Cherry-picking identity providers in the open eco-system

Recap from a story developing last week:

  • MSFT announced that it was accepting OpenIDs for the new HealthVault service, a cloud-based solution for managing health records. But not just any OpenID: only accounts issued by Trustbearer and Verisign are accepted. Both companies have two-factor authentication with portable hardware tokens.
  • The blog ConnectID objected to the restriction, claiming that it violates the spirit of “open” in OpenID. Why is the user not free to choose any identity he/she prefers to use?
  • MSFT’s identity architect fired back, joined by another blogger, both arguing that cherry-picking identity providers is fair game.

Underlying this exchange is a misunderstanding: agreement on protocols is necessary but not sufficient for identity federation. Accepting an identity issued by another company is a risk management decision, or, from a broader perspective, a business decision. The mere fact that the aspiring identity provider has successfully implemented some protocol, is compliant with some other standard, or runs the most popular software package for authentication is not enough.

Authentication is a security-critical function. Getting it wrong leaves every resource protected by that system vulnerable. And if something does break, it will always be the downstream service provider’s problem, even if they are provably not at fault. Suppose that HealthVault accepted identities from Keys-Are-Us, a hypothetical incompetent OpenID provider operating out of a basement. This is an external dependency: when Keys-Are-Us makes an assertion about the identity of the user, HealthVault accepts that assertion at face value and provides access to controlled resources such as health records. This is essentially betting on the ability of this shady outfit to properly run an identity management system. If Keys-Are-Us experiences a security breach, and health records are accessed by unauthorized persons as a result, MSFT is still on the hook. Yes, in principle it was not their fault: Keys-Are-Us made the error. But try getting that message across to the media and blogosphere pouncing on the incident as yet another indication of everything that is wrong with the Internet. More importantly, by agreeing to accept identities from Keys-Are-Us, HealthVault is implicated in the risk management decision.

Case in point: HealthVault accepts Windows Live ID, the identity management service operated by MSFT. (Full disclosure: this blogger worked on WLID security in a former life.) Because both of these organizations roll up to the same corporate entity, HealthVault designers have visibility into, and more importantly influence over, the risks of accepting these identities. Similarly, the Verisign and Trustbearer systems are known quantities, and their reliance on hardware tokens makes it possible to gauge the security assurance level in a way that is not possible for a random OpenID provider.
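To make that point concrete, here is an added example (not code from the original post, from HealthVault, or from any of the providers named) of how a relying party turns the business decision into policy. A toy assertion format authenticated with HMAC-SHA256 stands in for an OpenID assertion, and the issuer URLs, assurance levels and keys are constructed placeholders. The important ordering is that the issuer allowlist is consulted first: a perfectly well-formed, correctly signed assertion from an issuer the service never vetted is rejected without its signature ever being checked, because protocol compliance alone earns nothing.

```python
import base64
import hashlib
import hmac
import json

# Relying-party policy (constructed for this example). Only issuers the service
# has vetted are listed, each with the assurance level the service assigns to it
# and the verification key it holds for that issuer. All values are hypothetical.
REQUIRED_ASSURANCE = 2  # toy scale: 2 = multi-factor with a hardware token, 1 = password only
TRUSTED_ISSUERS = {
    "https://idp.hardware-token.example": {"assurance": 2, "key": b"issuer-a-secret"},
    "https://idp.password-only.example": {"assurance": 1, "key": b"issuer-b-secret"},
}
AUDIENCE = "https://records.example"  # this relying party


def mint_assertion(issuer: str, key: bytes, subject: str, audience: str) -> str:
    """Toy identity-provider side: a MAC over the claims stands in for the
    signature a real federation protocol would carry."""
    claims = json.dumps(
        {"iss": issuer, "sub": subject, "aud": audience}, sort_keys=True
    ).encode()
    tag = hmac.new(key, claims, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(claims).decode() + "." + tag


def evaluate_assertion(token: str) -> tuple:
    """Relying-party decision. Returns (accepted, reason)."""
    try:
        encoded, tag = token.split(".", 1)
        claims_bytes = base64.urlsafe_b64decode(encoded)
        claims = json.loads(claims_bytes)
    except ValueError:  # covers bad base64 and bad JSON
        return False, "malformed"
    if not isinstance(claims, dict):
        return False, "malformed"

    # Step 1: the trust decision. An issuer the service has not vetted is
    # rejected before any cryptography runs; there is no key to check against.
    policy = TRUSTED_ISSUERS.get(claims.get("iss"))
    if policy is None:
        return False, "issuer not in relying-party allowlist"

    # Step 2: integrity, using the key held for this specific issuer.
    expected = hmac.new(policy["key"], claims_bytes, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return False, "bad signature"

    # Step 3: the assertion must have been issued for this relying party.
    if claims.get("aud") != AUDIENCE:
        return False, "wrong audience"

    # Step 4: the issuer's assurance level must meet what the resource demands.
    if policy["assurance"] < REQUIRED_ASSURANCE:
        return False, "issuer assurance below requirement"

    return True, "accepted: " + str(claims.get("sub"))


if __name__ == "__main__":
    token = mint_assertion("https://idp.hardware-token.example", b"issuer-a-secret",
                           "alice", AUDIENCE)
    print(evaluate_assertion(token))
    stranger = mint_assertion("https://keys-are-us.example", b"anything", "mallory", AUDIENCE)
    print(evaluate_assertion(stranger))
```

The allowlist and the per-issuer assurance level are the two places where the risk decision the post describes actually lives; everything else in the function is protocol mechanics that any provider could implement.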

cemp

Charter and Project Canoe: one step forward, two steps back

Charter Communications announced that it was canceling a controversial plan to sell advertisers information about the web usage patterns of its customers. The plan had sparked a backlash from privacy advocates, soon spreading to regulatory agencies and culminating in the Connecticut Attorney General formally asking Charter to throw in the towel. As CNN/Money reports, the market barely shrugged, sending the stock down a mere 3.5% and leaving it trading well above its 52-week low. All of that effort for nothing? Once the dust settles, Charter may be remembered for successfully generating free PR (though not necessarily of the desirable variety) and for positioning itself as an ISP ready to make aggressive, ill-advised moves in the name of monetizing existing subscribers with complete disregard for privacy.

With the ink on that story barely dry, another news item from Reuters reports on privacy concerns about US cable providers teaming up to mine the TV viewership data of their subscribers. Objective: stop advertising revenue from shifting over to the web. Individual targeting is the main differentiating factor for advertising on the web, whether it is done by profiling users over time or derived from point-in-time context, such as a search query. By contrast, mass media suffers from its “broadcast” nature, where many people by definition will see the same content. The ability to tailor the message to the audience is very crude by comparison, despite heavy investments to improve it over the years. For example, today a newspaper can target a particular zip code: it is possible to get the New York Times to print a full-page ad but only for certain zip codes in Manhattan. Impressive as that sounds for an old-school newspaper, it is primitive compared to the level of customization on the web.

There are two pieces to the puzzle: the first is being able to understand the audience better, and the second is being able to deliver unique, personalized content to each subscriber. Digital cable in principle already solves the second problem. Unlike analog systems, where all channels are delivered to the user at all times and a “tuner” picks out the particular one, with digital cable the subscriber’s set-top unit requests a particular channel from the provider. That also allows solving the first problem: getting to know the subscriber. DVRs were the first devices with visibility into everything a user is watching and the ability to call home with this information. TiVo unwittingly created the first privacy scare over DVR tracking by commenting on the 2004 Super Bowl. Cable providers have long been able to derive similar conclusions. (The DVR does have an advantage in that it can report on multiple views, including the number of times a recorded program is watched and when. But then again, many DVRs today are bundled with cable packages and co-branded by the provider, so it is not clear who is calling the shots on the device logic.)

With both pieces in place, what remains is creating the platform. Enter Project Canoe. Backing this new initiative are Time Warner, Comcast, Cox, Cablevision — and Charter. From a privacy perspective there is good reason for concern. The extent of data mining is unclear. A key question is whether it will be limited to TV content. Several of these companies are both cable providers and broadband Internet providers. Charter crossed the line once before backing down. The current attitude is summed up in this quote:

“The cable industry is betting that full disclosure to subscribers about the information being collected, the ability for them to opt out, and the attraction of more relevant ads would help overcome potential misgivings.”

The problem is that few people read the disclosures, and even fewer understand the extent of data collection and its implications well enough to make an informed decision on whether this practice is consistent with their personal values on privacy. Even among users who decide to take issue, some fraction will be deterred by the difficulty of the opt-out process. Quoting an analyst about the initiative, the article concludes:

“It’s all but certain that the cable operators will have to set a third-party clearing house for information to safeguard privacy concerns,” Moffett said.

The article does not speculate on which independent entity would step up to the plate for that role. In general the idea of trusted third parties safeguarding information is very attractive in principle, but so far there have been no takers. Even the organizations trying to offer a much simpler service, third-party verification of privacy practices, have been dogged by skepticism about their effectiveness.

cemp

Debt collectors: next weak link for data security?

NetworkWorld has two interesting articles about the information debt collectors have access to and the risks posed by this concentration of data.

Call it the second wave of data breaches. The first wave came compliments of massive aggregators experiencing major data breaches (ChoicePoint, Acxiom, LexisNexis), briefly putting the issue of data security on the map before it faded from the collective consciousness again. These companies, which until recently had no direct consumer-facing operations and dealt only in B2B markets, were forced into the limelight for their 15 minutes of infamy and congressional grilling. Nothing encourages better security quite like public scrutiny. But the data aggregators, much like the credit reporting bureaus, essentially constitute an oligopoly immune to competition. Just as consumers have no choice in opting out of having their credit history collected by the “triumvirate” (Equifax/TransUnion/Experian), they have no meaningful choice over having their information compiled and commoditized. In fact, owing to the lack of anything comparable to FCRA, there is even less accountability for data providers. Given this lack of economic incentives, it remains to be seen whether the security lockdown and public floggings after the data breaches will have any effect. Meanwhile the Network World article draws attention to debt collectors, who often receive their data from the major brokers and often end up spreading it around in the name of tracking down missing payments, as the next problem spot. Quote:

“As IT director for a medium-sized collection agency, I can tell you that there are indeed many large databases out there that we use for ‘skip tracing’. . . [and] anybody posing as a business can get access to them.”

“So what information can be acquired? […] Social Security numbers, known accounts (but not account numbers), known aliases, all of present and past addresses, the names of people living near the debtor (known as “nearbys”), people in the same town with the same last name (known as “possibles” as they might be related to the debtor), companies having made recent queries against the debtor’s credit and recent employers.”

The earlier article by the same author establishes the position of debt collection agencies as the downstream beneficiaries from the main artery of information flow. Barriers to entry are remarkably low:

It turns out pretty much anyone can set up a collections operation by buying a package of bad debts for around $40,000, hiring collectors who will work on commission, and applying for the appropriate city and state licenses. Once a company is set up it can buy access to Acxiom and Experian and other databases and start hunting down defaulters.

There is a circularity to all of this. Defaults may be one of the expected consequences of easy credit. That credit is made possible only by the massive databases that allow any business anywhere in the country to make a decision within minutes about the creditworthiness of any customer who walks in the door. Proponents justify the existence of data collection and mining operations by that one benefit: a portable “reputation score” that travels with the individual, attached to their social security number and unlocking doors at every step, such as the doors to a new home or a new car. The information no doubt is important for the efficient functioning of the system; the subprime debacle showed what happens when lending decisions are made without regard for credit rating. (Oddly enough, in that case easy access to information made no difference; since the mortgage was being securitized with an over-inflated rating, the lenders had no incentive to check on the odds of repayment.) When debt collection agencies purchase and share that data, they are trying to solve a problem that would not have existed unless extensive credit data were available in the first place to make bad lending decisions an endemic problem.

cemp

Changing of the guard at Microsoft

Gates officially steps down from day-to-day responsibilities at Microsoft today.

For those of us who spent any significant amount of time at MSFT, this is a watershed event. Even after Steve Ballmer became chief executive officer, Gates remained actively involved in technology decisions and product reviews. More than anyone else, he was the heart and soul of the company. After his ambitious vision, a personal computer on every desk running MSFT software, was accomplished for all practical purposes, the company had difficulty articulating a new direction or rallying around an equally compelling objective.

cemp

Update: Comcast changes traffic management policy

(Follow-up to earlier posts on interference with Slingbox traffic)

Comcast had announced that it was making changes to the way network traffic is managed. Perhaps as a result of this change, this blogger has observed that a Slingbox located in a Philadelphia residence with Comcast broadband access no longer shows the strict cap of 350kbps on upstream bandwidth. During sustained streaming, the bandwidth reported by the Sling Player application regularly hovered around 800kbps. On the downside, the difference in video quality between this new unrestricted stream and the artificially capped one was barely perceptible.

cemp

3G iPhone and location privacy

An article from New York magazine rediscovers the age-old problem of location privacy in mobile devices. Titled “iTagged: get ready for the stalkverse,” the alarmist piece vividly attempts to describe the dangers of having everyone else learn about our location:

Technology was certainly not supposed to know you were at the laundromat. Or the Yankees game. Or your co-worker’s apartment when you were supposed to be working late. But now when you’re at the laundromat, everyone will know.

All true, but this is not a new problem introduced by the iPhone. It is not even aggravated by the phone having GPS. Global Positioning System sounds like a very neat feature but remains largely a red herring from the privacy point of view, because it is neither necessary nor sufficient for tracking. It is not necessary because mobile operators have been legally required by the FCC to be capable of locating their subscribers by triangulating a position from cell phone towers. Dubbed enhanced-911 or E911, these regulations had a very simple objective: knowing where to send the ambulance, fire engine and police car when a 911 call is received. While the USA lagged, and to this day continues to lag, Europe and Japan in wireless adoption, the FCC correctly predicted that in the future more and more calls would be placed from phones that were not bound to a fixed location that could be looked up in the phone directory.

Not surprisingly, the reception was mixed. Privacy advocates feared that the capability could be used for tracking individuals without oversight. (One ancient article from Infoworld points out that judges must approve any law enforcement access to location data.) Public safety groups pointed to cases in which E911 was used to locate individuals in kidnappings, and even urged users to change the settings on their phones to enable location at all times. These regulations were phased in over time, requiring that 95% of handsets sold in 2005 be capable of radiolocation. Considering that the average lifetime of a handset is 18 months, a reasonable assumption is that all phones in use today support the feature. No GPS required.

GPS is also not sufficient because it requires line of sight to satellites (forget about it working indoors) and can be frustratingly slow to develop an initial fix. At best, GPS adds to tracking capabilities when the subscriber is attending Burning Man, out of range of cell phone towers. Of course, without reception the phone has no way to report the location back to would-be stalkers in real time, but presumably it could store that information for upload once the handset has service again.

Where the iPhone could have a disruptive effect is in the integration of the feature and its social acceptability. Some handsets today allow using the phone for driving directions with real-time position information, placing the carriers in direct competition with dedicated GPS units such as Garmin’s. A few carriers such as Nextel directly advertise tracking as a feature for fleet management. These are strictly business applications: the phones are carried by employees in charge of some asset owned by the company, and the intention is tracking the asset more than the individual. The poster child is the trucking company with 18-wheelers criss-crossing the country that wants to know exactly where each truck is so it can re-route the one closest to Dubuque to pick up another load.

The iPhone is strictly a consumer technology, and one that defines the cutting edge. The moment a popular application comes along that requires the user to opt in to location tracking, it will create social pressure for others to do the same. It will define the new standard for what is “acceptable” in location privacy. This is the main takeaway from the article:

Because you’ll be letting them know. Maybe not yet; you’re still shy, and think the laundromat is boring. But in a year or two, when everyone is doing it, that shyness will start to seem stupid. It will begin to seem rude not to tell—I mean, what’s wrong with the laundromat?

And some predictions for awkward consequences:

The initial etiquette screwups are going to be exquisite: not just the stalking, but the brand-new form or snubbing where you can see your friends gathering without you. You’ll feel wildly self-conscious for about six months. But soon it’s all going to seem normal and automatic.

Such a race to the bottom is not unknown in privacy. The moment people started putting their personal lives on display on Facebook, it created pressure on others to become even more transparent. How long until there is a Facebook gadget that charts your location on a map? Forget about Dopplr and depending on the user to diligently report their wanderings; the next web 2.0 application with no regard for privacy can tap into that information straight from the iPhone.

cemp

Charging by the gigabyte and end of the free bandwidth lunch

This Sunday an article in the NYT takes up the question of bandwidth pricing, joining earlier speculation on this blog about the twilight of flat-fee subscription models. The article, with the self-explanatory title “To curb Internet traffic, access providers are beginning to charge by the gigabyte,” cites an experiment Time Warner is running in Beaumont where customers can choose between 5GB, 20GB or 40GB capped monthly plans. In case you have never heard of Beaumont: the article states that it is a city in Texas with a population of around 100K, exactly the type of place to run such an experiment without attracting a lot of attention or generating resentment from a cosmopolitan audience spoiled on the comforts of streaming YouTube videos all day long. It is a good, balanced piece aside from the author’s confusion between BitTorrent the protocol and BitTorrent the company when recounting the Comcast debacle.

These magic 5/20/40GB numbers also raise the question of exactly what average bandwidth usage is. There seem to be few academic papers in this area. One Time Warner executive quoted in the article says:

“Average customers are way below the caps… These caps give them years’ worth of growth before they’d ever pay any surcharges.”

The only figure cited in the article is that 95% of customers use under 40GB of traffic each month. (It is not clear whether this is downstream, upstream or combined.) Chances are Time Warner sliced and diced the bandwidth usage data very carefully before choosing these numbers and the associated prices, which range from $30 to $50, plus the $1 per GB overage fee for exceeding the caps. One problem is that there is no single average Internet user, as the author of the NYT piece argues very convincingly. The novice checking email and movie times could be happy with the 5GB cap, but an addict streaming videos or watching TV shows on Hulu.com is likely to run over even the more generous limits. One Netflix download is a couple of GB. Watching a handful of movies every month may not break the bank in this model, but at the surcharge rate of $1/GB, suddenly a movie ticket or a rental from the local store is competitive with what used to be “free, unlimited” instant viewing. More importantly, there is a network version of Parkinson’s law which states that content expands to saturate the bandwidth available. As the capacity of networks increases, more bandwidth-hungry applications are introduced.

So far it is an experiment, but if this model goes mainstream it would threaten the revenue stream for media companies. Netflix and Hulu depend on consumers being able to stream their content. Until now subscribers did not have to dutifully count their bytes the way cell-phone users count their minutes. An iTunes download was not competing for scarce bandwidth quotas with a high-definition movie from Xbox Live Marketplace. Even if the bandwidth is not capped but throttled in the interest of fairness, it will create a mindset of scarcity and zero-sum choices between different options. On the bright side, broadband users may become more discerning and not forward that inane lolcatz video around one more time.

The alternative is for the content providers to compensate the ISPs. In this model Netflix would pay Comcast directly and those downloads would not count towards the monthly quota. In effect this is a type of revenue sharing, or extortion, depending on which side of the deal one is focusing on. It also creates a troubling situation for network neutrality. When some content is “free” and other content requires payment in scarce bandwidth allocation, speakers that are not able to pay ISPs to absorb access costs are in effect disadvantaged. Critics might contend that the same situation applies today, in that companies with large data centers and fat egress pipes are better able to push their content to an audience. Yet those correspond to capital investments in the endpoints, fully under the control of the speaker. An ISP metering bandwidth sits between the content provider’s data center and the target audience, able to manipulate the economic incentives for accessing that content regardless of how state-of-the-art the data center originating the content may be. This is a case where artificially created bandwidth scarcity may have the effect of picking winners and losers between business models, as well as between content providers.

cemp

LifeLock: the plot thickens

(Follow-up from earlier post)

The past few weeks brought more developments in the story of LifeLock, the company that promises identity theft protection and challenges would-be criminals with the social security number of its CEO. The New York Times published an article on May 24th covering this story. The overall tone of the article is fairly negative on the value proposition of this service:

“…a fraud alert is more like a burglar alarm. And if the alert repeatedly fires off false alarms, forcing creditors to constantly double-check the identities of LifeLock customers who have never been victims of fraud, it is possible that those credit issuers will pay less attention to them. Experian is so worried about this, along with other issues, that it has filed suit against LifeLock.”

Strangely, the company has found a new ally in Bruce Schneier, who came out swinging in defense of LifeLock. Schneier portrays the issue purely as a conflict of business models between the triumvirate of credit reporting bureaus (Equifax, Experian and TransUnion) and LifeLock. Credit reporting agencies prefer that the process of completing a credit check and clearing an applicant be easy. LifeLock’s mission in life is to make that process as difficult as possible for the lender, in order to reduce the risk that the application was fraudulent.

“The reason lenders don’t routinely verify your identity before issuing you credit is that it takes time, costs money and is one more hurdle between you and another credit card. (Buy, buy, buy — it’s the American way.) So in the eyes of credit bureaus, LifeLock’s customers are inferior goods; selling their data isn’t as valuable. LifeLock also opts its customers out of pre-approved credit card offers, further making them less valuable in the eyes of credit bureaus.”

And later in the same approving vein: (links in the original)

“It’s pretty ironic of the credit bureaus to attack LifeLock on its marketing practices, since they know all about profiting from the fear of identity theft. Facta also forced the credit bureaus to give Americans a free credit report once a year upon request. Through deceptive marketing techniques, they’ve turned this requirement into a multimillion-dollar business.”

One point where everyone is in agreement is that the services are not worth it from a purely financial point of view. Most of the actions taken on behalf of subscribers by the commercial services can also be taken by individuals directly, for free. Convenience is the main selling point. For example, anyone can request to have an alert put on their credit file, but these expire after 90 days.

The original Wired article covering allegations that the service does not work appears to have been removed. Not to worry: Kim Zetter (full disclosure: she is a friend), writing on the Threat Level blog, has missile lock on the company. In a series of posts she highlighted an original piece from the Phoenix New Times that surfaced questionable past connections of the co-founder. LifeLock announced in response that he was resigning from the company.

cemp

Debian/OpenSSL vulnerability: subtle and fatal (1/2)

Most vulnerabilities in COTS software are quite blatant about their root causes and direct in their impact. A remote code execution vulnerability can be traced to a low-level programming error, and its immediate effect is likely an 0wned machine or the next billion-dollar self-propagating malware. Once in a while, a new and extremely creative type of bug is introduced that defies this pattern. The flaw in the OpenSSL random number generator that affected Debian and Ubuntu is one of those rarities.

The short version: Debian developers attempted to fix a problem in OpenSSL that was flagged by static analysis software. (For other takes on the problem: my colleague Ben Laurie has taken the Debian maintainers to task and added some clarifications about the response, XKCD has neatly summed up the issue with a comic strip, and Gartner argued that this incident is indicative of deeper problems in open source, just in time for a Coverity report that gave glowing reviews to open-source projects for fixing issues identified by their technology.) It turned out the fix was much worse than the ailment:

  • Motivation: the specific problem flagged by the automatic analysis of source code was an instance of using uninitialized memory, something that ought not to occur in an ordinary application and is almost always a bug. But a library implementing cryptographic functionality has unusual requirements. In this case the OpenSSL designers were intentionally using uninitialized memory to seed the randomness pool. C/C++ language lawyers will jump up and down at this point, screaming that the use of uninitialized variables on the stack is undefined by the language. “Undefined” means that the compiler is free to optimize out the code, insert an easter egg, cause the application to crash if it reaches that instruction, etc. Pragmatically speaking, on most CPUs, operating systems and compilers that OpenSSL is likely to reach, the memory ends up retaining the junk that was written last time, and this unpredictability is exactly what is required for randomness.
  • Neglected wisdom: the important point is that the bug was not causing OpenSSL to crash or misbehave. In the worst case, the memory region contained predictable data such as all zeroes, so there was no benefit in seeding a randomness pool with it. No problem, because there were many other sources of randomness used. This is a good time to remember the classic engineering adage: “if it ain’t broke, don’t fix it.” Debian developers did “fix” it, but in doing so they removed the addition of all entropy to the pool, instead of simply removing the one instance that was questionable.
  • Outcome: the OpenSSL random number generator was completely broken. This is a major problem when dealing with cryptography. Everything depends on keeping secrets; encryption only protects data from people who do not have the decryption key. When keys are not random patterns but are generated according to a very predictable pattern, they are no longer secret. The surprising part is that the code did not have a “vulnerability” in the classical sense: OpenSSL would not crash on malformed data because of this, it would not start running somebody else’s code or cause the machine to become the latest inductee into a botnet. A security researcher looking for yet another buffer overrun would be disappointed to realize that nothing of the sort was introduced as a result of the Debian update.
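As an added illustration of why the outcome was fatal (a toy model constructed for this post, not OpenSSL or Debian code): a hash-based pool whose mix-in step can be switched off, which is what removing the entropy addition amounted to. The only input that still varies between processes is the process id stirred in at output time, so two processes that happen to share a pid derive the same “random” key no matter how much entropy was offered to the pool, and the number of distinct keys across many processes is bounded by the pid space rather than by the key length. The pool layout, the 4-byte pid encoding and the 32768-entry pid space are assumptions of the model, not details of the real code.

```python
import hashlib
import os


class EntropyPool:
    """Toy hash-based randomness pool (constructed for this illustration)."""

    def __init__(self, mix_entropy: bool = True):
        self.state = bytes(32)          # fixed starting state shared by every process
        self.mix_entropy = mix_entropy  # False models the mix-in step being removed

    def add(self, data: bytes) -> None:
        # Healthy behaviour: fold the offered material into the state.
        # Broken behaviour: the call is a no-op, so the state never changes.
        if self.mix_entropy:
            self.state = hashlib.sha256(self.state + data).digest()

    def random_bytes(self, n: int, pid: int) -> bytes:
        # The process id is stirred in at output time, as in the original design.
        # Once seeding is a no-op it is the only input that differs per process.
        out = b""
        counter = 0
        while len(out) < n:
            out += hashlib.sha256(
                self.state + pid.to_bytes(4, "big") + counter.to_bytes(4, "big")
            ).digest()
            counter += 1
        return out[:n]


def generate_key(seed_material: bytes, pid: int, mix_entropy: bool) -> bytes:
    """Simulate one process seeding its pool and deriving a 128-bit key."""
    pool = EntropyPool(mix_entropy)
    pool.add(seed_material)
    return pool.random_bytes(16, pid)


def distinct_keys(n_processes: int, mix_entropy: bool, pid_space: int) -> int:
    """Count distinct keys produced by n simulated processes.

    pid_space is the number of possible process ids in this toy system (an
    assumption of the model); each process offers fresh OS randomness as seed.
    """
    keys = set()
    for i in range(n_processes):
        seed = os.urandom(32)
        keys.add(generate_key(seed, i % pid_space, mix_entropy))
    return len(keys)


if __name__ == "__main__":
    same = generate_key(b"seed-one", 4242, False) == generate_key(b"seed-two", 4242, False)
    print("same pid, different seeds, broken pool -> identical keys:", same)
    print("distinct keys from 1000 processes, broken pool, 16 pids:",
          distinct_keys(1000, False, 16))
    print("distinct keys from 1000 processes, healthy pool, 16 pids:",
          distinct_keys(1000, True, 16))
```

Nothing in the broken variant crashes, returns an error or looks wrong to a fuzzer; the output is still a well-formed stream of bytes. The defect is only visible when you ask how many different streams the system as a whole can produce, which is exactly the property a buffer-overrun hunter never measures.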

(continued)

cemp

“Unauthorized charger” and other device restrictions

One of the common complaints about electronic gadgets is that nearly every one requires a different power adapter. The diversity cannot be explained by differences in power consumption; a laptop that burns 90W could just as easily be powered by an adapter rated for 100W. The price would at best increase very slightly with the maximum rating, and this difference would likely be compensated for by the economies of scale from standardizing on a small number of models. Yet manufacturers continue to insist on not standardizing their adapters in the hope of generating additional revenue.

Mobile phones are an interesting case. As smart-phones proliferate they require both power and data connectivity. The other end of the data connection is likely going to be USB. A sufficiently arrogant company could insist on its own FireWire (or is that IEEE 1394?) technology out in left field, as the original iPods did, but fortunately most consumer electronics have settled on USB 2.0. Speaking of the iPod, it was one of the first devices to combine data and power into a single cable. Mobile phones are following suit now.

So it is something of a surprise to see the RAZR V3m display “unauthorized charger” when connected to a MacBook Pro. It is not a smart-phone, so there is hardly any data to synchronize, but USB is still good as a power source. There is no good reason for the phone to reject it. If this is by design and not just flakiness on the part of the handset, it is yet another pointless attempt to go against the current of interoperability in order to lock consumers into a single brand of peripherals.

cemp