The Pebble and the Avalanche

Current Revolutions in Business and Technology

by Dr. Moshe Yudkowsky,

author of The Pebble and The Avalanche: How Taking Things Apart Creates Revolutions


Wed, 2009-May-13, 07:38

Abandoning Flickr

One of the more pointless efforts to "secure" online accounts is the "security question," in which system administrators ask pointless questions such as "What is your favorite candy?" and store the answer. Of course, this all presupposes that two years later I remember the answer that I give today; not only do my favorite foods change over time, but I don't even have a favorite candy. All this is done in lieu of real security, but frankly your bank is unwilling to spend the money to actually secure your account.

Your mother's maiden name and your social security number are recorded in dozens if not hundreds of different databases. I know of security professionals who choose a different mother's maiden name for each entity that demands it. I do, too.

I have my own little ways to answer these other bogus security questions, but apparently Yahoo/Flickr has caught on to the methods that I and apparently many others use to get past the nonsense — and Yahoo/Flickr won't let me register for a new Yahoo/Flickr account unless I follow their strict rules for answering security questions. It's hard to imagine, but even though they offer a free account the cost in aggravation is too high, and I've decided to look for a photo-sharing site that doesn't require such obnoxious security measures. Not to mention, of course, that I have no intention of creating a database just to record my bogus answers to their bogus security questions.

Mon, 2009-Feb-09, 09:29

Smaller Files Mean Easier Security

One of the fun parts of writing a book is when someone "gets it" and learns to apply the ideas.

I've just received an interesting missive from Tracy Snell, who has just left his post as CTO of Interactions:

I've used MobileMe for years and one thing I loved was the OSX keychain syncing. It's worked pretty well, but to have my keychains synced across all the Macs I use I was welded to MobileMe.  Kept hearing good things about 1passwd. So I installed it recently and it is nice.
Former versions were just a nice front end on the OSX keychain, but now it uses its own keychain format. Suddenly I lost sync across machines! So I go digging and find out that their new format is not one monolithic file storing all the keys but instead each key gets its own file. [This] makes syncing and merging a trivial issue. Just store your 1passwd keychain on DropBox or iDisk and you're done. You don't risk a corrupted keychain if you have a failure in the middle of a sync. Dawned on my last night it was a great example of disaggregation.
In other words, the location of the password keychain is no longer tied to the Mac, and the keychain entries are more robust and easier to synchronize.

And I guess I congratulate the makers of 1passwd as well, at least in theory, but don't forget to read some reviews before you try this product.
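To make the point of Tracy's note concrete, here is an added example (my own illustration, not 1passwd's code) of a keychain disaggregated into one file per entry: each write is atomic, an interrupted write leaves only a harmless temp file, and syncing two copies is a simple union rather than a merge of one monolithic blob. The entry names, fields and the "updated" counter are constructed for the demo.

```python
import json
import os
import tempfile
from pathlib import Path

# Added example (not 1passwd's code): a keychain "disaggregated" into one
# file per entry, so a failure mid-write or mid-sync touches one entry only.


def write_entry(store: Path, name: str, record: dict) -> Path:
    """Write one entry atomically: temp file in the same directory, fsync,
    then rename. A crash before the rename leaves the old copy untouched."""
    store.mkdir(parents=True, exist_ok=True)
    fd, tmp = tempfile.mkstemp(dir=store, prefix=f".{name}.", suffix=".tmp")
    try:
        with os.fdopen(fd, "w") as fh:
            json.dump(record, fh)
            fh.flush()
            os.fsync(fh.fileno())
        os.replace(tmp, store / f"{name}.json")  # atomic rename
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise
    return store / f"{name}.json"


def load_store(store: Path) -> dict:
    """Read every committed entry; leftover .tmp files from a crash are ignored."""
    return {p.stem: json.loads(p.read_text()) for p in sorted(store.glob("*.json"))}


def merge(local: Path, remote: Path) -> dict:
    """Sync two copies: a union keyed by entry name, newest 'updated' wins.
    No monolithic blob has to be diffed or three-way merged."""
    merged = load_store(local)
    for name, rec in load_store(remote).items():
        if name not in merged or rec["updated"] > merged[name]["updated"]:
            merged[name] = rec
    return merged


def demo() -> dict:
    """Constructed scenario: two machines, one interrupted write, then a merge."""
    with tempfile.TemporaryDirectory() as tmpdir:
        mac1, mac2 = Path(tmpdir, "mac1"), Path(tmpdir, "mac2")
        write_entry(mac1, "bank", {"user": "moshe", "updated": 1})
        write_entry(mac1, "flickr", {"user": "moshe", "updated": 1})
        write_entry(mac2, "bank", {"user": "moshe-new", "updated": 2})
        # Simulate a crash halfway through writing a third entry on mac2:
        # only a partial temp file exists; every other entry is intact.
        (mac2 / ".mail.partial.tmp").write_text('{"user": "mo')
        merged = merge(mac1, mac2)
        return {"names": sorted(merged), "bank_user": merged["bank"]["user"]}
```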

Fri, 2008-Dec-19, 05:33

Thoughts and Actions: Fifteen Years in the Slammer for YouTube Video

An Egyptian student, studying in Florida, just received a fifteen-year sentence for posting a video on YouTube. The video explained how to build an Improvised Explosive Device and also advocated terrorism.

This is a thought crime: the intention of the defendant was on trial, not just his actions. He hasn't done much more than collect information and publish it. Furthermore others have done the same. Reporters drop hints all the time about how these bombs are built; one of my favorite libraries has British manuals on how to destroy railroads (written in Dutch, for distribution during World War II); a recent book on the building of the first atomic bomb gives away a wealth of detail, including previously elusive detail on the shape of the crucial beryllium initiator. Are all these people to stay out of jail because they didn't also preach jihad?

What about my old copy of Rogers Manual Industrial Chemistry, which contains a section on "war gasses" — if I sell it on Amazon, am I guilty of something? Why aren't the staff of Amazon in jail for selling copies of The Anarchist Cookbook and the U.S. Army's Field Manual FM 5-31: Boobytraps?

While there certainly are limits to free speech in the U.S., such as shouting "Fire!" in a crowded theater, these limits restrict the very outer limits of behavior, and even so these limits are the subject of controversy.

Conspiracy to plant bombs is one thing, and as much as I find charges of "conspiracy" to be slippery I'd still be unsurprised to see the defendant and his co-conspirator in the slammer. But since when has it been illegal to disseminate knowledge? And why is this defendant in jail while the staff of The New York Times is not? While intent is important in many criminal and civil cases — e.g., "Did the defendant fire his gun because he believed his life was in danger?" — when it comes to First Amendment and other freedoms, the introduction of "intent" crimes is a very slippery slope.


Tue, 2008-Dec-02, 08:32

Speech Technology, the Police, and the Subways

I've been wondering about the New York Police Department's plans to "monitor" mobile phone calls in "high-risk" areas; at least some New Yorkers offer mildly-enthusiastic endorsement of the idea.

Of course this is a tremendous invasion of privacy; once the door opens, you can expect the police to push this precedent to monitor calls in "high-drug-use" locations, near "vulnerable children," and so on and so forth — it's a process as inevitable as gravity. I am certain that open-source phones (such as the Google Android) will include encryption in the very near future if this initiative goes through. But more fundamentally, I find it hard to believe that it would be effective — I really have to wonder whether terrorists who use mobile phones speak "in the clear."

Regardless, I wonder most of all about the technology. What will the NYPD monitor? Will they monitor to see if anyone is calling known terrorists? Will they do traffic analysis — look for patterns that indicate terrorist activity? (I find it hard to believe that enough is known about these patterns, assuming they exist in the first place.) Or will they attempt to use speech technology?

If the NYPD does attempt to use speech technology, will they succeed? I am skeptical: mobile calls with inherently poor quality; lots of noise in the background; many accents; rapid speech; a huge amount of speech, which leads directly to a huge number of false positives. On the other hand, national intelligence agencies around the world have programs in place to solve these speech technology problems, and perhaps these agencies will share some of their solutions with local police forces.

Will New Yorkers stand for this invasion of privacy? Of course; they have already surrendered their right to privacy of their persons, as the NYPD can and does search anyone on the subway for no reason at all. Citizens will be offered the choice of further invasion of privacy vs. the "choice" of not being able to commute to work — no real choice at all.

Mon, 2008-Nov-03, 08:37

More on Chase

Another bit of backwardness from Chase: they've outsourced their security to the Philippines; nothing wrong with that in theory, of course. But Chase failed to properly integrate that outsourced security with the rest of their operations, which is one of the key steps to making disaggregation work. (There's a chance they've fixed this problem by now, but I wouldn't hold my breath.)

As a result, identity thieves managed to penetrate Chase security, steal $40,000 from some poor sod, and (I will guess) as usual for identity theft Chase put the burden of proof that theft occurred on the victim — all this while the account management team desperately tried to prevent the security team from allowing the theft.

Wed, 2008-May-28, 08:36

Craigslist Goes to War on an Economic Seesaw

TechDirt posted a short article about Craigslist and its war against spam. According to the article, certain parts of Craigslist have been entirely overrun by spammers: the personals and services sections now consist of 90% spam; now the job postings are under attack. Although the article focuses on the sophisticated set of tools that spammers created to attack Craigslist and some of Craigslist's countermeasures, what I find interesting is not the specifics but the broad principles that underlie Craigslist's defenses and the implications for overall Internet and financial security.

Craigslist, Google's Gmail, and other Internet companies that provide no-cost communications services on the Internet have straightforward and fairly foolproof tools to authenticate users — that is, my Gmail account isn't likely to be read by someone pretending to be me. But these no-cost services lack any decent method to identify users, which makes it impossible to determine if a single person opens a thousand Gmail accounts or posts a thousand times to Craigslist.

The Internet services companies tend to follow a common pattern as they attempt to cope with a wave of spam. At first, they attempt to introduce non-monetary costs to slow down the spammers; a typical method is to use "captcha," an image containing a distorted passphrase, and require that users enter the passphrase. This slows down spammers at first, but spammers rapidly evolve techniques to avoid the costs. The companies then start to use internal tools, such as statistics and pattern matching, to catch abuse. As shown in the case with Craigslist, spammers continue to evolve and learn to evade detection. The spammers and the companies are on an economic seesaw: the companies increase costs and spam volume drops; the spammers learn to decrease costs and spam increases.

At that point, some companies disaggregate their identification procedures — they introduce costs and identification through other companies' security systems. For example, Google requires that I use a cell phone to register for a new email address. This might seem to make sense: after all, when I purchase a cell phone, I have to convince the cell phone company to give me the phone and I have to pay real money to make the cell phone work. Google can rely on the phone company to extract money from me, a trivial amount if I just want a single account but quite expensive if I want thousands of them; and besides, the costly phone number serves to identify me.

Spammers seem to have solved the "problem" posed by that particular obstacle and the war continues. What's interesting is that Google, Craigslist, and similar companies could solve the spam problem immediately by taking a single, simple step: they could require that each spammer appear in person in a local company office in order to get an email address or place a job posting.

Absurd? Of course. These companies thrive because they provide low-cost or no-cost services while their internal costs are extremely low. Office visits would impose huge costs on both parties and kill the companies outright.

However, this problem extends beyond the Internet to the "real world." One reason for identity theft is that companies find it too expensive to have an applicant for a credit card show up in person. Instead, they rely on phone calls, faxes, email, and "secrets" such as social security numbers. The credit card companies impose some costs and accept some costs, but only as long as it makes financial sense; and if they make a mistake and someone impersonates you — well, after all, you're not even the company's customer, so why should they care if the theft costs you money and drives you mad?

A problem that stretches across different industries, extends throughout the world, and costs billions of dollars a year suggests that a solution can be found and there's money to be made in solving it. One solution is secure physical identification "tokens," that is, something you must own, that costs something (either time, money, or both) to obtain, and is both difficult to forge and easy to verify. A stand-alone company could use these to provide identification services to a wide range of different companies, and while the initial cost for an individual to claim a token can be set rather high, a shared service means that the cost is paid once instead of each and every time. For example, the service could sell (or give away) wallet-sized cards that contain a little window that shows a continually-evolving 6-digit number. Anyone who claims to be me must know this number and the card's account number. While cards can be lost or stolen, of course, judicious use of identification "tokens" could turn spam from lucrative thievery into a bad memory.
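The card with a window showing a continually-evolving 6-digit number is, in today's terms, a time-based one-time password token. As an added example (my own illustration, not the author's or any vendor's code), here is how such a card's display and the shared identification service's check would work; the card account number and the secret the service shares with that card are constructed values.

```python
import hashlib
import hmac
import struct
import time

# Added example (not the author's): the "continually-evolving 6 digit number"
# on the card is a time-based one-time password (RFC 6238 over RFC 4226).
# Constructed values: a card account number and the secret the identification
# service shares only with that card and its own verifier.
STEP_SECONDS = 30
DIGITS = 6
CARDS = {"CARD-000123": b"constructed-demo-secret-not-real"}


def code_for_counter(secret: bytes, counter: int) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte counter, dynamic truncation,
    then the low DIGITS decimal digits, zero-padded."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{binary % 10 ** DIGITS:0{DIGITS}d}"


def card_display(secret: bytes, now: float) -> str:
    """What the card's window shows at time `now`: the code for this 30 s step."""
    return code_for_counter(secret, int(now) // STEP_SECONDS)


def verify(account: str, code: str, now: float, window: int = 1) -> bool:
    """Service-side check: does `code` belong to this account's card right now?
    `window` steps of clock drift are tolerated either side; each comparison is
    constant-time so timing does not leak how many digits matched."""
    secret = CARDS.get(account)
    if secret is None or len(code) != DIGITS or not code.isdigit():
        return False
    counter = int(now) // STEP_SECONDS
    return any(
        hmac.compare_digest(code_for_counter(secret, counter + d), code)
        for d in range(-window, window + 1)
    )


if __name__ == "__main__":
    now = time.time()
    shown = card_display(CARDS["CARD-000123"], now)
    print("card shows", shown, "accepted:", verify("CARD-000123", shown, now))
```

A real service would also record each accepted code so it cannot be replayed within the same step, and would rate-limit guesses per account.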


Mon, 2008-May-19, 08:01

Get your Gaff[e]: Illinois Announces Phishing Licenses

Government always lags business when it comes to practices and procedures, efficiency, and simply having a clue about what's what. Last week's physical and electronic mail brought me two reminders of just how clueless the government can be, in the form of two major invitations for phishing and identity theft, courtesy of local and state governments.

The first gaffe was from the City of Chicago. The City sent out — unsolicited — email to anyone who had purchased city stickers online in the past, and this email included a link to click on in order to purchase a new city sticker. This spam violated several fundamental rules; the most important rule is the one that we've been trying to drum into people's heads, which is not to follow links you receive in unsolicited email. Of course, now that the City of Chicago has established the notion that city licenses of any sort are available online by following links in unsolicited email, phishing scams and outright theft will follow as night follows day.

But the State of Illinois outdid the City with a truly egregious breach of security. The State sent out postcards (!) to physicians with a web site and a PIN number, informing the physicians they must renew their licenses online. I've got one of these postcards here in my hand (image of front, image of back); the web site the State sends you to isn't even in the .il.us domain — it's a .com domain. With the list of physicians in the State of Illinois part of the public record and available commercially from any number of sources, this new initiative is an open invitation for phishing scams to (a) steal valid physician license numbers, which can be used to purchase drugs, and (b) steal the credit card numbers of the physicians to pay for the drugs. That's a brilliant "two-fer," and I must congratulate the person or persons unknown here in Illinois who managed to open the door to a flood of new phishing scams.

Thu, 2007-Jul-05, 12:49

Is Terrorism Effective?

This paper argues that "disaggregating the terrorist campaign by objective type" shows that terror campaigns against civilians are generally ineffective.

I actually don't agree with the author because he failed to disaggregate far enough. For example, the author accepts the English-language version of the stated goals of Islamist terror organizations, whereas these organizations often issue more radical versions of their objectives in Arabic; it's necessary to separate and analyze these two different versions of objectives. And, of course, people who commit massive acts of murder in the hope of (eventual) favorable publicity are not necessarily forthcoming about their true objectives...

Mon, 2007-Mar-12, 07:06

Ghost Mortgages: Was New Century Plagued by Fraud?

This is a tale of disaggregation, fraud, and meaningless numbers.

First, the disaggregation. New Century Financial Corporation, which is now struggling in its subprime mortgage market niche, specialized in the financial end of the mortgages and relied on hundreds of small brokerage firms to actually sell the mortgages. This is a familiar business model — the disaggregation of sales, marketing, and manufacturing — and often a quite successful one.

But what happens if the mortgages are made to ghosts? According to the Wall Street Journal [the online version is subscription only, sorry!], a substantial fraction of the mortgages were made to people who never even made their first payments:

Borrowers failed to make even the first payment on 2.5% of New Century's loans.
Since most people who borrow in good faith will typically make at least a few payments before defaulting, the Journal raises the suspicion that New Century was careless in its selection of mortgage brokers and as a result suffered fraud.

I'm going to raise two different issues. First, disaggregation almost always requires some feedback, some way of tying the disaggregated parts together. If I decide to make bolts in one factory and nuts in another, I need to find a way to test to make certain the nuts and bolts fit together. Similarly, if New Century decides to allow outside brokers to sell New Century mortgages, then New Century must make certain that the mortgages these brokers generate meet New Century's standards.

Secondly, the number "2.5%" is utterly meaningless without any context. What is the first-payment default rate for "normal," non-sub-prime mortgages? What is the rate for other sub-prime mortgage lenders? Without any context, I don't know if this shocking number represents the worst in the entire sub-prime loan industry — or the very best. And given that New Century turned a profit until its recent problems, it may be that their business model allowed them to absorb the costs of a higher-than-usual rate in return for a higher number of profitable mortgages. That is, they knowingly accepted a higher rate because it permitted them to capture higher profits by reducing overall costs and increasing overall sales.

So, while the Journal article is filled with the usual pathos of senior citizens who can't afford their mortgage payments, one of the central indictments of the article — that New Century allowed itself to be defrauded, and that the fraud they permitted was bad for the company — remains unsupported to date.


Tue, 2007-Jan-09, 15:03

Another Minute Passes

The mainstream press distinguishes itself from the blogosphere by touting its reliability; a news story read by a man in a high-priced suit on television, or by a trained speaker over the radio, is supposed to carry more weight than a story put out by some random individual typing away in his bedroom slippers late at night.

Except that I haven't seen any evidence for this when it comes to vetting the advertising I hear on the radio. Even Chicago's premier news stations have oddball advertising. I've heard advertising for homeopathic medications with outlandish claims, and get-rich-quick schemes that I'd toss aside in a moment if they'd arrived by email. Clearly, no one at the radio station spends any time thinking about the quality of advertising they accept. Advertisements that I'd reject as utterly bogus are played time and again.

The latest of these is a series of ads that touts another get-rich-quick scheme: buying and selling Internet domain names. My first reaction when I heard the ad was that the business of buying and selling Florida swamp land has been disaggregated from any real property and moved to the virtual reality of the Internet.

In my opinion, anyone who participates in such a scheme just proves that another minute has passed ("there's a sucker born every minute"); but what I fail to understand is why local radio stations play these ads. Are they oblivious, are they avaricious, or are they just sloppy? It's not just that I think the people who participate in this scheme will, for the most part, lose money; that's Darwin at work and I can even argue that it's a good thing to fleece fools of their money. But I suspect that the Internet will suffer collateral damage as dimwits join the current crop of — shall we say marginally honest? — individuals who use Internet names in a mostly vain attempt to make money fast.