Let’s not blame Yahoo! for a difficult policy problem

Many in the tech community are upset over reports from The New York Times and others that Yahoo! responded to an order issued by the Foreign Intelligence Surveillance Act Court (FISC) to search across their entire account base for a specific “signature” of people believed to be terrorists.

It is not clear what capabilities Yahoo! already has, but it would not be unreasonable to expect them to have the ability to scan incoming messages for spam and malware, for instance.  What’s more, we are all the better for this sort of capability.  Consider that around 85% of all email is spam, a small amount of which contains malware, and Yahoo! users don’t see most of that.  Much of that can be rejected without Yahoo! having to look at the content by just examining the source IP address of the device attempting to send Yahoo! mail, but in all likelihood they do look at some, as many systems do.  In fact one of the most popular open source systems in the early days known as SpamAssassin did just this.  The challenge from a technical perspective is to implement such a mechanism without the mechanism itself having a large target surface.

If the government asking for certain messages sounds creepy, we have to ask what a signature is.  A signature normally refers to characteristics of a communication that would either identify its source or that it has some quality.  For instance, viruses all have signatures.  In this case, what is claimed is that terrorists communicated in a certain way such that they could be identified.  According to The Times, the government demonstrated probable cause that this was true, and that the signature was “highly unique”*.  That is, the signature likely matches very few actual messages that the government would see, although we don’t know how small that number really is.  Yahoo! has denied having a capability to scan across all messages in their system, but beyond that not enough is public to know what they would have done.  It may well not have been reasonable to search specific accounts because one can easily create an account, and the terrorists may have many.  The government publicly revealing either the probable cause or the signature would be tantamount to alerting terrorists that they are in fact under investigation, and that they can be tracked.

The risk to civil liberties is that there are no terrorists at all, and this is just a fishing expedition, or worse, persecution of some form.  The FISC and its appellate courts are intended to provide some level of protection against abuse, but in all other cases, the public has a view to whether that abuse is actually occurring.  Many have complained about a lack of transparent oversight of the FISC, but the question is how to have that oversight without alerting The Bad Guys.

The situation gets more complex if one considers that other countries would want the same right to demand information from their mail service providers that the U.S. enjoys, as Yahoo’s own transparency report demonstrates.

In short we are left with a set of difficult compromises that pit gathering of intelligence on terrorists and other criminals against the risk of government abuse.  That’s not Yahoo!’s fault.  This is a hard problem that requires thoughtful consideration of these trade-offs, and the timing is right to think about this.  Once again, the Foreign Intelligence Surveillance Act (FISA) will be up for reauthorization in Congress next year.  And in this case, let’s at least consider the possibility that the government is trying to fulfill its responsibility of protecting its citizens and residents, and Yahoo! is trying to be a good citizen in looking at each individual request on its merits and in accordance with relevant laws.


* No I don’t know the difference between “unique” and “highly unique” either.

The Yahoo! Breach: What it means to you

Steps you should take after the Yahoo! breach.

Yesterday, Yahoo! announced that at least 500 million accounts have been breached.  This means that information you gave Yahoo! may be in the hands of hackers, but it could also mean a lot more.  The New York Times has an excellent interactive tool today that demonstrates how much of your information may have leaked, not just from Yahoo! but from other breaches.

Not only should people change their Yahoo! passwords, but it is also important for people to review all passwords and information shared with Yahoo!  In particular:

  1. Many people use the same password across multiple accounts.  If you did this, you should change passwords on all systems where that password was used.  When you do, you should see to it that no passwords are shared between two systems.
  2. Hackers are smart.  If you only tweak the same password just a little bit for use on multiple systems, a determined hacker, or more likely a determined script, may well break into other accounts.  For example, if your Yahoo! password was DogCatY! and your eBay password were DogCatEBay, you should assume the eBay account is broken as well.
  3. This means you should keep a secure record of what passwords are used where, for just this sort of eventuality.  By “secure” I mean encrypted and local.  Having two pristine USB keys (one for backup) is ideal, where the contents are encrypted at the application layer.  I also make use of Firefox’s password manager.  That in itself is a risk, because if Firefox is hacked your passwords may be gone as well.
  4. Unfortunately passwords may not be the only information hackers have. Yahoo! has previously made use of so-called “backup security questions”.  Not only is it important to disable those questions, but it is important to first review them to see where else you may have used them.  Security questions are a horrible idea for many reasons: they may reveal private aspects of your life, much of which might be discovered anyway.  Sites like United Airlines recently implemented security questions.  My recommendation: choose random answers and record them in a secure place that is separate from your passwords.
  5. It is possible that hackers may have read any email you received on Yahoo!  In particular, one should review any financial accounts where information is transmitted to Yahoo!
  6. Use of cloud-based storage as a backup for your passwords should be viewed with great suspicion.  There have been a number of such tools that themselves have been found to be vulnerable.
  7. Hackers may have your cell phone number, for those who use SMS as secondary authentication.  While SMS is not secure communication, the chances of it being hacked are relatively low.  The safest practice is not to rely solely on SMS for authentication.  My bank uses both a secret and an SMS message, relying on the tried and true two-factor authentication approach of something you have and something you know.  A better solution is a secret and an app with a secure push notification.  This is what MasterCard has done in Europe.

These suggestions are good for the sort of mass breach that we are seeing with Yahoo!  In addition, one has to be careful with the amount of trust placed in a cell phone.  If the phone is lost, you should assume that hackers will be able to get into it.  Keeping a record of the applications you use, particularly those that have financial or security implications, will help you recover from the loss.

These suggestions are written with the notion that Yahoo! is not going to be the only site that will have had this problem.  Although not to this scale, we’ve seen this sort of thing before, and we will see it again.  I’ll have more to say about this from an industry perspective in a while.


Yahoo picture by Sebastian Bergmann – originally posted to Flickr as Yahoo!, CC BY-SA 2.0

How Important Is Your EMail Address To You?

It’s not clear to me whether this is a generational thing or what, but people tell me that email addresses are no longer that important to them, what with MySpace, FaceBook, and the like.  Others just use SMS, where their cell phone number is the important thing for people to reach them.  For some, however, their email address is their identity, and their only means of being reached by friends and family.  That’s true for me, at least.  I’ve had the same sets of email addresses for about 12 years: one for work, one main one for play, and a bunch of others for special use.  This is nothing compared to my parents, who have had (roughly) the same phone number for almost forty years.

If your email address is important, here’s a question you should ask: is it important for you to control it from a legal standpoint?  Why would you want to do this?  Let’s look at a few cases:

  1. Your Internet Service Provider (ISP) provides you your email address with your Internet service, be that DSL, Cable, or something else.  What happens if you decide to change ISPs?  Do you lose your email address?  And do you care?  Can someone else get your old email address, and what are they likely to receive?
  2. You have a free email account from a service like Yahoo!, MSN, or Google, and the account gets broken into.  The first thing the bad guy does is change all of the security questions that are meant to cover password recovery.  How, then, are you able to prove to the service provider that the account was yours in the first place?  Can you even get your old account shut down, so that the attacker can’t masquerade as you?
  3. This is the inside-out version of (2): suppose someone claims you are masquerading as the legitimate owner of your account?  Who do you go to in order to prove that you are the legitimate owner of the account?
  4. Your mail service provider goes out of business, and the domain they have been using for you is sold.
  5. There’s one special case I’ll mention, but let’s not try to solve it: you use your work email for all email, and you change jobs or are laid off.  It’s a safe assumption that the primary use of your work email account should be work, and that you are taking a risk by using the account for more than work.

For all but the last case, you have a way of at least mitigating the problem by having your own domain name, like ofcourseimright.com.  That is, go to a registrar that you trust and choose a domain name that will be yours as long as you pay the bill for the domain.  However, is this just moving the problem?  It could be if someone breaks into a registrar account that is not well secured.  However, because you own the domain and the registrar does not, you are able to take at least some actions, should either your registrar not recognize you, or should your registrar itself go out of business (this has happened).

The hard part is finding someone to host your domain.  This sounds like a royal pain in the butt.  And it is!  So why not just use your cell phone or a social network site?  Cell numbers are at least portable in many countries.  Social networking like Facebook is another matter, and can leave you with many of the same problems that email has, and more, as we have seen.  Similarly, many financial services that play with your money, like PayPal and eBay, rely on you having a stable email address.


Can The Industry Stop break-ins on Facebook?

After my last post, a reasonable question is whether we in the industry have been goofing off on the job.  After all, how could it be that someone got their account broken into?  Everyone knows that passwords are a weak form of authentication.  Most enterprises won’t allow it for employee access, and we would string a bank CSO up by his or her toenails if a bank only used passwords to access your information.  They use at a bare minimum RSA one-time password tokens or perhaps Smart Cards.  So why are the rules different for Facebook?

They would say, I’m sure, that they do not hold the keys to your financial data.  Only that may not be true.  Have you entered credit card details into Facebook?  Then in that case maybe they do hold the keys to your financial data.  And even if you haven’t entered any financial data into Facebook, are you using the same password for Facebook that you are for your financial institution?  Many people are, and that is the problem.

Passwords have become, for want of a better term, an attractive nuisance.  It’s not that the concept itself is terrible, but they are increasingly difficult to secure, as the number of accounts that people hold continues to skyrocket.  Yes, the problem is getting worse, not better.  My favorite example is the latest update to the Wall Street Journal iPhone app, where the upgrade description says, “Application Enhancements to Add Free Registration & the Ability for Subscribers and Users to Login”.  What a lovely enhancement.  Right up there with enhancing the keyboard I am typing on to give me electric shocks.

Facebook is at least making a feeble attempt to get around this problem by offering OpenID access in some limited way (I tried using it from this site, and FB is broken, even though I can get into all sorts of other sites, including LiveJournal).  Still, it probably works for you if you are a Google, Yahoo!, or MySpace user, but for better or worse those sites themselves do not accept OpenID.  (The better part is that no one can simply break into one account and gain access to all of these other sites.  The worse part is that if you have some other OpenID, you can’t use it with these sites.)

OpenID has lots of problems, the biggest of which is that there is no standard privileged interface to the user.  This is something that Google, Yahoo!, and MySpace might actually like, because it means that they provide the interface they want to provide.  Unfortunately, programs, or more precisely the authors of programs, might find that a little irritating, since OpenID is so closely tied to the web that it is difficult to use for other applications (like email).

SAML and Higgins to the rescue?  OAUTH?  Blech.