A lesson in transitive trust

Growing up in the New York area in the 1970s, one never really paid attention to all the crime that occurred.  There just was so much of it.  Even when I lived in California, while a murder would make the local news, it wasn’t something that would shake the community.  A murder in the Zürich area, however, is rare.  Maybe it’s because everyone has a gun, as my friend Neal might say.  Who knows?  The point is that people here are not inured to that level of violence.

Now we are discovering the online version of that.  When last we left our situation, we were trying to figure out how best to protect ourselves from evil bad guys by limiting the damage dumb passwords can do.  Since then, it has been widely reported that 10,000 Hotmail account passwords were stolen.  But they weren’t the only ones.  Many of the people who use Hotmail accounts also have GMail and Yahoo! accounts, and many of those passwords are the same.  Why?  Because humans don’t like having to remember lots and lots of passwords.  And of course, if you were one of those people who used the same password between both and linked your Yahoo or GMail account to Facebook, that means that your Facebook account could have been compromised as well.  And that means that your friends may have been attacked, as we previously discussed.

How could this be worse?  Let’s add Paypal into the mix.  If you use the same password for eBay as you used for Yahoo!, now all of a sudden, you have invited someone to empty your bank account.  Had Paypal implemented an OpenID consumer for login, an attacker wouldn’t even need your password.

Now let’s aggregate all of the people who do that.  The popular OpenID providers include Google, Yahoo, and Verisign.  As the number of providers increases, the concentration of risk of any one single failure decreases.  Concentration of risk is a fancy way of saying that one is putting all of one’s eggs in one basket.  On the other hand, from the perspective of a web site that uses OpenID or some other federated mechanism such as SAML, the information received from any random Identity Provider (IdP) could reasonably be considered suspect.

This leads to a few conclusions:

  • A large number of Identity Providers will require a service that provides some indication as to the reliability of the information returned by a given IdP.
  • The insurance and credit industries can’t manage concentrated risk.  We’ve seen what happens in the housing market.  The Internet can reproduce those conditions.  Hence, there will be limitations on transitive trust imposed.
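To make the chain in the post concrete (a Hotmail password reused at Yahoo, Yahoo linked to Facebook, the same password at eBay reaching PayPal), here is an added Python example, not from the original post, that computes the accounts reachable from one compromised credential and lists how many relying parties hang off each identity provider.  The account graph and relying-party table are constructed sample data.

```python
"""Transitive-trust closure over a small account graph (added example, not
from the original post). An edge a -> b carries the reason that getting into
account a also gets an attacker into b: b reuses a's password, or b accepts
a as a federated (OpenID-style) identity provider."""
from collections import deque

# Constructed sample data for one hypothetical user; names are illustrative.
TRUST_EDGES = {
    "hotmail":  [("gmail", "password reuse"), ("yahoo", "password reuse")],
    "gmail":    [("facebook", "federated login")],
    "yahoo":    [("facebook", "federated login"), ("ebay", "password reuse")],
    "ebay":     [("paypal", "shared credential")],
}

# Constructed relying-party table: which IdPs each site accepts for login.
RELYING_PARTIES = {
    "facebook": ["google", "yahoo"],
    "shop":     ["google"],
    "forum":    ["verisign"],
    "paypal":   [],  # password-only, no federated login
}

def blast_radius(edges, start, ignore_reasons=()):
    """Map each account reachable from `start` to the path that reaches it.
    `ignore_reasons` asks "what if these edges were gone", e.g. no reuse."""
    paths = {start: [start]}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt, reason in edges.get(node, []):
            if reason in ignore_reasons or nxt in paths:
                continue
            paths[nxt] = paths[node] + [nxt]
            queue.append(nxt)
    return paths

def idp_exposure(relying_parties):
    """For each IdP, the relying parties that fall with it (eggs per basket)."""
    exposure = {}
    for rp, idps in relying_parties.items():
        for idp in idps:
            exposure.setdefault(idp, []).append(rp)
    return {idp: sorted(rps) for idp, rps in exposure.items()}

if __name__ == "__main__":
    for acct, path in blast_radius(TRUST_EDGES, "hotmail").items():
        print(acct, "reached via", " -> ".join(path))
    print("IdP exposure:", idp_exposure(RELYING_PARTIES))
```

Running `blast_radius` a second time with `ignore_reasons={"password reuse"}` shows how much of the cascade disappears once the user stops sharing passwords, which is the cheapest mitigation the post points at.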

Conveniently, you are not without any protection, nor are the banks.  There are large federated marketplaces already out there.  Perhaps the two biggest are eBay and Amazon.  Amazon has the advantage of requiring a physical address to deliver to, for most goods, the exceptions being software, soft-copy books and downloadable movies.  In each of these cases, the transaction value tends to be fairly low, and the resale value of most of these items is 0.  It’s the resale value that’s important, because the miscreants in this business don’t want 150 copies of Quicken for themselves, nor can they really sell off an episode of House.

Paypal is another matter.  If someone has broken into your Paypal account, here is what they can do:

  • Empty it of any credit it might have;
  • Charge against your credit cards; and/or
  • Take money from your bank.

If you’re paying attention and act quickly, you might prevent some of these nasties from happening.  But first you will have to read a tome that is their agreement.  In all likelihood you have no recourse to whatever final decision they make.  If you’re not paying attention, your account and those associated with it become an excellent opportunity for money laundering.  What does it mean to pay attention?  It means that you are receiving and reading email from paypal.com.  That means that they have to have a current email address.  When was the last time you checked that they do?  Assuming that they do, it also means that you have to read what you are receiving.  Now, I don’t know about you, but I’ve been spammed to death by people claiming to be PayPal.  Remember how this post started by talking about being inured to crime?  Well, here we go again.

Time to Takedown: Successes and Failures

Takedown is a term used by Internet service providers and law enforcement officials that means the involuntary removal of a computer from the Internet.  For instance, if a computer has been compromised and is attacking other computers, a takedown is seemingly appropriate.  Tyler Moore and Richard Clayton have done some analysis on how long it takes to get a site off the net when it is doing something anti-social.  They look at about six different circumstances: phishing, defamation, child pornography, copyright violation, spam and bot sites, and generally fraudulent web sites.

Not surprisingly, firms such as banks that actively defend their brand are able to expunge hosts serving bogus content the fastest, and service providers are the most cooperative (the numbers cross jurisdictional boundaries).  Sites harboring material that exploits children take 10-100 times longer to remove than the banks’ cases.  That’s an enormous difference.  There are several likely reasons for this difference.  First, banks are acting in their clear best interest and do not mind shouting at whoever they need to shout at to get rid of material.  They’ve also likely developed strong relationships with service providers to speed the process.

The data on child protection is somewhat skewed by a single source, and that source had substantial jurisdictional issues, in as much as they did not feel empowered to deal directly with certain governments and service providers outside the UK, and in particular in the United States.  Worse, images that were removed had a tendency to re-appear on the very same web sites, indicating that either the site was re-compromised or it was poorly managed or both.

The data points to a clear need for stronger coordination by service providers throughout the world to protect children.  The fact that banks are able to be more successful in removing content that offends them demonstrates that it is possible when self-interest is a factor.

In the area of copyright violation, the RIAA has had success in removing sites that are clearly violating copyrights.  By injecting themselves into P2P networks the RIAA has been able to determine many sources of copyright violation.  The paper does not have a data source to analyze takedown periods.

Off To New Hampshire

Many of us are geeks.  We like to think that just because we have a good idea other people will like it as well.  We’re particularly bad at user interface design and understanding the underlying economic drivers for technology.  As a case in point, why is it that IPv6 hasn’t taken IPv4’s place, even though it has been in existence for nearly fifteen years and solves a real problem of address space shortage?  The answer can be found, I believe, in economics, which is to say that the motivations have not been there to spend the money to get people to move from one system to the other.

On Tuesday I am off to New Hampshire via Boston to attend the Workshop on Economics of Information Security (WEIS).  In past conferences, WEIS has covered such topics as when to disclose vulnerabilities, the economics of the insurance industry and cyberthreat insurance, digital media protection mechanisms, and the risks of new technology introduction.  One past paper that I particularly enjoyed discussed the risks of homo- versus heterogeneity in an enterprise.  It has long been an axiom that if you wanted to protect yourself from systemic failure you used redundant systems that are built using different methods.  In airplanes the rule is meant to keep passengers alive (although Airbus has flouted this idea, according to the Telegraph).

Cyberthreat insurance people take this to the extreme by not particularly liking even the idea of interoperability.  Their logic goes that any interoperating system can continue a cascading failure, and that is potentially true.  Of course, while an insurance salesman might want you to not have an accident, his management need some accidents to prove that insurance is necessary.  The extreme case of a cascading failure, however, has insurance people shaking in their boots.  They get away with insuring households and businesses against losses by (a) applying a reserve and (b) knowing that a fire or other natural accident can only cause so much damage in a local area.  In the case of a computer virus, they have no reason to believe that there is any locality, and so the policies tend to be very restrictive.

I have a few economic questions of my own to ask.  What will it take to motivate the adoption by a service provider of a new authentication mechanism that would provide benefit to OTHER service providers?  In other words, how will service providers serve the common good?  In general, by the way, they do.  They recognize rightly that if they don’t cooperate on their own they will be made to do so under far less favorable terms.  But here is something new, and not old.  Introduction of new technology and new ways to cooperate is not exactly what they’re all looking for.  I am.  If we can find improved methods of authentication for end users we can surely reduce the value a PC represents to a criminal.

Of course this means we have to create a new authentication mechanism that actually does improve matters, but as my favorite theoreticians say, let’s assume that’s true, never mind reality.  What then has to happen for the mechanism to be adopted by consumers and providers alike?

Going back to that earlier question of what will it take for IPv6 to get deployed, in this year’s WEIS Jean Camp, Hillary Elmore, and Brandon Stephens have produced a paper that puts the question into a formal economics context.  While the work is neither the beginning nor the end of the discussion, it is a very good continuation.

You can soon expect a post that discusses the outcome of this year’s conference.