A lesson in transitive trust

Published 2009-10-11 on ofcourseimright.com (https://ofcourseimright.com/?p=790). Categories: complexity, internet-consumer-identity, security. Tags: amazon, cybercrime, facebook, openid, paypal, phishing, security.

Growing up in the New York area in the 1970s, one never really paid attention to all the crime that occurred. There just was so much of it. Even when I lived in California, while a murder would make the local news, it wasn't something that would shake the community. A murder in the Zürich area, however, is rare. Maybe it's because everyone has a gun, as my friend Neal might say. Who knows? The point is that people here are not inured to that level of violence.

Now we are discovering the online version of that. When last we left our situation, we were trying to figure out how best to protect ourselves from evil bad guys by limiting the damage dumb passwords can do. Since then, it has been widely reported that 10,000 Hotmail account passwords were stolen (http://www.telegraph.co.uk/technology/6265025/10000-Hotmail-account-passwords-stolen.html). But they weren't the only ones. Many of the people who use Hotmail (http://www.hotmail.com) accounts also have GMail (http://www.gmail.com) and Yahoo! (http://www.yahoo.com) accounts, and many of those passwords are the same. Why? Because humans don't like having to remember lots and lots of passwords. And if you were one of those people who reused the same password across those accounts and also linked your Yahoo! or GMail account to Facebook, your Facebook account could have been compromised as well. And that means that your friends may have been attacked, as we previously discussed (http://www.ofcourseimright.com/?p=779).

How could this be worse? Let's add PayPal into the mix. If you used the same password for eBay as you used for Yahoo!, all of a sudden you have invited someone to empty your bank account. Had PayPal (http://www.paypal.com) implemented an OpenID consumer for login, an attacker holding your Yahoo! or Google credentials wouldn't even need your PayPal password: the identity provider's login assertion would be accepted in its place.

Now let's aggregate all of the people who do that. The popular OpenID providers include Google, Yahoo!, and VeriSign. As the number of providers increases, the concentration of risk in any one provider's failure decreases. Concentration of risk is a fancy way of saying that one is putting all of one's eggs in one basket. On the other hand, from the perspective of a web site that accepts OpenID or some other federated mechanism such as SAML, the information received from any random Identity Provider (IdP) could reasonably be considered suspect: the relying party has no way of knowing how well that IdP verified the user or protected the credential.

This leads to a few conclusions:

- A large number of Identity Providers will require a service that provides some indication of the reliability of the information returned by a given IdP.
- The insurance and credit industries can't manage concentrated risk. We've seen what happens in the housing market, and the Internet can reproduce those conditions. Hence, limits on transitive trust will be imposed.

Fortunately, you are not without protection, nor are the banks. There are large federated marketplaces already out there. Perhaps the two biggest are eBay and Amazon. Amazon has the advantage of requiring a physical delivery address for most goods, the exceptions being software, soft-copy books and downloadable movies. In each of these cases the transaction value tends to be fairly low, and the resale value of most of these items is zero. It's the resale value that's important, because the miscreants in this business don't want 150 copies of Quicken for themselves, nor can they really sell off an episode of House.

PayPal is another matter. If someone has broken into your PayPal account, here is what they can do:

- Empty it of any credit it might have;
- Charge against your credit cards; and/or
- Take money from your bank.

If you're paying attention and act quickly, you might prevent some of these nasties from happening. But first you will have to read the tome that is their user agreement (https://www.paypal.com/ch/cgi-bin/webscr?cmd=p/gen/ua/ua-outside). In all likelihood you have no recourse against whatever final decision they make. If you're not paying attention, your account and those associated with it become an excellent opportunity for money laundering. What does it mean to pay attention? It means that you are receiving and reading email from paypal.com. That means they have to have a current email address for you. When was the last time you checked that they do? Assuming they do, it also means that you have to read what you are receiving. Now, I don't know about you, but I've been spammed to death by people claiming to be PayPal. Remember how this post started, by talking about being inured to crime? Well, here we go again.
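Added example, not code from the original post: the chain the post describes (a leaked Hotmail password that reaches GMail and Yahoo! by reuse, Facebook by account linking and, if PayPal accepted OpenID, PayPal and the bank behind it) modelled as a small account graph. A breadth-first closure gives the blast radius of one leak, and a per-node count of how many other accounts fall with it is the "eggs in one basket" number the post calls concentration of risk. The users (alice, bob), the provider nodes and every edge are a constructed illustration; the provider nodes go beyond the post's own example to show that an identity provider scores highest even though its own password is never reused anywhere.

```python
from collections import deque

# Constructed illustration (not real data): two users, two identity providers.
# Edge kinds:
#   ("reuse", a, b)  : the same password is used at a and b, so control of
#                      either account yields the other (both directions).
#   ("grants", a, b) : control of a yields b without b's password: b accepts
#                      logins asserted by a (OpenID/SAML), a provider node
#                      holds every account it issues, or a can draw on b
#                      (a PayPal account funded from a bank).

def build_graph(edges):
    """Adjacency map: node -> set of nodes that fall once that node falls."""
    adj = {}
    for kind, a, b in edges:
        adj.setdefault(a, set())
        adj.setdefault(b, set())
        if kind == "reuse":
            adj[a].add(b)
            adj[b].add(a)
        elif kind == "grants":
            adj[a].add(b)
        else:
            raise ValueError(f"unknown edge kind {kind!r}")
    return adj

def blast_radius(adj, seed):
    """Breadth-first closure: everything reachable from one compromised node."""
    seen, queue = {seed}, deque([seed])
    while queue:
        for nxt in adj.get(queue.popleft(), ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def concentration(adj):
    """How many *other* nodes fall with each node: the eggs-per-basket count."""
    return {n: len(blast_radius(adj, n)) - 1 for n in adj}

def scenario(paypal_accepts_openid):
    """The post's situation, optionally with PayPal acting as an OpenID consumer."""
    edges = [
        # Alice: one password for the three webmail accounts and eBay,
        # Facebook linked to her Yahoo! account, PayPal funded from her bank.
        ("reuse", "alice@hotmail", "alice@gmail"),
        ("reuse", "alice@hotmail", "alice@yahoo"),
        ("reuse", "alice@yahoo", "alice@ebay"),
        ("grants", "alice@yahoo", "alice@facebook"),
        ("grants", "alice@paypal", "alice@bank"),
        # Bob: unique passwords everywhere, Facebook linked to his GMail.
        ("grants", "bob@gmail", "bob@facebook"),
        ("grants", "bob@paypal", "bob@bank"),
        # The providers themselves: a breach at the IdP yields every account it issues.
        ("grants", "IdP:yahoo", "alice@yahoo"),
        ("grants", "IdP:google", "alice@gmail"),
        ("grants", "IdP:google", "bob@gmail"),
    ]
    if paypal_accepts_openid:
        edges += [("grants", "alice@yahoo", "alice@paypal"),
                  ("grants", "bob@gmail", "bob@paypal")]
    return build_graph(edges)

def fallen_from(seed, paypal_accepts_openid):
    """All accounts an attacker reaches starting from one leaked account."""
    return blast_radius(scenario(paypal_accepts_openid), seed)

def ranked_baskets(paypal_accepts_openid, top=3):
    """Nodes ordered by how much else they take down with them (ties by name)."""
    scores = concentration(scenario(paypal_accepts_openid))
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))[:top]

if __name__ == "__main__":
    for flag in (False, True):
        fallen = fallen_from("alice@hotmail", flag)
        print(f"PayPal accepts OpenID: {flag}")
        print(f"  one Hotmail leak reaches {len(fallen)} accounts: {sorted(fallen)}")
        print(f"  biggest baskets: {ranked_baskets(flag)}")
```

Without the OpenID edge a single leaked Hotmail password already reaches five of Alice's accounts, but not PayPal or the bank; adding it makes PayPal and the bank fall without any PayPal password ever being known. The ranking puts the provider nodes above every user account in both cases, which is the aggregation argument of the post: a relying party that accepts a provider's assertions inherits the risk of every account that provider has ever issued.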