Beware Best Western

The customers of Best Western are the latest to have their identities stolen.  As the article goes on to say, the crime gangs are going to have a field day with such live and valuable information, which included credit card numbers and home addresses.  There’s a clear lesson here in authorization: nobody needs to have access to the aggregate data that Best Western had.  It might be necessary to modify one or two reservations at once.  Perhaps it might even be necessary to know how much of a block is sold.  But the whole kit and caboodle?  Nobody needs that information.  Here are some protections Best Western could have taken:

  • Apply specific encryption of the credit card information and compartmentalize the use of any decryption key.  Hotels need to retain credit card information in order to guarantee bookings.  Encrypting credit card data is nowhere near a perfect solution because there is relatively little clear text information and some of that can be guessed, like the first four digits.
  • Encrypt all backups and protect the decryption keys so that multilevel authorization is required to access them.  Many backups are stolen.  If they are stolen, no encryption is perfect and so notification is necessary, but with encryption those whose information is stolen can take action, such as arranging for a house sitter or changing credit card numbers.
  • Employ intrusion detection within the database.  When a specific user acts outside a profile, flag it and see what is going on.
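The third protection, sketched as an added example (this is not code from Best Western or from the article): build a per-user profile from past database audit records, then flag anything outside it, whether that is one bulk read of the reservations table, a table the user has never touched, or many small reads that add up.  The record layout, user names, table names and the `slack` factor are all assumptions made for the illustration.

```python
from collections import defaultdict

# Constructed audit records, not real data: (day, db_user, table, rows_returned)
BASELINE = [
    ("d1", "frontdesk_anna", "reservations", 1),
    ("d1", "frontdesk_anna", "reservations", 2),
    ("d2", "frontdesk_anna", "reservations", 2),
    ("d1", "frontdesk_ben", "reservations", 2),
    ("d2", "frontdesk_ben", "reservations", 1),
    ("d1", "revenue_mgr", "block_summary", 40),
]
TODAY = [
    ("d3", "frontdesk_anna", "reservations", 2),      # normal desk work
    ("d3", "revenue_mgr", "block_summary", 38),       # normal block report
    ("d3", "frontdesk_anna", "reservations", 5000),   # bulk read of the table
    ("d3", "revenue_mgr", "cardholder_data", 10),     # table never used before
] + [("d3", "frontdesk_ben", "reservations", 2)] * 4  # many small reads

def build_profile(events):
    """Per (user, table): largest single result and largest daily total seen."""
    max_query, daily = defaultdict(int), defaultdict(int)
    for day, user, table, rows in events:
        max_query[(user, table)] = max(max_query[(user, table)], rows)
        daily[(user, table, day)] += rows
    max_day = defaultdict(int)
    for (user, table, _day), total in daily.items():
        max_day[(user, table)] = max(max_day[(user, table)], total)
    return {key: (max_query[key], max_day[key]) for key in max_query}

def flag_outliers(profile, events, slack=3):
    """Return (user, table, reason) for each event outside the user's profile."""
    alerts, running = [], defaultdict(int)
    for day, user, table, rows in events:
        key = (user, table)
        if key not in profile:
            alerts.append((user, table, "no profile for this table"))
            continue
        query_limit, day_limit = (slack * v for v in profile[key])
        running[(key, day)] += rows
        if rows > query_limit:
            alerts.append((user, table, f"single query returned {rows} rows"))
        elif running[(key, day)] > day_limit:
            alerts.append((user, table, f"daily total reached {running[(key, day)]} rows"))
    return alerts

if __name__ == "__main__":
    for alert in flag_outliers(build_profile(BASELINE), TODAY):
        print(alert)
```

The daily running total matters as much as the per-query limit: a clerk who never pulls more than two rows at a time still gets flagged once the day's total passes what that clerk has ever needed.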

In perhaps a more perfect world a separate identity provider could retain identifying characteristics of an individual such as address and credit card number.  Commerce likes some of this information because they can market to you, and absent legislation they have very little motivation to protect the information.

Another TSA Moron Story

We interrupt this serious consideration of our future presidents with Yet Another story of a stupid (and as yet unnamed) TSA employee.  In this case, an inspector attempted to break into planes on the tarmac.  According to one report, the inspector “breached” seven out of nine planes.  But in the process he may have damaged sensitive avionics.  This caused a delay at O’Hare International Airport while the airline took corrective measures.  This was stupid but not tragic because nobody was hurt – this time.  It could have been both stupid and tragic had the inspector touched something he shouldn’t have, broken something, and contributed to the loss of life.  Wouldn’t that have been rich?

The really stupid part is that it is not a secret that the overwhelming majority of effort to secure airplanes on the tarmac is devoted to keeping the wrong people off of the tarmac in the first place.  That is largely not the responsibility of the airline, but that of the airport and the TSA.  Once the inspector was on the tarmac and unsupervised, the game should have ended.  It didn’t.

Why Extradition of Hackers Is Important

Each day we hear about different forms of fraud and theft on the Internet.  Someone in America gets phished from a computer in the UK that is controlled by another computer in Switzerland, that is controlled by an individual in Italy, and their bank account is emptied to a mule in America, and the money ends up with some gang in Russia.

Even if you found the individual in Italy you have to answer this question: where was the crime committed?  The Convention on Cybercrime of the Council of Europe addresses this very question, and fosters cooperation amongst cooperating societies.  Extradition is so rare that it is worth pointing out when it happens.  On the 30th of July a UK Court refused to block the extradition of someone who is accused of having caused many hundreds of thousands of dollars of damage to US government systems.  While in this case the government was a victim, something that happens all too often, far more often it’s individuals who are harmed.  In this case the person sounds a bit disturbed.  Let’s hope that next time they extradite people who do this sort of thing to make money, and demonstrate to them that it is not worth the risk.

Because the risk of getting caught is so small, this is an instance where the penalties should be very high when intent to commit theft, fraud, or disruption of services is clearly evident.

Off to Dublin (well sort of)!

Today, the Internet Engineering Task Force begins its 72nd in person meeting.  The IETF as it is known is a standards organization that primarily focuses on, well, the Internet.  The work done in this body has included Multimedia Internet Mail Extensions, Internet Calendaring, Voice over IP, and many others.  Not all work done by the IETF has worked out.  An effort I worked on some time ago weeded out the stuff that either was never used or is no longer used.  One of the key areas that any standards organization struggles with is how much potentially useful stuff to let through versus sure bets.  Sure bets are those things where a necessary improvement or change is obvious to a casual observer.  The people who make those changes are not the ones with imagination.

It’s the people who use their imaginations who make the bucks.  Always has been.  The problem is that there are a lot of people who may have good imaginations, but are unable to convert a good idea into something that can be broadly adopted.  This is a problem for a standards organization because each standard takes time and effort to develop, and each failed standard diminishes confidence in the organization’s overall ability to produce good stuff.

On the whole the IETF has done demonstrably well, as shown by the vast amount of money organizations have poured into personal attendance at the in-person conferences, even though no attendance is required to participate.

This summer’s conference is being held in Dublin City West at a golf resort, a bit away from the major attractions.  There are two benefits of this: first, the cost isn’t absolutely outrageous.  Second, if people know the attractions are a bit far off, then fewer tourists will come.  I actually don’t mind the idea of an IETF in Buffalo in the winter, but I may be taking things a bit too far.

Among the many discussions that will take place at this conference is one about what to do about email whose domain cannot be ascertained to have authorized its release.  The standard in question that identifies email is called Domain Keys Identified Mail (DKIM), and is relatively new.  What to do, however, when DKIM is not employed or if the signature sent is broken in some way?  This is the province of a work called Author Domain Sender Policies (ADSP).  The specification provides a means for sending domains to communicate their intentions.  After a year of arguments we hope to have a standard.  Whether it proves useful or not will only be shown by the test of time.

Exclusionary Rule In Trouble

The police are supposed to be our protectors, but in the control of a despot, they are oppressors.  The Supreme Court formally recognized early in the 20th Century that the police could not be allowed to get away with crimes in order to find and convict the guilty.  Thus was born the Exclusionary Rule.  Prosecutors and law enforcement officials have, on the one hand, complained about the rule, and on the other hand, managed to provide generally strong protection against criminals without having to violate it.  According to this article by the New York Times, the United States is unique in its adherence to the rule.  The article goes on to say that we may not adhere in the same way for long.

While it might sound reasonable to allow a judge to hold a hearing to determine whether or not tainted evidence should be allowed, we should remember that the rule is there to protect us against wanton police abuse and corruption, that the government has a vast amount of coercive power, and that it is incredibly hard to identify abuse, absent the rule.  A police officer already has enormous abilities to cite, arrest, and search individuals, pragmatically speaking without cause.  Now the Court will consider weakening protections against those cases where the situation is blatant.

Keeping in mind that no rule is perfect, and that some criminals have been able to use the exclusionary rule to get their cases dismissed, the Court should tread carefully in an area where despotism looms, especially when we can argue that the rule has done its job well.