frequent flyer number, and we’re off to the races.  In one case, it was shown that with this information a thief could even book a ticket for someone else.

So how, then, do we evaluate the risk of using a service like TripIt? First of all, TripIt does not use any form of encryption or certificate trust chain to verify their identity.  That means that all of your itinerary details go over the network in the clear.  But as it turns out, you’ve probably already transmitted all of your details in the clear to them by sending the itinerary in email.  Having had a quick look at their mail servers, they do not in fact verify their server identities through the use of STARTTLS, not that you as a user can easily determine this in advance.

Some people might have stopped now, but others have more tolerance for risk.

Perhaps a bigger problem with TripIt is that neither its password change page nor its login page make use of SSL.  That means that when enter your your password, the text of that password goes over the network in the clear, for all to see.  It also means that you cannot be sure that the server on the other end is actually that of TripIt.  To me this is a remarkable oversight.

For all of these concerns, you still get the ability to generate an iCal calendar subscription as well as the ability to share all of this information with friends and family.  Is it worth it?  One answer is that it depends on whether you actually want to enter the information yourself, whether you care about security concerns, and whether you like using calendaring clients.  It also depends on what other services are available.

Another service that is available is Dopplr.  It also attempts to be a social networking site, not unlike Linked In.  Dopplr allows you to share you itineraries with other people, tells you about their upcoming trips (if they’re sharing with you), and it lets you create an iCal subscription.

Dopplr also has some security problems, in that they do not use SSL to protect your password.  They also do not use SSL for their main pages.  They do, however, support OpenId, an attempt to do away with site passwords entirely.  I’ll say more about OpenId in the future, but for now I’ll state simply that just because something is new does not make it better.  It may be better or worse.

And so there you have it.  Two services, both with very similar offerings, and both with almost the same privacy risks.  One of them, by the way, could distinguish themselves by improving their privacy offering.  That would certainly win more of my business.

[del.icio.us] [Digg] [Facebook] [Reddit] [Twitter]

Social Contracts on Internet Security

Everyone and I mean EVERYONE tells you that the best thing you can do for yourself and others if you have a Windows system on the Internet is to run anti-virus software, and keep your patches current.  Otherwise your system can be a nuisance to others, as it is broken into and used as a bot to attack others.

That doesn’t work so well when the anti-virus software causes the user problems.  These systems take a performance hit, that is for sure.  But they can have bugs as well, as this page from McAfee  demonstrates.  What has happened here is that a program called “McScript_InUse.exe” has gone crazy, pegging the system’s CPU.  Not only does this kill performance of every other application on a system, but it can have an impact on your energy bill, because a 100% used CPU means that it will run faster with more fans on and more cooling required.

McAfee cannot be condemned for having bugs in their software, even though it is ironic that they exist in large part because Microsoft Windows has bugs that are taken advantage of.  It never-the-less brings up the question of whether such active scanning technology is the right approach, or whether we have to do better at providing better underlying security.  The extreme version of this would be provably secure programming, a field in which Dr. Gene Spafford (a network legend) has devoted his career.

In the meantime, however, we have to hold McAfee to a higher standard, just as we should Microsoft.  When people believe that they will be harmed by the very software that is meant to protect them and others, especially when the more negative consequences impact others, they will not upgrade.  We discussed this with the ETH Study, some time ago, and now we can expect additional consequences.

[del.icio.us] [Digg] [Facebook] [Reddit] [Twitter]

Obama v. McCain: Foreign Policy

How the United States deals with the world around us has been the principal province of the president, for as long as there has been a U.S.  It is an area in which most presidents learn it on the job, as was the case for Presidents Reagan & Clinton.  In other circumstances, presidents bring a strong policy background to the job, such as was the case with President George H. W. Bush.  (His son, President Bush, doesn’t seem to have learned anything, not really having understood anything prior to having taken office.)

Senator Barack Obama is only a little older than me.  Neither of us can seriously have understood at the time all of the implications of the Vietnam War, but both of us became well enough aware of the world around us to understand what was happening during the Carter administration (he might have even gotten it during the Ford administration).  He has spent some of his life outside of the United States, and he has spent some of his life in the time of the Cold War.

Senator John McCain is of a different era.  His views are informed by his having served in the Vietnam War and been captured and held by the Vietcong.  There are few people on earth who can relate to his nearly unique experiences.  McCain spent most of his life with the Cold War, and he was born outside of the United States.

Both of these men have interesting perspectives on foreign policy, but to be sure John McCain has been there a whole lot longer.  Which positions should we judge?  My own areas of interest revolve around the reconstituted Soviet Union, how we handle the Middle East, and how we engage the developing world.  I am also interested in continued development of international relationships to reduce cybercrime and cyber-terrorism.  As an expatriate foreign policy probably impacts me more than domestic policy, which is why it’s up front next to education.  But these days that should be the case with more Americans.  Our new found isolation in the world has empowered bad actors, like Hugo Chavez.

Senator McCain has been a strong proponent of America following international law and norms.  As a former prisoner he saw what happened personally when those norms weren’t followed.  The senator has always expressed strong concern about the way the Bush Administration treated detainees in Guantanamo Bay, and advanced legislation against such reckless behavior.

Senator McCain supported former Secretary of Defense Donald Rumsfeld and President Bush on both their decision to go to war and initial tactics.  This to me represents a remarkable failure on his part, because Mr. Rumsfeld failed to ask the very question that most foreign policy experts would ask: what happens after you invade?  We take over and then what?  The departure from the Powell Doctrine of overwhelming force to “shock and awe” only worked until the shock and awe wore off, if it worked at all.  The actual justification for the war is now thoroughly debunked, and the next president will have to clean up this president’s mess.

Senator McCain has been very vocal about Russia’s invasion of Georgia.  Here I am entire agreement with him, and I would perhaps have gone farther.  Russia has for years lost its luster to me, and the current president has lied – repeatedly – about Russia’s intent.  It’s all about reasserting Russia’s position as a super-power, taking control of her oil, and using economics as a policy weapon against the west.  As I wrote previously, we brought this on ourselves.  McCain has been there early on, as it is in his nature to address such threats.

Senator Obama has made statements to the same effect as of late, but has otherwise taken a less prominent stance.  Sometimes that’s not a bad thing.  If the current president plays “bad cop” in some way in the near future, Senator McCain will be left with fewer options than Senator Obama in January.  The reverse is also true.  President Bush can use the McCain’s stridency to say, “This is who you get later if you don’t solve the problem to my satisfaction.”  It’s right out of a West Wing Episode, and arguably out of the Iran Hostages playbook, where Iran resolved the matter the moment Ronald Reagan took office.

John McCain has also stated his preference for ending sugar, oil, and ethanol subsidies as part of his education plan.  Were those subsidies tied to quality standards I might have more sympathy for them, as I did with the Swiss.  Absent those, the American way of life is not on the line, and it would seem that commodity prices are doing just fine on their own at the moment, and so it’s free money to remove those subsidies.

Senator Obama is not without his own touch on foregin policy.  In 2006 he sponsored a bill that eventually became law to stablize the Congo.  He has stated that he is willing to meet with leaders of countries that we don’t especially love, like Cuba, North Korea, and Iran.  He has been extremely cagy about the terms of such meetings and he has parsed his words carefully since.  Normally such parsing drives me CRAZY, reminding me to look up what the definition of is is.  The art of foreign policy, however, is talking out of both sides of one’s mouth.  Senator McCain and our current president don’t do this, so far as I can tell.

And the Winner is…

While I find John McCain’s views on Iraq far from my own, his views on Russia seem to be more aligned than those of Barack Obama, and there can be no doubt as to who has more experience. Obama has nowhere near the amount of experience of his opponent, but he did get Iraq right, and he probably has a good handle on Africa.  Still I do not agree with his willingness to meet with just any ole dictator.

Today both candidates get passing grades on foreign policy, with McCain getting about a 80/100 and perhaps Obama getting 75.  So let’s give this round to McCain.

[del.icio.us] [Digg] [Facebook] [Reddit] [Twitter]

Why Extradition of Hackers Is Important

Each day we hear about different forms of fraud and theft on the Internet.  Someone in America gets phished from a computer in the UK that is controlled by another computer in Switzerland, that is controlled by an individual in Italy, and their bank account emptied to a mule in America, and the money ends up with some gang in Russia.

Even if you found the individual in Italy you have to answer this question: where was the crime committed?  The Convention on Cybercrime of the Council of Europe addresses this very question, and fosters cooperation amongst  cooperating societies.  Extradition is so rare that it is worth pointing out when it happens.  On the 30th of July a UK Court refused to block extradition to someone who is accused of having caused many hundreds of thousands of dollars to US government systems.  While in this case the government was a victim, something that happens all too often, far more often it’s individuals who are harmed.  In this case the person sounds a bit disturbed. Let’s hope that next time they extradite people who do this sort of thing to make money, and demonstrate to them that it is not worth the risk.

Because the risk of getting caught is so small, this is an instant where the penalties should be very high when intent on theft, fraud, or disruption of services is clearly evident.

[del.icio.us] [Digg] [Facebook] [Reddit] [Twitter]

Off to Dublin (well sort of)!

Today, the Internet Engineering Task Force begins its 72nd in person meeting.  The IETF as it is known is a standards organization that primarily focuses on, well, the Internet.  The work done in this body has included Multimedia Internet Mail Extensions, Internet Calendaring, Voice over IP, and many others.  Not all work done by the IETF has worked out.  An effort I worked on some time ago weeded out the stuff that either was never used or is no longer used.  One of the key areas that any standards organization struggles with is how much potentially useful stuff to let through versus sure bets.  Sure bets are those things where a necessary improvement or change is obvious to a casual observer.  The people who make those changes are not the ones with imagination.

It’s the people who use their imaginations who make the bucks.  Always has been.  The problem is that there are a lot of people who may have good imaginations, but are unable to convert a good idea into something that can be broadly adopted.  This is a problem for a standards organization because each standard takes time and effort to develop, and each failed standard diminishes confidence in the organization’s overall ability to produce good stuff.

On the whole the IETF has done demonstrably well, as demonstrated by the vast amount of money organizations have poured into personal attendance at the in person conferences, even though no attendance is required to participate.

This summer’s conference is being held in Dublin City West at a golf resort, a bit away from the major attractions.  There are two benefit of this: first the cost isn’t absolutely outrageous.  Second, if people know they the attractions are a bit far off, then fewer tourists will come.  I actually don’t mind the idea of an IETF in Buffalo in the winter, but I may be taking things a bit too far.

Among the many discussions that will take place at this conference include one about what to do about email whose domain cannot be ascertained to have authorized its release.  The standard in question that identifies email is called Domain Keys Identified Mail (DKIM), and is relatively new.  What to do, however, when DKIM is not employed or if the signature sent is broken in some way?  This is the province of a work called Author Domain Sender Policies (ADSP).  The specification provides a means for sending domains to communicate their intentions.  After a year of arguments we hope to have a standard.  Whether it proves useful or not will only be shown by the test of time.

[del.icio.us] [Digg] [Facebook] [Reddit] [Twitter]