Friday, September 14, 2012

The Cosmo story, the facade of online security, and the US Postal Service.

Mat Honan, who is making a career out of being hacked, has a solid profile of a juvenile delinquent hacker [1] - "Derek", alias Cosmo (Cosmo, the Hacker 'God' Who Fell to Earth, via Schneier).

"Derek" is a troubled kid, but, in addition to hurting a lot of people, he's also done us a favor. He's become the latest in a series of people exposing the facade of online security.

Unsurprisingly, AOL is the worst -- until recently you could reset someone's account just by knowing their address. Apple, Amazon, Netflix and just about everyone else aren't much better. Only Google makes a good try at it, and they just plugged a big hole.

This won't surprise anyone who knows the history of credit card hacks (example). The reasons are fairly easy to understand:

  1. If your iCloud account is hacked, Apple loses approximately nothing.
  2. Good processes and security are expensive. You have to train staff. To prevent one hack you probably have to irreversibly piss off somewhere between 10 and 1000 customers. Each of these customers will rage to at least five friends.
  3. Less than 1 person in a zillion can manage password security, and that person's family will be completely screwed when they run off or die [2].

What we have here is a market failure. Market failures are one reason we have governments.

Governments, particularly post offices, have managed identities for a long time. Passports, for example, are managed by Post and Passport Offices. There are laws and procedures in place.

Digital identity management in most nations will eventually be handled by some cooperative mixture of government and business within a regulatory framework. We'll use multi-factor authentication, and we will have "break the glass" functionality available through government when access is lost (for a fee).

Preposterous? No. Six years ago these kinds of proposals generated snort-milk-out-the-nose laughter. I don't hear the laughter any more. It will take a decade, just because these things always stagger on for longer than I can imagine, but it will eventually happen.

See also:

[1] Steve Jobs was the most famous member of this cohort.
[2] Number of people who have both a highly secure password system and a method to pass information to spouse in event of death or disability? Does your spouse have your list of ten Google two-factor bypass codes? What if s/he dies in the car crash with you? Does your estate have them?
