Is there really anything surprising about the diplomatic cable leaks?

Is the U.S. going after Julian Assange, founder of WikiLEAKS, by leaning on our British and Swedish friends?  It is too soon to tell, but as recent history demonstrates, we will eventually know the truth.  The New York Times and many other news outlets have been reporting on both the content and the legality of the release of over 250,000 U.S. government diplomatic cables.  Meanwhile, Julian Assange sits in a UK jail, awaiting a bail hearing relating to an extradition request by Sweden where two women have separately accused him of sexual assault.

My real question: does anyone really find any of the information that has been released all that surprising?  It shows to me a diplomatic core largely doing its job, collecting information, feeding it to their superiors for further analysis, and taking instructions.  Is anyone really surprised that Saudi Arabia isn’t getting along with Iran, or that the administration has a low opinion of Vladamir Putin?

Sometimes an airing of dirty laundry has positive consequences.  Perhaps other countries will think about standing up to Iran more than they have been.  Perhaps Russians will reconsider their views of Vladamir Putin.  Perhaps the U.S. will consider not providing a lowly private so much unaudited access to information that assuredly isn’t relevant to his job.  Certainly the late night shows needed fresh material!

How Important Is Your EMail Address To You?

Really it’s not clear to me if this is a generational thing or what, people tell me that email addresses are no longer that important to them, what with MySpace, FaceBook, and the like.  Others just use SMS, where their cell phone number is the important for people to reach them.  For some, however, their email address is their identity, and their only means of being reached by friends and family.  That’s true for me, at least.  I’ve had the same sets of email addresses for about 12 years– one for work, one main one for play, and a bunch of others for special use.  This is nothing compared to my parents, who have had (roughly) the same phone number for almost forty years.

If your email address is important, here’s a question you should ask: is it important for you to control it from a legal standpoint?  Why would you want to do this?  Let’s look at a few cases:

  1. Your Internet Service Provider (ISP) provides you your email address with your Internet service, be that DSL, Cable, or something else.  What happens if you decide to change ISPs?  Do you lose your email address?  And do you care?  Can someone else get your old email address, and what are they likely to receive?
  2. You have a free email account from a service like Yahoo!, MSN, or Google, and the account gets broken into.  The first thing the bad guy does is change all of the security questions that are meant to cover password recovery.  How, then, are you able to prove to the service provider that the account was yours in the first place?  Can you even get your old account shut down, so that the attacker can’t masquerade as you?
  3. This is the inside-out version of (2): suppose someone claims you are masquerading as the legitimate owner of your account?  Who do you go to in order to prove that you are the legitimate owner of the account?
  4. Your mail service provider goes out of business, and the domain they have been using for you is sold.
  5. There’s one special case I’ll mention, but let’s not try to solve it: you use your work email for all email, and you change jobs or are laid off.  It’s a safe assumption that the primary use of your work email account should be work, and that you are taking a risk by using the account for more than work.

For all but the last case, you have a way of  at least mitigating the problem by have your own domain name, like ofcourseimright.com.  That is- go to a registrar that you trust and choose a domain name that will be yours as long as you pay the bill for the domain.  However, is this just moving the problem?  It could be if someone breaks into a registrar account that is not well secured.  However, because you own the domain and the registrar does not, you are able to take at least some actions, should either your registrar not recognize you, or should your registrar itself go out of business (this has happened).

The hard part is finding someone to host your domain.  This sounds like a royal pain in the butt.  And it is!  So why not just use your cell phone or a social network site?  Cell numbers are at least portable in many countries.  Social networking like Facebook is another matter, and can leave you with many of the same problems that email has, and more, as we have seen.  Similarly, many financial services that play with your money, like PayPal and eBay, rely on you having a stable email address.

My online identity is tied to...

View Results

Loading ... Loading ...

Unwitting Mules and Computers

Scales of JusticeWhen I first traveled through Switzerland some 16 years ago, I went to France for the day, leaving from Geneva.  On entering France, the guards saw a long, curly haired, American in a rental car, and they assumed I would be carrying drugs, so they took apart the car.  I didn’t mind it until it occurred to me that perhaps the last guy who rented might have left something behind.  Fortunately, none of that happened.

Last year, I attended one of my favorite conferences, the Workshop on the Economics of Information Security (WEIS08).  I met there a number of good folk from the law enforcement community, and some talked about some of their successful investigations into crime on the computer.  In one case, the investigators found megabytes of illicit material on someone’s hard drive.  An astute and bright man from Microsoft by the name of Stuart Schechter pointedly asked the question how the investigators knew that the owner of the PC had stored the illicit material.  The implication here would be that bad guys could be using the computer without the knowledge of its owner.  The  detective answered that such evidence is only one component used to charge and/or convict someone.

Now comes a case reported by AP in neighboring Massachusetts where this scenario has been brought to the fore.  Michael Fiola, an employee of the state government, was fired, arrested, and shunned because some criminal broke into his computer.

What are the lessons to be learned?  There is this common notion by many that end users aren’t generally the victims of the people who break into their computers.  Not so in this case.  There is also a belief that faith in government prosecutors alone will get an innocent person out of trouble.  Not so in this case.  They did eventually drop the charges, but only at the cost of his entire savings, large amounts of stress, etc.

This is not the only such case in which this has happened.  So, do you know what’s on your computer?  Are you sure?

Ole asks a great question

[not unusual for Ole, by the way.]

Why does security have to be so complicated?

Now knowing Ole as I do, this is of course rhetorical, but it does remind me of two conversations I’ve  had.  One was a long time ago.  A friend of mine was part of a cable start-up team.  Some of you will know who this was.  He showed up at a conference with his big financial backer, and then told me, “Eliot, I’ve created the perfect parental control system.”

My response was simply, “Are you now – are you now or have you ever a child?”  Nearly any child who is motivated enough will get around just about any parental block.  Kids are smart.

The same is largely true with security.  A former boss of mine once put it succinctly, that it’s either sex or money that motivate people, and that bad guys tend to use the former to get the latter.  A great example are the miscreants who give away free porn by typing in CAPTCHA text, so they can get around some site’s security.  I think it’s a little more than just those two motivations, but the point is that computers didn’t create crime.  Crime has existed since Eve gave Adam the apple.  The FaceBook scam occurs every day in the physical world without computers when eldery are taken advantage of in person.  Computers simply provide a new attack vector for the same types of crimes.

Bad guys are as smart as good guys, but their best is probably no better than our best.

A lesson in transitive trust

CybercrimeGrowing up in the New York area in the 1970s, one never really paid attention to all the crime that occurred.  There just was so much of it.  Even when I lived in California, while a murder would make the local news, it wasn’t something that would shake the community.  A murder in the Zürich area, however, is rare.  Maybe it’s because everyone has a gun, as my friend Neal might say.  Who knows?  The point is that people here are not inured to that level of violence.

Now we are discovering the online version of that.  When last we left our situation, we were trying to figure out how best to protect ourselves from evil bad guys by limiting the damage dumb passwords can do.  Since then, it has been widely reported that 10,000 Hotmail account passwords were stolen.  But they weren’t the only ones.  Many of the people who use Hotmail accounts also have GMail and Yahoo! accounts, and many of those passwords are the same.  Why?  Because humans don’t like having to remember lots and lots of passwords.  And of course, if you were one of those people who used the same password between both and linked your Yahoo or GMail account to Facebook, that means that your Facebook account could have been compromised as well.  And that means that your friends may have been attacked, as we previously discussed.

How could this be worse?  Let’s add Paypal into the mix.  If you use the same password for eBay as you used for Yahoo!, now all of a sudden, you have invited someone to empty your bank account.  Had Paypal implemented an OpenID consumer for login, an attacker wouldn’t even need your password.

Now let’s aggregate all of the people who do that.  The popular OpenID providers include Google, Yahoo, and Verisign.  As the number of providers increases, the concentration of risk of any one single failure decreases.  Concentration of risk is a fancy way of saying that one is putting all of one’s egg in one basket.  On the other hand, from the perspective of a web site that uses OpenID or some other federated mechanism such as SAML, the information received from any random Identity Provider (IdP) could reasonably be considered suspect.

This leads to a few conclusions:

  • A large number of Identity Providers will require a service that provides some indication as to the reliability of the information returned by a given IdP.
  • The insurance and credit industries can’t manage concentrated risk.  We’ve seen what happens in the housing market.  The Internet can reproduce those conditions.  Hence, there will be limitations on transitive trust imposed.

Conveniently, you are not without any protection, nor are the banks.  There are large federated market places already out there.  Perhaps the two biggest are eBay and Amazon.  Amazon has the advantage of requiring a physical address to deliver to, for most goods, the exceptions being software, soft-copy books and downloadable movies.  In each of these cases, the transaction value tends to be fairly low, and the resale value of most of these items is 0.  It’s the resale value that’s important, because the miscreants in this business don’t want 150 copies of Quicken for themselves, nor can they really sell off an episode of House.

Paypal is another matter.  If someone has broken into your Paypal account, here is what they can do:

  • Empty it of any credit it might have;
  • Charge against your credit cards; and/or
  • Take money from your bank.

If you’re paying attention and act quickly, you might prevent some of these nasties from happening.  But first you will have to read a tome that is their agreement.  In all likelihood you have no recourse to whatever final decision they make.  If you’re not paying attention, your account and those associated with it become an excellent opportunity for money laundering.  What does it mean to pay attention?  It means that you are receiving and reading email from paypal.com.  That means that they have to have a current email address.  When was the last time you checked that they do?  Assuming that they do, it also means that you have to read what you are receiving.  Now- I don’t know about you, but I’ve been spammed to death by people claiming to be PayPal.  Remember, how this posted started by talking about being inured to crime?  Well, here we go again.