Archive for April, 2007

Kids and their identities

Saturday, April 28th, 2007

I found this study interesting because it is essentially a long discussion on managing identity. While it is in the context of teenagers, I think this discussion applies to most anyone and everyone interacting in the online world. Also of note, this paper brings up how parents do pay attention to what their kids do online and that kids do utilize the features of the online world to provide a physical safety buffer.

Anyway, a couple of choice paragraphs, just because they tie in with recent postings.

This differential between the sexes was reinforced by comments from our focus groups. When teens, particularly girls, talked about protection of their privacy online, their main concern was the protection of their physical self – if a piece of information could easily lead to them being contacted in person, girls would not share it readily. A middle school girl explains “If they can access you, like person to person or in any way other than [the internet], it’s not okay…Like if they can…talk to you, if they can find out where you live, that’s not okay. If you’re putting anyone in danger, it’s not all right.” But for modes of communication that were not physical or “real world,” girls were more likely to share information of that type.

Ok, so pseudonyms can provide some level of freedom from physical intimidation, and even kids get this. Good to know.

Studies of child victimization have shown that incidences of sexual abuse, physical abuse and other forms of maltreatment have been declining since the early 1990’s. Research has also shown that acquaintances and family members are responsible for most of the physical crimes committed against children.[...]

Translation, insiders pose the overwhelming threat to kids (and not random people on the Internet), but kids are generally safer today than they were 15 years ago. No shock there. (This came up in the context of Tor recently.)

Which makes me start thinking of insider risks. While we generally speak of these in terms of companies and governments, they apply to any organization, including families. For example, look at this discussion and think how it maps to the preceding.

Staff employees pose perhaps the greatest risk in terms of access and potential damage to critical information systems. As vetted members of the organization, employees are in a position of trust and are expected to have a vested interest in the productivity and success of the group. Considered “members of the family,” they are often above suspicion-the last to be considered when systems malfunction or fail.

This makes me wonder something. Since most attacks on kids come from insiders and in a very social context that perhaps has less reporting rules, whistleblowing and outside help seem particularly important. Here, the Internet seems to be a powerful tool, providing access to a wealth of information and a means of communication. Which brings many questions to mind, for example, in the realm of anonymity and pseudonymity… How often do victims utilize anonymity and pseudonymity in order to call attention to or get help for their situations? Do the initial steps towards breaking out of such a world involve anonymously reaching out to the outside world for help, such as researching ways to escape from abusive relationships?

And, now some idealism…

So much has been made of the evils of the Internet, and, in particular, the anonymity and pseudonymity provided by the Internet. “Mean” people willing to pounce on anyone and everyone while hiding behind pseudonyms. Pedophiles lurking around every corner. “Dangerous” information available at one’s fingertips. Criminals able to hide from law enforcement. And so on.

But, how scary is the Internet really? I’d say that pseudonym of yours just might be a great leveler of the playing field. Take away the physical threats and suddenly the world seems a lot less scary a place. Take away the source of our basic biases (e.g., looks, sex, age, race, etc.) and suddenly the world seems a lot more focused on skills, reputations, etc. Able to make our own choices about what information we access and with whom we associate (indiscriminate of physical borders) and suddenly we are all that much freer to live our lives.

With these kids growing up in a pseudonymous world and, by virtue, gaining a strong understanding of identity, what we really need to do now is provide such people much more control over their identities. And, to do so, we need the capability of strong pseudonymity all over the place. Which helps set the stage for a much more cypherpunkly world, even if it is a decade or so later than some expected. HA!

Back to reality…

As I write this, e-gold is being smacked down.

Choking

Saturday, April 28th, 2007

I was reminded the other day that security is about people.

I was eating at a chain restaurant (TGIFs) with my mother the other day. At some point, my mother started choking on a piece of food. (I say this matter of fact, but it is actually quite frightening.)

Now, those who have seen somebody choking know this simple fact, someone choking cannot speak. They can motion for help, all of their expressions can indicate they need help, they can even mouth help, but they can’t say “help!” And, my mother was exhibiting all these signs. (The silence of it all is quite surreal. You generally think of someone screaming for help, but that is not the case in these situations.)

Like most of us, I knew of the Heimlich Maneuver, but I hadn’t actually had to perform, or even practiced (at least since grade school), the Heimlich Maneuver. So my first instinct was to reach out for help while I tried to provide help myself.

It was strange, but at that moment I had a very clear recollection of something I had read a while back (in Gladwell’s Blink, I think) about how one of the keys to getting help in such an emergency was to directly pinpoint someone and ask them for help. Reaching out to a large group was too risky, as people generally looked around and assumed someone else would help if help was necessary. You had to give someone direct responsibility for providing help.

So, I grab an older waiter walking by and ask him if he knew the Heimlich because my mother was choking and we needed help immediately. He said no at first and went off to get help.

In the meantime, I started giving my best approximation of the Heimlich to my mother. My arms were too low at first and you worry about being too forceful. Thankfully, my mother knew more about the Heimlich than me, so she moved my arms upward and indicated that I need to apply more force. I did so.

The waiter quickly returned and indicated that he thought he knew the Heimlich better than me but had told me no because he had never had to actually perform it.

By the time I thought it was taking too long for me to successfully utilize the Heimlich and decided to give someone or something else a try, my attempts turned successful, the food was dislodged, and my mother could breathe.

(This all sounds drawn out, but it actually happened in a matter of seconds. Time seems to move slowly in such situations.)

My mother was embarrassed. The waiter was sympathetic. I was just plain relieved. The danger had passed.

Of course, today I read the Wikipedia entry for Heimlich Maneuver and looked at this paper by the Red Cross.

CHOKING

Choking is a common breathing emergency. When a person shows signs that he or she is choking, responders must act quickly to relieve the obstruction.

CONSCIOUS CHOKING

This sequence and choice of skills are reflected in the American Red Cross Conscious Choking Algorithm (Figure 5) and are based upon review of the current science on care and education and the expert input of American Cross volunteers and professional staff.

If a person can cough forcefully, encourage the person to do so.

If a person cannot cough forcefully, speak or breathe, the person may be choking. There are several techniques for clearing an obstruction: back blows, abdominal thrusts and chest thrusts. Because there is no evidence which technique is better and there is clear evidence that in many victims if one method does not work another method sometimes does, the technique for conscious choking is a series of back blows followed by abdominal thrusts (p. III-6). In addition when you approach a victim from the front, as taught, you are in a natural position to deliver back blows first.

Back Blows and Abdominal Thrusts

The responder should take a position slightly behind the victim. Provide support by placing one arm diagonally across the chest and lean the person forward.

The responder should firmly strike the person between the shoulder blades with the heel of the other hand five times. If the back blows do not dislodge the object, give five abdominal thrusts. Continue to give sets of five back blows and five abdominal thrusts until the object is dislodged and the person can cough forcefully, speak or breathe, or until the person becomes unconscious.

Special Situations–If a victim is pregnant or the responder cannot fully reach around the victim, chest thrusts should be used instead of abdominal thrusts.

A few lessons from this -

  • Being prepared is important. Not only to prevent security incidents, but also to be ready to handle them.
  • Education matters. Part of being prepared is knowing what to do.
  • Practice matters. Reading about something is often quite different from actually doing it.
  • There is no better teacher than experience.
  • Availability is part of security, IT or otherwise.
  • There is nothing wrong with asking for help, but be prepared to help yourself as well.

Irritated anon ramble

Tuesday, April 24th, 2007

First, I wanted to note I just wrapped up an effort that involved design review, and now I am beginning an effort that is primarily development. For whatever reason, writing code generally stops me from writing blog posts. (Almost every long period of silence on this blog stemmed from such times.) So, this is probably the last post for a while, unless I break from that trend.

Next, I thought it prudent to point out that I am not static and my view of the world does change. In particular, my current views on anonymity and pseudonymity may not mesh with everything I have said in the past. More so, I often use flawed language to talk about these concepts, although, internally, my logic may be consistent to me (see my previous post for an example of this, and see the second to last paragraph of this post for clarification).

Now, I have yet to figure it out, but people seem to get offended or irritated when I comment on anonymity and pseudonymity, and then I suffer through discussions of little merit blunted only by imperial pints of Guinness or gorgeous faces. This may become more so when I wonder out loud about things like showing ID in airports (thoughts about which seem to frighten people), but even the basic terminology seems to cause unhappy feelings among those that know of such things. Most of these people are quite bright and yet they seem to debate basics with me (much like these discussions about whether availability is part of security), so I wonder if the stupidity really lies with me.

Anyway, here I endeavor to explain myself with regards to actions, and anonymity and pseudonymity. I do so in a ramble, which might make labeling this as an explanation more of a pipe dream than a reality. Regardless, onward…

-

When it comes to anonymity and pseudonymity and my discussion here, I am talking from the perspective of actions, and, in particular, the unlinking of actions from the entities performing, or requesting to be performed, said actions. So, from that window, let’s see what we can see.

With respect to actions, anonymity refers to the ability to take, or request to be taken, actions that cannot be linked to an entity as the originator of said actions. For my purposes here, anonymity can be thought of as having this core property – that actions cannot be linked to the entity that performed, or requested to be performed, said actions given knowledge of the actions and/or the entity but not the link between them. There are degrees of “cannot,” of course – we are not speaking in absolutes. For example, compare the degree of “cannot” when using a single proxy server to mask your IP from a web server versus using Tor to mask your IP from a web server. And, before someone points out that I have said nothing about recipients here, I treat the act of receiving as an action in and of itself – think dead drops.

For example, say you want sender anonymity in email, and you use a remailer chain as part of this goal. What is the action here that is to be anonymous? The act of sending the email from you to the recipient is to be anonymized such that the exit of your message from the remailer chain cannot be linked back to the entry of your message into that chain. Well, what does that action include? Simple enough – the sending of the message by the sender to the first remailer in the remailer chain, the progression of the message through said chain, and the message’s delivery to the recipient’s mail server from the final remailer in the chain.

Ok, so it should be noted that just because an action itself is anonymous does not mean the actions before and after that action are anonymous. Sticking with our email example, the entry into the remailer chain is not anonymous – this action can be observed and linked to the sender of the message.

It should also be noted that just because an action itself can be anonymous does not mean it has to be used for anonymity. Which also means that just because anonymity is possible does not mean it is a given. Back to our email example, the content of the message being sent anonymously may be in plaintext and contain, say, your home phone number. As such, the final remailer (and other observers) as well as the recipient can know who you, the sender, are.

Now, I don’t feel anonymity precludes the ability to tie actions together. Not knowing the entity performing an action is not the same as not knowing two actions are part of a particular sequence of actions, but it may be that this sequence of actions itself could be labeled as a distinct action. Back to the anonymous email example, the action of sending an email is composed of many actions, such as the hop from remailer to remailer through the chain. As distinct actions start to be bound together though, an identity begins to take shape and we cross over into the world of pseudonymity.

With respect to actions, pseudonymity refers to the ability to take, or request to be taken, actions that can be linked to an identity. For my purposes, pseudonymity can be thought of as having this core property – that an identity cannot be linked to the entity assuming that identity given knowledge of the entity and/or the identity but not the link between them. Like with anonymity, there are degrees of “cannot.” For example, if a trusted third party provides your pseudonym service, such as a webmail service like gmail, then perhaps a court order could be used to force that third party to reveal you as the owner of that pseudonym. Or, take IM services, which sometimes provide a searchable database to map names to pseudonyms.

Unlike with anonymity, the logic of coming to that core property of concern to us for pseudonymity is not necessarily transparent, so let’s elaborate slightly. When we are dealing strictly with actions, pseudonymity is dealing with identities and actions taken by those identities. Since identities and actions are linked together, we can think of actions as indistinct from identities, and, thus, the disconnect between an entity and its actions must stem from a disconnect between an entity and its identity, from which reasoning that property is derived.

So, back to our email and remailer example, I may use a distinctive writing style and dedicated private key (to sign all my email messages from that nym) and then send it through a remailer chain, such that all messages can be fairly well established as originating from this nym, but mapping that nym back to me is difficult (assuming I don’t make it easy by, say, including my home phone number in such messages, or writing said messages in a style that clearly belongs to me, with me being the person behind the nym).

Clearly, pseudonymity does not mind actions being tied to an identity. In fact, this linking is a major reason pseudonymity is chosen over anonymity in many cases. History, reputation, and all those fun things are often quite important in the world and these can all be bound to an identity, even if that identity cannot be mapped back to an entity.

Now, you are probably saying something to yourself here – anonymity and pseudonymity seem like different ways of looking at the same thing, which, here, is unlinking actions from entities. True enough. From this actions perspective, I would go as far as to say pseudonymity and anonymity are equivalent. The reasoning is quite simple –

Anonymity says nothing about identity, it just unlinks actions from entities. Pseudonymity links actions to identities, but unlinks identities from entities. If an action is bound to an identity but that identity is not bound to an entity, then that action is not bound to an entity either. In other words, being pseudonymous is also being anonymous.

Going the other way, pseudonymity links identities to actions. As such, those actions themselves can be thought of as identities. (This can be illustrated by thinking of assigning a distinct action to each and every instance of an action.) With actions being identities, then the unlinking of actions from entities provided by anonymity is, in effect, pseudonymity.

With everything pseudonymous also anonymous, and everything anonymous also pseudonymous, anonymity and pseudonymity are one and the same; however, there is still a very important distinction here – anonymity knows nothing about identity, while pseudonymity is built from identity. If the identity behind actions is meaningless to you, then you are looking for anonymity in actions. Sure, this will also be pseudonymity, but the identities will be reduced to meaninglessness, which begs the question of why to even think about pseudonymity. And so on in the other direction. (Many people don’t agree with me here.)

(Such disagreements led to arguments over my comments on voting back in a post from over a year ago. While my language was poorly chosen and probably just plain wrong, I still think my point remains – pseudonymity is a more appropriate way to think of USA style voting than anonymity. Think “blind signatures for untraceable payments.” Or, via Emergent Chaos, look at kits put out there by Credentica. Or even just think about authorization of action as identity, like your driver’s license.)

Ok, so you are probably noticing something else – anonymity is often a building block in breaking the link between an identity and an entity, which is to say, anonymity is a tool for creating unlinkable pseudonyms. For example, creating and using a webmail account through Tor. The webmail account is pseudonymous, and accessing it through Tor helps to break the link between yourself and your webmail pseudonym.

And now you are asking yourself, why even talk about them separately? In fact, why point out actions as pseudonymous versus anonymous, when distinguishing between them seems by itself to be a contradiction? Easy – it comes down to goals and, by virtue, what perspective makes sense for those goals. If your goal is to do away with, or ignore, identity, then anonymity may be the most appropriate perspective – you want actions to be identities, or completely ephemeral pseudonyms. Other than that, pseudonymity is most likely the appropriate perspective. For example, generally speaking, Tor is anonymous, but web browsing is not. As such, generally speaking, Tor exit node operators should not maintain logs, but web site operators should. And, as a user of Tor browsing the web, these two realities can help to both set the user’s expectations and achieve that user’s goals.

Finally, you are probably realizing the most important point – pseudonymity is far more interesting than anonymity. In fact, you are probably recognizing that virtually everything you do in cyberspace is pseudonymous. You may even be thinking about how you use pseudonymity in meatspace as well. Good for you. We are now on the same page.

Anon web, looking part, door

Friday, April 20th, 2007

Anonymity on the web is virtually impossible. Pseudonymity is what you get. This point is illustrated here.

[...]Some users configure their web browsers to block cookies entirely or at least for certain websites (like banner providers). They’re attempting to protect their privacy, imagine that. Anyway, there seems to be a way to track users with Basic Auth instead of cookies.[...]

Embedding an identifier into a web site is not hard. Basic authentication credentials are one way to accomplish this. Inserting an identifier into the links of dynamically generated pages is another.

For example, instead of <a href="http://www.d-kriptik.com/nopage.html">, which is generic, you could use something like <a href="http://www.d-kriptik.com/12345/nopage.html">, where "12345" is an identifier generated and embedded into links when someone requests a generic page that has no such identifier embedded in the request. Most web bulletin boards do something like this. Amazon does this too.

However, depending on your purposes (and traffic), you don’t need to be so creative. Just watching the usage of a web site without any sort of embedded identifiers will often reveal this level of detail as well.
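To see from the visitor's side whether a page hands out identifiers this way, fetch it twice with no cookies and compare the links: anything that changes between the two copies (Basic Auth userinfo, a path segment, a query value) is a candidate per-visitor token. The sketch below is an added example, not code from the original post; the example.test hosts, the two page copies and the function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qsl


class LinkCollector(HTMLParser):
    """Collect href/src attribute values in document order."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src") and value:
                self.links.append(value)


def extract_links(html):
    collector = LinkCollector()
    collector.feed(html)
    collector.close()
    return collector.links


def find_tracking_tokens(html_a, html_b):
    """Compare two cookie-less fetches of the same page.

    Links are paired by position (assumption: the page layout is the same in
    both fetches). Returns tuples (kind, location, value_in_a, value_in_b).
    """
    findings = []
    for url_a, url_b in zip(extract_links(html_a), extract_links(html_b)):
        a, b = urlsplit(url_a), urlsplit(url_b)
        if a.hostname != b.hostname:
            continue  # not the same link; positional pairing broke here
        host = a.hostname or ""

        # 1. Credentials in the URL (user[:password]@host), the Basic Auth trick.
        user_a = a.netloc.rpartition("@")[0]
        user_b = b.netloc.rpartition("@")[0]
        if user_a != user_b:
            findings.append(("userinfo", host + a.path, user_a, user_b))

        # 2. A path segment that changes while the rest of the path is stable.
        seg_a, seg_b = a.path.split("/"), b.path.split("/")
        if len(seg_a) == len(seg_b):
            for i, (x, y) in enumerate(zip(seg_a, seg_b)):
                if x != y:
                    template = "/".join(seg_a[:i] + ["{id}"] + seg_a[i + 1:])
                    findings.append(("path", host + template, x, y))

        # 3. A query parameter whose value changes between fetches.
        q_a, q_b = dict(parse_qsl(a.query)), dict(parse_qsl(b.query))
        for key in q_a:
            if key in q_b and q_a[key] != q_b[key]:
                findings.append(("query", host + a.path + "?" + key,
                                 q_a[key], q_b[key]))
    return findings


# Constructed sample: the same page as served to two fresh visitors.
FETCH_A = """
<html><body>
<a href="http://www.example.test/12345/nopage.html">page</a>
<a href="/about.html">about</a>
<img src="http://u81f3@img.example.test/banner.gif">
<a href="/forum/view?topic=7&amp;sid=aaa111">forum</a>
</body></html>
"""
FETCH_B = """
<html><body>
<a href="http://www.example.test/67890/nopage.html">page</a>
<a href="/about.html">about</a>
<img src="http://u9c2d@img.example.test/banner.gif">
<a href="/forum/view?topic=7&amp;sid=bbb222">forum</a>
</body></html>
"""

if __name__ == "__main__":
    for finding in find_tracking_tokens(FETCH_A, FETCH_B):
        print(finding)
```

A value that differs between fetches is only a candidate: cache-busting timestamps and rotating content produce the same signal, so confirm by checking whether the value then persists across the links of later pages.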

Anyway, I really enjoy reading Jeremiah Grossman’s blog and RSnake’s blog. Great stuff.

-

These kids understand looking the part.

Teen #1: Hey, man, I think we should get our important stuff laminated. No one ever questions lamination.
Teen #2: Yeah, I could get my hall pass and be at a club and the bouncer would let me in.
Teen #1: Yeah, because of the lamination.

-

Finally, remember this?

Everyone thought the doors were incredibly cool. Oh, and they were. Upon entering a secure area (that is, anywhere except the lobby), one simply waved his RFID-enabled access card across the sensor and the doors slid open almost instantly. When leaving an area, motion detectors automatically opened up the doors. The only thing that was missing was the cool “whoosh” noise and an access panel that could be shot with a phaser to permanently seal or, depending on the plot, automatically open the door. Despite that flaw, the doors just felt secure.

That is, until one of G.R.G.’s colleagues had an idea. He grabbed one of those bank-branded folding yardsticks from the freebie table and headed on over to one of the security doors. He slipped the yardstick right through where the sliding doors met and the motion detector promptly noticed the yardstick and opened the door. He had unfettered access to the entire building thanks to a free folding yardstick.

It always makes me laugh.

General IT support

Friday, April 20th, 2007

We receive a number of requests for general IT support, such as the following found in one of my inboxes yesterday.

We are looking at outsourcing our IT needs. Please contact me during normal business hours.

While my initial goal with D-kriptik was to help everyone out with IT, it seems others in NY did a much better job at getting their names out there and being accepted in this role. As such, we were never able to pay the bills with such work. Unfortunately, that means this line of service has been deprecated to some extent.

So, my usual response is in the realm of the following.

Thank you for your inquiry.

Just to let you know, IT security has been our primary focus for quite some time now. That was not really by choice, but by client demand – it comes down to what people know you for, and that is what people knew me for. So, if you are looking for help with IT security for a small business, we are a good fit.

As far as general IT support, other than continuing to support existing clients, we are not looking to take on any more recurring general IT support contracts. That said, if you need some short term general IT support, we would be happy to help out a local business. Having been in the shoes of a system administrator at a previous employer (and now at my own company), I know the ropes.

Please let me know if this seems in line with your needs, and, if it is, we can chat about specifics and see if there is a good fit between our companies. Thanks again.

I realize these inquiries are my own fault – the web site has not been updated in some time; however, I am both too lazy to update the site and still have a desire to help people with IT in general as much as can fit in with our core line of work. (I really do want to help out local small businesses with their IT needs.) Not to mention, I feel it is very important to be a jack of all IT trades in order to work in IT security.

Rambling authentication

Thursday, April 19th, 2007

A few random thoughts about authentication. I tell stories too, as people seem to like those. I think my previous post inspired this. And, I was poking around at SPKI a couple of weeks ago too. Anyway, there is no point, and I could be totally off base. This is just a ramble.

-

I was thinking about meatspace identification and authentication. It seems we, as people, utilize the characteristics that identify us to also authenticate us, such as our biometrics, styles, etc., in meatspace.

So, we have –

  1. Identifier – the combined attributes that serve to distinguish an entity from other entities. For example, my face, way of speaking, body language, etc. all come together to make me different from everyone else.
  2. Authenticator – possession of these unique attributes serves to authenticate an entity’s identity. For example, only I can have my face, way of speaking, body language, etc., and so these serve to authenticate me as possessing my identity.

(I am implying uniqueness here, but that is not necessarily at the individual entity level. For example, identifying and authenticating someone as a police officer requires a unique set of attributes that only police officers are supposed to possess.)

There are two important notes here -

  • The identifier and the authenticator are the same.
  • The identifier and the authenticator are public.

The reason the identifier and the authenticator can be the same is that the authentication mechanism, that is, our ability to take this information presented by an entity and use it to confirm that an identity is bound to said entity, makes it difficult to create forgeries of the identifier/authenticator. This may not always be the case though. For example, if you see someone once briefly across a room, you may not be able to identify them again reliably – there has not been enough time to train your authentication mechanism with the person’s information.

Also of note, we may assume many different identities. For example, your identity at work might differ completely from your identity at play – in fact, people from the one context might not recognize you in the other. (I know some people don’t like it, but I sometimes refer to such identities as pseudonyms.)

Moving along, we have these identities. Now, we can build reputations for these identities based on our interactions with, and observations of, these identities, or based on feedback from other identities. We can assign properties to these identities. These identities provide a means for accountability.

Let me illustrate all this with an example of something that happened to me recently…

There are two parties on Saturday night that I normally attend in succession. One is a rock, new wave, electro gig, the other is a deep house after hours. I normally sit back and soak the atmosphere at the former, while I run around dancing at the latter.

One night, a group of people from the new wave party ended up at the deep house party. When they saw me, they came running over and expressed the following.

  • They “knew me” from a few parties. (No, I did not know them.)
  • They were surprised to see me at the deep house party. They did not think that was “my thing.”
  • They were shocked to see me dancing. They did not think that I danced.
  • They were nervous about the crowd at the deep house party. Seeing me made them feel both comfortable and safe.

So, I mentioned assigning properties to entities. My example above illustrates some such properties built from my reputation. Probably a much more obvious property is names. We call people Alice and Bob. As more people come about, longer names come about, or names and locations. You call someone Bob Alice, or refer to Bob from the area Eve.

And, we can bring in third parties to link these properties to us. In my example above, people directly tied properties to me, and could have conveyed these properties to others. Another example comes in the form of IDentification (ID) issued by third parties, like governments or insurance companies, that bind us to properties we possess.

So, I bring up IDs. Now, think about what those IDs in your pocket let you do. An ID authorizes me to drive a certain type of vehicle. An ID can link me to a name and address that can be used to locate me in order to provide physical accountability. An ID can link me to a particular age in order for an establishment to determine if I am old or young enough to enter. And so forth.

This is important. Notice what IDs are used for – linking specific properties to an identity. IDs don’t identify us – our faces, etc. do that. Rather, IDs identify properties we possess.

Ok, so now enter into cyberspace.

  1. Identifier – a unique label that distinguishes an entity from other entities in a system. For example, a unique number assigned to me.
  2. Authenticator – possession of something, or multiple somethings, whether a secret, a token, fingerprint, etc., that serves to authenticate an entity’s identity. For example, proving possession of a secret character string that is associated with a username.

There are sort of two important notes here -

  • The identifier and the authenticator are different.
  • The identifier may be public, but the authenticator is kept secret or difficult to forge or both.

In cyberspace, we use external identities, as we, people, cannot physically enter into cyberspace at this time. And, in the digital world, creating copies is trivial. By virtue, if an identifier, which is public, is the same as an authenticator, which would also then be public, then an entity could just copy the identifier/authenticator and assume the identity.

Herein lies what I think is an issue when translating authentication mechanisms from the people world to the digital world. People are used to identifiers being the same as authenticators in many circumstances, so the separation of the two makes for a difficult conceptual leap. For example, if a web site looks like a bank’s web site, most people will interact with it like it is a bank’s web site. That is how they both identify and authenticate the site. Sure, fraudsters can look the part in real life too, but the digital world lends itself to copies and scalability.

Another difficulty is that there is confusion about just what ID provides in meatspace. We use ID differently than we think we use ID. Unfortunately, when we come to the digital world, we try to map how we think we use ID to how we use ID. For example, a web site presents me a certificate saying this site’s name is its name. But, often we don’t care about names, we care about the accountability of the operators of that web site. That certificate says nothing meaningful to us about that accountability. On the other hand, looking at your driver’s license and establishing your name and address does say something to me about your accountability.

It should be noted that identifiers and authenticators from meatspace and cyberspace come together frequently enough. For example, IMers get quite good at recognizing each other’s mannerisms, such that they can spot when someone other than the usual entity has assumed a particular handle. Biometric authentication in digital systems works in much the same way, although the authentication algorithms may be a bit less sophisticated than people’s internal algorithms.

The following serves as an example of identity, authentication, and reputation…

I have had a number of nyms that have had very distinct reputations. Some used digital signatures to bind messages to an identity, others used content, and others used both. Which worked better really depended on who I was communicating with – for example, cypherpunks probably understand public key crypto but people on a jazz mailing list may not (the latter is an assumption based on complaints a friend of mine used to make about the technical competence of people on a jazz mailing list).

Anyway, for one nym that used both digital signatures and content to establish its identity, I signed all messages with a particular PGP key and used the same person to rewrite my messages. One time, when the person I used to rewrite my messages was unavailable, I asked someone else to fill in, and I signed the end product with the same PGP key. That message resulted in paranoia flying about that the nym had been compromised, etc., and that nym never really recovered. Still, I kept the nym around so as to be able to spark more paranoia every once in a while. ;)

Double-edged sword?

Friday, April 13th, 2007

I have had a number of people ping me about my thoughts on the response to the Kathy Sierra situation, as she details here.

First and foremost, I hope Sierra starts writing again. I enjoyed her ideas and her optimism.

That said, I am not going to run into a tirade defending free speech, although I believe in it. (I also believe in my ability to not listen.) This blog is not about politics, but, if you want such a defense, this post over at Emergent Chaos is a good start.

Now, if you don’t buy into free speech, then you may as well stop reading now; however, if you do buy into it, well, let’s talk a little about the rhetoric flying around the blog world. I guess this post, which is Sierra discussing her future options, works to that end.

2) “Ghost write” for someone or something else. I got myself into the Technorati Top 50, I could help someone else (if it’s for the right reasons) raise their readership.

3) Create a fake persona and write as that fake person. Unfortunately, almost everything I do has a look and style, and I don’t think the quality of my writing is suddenly going to improve, so it would be pretty obvious that it was me. Still… a rape fantasy about a fake person who lives thousands of miles from where I do would not affect me as deeply or as personally as when the dream/imagery is about the real me. I don’t like this idea as much because anonymity–NOT Owning Your Own Words–is one of the biggest contributors to the problems that have driven me and thousands of others off their blogs or other online communities.

Now, I realize some in the blogosphere have called speaking anonymously an act of cowardice – the “say it to your face” tough guys out there – and even Sierra seems to lament considering pseudonymity as an option. But, step back for a moment and realize something – these tough guys are in positions of power, which makes it easy for them to proclaim a “say it to your face” world. Someone subject to power rather than wielding it may not be in such an easy position to speak their mind – they have to fear what those with power over them will do to them if they speak. They could be ostracized. They could be fired. They could be beaten. They could be jailed. They could be killed. Pseudonymity and anonymity provide a means for people to speak without such fears. It gave Sierra’s attackers a way to be threatening, to be sure, but it also could have given Sierra herself a way to speak without fear.

Which is to say, free speech does not only apply to the powerful. Such a thing is not free speech, it is restricted speech. No, free speech applies to everyone. And, pseudonymity and anonymity provide tools to help make that possible, even under the most tyrannical of regimes, whether a parent, a boy/girlfriend, or a government. (I just don’t see how one can say they believe in free speech and yet not defend anonymity and pseudonymity with regards to speech – that seems a contradiction.)

Sierra wonders about how many bloggers have been driven away by anonymous attackers, but I wonder the opposite – how many blogs out there have only come to be because of pseudonymity? I’d wager far more blogs exist because of pseudonymity than have been driven away by it. I’d bet some of the most respected bloggers out there are posting under pseudonyms, just like some of the most respected cypherpunks post under pseudonyms.

And, since I mention pseudonyms in the same sentence with respect, it should be noted that nyms are identities. They can own their words. They can build reputations. They can even be held accountable in many ways. This is not a hypothetical – eBay, Slashdot, the USA founders use(d) nyms.

As to the “bloggers’ code of conduct”, I will say only this (at the risk of my blogosphere neighbors labeling me “unamerican,” I mean, “uncivil”) – I defer to the year and a half of content here to provide the reputation, and, by virtue, code of conduct, for this blog. We have said stupid things, smart things, incoherent things, irrelevant things, and just plain annoying things, and we will continue to do so. Email-to-blog transitions have been covered. So have comments. And that says it all.

Bands, banks, and what not

Tuesday, April 10th, 2007

I started this post a couple of days back and then got tied up with work before I actually posted it. I guess I could edit it some more, but this is just a blog anyway. :) So here goes.

I was reading this post over at 1 Raindrop.

Bands = Wired, Factors = Tired, Passwords Only = Expired

IT Security groups so often end up in drilling down one particular rabbit hole that they lose sight of the big picture. Sometimes some basic authN schemes from multiple communication bands will add more strength than increasing the strength of a single component.

First thing that popped into my head, OOB. Remember this post?

The general idea is that I send my OpenPGP public key to my buddy via, say, email. Now, my buddy has no way of knowing whether the key received via email is actually from me – for example, someone else could have sent them an OpenPGP public key and claimed it was from me, or someone could be sitting in between us and replaced my key with their own. So, I call my buddy (or vice versa) and read off the key’s fingerprint while my buddy verifies that the key received has that fingerprint, usually by visually matching what I am reading off.
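What the buddy's side of that phone call amounts to, as an added example that is not from the original post: it assumes a version 4 RSA key as laid out in RFC 4880, and the key material below is constructed filler rather than a real key.

```python
import hashlib
import struct

def mpi(value: int) -> bytes:
    """OpenPGP multiprecision integer: 2-byte bit count, then big-endian bytes."""
    bits = value.bit_length()
    return struct.pack(">H", bits) + value.to_bytes((bits + 7) // 8, "big")

def rsa_public_key_body(created: int, n: int, e: int) -> bytes:
    """Body of a version 4 public-key packet: version, creation time, algorithm 1 (RSA), n, e."""
    return bytes([4]) + struct.pack(">I", created) + bytes([1]) + mpi(n) + mpi(e)

def v4_fingerprint(body: bytes) -> str:
    """SHA-1 over 0x99, the 2-byte body length and the body (RFC 4880, section 12.2)."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()

def spoken_form(fpr: str) -> str:
    """Ten groups of four hex digits, the way a fingerprint is read over the phone."""
    return " ".join(fpr[i:i + 4] for i in range(0, len(fpr), 4))

def matches_spoken(body: bytes, heard: str) -> bool:
    """Check the key that arrived by email against what was read aloud on the call."""
    normalized = "".join(heard.split()).upper()
    if len(normalized) != 40:      # a partial read-back (e.g. a short key ID) is not a match
        return False
    return v4_fingerprint(body) == normalized

# Constructed sample data: two stand-in "moduli" built from hashes, not real RSA keys.
N_A = int.from_bytes(hashlib.sha256(b"constructed key A").digest() * 4, "big") | 1
N_B = int.from_bytes(hashlib.sha256(b"constructed key B").digest() * 4, "big") | 1
MINE = rsa_public_key_body(1176000000, N_A, 65537)         # the key I actually sent
SUBSTITUTED = rsa_public_key_body(1176000000, N_B, 65537)  # a key swapped in transit

if __name__ == "__main__":
    read_aloud = spoken_form(v4_fingerprint(MINE))
    print("read over the phone:", read_aloud)
    print("key received intact:", matches_spoken(MINE, read_aloud))
    print("key replaced en route:", matches_spoken(SUBSTITUTED, read_aloud))
```

The email band carries the key and the phone band carries only the 40 hex digits, so a substitution on the email band alone changes the hash and the read-back fails.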

Anyway, I took away three points from the overall discussion and the examples given. One had to do with bands, but the other two had to do with authentication and notification.

Point 1: Authentication matters. Knowing identifying information is not the same as authenticating; however, identifying information can be used for authentication if it provides a means to confirm that identity. The authentication itself would be the act of performing that confirmation. For example, someone that knows my name, birthday, SSN, phone number, and address is not necessarily me and should not be allowed to carry out actions in my name; however, if my address or phone number can be verified in some manner, then sending me a letter, or giving me a phone call, asking for confirmation of actions attempted in my name could serve to authenticate/authorize those actions.

The value of an identity comes from three items that can be tied to an identity – reputation, accountability, and access control. Authentication binds an identity to an entity, which allows for reputation, accountability, and access control of that entity.

Point 2: Notification matters. Even if someone has obtained the ability to conduct some action in my name, if I was notified of said action, even after the fact, then I could appropriately react to it. For example, credit card statements provide this ability to me for credit cards I know of, as I can audit the statements at the end of the month or online and dispute fraudulent charges. If people performed the same type of monthly (or more often) check on their credit reports, the window of opportunity for an attacker to gain credit in one’s name and utilize said credit is greatly reduced.

This feeds back to the accountability (and reputation) of an identity, providing an entity knowledge of actions being attempted under that entity’s identity.

Point 3: OOB communication can provide a convenient way to increase the difficulty of attacking a particular system. Piping the control and status information (i.e., authentication information from point 1, or notification information from point 2) on bands separate from data (or other control/status) can be useful for providing, say, defense in depth, as, say, phone companies learned from whistles. For example, say all online banking transactions resulted in a phone call to my home before the transaction would be performed. Just compromising my online banking account or my computer is not necessarily (skype anyone?) enough to rob me now. However, an easy design flaw could happen here too – say, if instead of all online banking transactions requiring call confirmation, only monetary ones do. If changing one’s home phone was an online banking transaction capability, then an attacker could simply change the phone number to something under their control and then perform a monetary transaction.
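The design flaw from Point 3 beside the corrected policy, as an added toy model that is not from the original post: the account, phone numbers, action names and the `request` function are all constructed for illustration.

```python
from dataclasses import dataclass, field

OWNER_PHONE = "555-0100"      # constructed sample values
ATTACKER_PHONE = "555-0199"

@dataclass
class Account:
    phone: str
    balance: int
    calls: list = field(default_factory=list)  # (number dialed, action) audit trail

def request(account, action, value, needs_call, says_yes):
    """Apply one online-banking request.

    needs_call: set of actions that require a confirming phone call.
    says_yes:   set of phone numbers whose holder would approve this request.
    The call always goes to the number on file *before* the request is applied.
    """
    if action in needs_call:
        account.calls.append((account.phone, action))
        if account.phone not in says_yes:
            return False                      # declined out of band
    if action == "change_phone":
        account.phone = value
    elif action == "transfer":
        account.balance -= value
    return True

def hijacked_session(needs_call):
    """Someone other than the owner controls the online session only.

    They would approve a call to their own line; the owner would decline.
    """
    account = Account(phone=OWNER_PHONE, balance=1000)
    says_yes = {ATTACKER_PHONE}
    request(account, "change_phone", ATTACKER_PHONE, needs_call, says_yes)
    request(account, "transfer", 900, needs_call, says_yes)
    return account

flawed = hijacked_session({"transfer"})                    # only monetary actions
hardened = hijacked_session({"transfer", "change_phone"})  # every action

if __name__ == "__main__":
    for name, acct in (("flawed", flawed), ("hardened", hardened)):
        print(name, acct.balance, acct.phone, acct.calls)
```

Under the flawed policy the owner's line is never dialed, so neither the authentication of Point 1 nor the notification of Point 2 reaches the real account holder; under the corrected one both requests ring the original number and are declined.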

Anyway, the real point of this post is to allow me to reference a story I wrote a while back, which was rejected from Daily Dave, but has now found a home in this blog.

Date: Wed, 10 May 2006 20:48:18 -0400
From: xxxxxxxx <xxxxxxxx@xxxxxxxx.xxx>
[...]
CC: dailydave@xxxxxxxx.xxxxxxxx.com
Subject: Re: [Dailydave] Scam artists, your web browser, and you
[...]

On 10 May 2006 10:50:10 -0400, Dave Aitel wrote:
> I called up the credit card company
> and told them the story and they said “Well, whatever. Just tell us if
> they charge you”.
>
> See, this is why I don’t get carding and the big fuss over it. I’m not
> liable for that money, and the credit card companies clearly don’t
> care if I hand my number out to the world.

I had a similar experience back a few years ago. I was looking at the charges posted to my account, and there was some random $50 charge on there from a few days back. I had not bought anything with that credit card number a few days back, so I called up the credit card company and let them know.

The credit card company wanted to confirm that I was not forgetting that I had made a purchase, so they called up the company that charged my card while I was on the line. It turned out to be a mail order pet supply shop, and the charge was for some sort of specialized dog food. I did not have any dogs at the time, but, even if I had, I would not have been mail ordering dog food.

Besides getting the details on filing a dispute, I asked for my account’s credit card number to be canceled and a new one issued. The credit card company explained to me that this charge might be a freak occurrence and asked me if I was sure I wanted to get a new card. I was quite sure.

Some time later, I received a call from a cruise company letting me know that my (now canceled) number had been declined for a thousand dollar charge and asking me for new billing information. Needless to say, it was not me trying to take a vacation.

-

I can’t say this radically changed the way I used credit cards, but it did result in me checking my accounts quite regularly online for strange activity and actually looking over the statement received at the end of the month. So far, my vigilance has been for nothing – I have not had any other rogue charges.

My impression is that the credit card companies themselves take the approach of trying to detect unusual behavior on an account and blocking such transactions until the account holder can be contacted for verification. I have no idea how effective the approach is, but I know the credit card companies I deal with have been quite accurate in identifying activity that is way out of the norm for me. (Take that cruise charge above, I can imagine it would have been flagged for verification, if the card number itself had not already been closed out.) I guess the rest of the fraudulent transactions are just considered part of their costs, much like retail stores factor in the cost of shoplifted goods.

-Andrew

So, this sort of verification is already performed by credit card companies in some instances. They call your home phone number and ask you to verbally sign off on transactions they have flagged as suspicious. Besides verification, these types of communications are also used by financial institutions for notification purposes. For example, multiple failed attempts to enter a PIN may result in a phone call, or letter, to your home from a financial institution.

ANI patch

Tuesday, April 3rd, 2007

If you don’t live in a void, then you have heard about the animated cursor (ANI) vulnerability. You know, say, visit a web site, trivially get pwned. You might want to download this patch released by Microsoft today.

Who Should Read this Document: Customers who use Microsoft Windows

Impact of Vulnerability: Remote Code Execution

Maximum Severity Rating: Critical

Recommendation: Customers should apply the update immediately

Affected Software:
  • Microsoft Windows 2000 Service Pack 4 – Download the update
  • Microsoft Windows XP Service Pack 2 – Download the update
  • Microsoft Windows XP Professional x64 Edition and Microsoft Windows XP Professional x64 Edition Service Pack 2 – Download the update
  • Microsoft Windows Server 2003, Microsoft Windows Server 2003 Service Pack 1, and Microsoft Windows Server 2003 Service Pack 2 – Download the update
  • Microsoft Windows Server 2003 for Itanium-based Systems, Microsoft Windows Server 2003 with SP1 for Itanium-based Systems, and Microsoft Windows Server 2003 with SP2 for Itanium-based Systems – Download the update
  • Microsoft Windows Server 2003 x64 Edition and Microsoft Windows Server 2003 x64 Edition Service Pack 2 – Download the update
  • Windows Vista – Download the update
  • Windows Vista x64 Edition – Download the update

And, yes, exploits have been floating around in the wild.