Can The Industry Stop break-ins on Facebook?

FacebookAfter my last post, a reasonable question is whether we in the industry have been goofing off on the job.  After all, how could it be that someone got their account broken into?  Everyone knows that passwords are a weak form of authentication.  Most enterprises won’t allow it for employee access, and we would string a bank CSO up by his or her toenails if a bank only used passwords to access your information. They use at a bear minimum RSA one time password tokens or perhaps Smart Cards.  So why are the rules different for Facebook?

They would say, I’m sure, that they do not hold the keys to your financial data.  Only that may not be true.  Have you entered credit card details into Facebook?  Then in that case maybe they do hold the keys to your financial data.  Even if you haven’t entered any financial data into Facebook?  Are you using the same password for Facebook that you are for your financial institution?  Many people are, and that is the problem.

Passwords have become, for want of a better term, an attractive nuisance.  It’s not that the concept itself is terrible, but they are increasingly difficult to secure, as the number of accounts that people hold continues to skyrocket.  Yes, the problem is getting worse, not better.  My favorite example is the latest update to the Wall Street Journal iPhone app, where the upgrade description says, “Application Enhancements to Add Free Registration & the Ability for Subscribers and Users to Login”.  What a lovely enhancement.  Right up there with enhancing the keyboard I am typing on to give me electric shocks.

Facebook is at least making a feeble attempt to get around this problem by offering OpenID access in some limited way (I tried using it from this site, and FB is broken, even though I can get into all sorts of other sites, including LiveJournal).  Still, it probably works for you if you are a Google, Yahoo!, or MySpace user, but for better or worse those sites themselves do not accept OpenID.  (The better part is that no one can simply break into one account and gain access to all of these other sites.  The worse part is that if you have some other OpenID, you can’t use it with these sites.)

OpenID has lots of problems, the biggest of which is that there is no standard privileged interface to the user.  This is something that Google, Yahoo!, and MySpace might actually like, because it means that they provide the interface they want to provide.  Unfortunately, programs, or more precisely the authors of programs, might find that a little irritating, since OpenID is so closely tied to the web that it is difficult to use for other applications (like email).

SAML and Higgins to the rescue?  OAUTH?  Blech.

Bamford’s latest update on the NSA

James Bamford is well known for his revealing of the National Security Agency in The Puzzle Palace, published in 1983.  He has written two updates since then, Body of Secrets and The Shadow Factory, the latest one covering the Bush Administration in some detail.  Bamford’s technical details in The Shadow Factory are nowhere near as good as they were in The Puzzle Palace, which is something that really attracted me to his writing.  Also, in this book, Bamford seems to play both sides of the fence, at one point arguing that the attacks on 9/11 were an intelligence failure, while at the same time arguing that we must safeguard our civil liberties.  This works, mostly because he successfully argues (in my opinion) that the government had all the power it needed to stop the attacks, but that incompetence ruled the day.

To be sure there are a few points I would take issue with.  For one, although I despise the name, it was probably a good idea to roll together many agencies into the Department of Homeland Security.  But quite frankly even that was done ineptly, as we have seen from auditor reports, again and again.

Returning to the Shadow Factory, in this update Bamford highlights the role of the Internet and the change in the nature of communications, where many communications have moved from sattelite to fiber, and from simple voice circuits to voice over IP.  He talks about certain organizations wanting to hire Cisco employees simply to reverse engineer IOS and find ways to install back doors.  I have no way of knowing if that has happened.

Bamford retreads much of the story about the illegal spying the NSA did within the United States, and how James Comey would not recertify the program.  While it makes my blood boil to think that anyone in government would think that such a program was legal (certified by the attorney general or not), that part of the story isn’t so much about the NSA as it is about Dick Cheney and David Attington.  Quite frankly I think Bob Woordward has covered that ground as well as could be covered.

Were I to give advice to Mr. Bamford it would be simply this: it is difficult to read just one of the three books he’s written, as either the earliest is woefully out of date, or the latest doesn’t stand on its own without having read the earliest.  A consolidated update that combines all three seems in order.

How Much Do You Value Privacy?

People in my company travel a lot, and they like to have their itineraries easily accessible.  My wife wants to know when and where I will be, and that’s not at all unreasonable.  So, how best to process and share that information?  There are now several services that attempt to help you manage it.  One of those services, TripIt.Com, will take an email message as input, organize your itinerary, generate appropriate calendar events, and share that information with those you authorize.

The service is based in the U.S., and might actually share information with those you do not authorize, to market something to you- or worse.  If the information is stolen, as was the case with travel information from a hotel we discussed recently, it can be resold to burglars who know when you’re way.  That can be particularly nasty if in fact only you are away, and the rest of your family is not.

But before we panic and refuse to let any of this information out, one should ask just how secure that information is.  As it happens, travel itineraries are some of the least secure pieces of information you can possibly have.  All a thief really needs is an old ticket stub that has one’s frequent flyer number, and we’re off to the races.  In one case, it was shown that with this information a thief could even book a ticket for someone else.

So how, then, do we evaluate the risk of using a service like TripIt? First of all, TripIt does not use any form of encryption or certificate trust chain to verify their identity.  That means that all of your itinerary details go over the network in the clear.  But as it turns out, you’ve probably already transmitted all of your details in the clear to them by sending the itinerary in email.  Having had a quick look at their mail servers, they do not in fact verify their server identities through the use of STARTTLS, not that you as a user can easily determine this in advance.

Some people might have stopped now, but others have more tolerance for risk.

Perhaps a bigger problem with TripIt is that neither its password change page nor its login page make use of SSL.  That means that when enter your your password, the text of that password goes over the network in the clear, for all to see.  It also means that you cannot be sure that the server on the other end is actually that of TripIt.  To me this is a remarkable oversight.

For all of these concerns, you still get the ability to generate an iCal calendar subscription as well as the ability to share all of this information with friends and family.  Is it worth it?  One answer is that it depends on whether you actually want to enter the information yourself, whether you care about security concerns, and whether you like using calendaring clients.  It also depends on what other services are available.

Another service that is available is Dopplr.  It also attempts to be a social networking site, not unlike Linked In.  Dopplr allows you to share you itineraries with other people, tells you about their upcoming trips (if they’re sharing with you), and it lets you create an iCal subscription.

Dopplr also has some security problems, in that they do not use SSL to protect your password.  They also do not use SSL for their main pages.  They do, however, support OpenId, an attempt to do away with site passwords entirely.  I’ll say more about OpenId in the future, but for now I’ll state simply that just because something is new does not make it better.  It may be better or worse.

And so there you have it.  Two services, both with very similar offerings, and both with almost the same privacy risks.  One of them, by the way, could distinguish themselves by improving their privacy offering.  That would certainly win more of my business.

The Do Nothing Presidency

Smoke Stack

Yesterday, the Bush Administration released a long awaited report by the Environmental Protection Agency, that says that Carbon Dioxide can and should be regulated.  One would think this a remarkable departure for an administration that has done everything within its power to destroy the environment, through drilling in fragile environmental areas, unmitigated logging, and the failure to protect endangered species.  There’s a catch: the Supreme Court ordered the EPA to develop the report, and in releasing it, in the same breath, the administration argued that regulation by the EPA to protect our children will hurt business and industrial growth.

Let’s review our tally for this administration:

  • Housing —  Failure to properly regulate the housing market has led to a massive series of bank failures.
  • The Energy Market — we are suffering from inflation due to a massive increase in oil prices, which itself is in part due to an inability of Americans to conserve.   The administration has done absolutely nothing to reduce consumption, or for that matter offer fuel alternatives.  Instead, they’ve argued that drilling in wilderness refuges will offer some form of relief, a claim that is disputed by every expert in the field, because it will offer no short term relief, while medium and long term relief are by no means at all assured.
  • Security— having gone to war twice and wasted billions of dollars on meaningless programs, the administration has managed to alienate America from the rest of the world, reducing people’s desires to visit, impacting tourism, and reducing our national credibility.  At the same time the Taliban has rebuilt itself, and we’ve lost our allies in Pakistan and now, seemingly Iraq (not that Prime Minister Maliki was every clearly an ally).
  • Education— No Child Left Behind has meant that our children haven’t gone forward as a group.  Our public education system remains in a shambles due to lack of incentives for good teachers, buildings that are falling apart, and a general willingness by this administration to divert funds to religious programs.
  • Public Transportation— our skies are more dangerous than they have been since the creation of the FAA.  More runway incursions, more close calls in the air, disgruntled workforces, and disgruntled passengers have left our air transportation system in a mess, while we’ve invested nearly nothing in ground public transport.
  • Public Welfare— with a remarkably lame response to Hurricane Katrina, the administration demonstrated that they could not be trusted with emergency crisis management.

In short, they did nothing except collect pay checks.  Perhaps Americans will pay more attention to our civic responsibilities the next time we hand someone the keys.

For the Umpteenth Time, IPv6 doesn’t do much for Security

If you read the wrong books or the wrong articles, some will claim that IPv6 has improved security over IPv4.  While this may be true in an extremely limited sense, for practical purposes there is no difference.  The only way in which IPv6 is really more secure that IPv4 is that one cannot easily port scan a subnet.  In some other ways, IPv4 might be more secure than certain implementations of IPv6, where the EUI-64 address is used as the lower 64 bits of the IP address, and thus enabling violation of privacy (e.g., tracking).  The most absurd statement I just recently read was that NAT causes Spam.  Where do these people get this stuff???