Scott has been receiving emails from Sprint for several months now. The emails are kind and courteous and they thank him for his payment. They’re in plain text, no links. It’s not spam. It’s a real email from Sprint. The problem is that it’s not for Scott’s account. The emails are intended for another Sprint customer, but are for some reason being sent to Scott. Scott emailed Sprint’s customer service about the situation, but armed with only Scott’s email address that they had been sending payment receipt emails to, they just couldn’t figure out who should actually be getting the emails.
So Scott and I decided to set out and see what we could find out from just the email address. First, we went on to Sprint’s site and saw the login area of the webpage:
The "forgot username" link looked inviting, so we clicked there. Now all we have to do is enter the email address:
Email address entered and sent. Shortly afterward we received an email with the username. Success! But wait, what’s this? The email conveniently contained a link to the forgot password page:
Ok, Sprint, now you’re just making this too easy. We entered the email address and username and then received another email with a customized link to set a new password. Yes, that’s all it took. We now have full access to this guy’s account and all because he put in the wrong email address. We’re nice guys and all, so we logged out and sent an email to Sprint with the username to see if they would finally rectify the situation.
So here’s the question of the day: Is Sprint’s site truly secure? Should an email address really be treated as the key to the kingdom and allow anyone with access to the email address access to everything else? Shouldn’t at least one security question (no matter how secure (or insecure) they actually are) have been asked somewhere in this process? The concept of security and usability being at odds has been floated around a lot. Making something more secure tends to make it less user friendly and vice versa and while everyone wants their web site and application and product to be as easy to use as possible, security simply shouldn’t take a back seat.
In a world where multi-factor authentication is readily available, something like this just shouldn’t happen. There are plenty of different one-time security tokens (some with screens and some that act as virtual keyboards), fingerprint scanners, and many other solutions that are orders of magnitude more secure than a password (especially passwords with an email address backdoor).
So when you’re designing your next web site, or web application, or regular desktop application, stop and think through all the different avenues that deal with authentication and security. Think about what can be done if an attacker has only one authentication factor, or if an attacker gains control of the email address associated with a user’s account, or if an attacker figures out one or more answers to your security questions. Are you comfortable with what the attacker can or cannot access? Is a little loss in usability and ease of use worth the extra security to prevent these sorts of attacks?
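As an added example (my own model, not code from the original post or from Sprint), here is a small Python “forgot password” service that makes the post’s threat model concrete. With `require_second_factor=False` it behaves like the flow described above: whoever can read the mailbox on file gets a working reset link and nothing else is asked. With it on, the mailbox alone is not enough: the reset link is random, hashed at rest, single-use and short-lived, and finishing the reset also needs a code the mailbox owner does not have (a hypothetical out-of-band code, e.g. one sent to the phone on the account). The account names, addresses and code are constructed.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional

TOKEN_TTL_SECONDS = 15 * 60       # a reset link should die quickly
MAX_SECOND_FACTOR_ATTEMPTS = 5    # throttle guessing of the second factor


@dataclass
class Account:
    username: str
    email: str
    password: str
    # Hypothetical second factor the mailbox owner does not have: a code delivered
    # out of band (e.g. to the phone on the account) or an account PIN.
    out_of_band_code: str
    reset_tokens: Dict[str, dict] = field(default_factory=dict)  # sha256(token) -> metadata
    failed_attempts: int = 0


class RecoveryService:
    """Models a 'forgot password' flow.

    With require_second_factor=False it behaves like the flow described in the post:
    whoever reads the inbox of the address on file can take over the account.
    """

    def __init__(self, accounts, require_second_factor=True, clock=time.time):
        self.by_email = {a.email.lower(): a for a in accounts}
        self.require_second_factor = require_second_factor
        self.clock = clock  # injectable so expiry can be exercised without waiting

    @staticmethod
    def _digest(token: str) -> str:
        # Store only a hash: a leaked database must not yield live reset links.
        return hashlib.sha256(token.encode()).hexdigest()

    def request_reset(self, email: str) -> Optional[str]:
        """Issues a reset token for the account behind `email`, or None if unknown.

        Returned here for demonstration; a real service mails it and tells the
        caller nothing, so known and unknown addresses look the same."""
        account = self.by_email.get(email.lower())
        if account is None:
            return None
        token = secrets.token_urlsafe(32)
        account.reset_tokens[self._digest(token)] = {"issued": self.clock(), "used": False}
        return token

    def complete_reset(self, email: str, token: str, new_password: str,
                       second_factor: Optional[str] = None) -> bool:
        """Sets a new password only if every required check passes."""
        account = self.by_email.get(email.lower())
        if account is None:
            return False
        meta = account.reset_tokens.get(self._digest(token))
        if meta is None or meta["used"]:
            return False                                   # unknown or already consumed
        if self.clock() - meta["issued"] > TOKEN_TTL_SECONDS:
            return False                                   # expired
        if self.require_second_factor:
            if account.failed_attempts >= MAX_SECOND_FACTOR_ATTEMPTS:
                return False                               # locked after too many guesses
            expected = account.out_of_band_code.encode()
            supplied = (second_factor or "").encode()
            if not hmac.compare_digest(expected, supplied):
                account.failed_attempts += 1
                return False
        meta["used"] = True                                # single use
        account.failed_attempts = 0
        account.password = new_password
        return True


def email_only_takeover(require_second_factor: bool) -> bool:
    """Simulates the post's scenario: the attacker controls only the mailbox on file.

    Returns True if that alone is enough to set a new password."""
    victim = Account("jdoe", "wrong-address@example.com", "old-secret", out_of_band_code="4821")
    service = RecoveryService([victim], require_second_factor=require_second_factor)
    token = service.request_reset(victim.email)   # attacker reads this from the inbox
    return service.complete_reset(victim.email, token, "attacker-chosen")


if __name__ == "__main__":
    print("email alone suffices (post's flow):", email_only_takeover(False))
    print("email alone suffices (hardened):   ", email_only_takeover(True))
```

The point of the injectable clock is that expiry and single use are the two properties a reviewer should actually exercise; a reset link that stays valid for weeks in a mailbox is nearly as bad as no second factor at all.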
What scares me is that had Scott and I been not so nice of guys, we could have signed this poor sap up for Sprint’s Family Locator service and tracked him and his family right on their web site:
This is basically the US government’s way to turn state driver’s licenses into a national ID card and link them through one huge national database. And how will these IDs be used?
Once the IDs and database are in place, their uses will inevitably expand to facilitate a wide range of surveillance activities. Remember, the Social Security number started innocuously enough, but it has become a prerequisite for a host of government services and been co-opted by private companies to create massive databases of personal information. A national ID poses similar dangers; for example, because “common machine-readable technology” will be required on every ID, the government and businesses will be able to easily read your private information off the cards in myriad contexts.
Social Security numbers are one of the worst privacy and security threats out there. Way too many businesses use them as IDs and as a means of authentication even though they are nothing of the sort. You might be saying, “Ok, Mike, yeah that sucks, but at least we’ll be more secure with REAL ID cards, right?”
And what will you get in return? Not improved national security, because IDs do nothing to stop those who haven’t already been identified as threats, and wrongdoers will still be able to create fake documents. In fact, the IDs and database will simply create an irresistible target for identity thieves.
So basically they’ll just become another way for you to lose your identity… and cost you money… and lose your privacy. As RealNightmare.org puts it, REAL ID is:
REAL INVASIVE - Will create America’s first national identity card, increase the threat of identity theft, enable the routine tracking of individuals, and propel us toward a surveillance society
REAL RED TAPE - Will mean bureaucratic nightmares, long lines, repeat trips, and higher fees for individuals trying to get licenses and IDs
REAL EXPENSIVE - With a cost in the billions, REAL ID is a hidden tax increase that will force Americans to either pay higher fees to get their IDs, or pay more in state taxes.
REAL POINTLESS - Will do little if anything to protect against terrorism
Sounds pretty hopeless, eh? At least the second version of REAL ID isn’t as bad as the first version:
Original legislation contained one of the most controversial elements which did not make it into the final legislation that was signed into law. It would have required states to sign a new compact known as the Driver License Agreement (DLA) as written by the Joint Driver’s License Compact/Non-Resident Violators Compact Executive Board with the support of AAMVA which would have required states to give reciprocity to those provinces and territories in Canada and those states in Mexico that joined the DLA and complied with its provisions. As a part of the DLA, states would be required to network their databases with these provinces, territories and Mexican states. The databases that are accessible would include sensitive information such as Social Security numbers, home addresses and other information. The foreign states and provinces are not required to abide by the Driver’s Privacy Protection Act (DPPA) and are free to access and use the sensitive information as they see fit.
As they see fit? Mexico can do with my social security number as they see fit? Ugh…
If you’re sick and tired of all the identity problems and privacy invasions that already exist and don’t want to see the US become any more Orwellian, help repeal the REAL ID Act. There are states and congressmen that recognize this as a flawed system, but the gov’t isn’t backing down yet. There are several other resources like UnRealID.com, RealNightmare.org, and NO2RealID.org. Do yourself a favor and find out the truth about REAL ID before it’s too late.
There’s a relatively new concept out there called “data decay” (there isn’t even a Wikipedia entry for it yet!) that deals with the process of how data gradually becomes incorrect and out of date over time and how it should be handled. Here’s one example from Two Sides to Data Decay:
Approximately 10 years ago, I lived in an apartment just outside of Boston. At the time, the ZIP code for the address of the building in which I lived was 02146. A few years after I moved, the U.S. Postal Service decided to split the area covered by that ZIP code into two parts. The southern section kept the 02146 code, while the northern area – where my former apartment building is – was assigned a new ZIP code: 02446.
This example is interesting because it raises the two problems caused by this event:
After he moved, the address that everyone had on file for him became incorrect.
After the ZIP codes were reassigned, his old address, which was correctly zoned while he lived there, is incorrectly zoned from the reassignment onward. Any processing of the original ZIP code done after the reassignment is therefore skewed: it either wrongly includes the area that now belongs to the new ZIP code, or, when comparing new data for the original ZIP code against old data for the same ZIP code, compares areas of different size, since the old data covered more ground.
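As an added example (my own code, not from the Two Sides to Data Decay article), here is the ZIP split modelled in Python as temporal data: each ZIP-to-area assignment carries a validity interval, each address record carries the date it was captured, and lookups take an “as of” date. The split date, area names and address records are constructed placeholders; the post gives none of them. The example shows both problems from the list above: a record whose stored ZIP has decayed can be detected, and a count keyed on the bare ZIP string silently mixes pre- and post-split boundaries while an as-of count does not.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Constructed history modelled on the post's ZIP split. The split date and the
# area names are placeholders; the article gives neither.
SPLIT_DATE = date(2000, 1, 1)


@dataclass(frozen=True)
class ZipAssignment:
    zip_code: str
    area: str
    valid_from: date
    valid_to: Optional[date]   # None means still in effect (half-open interval)


HISTORY: List[ZipAssignment] = [
    ZipAssignment("02146", "south", date(1900, 1, 1), None),        # south kept 02146
    ZipAssignment("02146", "north", date(1900, 1, 1), SPLIT_DATE),  # north was 02146...
    ZipAssignment("02446", "north", SPLIT_DATE, None),              # ...then became 02446
]


def in_effect(assignment: ZipAssignment, as_of: date) -> bool:
    return assignment.valid_from <= as_of and (
        assignment.valid_to is None or as_of < assignment.valid_to)


def areas_for_zip(zip_code: str, as_of: date) -> List[str]:
    """Which areas a ZIP code covered on a given date."""
    return sorted(a.area for a in HISTORY if a.zip_code == zip_code and in_effect(a, as_of))


def zip_for_area(area: str, as_of: date) -> Optional[str]:
    """Which ZIP code an area had on a given date."""
    for a in HISTORY:
        if a.area == area and in_effect(a, as_of):
            return a.zip_code
    return None


@dataclass(frozen=True)
class AddressRecord:
    person: str
    area: str
    zip_code: str
    recorded_on: date   # when the record was captured; the key to judging decay


def has_decayed(record: AddressRecord, as_of: date) -> bool:
    """A record has decayed once the ZIP it carries no longer maps to its area."""
    return zip_for_area(record.area, as_of) != record.zip_code


def naive_count(records: List[AddressRecord], zip_code: str) -> int:
    """Counts by the stored ZIP string, mixing records captured before and after the split."""
    return sum(1 for r in records if r.zip_code == zip_code)


def as_of_count(records: List[AddressRecord], zip_code: str, as_of: date) -> int:
    """Counts records whose area fell inside the ZIP's boundary on the given date."""
    areas = set(areas_for_zip(zip_code, as_of))
    return sum(1 for r in records if r.area in areas)


# Constructed sample records (names and dates are placeholders).
RECORDS = [
    AddressRecord("alice", "north", "02146", date(1995, 6, 1)),  # captured before the split
    AddressRecord("bob",   "south", "02146", date(1995, 6, 1)),
    AddressRecord("carol", "north", "02446", date(2005, 6, 1)),  # captured after the split
]

if __name__ == "__main__":
    today = date(2005, 1, 1)
    for r in RECORDS:
        print(r.person, "decayed" if has_decayed(r, today) else "current")
    print("naive 02146:", naive_count(RECORDS, "02146"))
    print("as-of 02146:", as_of_count(RECORDS, "02146", today))
```

The design choice worth noting is that nothing is deleted: the old assignment stays in `HISTORY` with a closed interval, so data captured before the split can still be interpreted correctly. That is the “graceful decay” the post asks about, as opposed to overwriting the ZIP and losing the ability to explain old records.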
It’s actually a surprisingly complex situation and I urge you to read the whole article. Bruce Schneier approaches data decay from a different perspective in this Educause podcast. He considers the problem of when computers should forget data. Is it relevant and safe for computers to remember things forever:
All process today produce data. It stays around. It festers. How we deal with it. How we recycle it, reuse it, dispose of it. What the regulations are concerning it are central to the Information Age… Twenty, thirty, fifty years from now we’re going to be cleaning up massive data problems just like we’re cleaning up massive pollution problems today… Some people have written about the fact that computers should be programmed to forget things. That remembering stuff forever isn’t necessarily goodness.
I’ve posted about backing up before and take great strides in keeping all my data safe and secure, but I think that Bruce has a point here. I don’t know if I want everything about me stored in some database forever. But at the same time how should data like that gracefully decay without simply vanishing or becoming useless?
Third-party cookies are almost never a good thing. Basically, a third-party cookie is a cookie that doesn’t come directly from the server you’re interacting with (hence, it’s from a “third party”). Usually, what that means is that it’s a cookie from an advertiser like DoubleClick and is there to record every website that you go to that has an image or something from their server. Definitely not good.
But what is good is that it’s not too hard to protect against. In IE, just go to Tools -> Internet Options -> Privacy (tab). From here you can either set your Internet Zone to “High” or “Block All Cookies” or you can click on the “Advanced” button and set the cookie policy yourself:
In Firefox, it’s a slightly different story. The Firefox developers didn’t think that a “block third party cookies” option was a complete enough solution since there will always be some way around it, so they buried the option. To access it you need to browse to the URL “about:config”. From there, filter on “cookie” and you’ll see the option:
Set the “network.cookie.cookieBehavior” option to 1 as described in this page. If you want an even more robust solution, you can use the CookieSafe Firefox plugin to protect yourself that much more.
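Since the setting is buried, it is worth being able to check it without clicking through about:config. The following is an added Python checker (my own, not part of Firefox or CookieSafe) that parses the `user_pref("name", value);` lines Firefox writes to prefs.js (or that you put in user.js), reports what `network.cookie.cookieBehavior` is set to, and emits the line that fixes it. The value meanings listed are the ones that applied to the Firefox of that era (0 accept all, 1 block third-party, 2 block all); newer releases added further values, which the checker simply reports as unknown. The sample prefs text is constructed.

```python
import re
from typing import Dict, Union

PREF_NAME = "network.cookie.cookieBehavior"

# Meanings of the values the post's Firefox generation used; newer releases added more.
MEANINGS = {
    0: "accept all cookies (Firefox default when the pref is absent)",
    1: "block third-party cookies",
    2: "block all cookies",
}

# Matches lines like: user_pref("network.cookie.cookieBehavior", 1);
_PREF_RE = re.compile(r'^\s*(?:user_pref|pref)\(\s*"([^"]+)"\s*,\s*(.*?)\s*\)\s*;', re.MULTILINE)


def parse_prefs(text: str) -> Dict[str, Union[str, bool, int]]:
    """Parses the subset of prefs.js / user.js syntax Firefox writes: strings, booleans, integers."""
    prefs: Dict[str, Union[str, bool, int]] = {}
    for name, raw in _PREF_RE.findall(text):
        if raw.startswith('"') and raw.endswith('"'):
            prefs[name] = raw[1:-1]
        elif raw in ("true", "false"):
            prefs[name] = raw == "true"
        else:
            try:
                prefs[name] = int(raw)
            except ValueError:
                continue  # unknown form; skip rather than guess
    return prefs


def audit_cookie_behavior(text: str) -> dict:
    """Reports the effective cookie policy and the user.js line that would harden it."""
    value = parse_prefs(text).get(PREF_NAME, 0)   # absent means the built-in default, 0
    blocks_third_party = value in (1, 2)
    return {
        "value": value,
        "meaning": MEANINGS.get(value, "value not known to this checker"),
        "blocks_third_party": blocks_third_party,
        # The line to add to user.js (or set in about:config) when the check fails.
        "fix": None if blocks_third_party else f'user_pref("{PREF_NAME}", 1);',
    }


# Constructed sample of a prefs.js that still accepts third-party cookies.
SAMPLE_PREFS = '''
// Mozilla User Preferences (constructed sample)
user_pref("browser.startup.homepage", "https://example.com/");
user_pref("network.cookie.cookieBehavior", 0);
user_pref("privacy.donottrackheader.enabled", true);
'''

if __name__ == "__main__":
    report = audit_cookie_behavior(SAMPLE_PREFS)
    print(f'{PREF_NAME} = {report["value"]}: {report["meaning"]}')
    if report["fix"]:
        print("add to user.js:", report["fix"])
```

Run it against your profile’s prefs.js (read the file and pass its text in); a missing pref is reported as 0, because that is what Firefox uses when nothing overrides the default.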
Lawrence Lessig, known for his work on copyrights, recently posted on following the rules where he discusses when it’s done, why it’s done and why it’s not done. To help illustrate his point, he posted a video of a news segment (which I’ll also include here) on the Texas legislature and their blatant disregard for the rules (rules that they themselves voted on).
It’s pretty disgusting how the laws are getting increasingly strict about regular citizens voting and increasingly harsh on regular citizens who bend the rules when voting, while our lawmakers act like this. Then, to top it off, state representative Riddle tries to justify it all by saying how grueling their schedule is. It’s pretty incredible. What I would like answered is this: how are we to ask our senators and representatives to make a difference when they may not even be the ones casting their own votes? Admittedly I don’t know how widespread this problem is, but it seems that we need our own lawmakers to start following the rules before we can ask them to help pass and enforce laws on our behalf.
We know how the telecoms were involved with the surveillance by the government. Well, last Thursday the Senate advanced legislation to give telecoms immunity for helping the government in these illegal activities… immunity not just for future involvement, but for their past involvement as well. This is nothing but bad. Thankfully, the mainstream media is giving their two cents worth. Here are some excerpts of the excerpts:
[Telecom immunity] is not primarily about protecting patriotic businessmen, as Mr. Bush claims. It’s about ensuring that Mr. Bush and his aides never have to go to court to explain how many laws they’ve broken. It is a collusion between lawmakers and the White House that means that no one is ever held accountable.
All those who deliberately broke the surveillance laws should be held to account. If not, we are simply inviting more privacy abuses in the future.
Just because he’s the president doesn’t mean he can do an end run on the Constitution, and ignorance and fear of political retribution isn’t an excuse for violating our rights.
And to make a bad situation worse, it was recently uncovered that these privacy invasions had begun well before Sept 11th, which was the commonly held impetus for all of this:
Until a few days ago, it had been widely assumed that the Bush administration began its secret surveillance of citizens’ telephone calls and e-mails in the aftermath of the terror attacks of Sept. 11, 2001. That was bad enough, given that the law requires government agents to first obtain a court warrant before spying on communications. But new court papers indicate that the illegal spying might have been going on for months before 9/11.
Now it appears that 9/11 may well have been used to cover a program that was in place months in advance, when there was no good argument for warrantless surveillance.
There has been a blog post floating around recently which discusses the many pitfalls of OpenID. The article breaks the problems down into seven areas: security, privacy, trust, usability, adoption, availability and patent. There are some valid points and some not-so-valid points; many of these issues are simply policy issues that can be resolved by implementation decisions at the OpenID provider. Let’s dig in a bit…
1. Security
The main problem here is that of phishing. You’re trusting that the site you’re at will faithfully send you to your OpenID provider and not some man-in-the-middle masquerading as your provider. However, as I’ve shown before, VeriSign PiP doesn’t allow referring websites to redirect to the VeriSign site in order to log you in. You already have to be logged in. So as long as users know of this behavior of the VeriSign PiP OpenID provider, they can’t be phished by phony redirects.
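The phishing concern above comes down to one question: is the URL I am about to be sent to really my provider, or a look-alike? As an added example (my own code, not VeriSign’s or any OpenID library’s), here is a strict Python check that a relying party, or a browser extension acting for the user, could apply to a redirect target before following it. The trusted host `provider.example` is a constructed placeholder for the user’s own provider. The check insists on an absolute https URL whose host is exactly the trusted host, which rejects the common look-alikes: http, scheme-relative URLs, userinfo tricks such as `https://provider.example@evil.example`, subdomain and suffix look-alikes, and unexpected ports.

```python
from typing import Iterable
from urllib.parse import urlsplit

# Constructed placeholder for the user's own OpenID provider host.
TRUSTED_PROVIDER_HOSTS = {"provider.example"}


def is_trusted_provider_url(url: str, trusted_hosts: Iterable[str] = TRUSTED_PROVIDER_HOSTS) -> bool:
    """True only for an absolute https URL whose host is exactly a trusted provider host.

    Everything else is treated as a possible masquerade: http, scheme-relative URLs,
    userinfo before an '@', look-alike hosts, non-standard ports, embedded whitespace.
    """
    if not url or any(ch.isspace() for ch in url):
        return False
    parts = urlsplit(url)
    if parts.scheme.lower() != "https":
        return False
    if parts.username is not None or parts.password is not None:
        return False          # https://provider.example@evil.example goes to evil.example
    host = (parts.hostname or "").lower()
    if not host:
        return False
    try:
        port = parts.port     # raises ValueError for a non-numeric port
    except ValueError:
        return False
    if port not in (None, 443):
        return False
    return host in {h.lower() for h in trusted_hosts}


if __name__ == "__main__":
    # Constructed candidates: one genuine provider URL and the usual look-alikes.
    for candidate in [
        "https://provider.example/login",
        "http://provider.example/login",
        "https://provider.example@evil.example/login",
        "https://provider.example.evil.example/login",
        "https://evil.example/provider.example",
    ]:
        print("trusted" if is_trusted_provider_url(candidate) else "REJECT ", candidate)
```

The deliberate strictness (exact host match rather than “ends with the provider’s domain”, and a port allow-list) is the whole point: any looseness here is exactly the gap a phony redirect would use.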
2. Privacy
This one breaks down to recycling of user IDs and providers being able to track every site you use your OpenID at. Also, there’s the issue of your provider getting hacked and all your login history getting exposed. Gary Krall, the technical director of VeriSign PiP, has told me how they don’t recycle user IDs for this very reason. And there’s no reason that other providers can’t do this as well. The usage history (which I talked about here) is kind of a mixed blessing. This allows you to see if your OpenID has been compromised, but also allows your provider to track your every move when using your OpenID. Sure, all this information may be in a central location, but is this really any worse than what we have now? How often do you reuse the same username and email (and maybe even password) when registering from site to site? How much information can a Google search already return on your activities? And I would expect OpenID providers to take more precautions and be much more secure than some run-of-the-mill web 2.0 website that I have an account at.
3. Trust
Here it’s the problem of trust and identity and which is required for which. This is another case where the provider could verify your real identity when issuing OpenIDs, but they simply don’t. This may be a case where people are trying to make OpenID deal with more than it’s designed to. OpenID is meant to facilitate you being able to prove you own an identity, similar to an email verification loop. It’s not supposed to be able to prove that the identity is actually you. That would most likely require an offline action.
4. Usability
Here the claim is that using OpenID is no easier than using a password manager and that using OpenID is actually a double login since it doesn’t fill out your account information for you at each website. In this case, OpenID is more convenient because its very existence removes the need for a password manager. And again, the OpenID provider can help provide the referring website with account information as I’ve shown before. Sure, it can never completely fill out the account information for all websites it may encounter, but there’s simply no way to do this. It’s simply not possible to have every mapping of every field in your provider to every other field in every website you may encounter.
5. Adoption
Basically, there are many more OpenID providers than OpenID enabled websites. The blog post is trying to claim that if your website supports OpenID then users will just use OpenID to sign in. And since the users don’t have an account, they aren’t locked into your website and so won’t be compelled to come back. However, I have about 140 accounts in my account manager app and I consistently only go to maybe 10 or 20 of the sites. Just because I create a username and a password at a website does not compel me to go back to that website. If the site has good content and is well designed then I’ll go back. Contrary to their point, if the website supports OpenID I’d be more likely to go back to that site since I don’t have to create and manage yet another username/password pair.
6. Availability
This addresses the problem of needing your OpenID provider up and running every time you need to use your OpenID. If it goes down temporarily or permanently, you can’t log in. This is a valid point, but again if the provider does things right, this won’t be a problem.
7. Patent
Now this could get bad. There are several patent claims on OpenID which threaten its longevity. This is a problem that will play out in court (if it gets that far) and that no OpenID provider can fix.
So to sum up everything here, out of the box OpenID has several problems. However, if the OpenID provider implements it right and uses some offline methods, it can be as good or better than other authentication methods out there.
It’s amazing that AT&T would only fix their TOS after feeling tremendous pressure and criticism worldwide for their recent update to their TOS. Now, apparently, they agree with the rest of the world that freedom of expression is a good thing:
AT&T respects freedom of expression and believes it is a foundation of our free society to express differing points of view. AT&T will not terminate, disconnect or suspend service because of the views you or we express on public policy matters, political issues or political campaigns.
Aw, that just gives me a nice warm and fuzzy. How about you? I wish that AT&T would have added this statement for the right reasons and done this from the start, instead of adding this as damage control. And how can they even try to claim this at all? As Cory Doctorow said:
I wish they’d kept this in mind when they were illegally wiretapping the entire Internet for the NSA
Today the EFF confronted Congress on the government’s surveillance of Americans and on the repercussions to those Americans’ privacy that could result. The government is collecting vast amounts of personal data and storing them in those oh-so-secure government databases:
We have all heard about security problems with government databases. A report from the Department of Homeland Security found 477 breaches in 2006 alone.
These databases are a black hat hacker’s dream come true. This is, of course, why OpenID is such a great idea. Sure it has its problems, but using OpenID means that login data doesn’t need to be distributed across the Internet at every website you visit. This decreases the black hats’ vector of attack tremendously. If I could have all of my login data being held at VeriSign, instead of having some of it at Yahoo, some at Tumblr, and some at Facebook… I’d be fine with that.
Anyway, while the distributed login data issue has a solution in sight, the government surveillance issue does not. The RESTORE Act will hopefully reinstate those checks and balances that were lost when the Protect America Act granted the telecoms immunity when helping the NSA spy on Americans. So I’ve said it before, and I’ll say it again: Support the EFF!
Aaron Lerch recently wrestled with whether he should show ads on his site. Sure, making a few bucks off your blog or website is tempting; I’ve considered it myself from time to time. But often there are unforeseen effects caused by the addition of ads to your site:
they can cause your site to load slower or to have no content show up at all until the ad is loaded
they can be annoying to the visitor by making use of animation or other similarly annoying tactics
they take up valuable real estate on your site
they can be a security risk
That’s right, ads can always be used as another vector to infiltrate your computer. It’s third-party content being displayed on your site, and often you have no control over where the ads link to, which makes the situation even worse. As reported earlier in the year, Google AdWords isn’t too thorough on checking up on who they sell ads to.
In the reported case, the attackers had the Google ad first pass through their site, which would try to exploit a vulnerability in IE, then would forward the user on to a legitimate page. Of course, the attackers don’t need to forward the user on. They can keep the user there and have their way with them, but the forwarding at least makes the ad look authentic. And this was made worse by a nice Google “feature” in AdWords:
Normally, when a viewer hovers over a hyperlink, the name of the site that the computer user is about to access appears in the bottom left corner of the browser window. But hovering over Google’s sponsored links shows nothing in that area. That blank space potentially gives bad guys another way to hide where visitors will be taken first.
Yup, Google always has the user’s best interest at heart. Of course there are still ways to protect yourself from at least the more well known domains: update your hosts file. Your hosts file is the first place your computer goes to when resolving domain names. It’s basically the first tier in your DNS cache. So how do you protect yourself? Just make all the evil domains resolve back to localhost. If you don’t have a web server on your box, the connection will time out and the ad won’t be retrieved. The advertiser’s domain won’t even be contacted. Can’t get much more protected than that.
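Maintaining that hosts file by hand gets old quickly, so as an added example (my own script, not from the original post) here is Python that merges a list of ad domains into hosts-file text as a marked, managed block. It is idempotent (re-running replaces the earlier block instead of appending duplicates), skips junk that isn’t a hostname, and never shadows an entry you wrote by hand elsewhere in the file. It sinks to 127.0.0.1 as the post suggests; 0.0.0.0 is a common alternative that fails faster because there is no local listener to try. The sample hosts content and domain list are constructed; the hostname check is a simplified one.

```python
import re
from typing import Dict, Iterable

BEGIN = "# BEGIN managed ad-domain sink"
END = "# END managed ad-domain sink"
SINK_IP = "127.0.0.1"   # the post's choice; 0.0.0.0 is a common alternative
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}

# Simplified hostname check: dotted labels of letters, digits and hyphens plus a TLD.
_HOST_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")


def valid_hostname(name: str) -> bool:
    return bool(_HOST_RE.match(name))


def parse_hosts(text: str) -> Dict[str, str]:
    """Maps each hostname to its address, ignoring comments and blank lines."""
    mapping: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        for host in parts[1:]:
            mapping[host.lower()] = parts[0]
    return mapping


def strip_managed_block(text: str) -> str:
    """Removes an earlier managed block so the merge is idempotent."""
    kept, skipping = [], False
    for line in text.splitlines():
        if line.strip() == BEGIN:
            skipping = True
            continue
        if line.strip() == END:
            skipping = False
            continue
        if not skipping:
            kept.append(line)
    return "\n".join(kept).rstrip("\n")


def merge_sink_block(text: str, domains: Iterable[str]) -> str:
    """Returns hosts-file text with a managed block sending `domains` to SINK_IP.

    Junk names are skipped and hostnames already mapped elsewhere in the file are
    left alone, so a hand-written entry is never shadowed."""
    base = strip_managed_block(text)
    existing = parse_hosts(base)
    block = [BEGIN]
    for domain in sorted({d.strip().lower() for d in domains}):
        if valid_hostname(domain) and domain not in existing:
            block.append(f"{SINK_IP} {domain}")
    block.append(END)
    return base + "\n" + "\n".join(block) + "\n"


def is_sunk(text: str, domain: str) -> bool:
    """True if lookups for `domain` will never leave the machine."""
    return parse_hosts(text).get(domain.lower()) in LOOPBACK


if __name__ == "__main__":
    # Constructed sample: a typical hosts file and a small ad-domain list.
    sample_hosts = "127.0.0.1 localhost\n10.0.0.5 intranet.corp.example # hand-written\n"
    sample_domains = ["ads.example.net", "Tracker.Example.com", "not a host"]
    print(merge_sink_block(sample_hosts, sample_domains))
```

To apply it for real, read your hosts file (`/etc/hosts`, or `%SystemRoot%\System32\drivers\etc\hosts` on Windows), pass its text through `merge_sink_block`, and write the result back with the privileges that file requires; keeping the block marked means you can also remove it cleanly later.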
But not everyone is protected. Not all of your users will be protected. So if you have ads on your site or are thinking about adding ads, carefully consider what you’ll be exposing your visitors to before adding them.