Showing posts with label security. Show all posts

Saturday, January 01, 2011

Why the United States Postal Service should manage our primary digital identity

For a non-expert, I do a fair bit of ruminating about the relationships between identities, credentials, and avatars/facets. Today a bug related to Google's (covert) Identity Integration initiatives, a recent flurry of stories on the endtimes of password based security, and the earth's orbit have got me chewing again.

I'll deal with the earth's orbit by making my solitary 2011 tech prediction. 2011 will be the year of two factor authentication and the gradual realization that management of digital identities is too important to be left to Google, Amazon and especially Citicorp, Facebook, and AT&T/Verizon.

So if we can't rely on Google (or Facebook) or Citicorp to manage our digital identity, including claim resolution and identity control, who can we rely on? What are the other alternatives, assuming that almost none of us will run an identity service out of our homes?

Obviously, government is an option. The (US) Federal government, for example, makes a robust claim on my identity. That claim, however, is so robust I would prefer to separate my obligatory IRS identities from all other identity related services. In any event direct US government identity management is a political non-starter. The right wing will start ranting about beastly numbers and rationalists will fret about the day Bush/Cheney II takes power.

That leaves business entities with strong governmental relationships, extensive regulation, and a pre-existing legal framework support that could be extended to support identity management.

An entity like, for example, the United States Postal Service (USPS).

You laugh. Ok, but consider the advantages:

  1. The USPS has been in the business of managing confidential transactions for centuries.
  2. There are post offices in every community that could support the person-present aspects of identity claims.
  3. It's a regulated quasi-governmental agency that already exists.
  4. The USPS manages passports
  5. Much of the legal framework used to manage mail and address information could be extended to manage digital identities.
  6. The USPS is dying and is desperate for a new mission.

I admit, it sounds crazy.

Except ... I'm far from the first person to think of this. It was proposed by (cough, choke, gag) Michael Chertoff ...

... former Department of Homeland Security Secretary Michael Chertoff ... mused that the USPS was ideally situated to take part in the evolution of the government's role in validating identity. He points out that the Post office is already the primary issuer of passports – an extremely important piece of personal identity. In the speech he expands on that model as follows: "one of the things I hope to see is, as the Post Office re-engineers itself over the next, you know, few years, they increasingly look at whether they can be in the business of servicing identity management. They can – because every town has a post office." .... DHS: Remarks by Homeland Security Secretary Michael Chertoff at University of Southern California National Center for Risk and Economic Analysis of Terrorism Events

I can't believe I find myself agreeing with Chertoff, but there you go. What a way to start 2011.

See also (Gordon's notes unless otherwise noted):

[1] Incidentally, now that my kateva.org Google Apps users have Blogger privileges, and since Blogger is supposedly an OpenID provider, I'm thinking of implementing this using Blogger/Google Apps/Kateva.org

Update 1/8/11: A few days after I wrote this news emerged of a federal identity and certificate management initiative. Maybe I'm psychic.

Tuesday, December 14, 2010

Gawker was hacked yesterday. Today LinkedIn?

Yesterday we learned Gawker was hacked. I got this message today ...

We have recently disabled your account for security reasons. To reset your password, follow these quick steps:
....
The LinkedIn Team

My LinkedIn password was not the same as the disposable Gawker password. It wasn't an ultra secure 64 character random string, but it was a 5th percentile good quality password, one of my class III credentials. It wouldn't fall to a standard attack.

So was LinkedIn hacked? Is this a false alarm? Are they being extra cautious after the Gawker hack?

There's another possibility. Since my Gmail account was hacked I don't enter my Google credentials on untrusted machines. Practically speaking, that means only OS X machines I control. Since that day I divide my credentials into five classes.

  • I: You want it? Take it.
  • II: I'd rather you didn't.
  • III: Help!! Help!!
  • IV: I'll fight you for it.
  • V: Kreegah bundolo! Kill!!

Category IV and V credentials are only used on trusted machines. Category I is used everywhere. Category II and III I'll use on my work machine -- an XP box with corporate class antiviral software. In other words, a vulnerable machine.

The fourth possibility is that one of my Category III credentials has fallen to a keystroke logger on my corporate laptop.

Yech.

I've reset my LinkedIn password (and reviewed the list of reset emails), and, on reflection, I've moved those credentials into "Class IV". So I won't use those credentials on an untrusted machine.

What's next?

See also (my stuff):

Update 12/14/10: LinkedIn wasn't hacked, unless you consider that they've hacked themselves. They'd matched every email address posted by the Gawker hackers, and reset the passwords associated with them. They explain that today (emphases mine) ...

We recently sent you a message stating that your LinkedIn password had been disabled for security reasons. (Note: If you have more than one email registered with us, you will receive more than one password reset message. You only need to act on one of them.)

This was in response to a security breach on a different site, Gawker.com, where a number of usernames and passwords were exposed. We want to make sure those leaked emails and passwords were not being used to attack any LinkedIn members.

There is no indication that your LinkedIn account has been affected, but since it shares an email with the compromised Gawker accounts, we decided to ensure its safety by asking you to reset its password ...

They would have done better to explain that yesterday. What a screw up.
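The response LinkedIn describes above (match the addresses exposed in another site's breach against your own users and force a reset on every match) as an added example, not LinkedIn's or Gawker's code. The dump lines and accounts are constructed; only the e-mail column is ingested, never the leaked passwords, and each matched account gets exactly one reset notice however many of its registered addresses appear in the dump.

```python
"""Cross-reference a third-party breach dump against a local user base."""
from __future__ import annotations

import hashlib
from dataclasses import dataclass

# Constructed sample: the e-mail column of a leaked dump, passwords already discarded.
LEAKED_DUMP_LINES = [
    "Alice.Example@Example.com",   # case differs from the local record
    "alice@work.example",          # second address of the same local account
    " bob@example.org ",           # stray whitespace
    "carol+news@example.net",      # plus-tag variant of a local address
    "dave@example.com",            # not a local user at all
    "not-an-email",                # junk line, must be skipped
]


@dataclass(frozen=True)
class Account:
    account_id: int
    emails: tuple[str, ...]   # one account may have several registered addresses


# Constructed sample: the local user base.
LOCAL_ACCOUNTS = [
    Account(1, ("alice.example@example.com", "alice@work.example")),
    Account(2, ("bob@example.org", "robert@example.org")),
    Account(3, ("carol@example.net",)),
    Account(4, ("eve@example.com",)),
]


def normalize_email(addr: str, strip_plus_tag: bool = False) -> str:
    """Trim and lower-case an address so dump and local records compare equal.

    The local part is lower-cased as well: RFC 5321 says it is case-sensitive, but
    mailbox providers treat it case-insensitively and dumps are never consistent.
    Plus-tags (user+tag@) are kept unless the caller opts in to folding them.
    """
    addr = addr.strip().lower()
    local, at, domain = addr.rpartition("@")
    if not at:
        return addr
    if strip_plus_tag:
        local = local.split("+", 1)[0]
    return f"{local}@{domain}"


def fingerprint(normalized: str) -> str:
    """SHA-256 of a normalized address. This is not secrecy (addresses are
    low-entropy), it just means the raw dump is not retained after indexing."""
    return hashlib.sha256(normalized.encode("utf-8")).hexdigest()


def build_breach_index(dump_lines, strip_plus_tag: bool = False) -> set[str]:
    """Index the dump's addresses as fingerprints; lines without '@' are skipped."""
    index: set[str] = set()
    for line in dump_lines:
        norm = normalize_email(line, strip_plus_tag)
        if "@" in norm:
            index.add(fingerprint(norm))
    return index


def match_accounts(accounts, breach_index, strip_plus_tag: bool = False) -> dict[int, list[str]]:
    """Return {account_id: [matched addresses]} for every account touched by the dump."""
    matches: dict[int, list[str]] = {}
    for acct in accounts:
        hits = [e for e in acct.emails
                if fingerprint(normalize_email(e, strip_plus_tag)) in breach_index]
        if hits:
            matches[acct.account_id] = hits
    return matches


def reset_notices(matches: dict[int, list[str]]) -> dict[int, str]:
    """One notice per account, not one per matched address."""
    return {
        acct_id: (f"Password reset required for account {acct_id}: "
                  f"{len(hits)} registered address(es) appeared in a third-party breach")
        for acct_id, hits in matches.items()
    }


if __name__ == "__main__":
    idx = build_breach_index(LEAKED_DUMP_LINES)
    for acct_id, text in reset_notices(match_accounts(LOCAL_ACCOUNTS, idx)).items():
        print(text)
```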

Monday, December 13, 2010

The Gawker hack - and two factor authentication

I got my email from Gawker today

... the user name and password associated with your comment account were released on the internet...

Gawker was hacked - big time. Forbes has the gory details ...

The Real Lessons Of Gawker’s Security Mess - The Firewall - the world of security - Forbes

... Despite this, they do not really seem to be acknowledging the scale of what happened. They still try to put some blame back on users, suggesting that if they had a weak password they might be compromised. Well, that really does not make much of a difference when you expose the entire database table and have way too much faith in the 34 year old encryption algorithm reported to be used to safeguard the data...

Briefly, I take security far more seriously than Team Gawker. They were a big fat soft target.

I don't remember creating a Gawker account - I probably created it on io9 originally. I'm sure I used my throwaway password (still far more robust than most). I have retired that password, but it will now be a part of a future dictionary attack. I need to check that Emily doesn't use it any more either.

In the wake of these events there are typically calls to "use strong passwords". Except, of course, if the server side password store encryption is hacked then even the world's best password is useless. And, of course, there are keystroke loggers out there.

This is what I do now, but, really, we need two factor authentication urgently.

I did go through Gawker's password reset procedure, which seems to have given me a new username and password. There's no way currently to get to their accounts page so I'll just leave it as it is.

Update 12/14/10: This Lifehacker (Gawker) article on lessons learned from a hacked google account is quite ironic now. They didn't learn any lessons.

There've been two good commentaries today ...

Sunday, December 05, 2010

Why you will live in an iOS world

Five years ago, just before Microsoft Vista was released, our household CIO made a strategic decision. We would move to OS X.

It wasn't a hard decision. The cost of supporting both XP and OS X was too high, XP's security, debugging and maintenance issues were intractable, and OS X had a much more interesting software marketplace. Moving to OS X would dramatically reduce our cost of ownership, which was primarily the CIO's opportunity cost. Time spent managing XP meant less time spent on my health and on family joys and obligations. [6]

It worked beautifully. One of my best strategic decisions. Yes, I curse Apple with the best of them, but I know the alternatives. I'm not going anywhere.

Except I am going somewhere. I will fade. So will you, though there's a bit more hope for the under-30 crowd. We might be able to slow the natural deterioration of the human brain (aka "Alzheimer's" and its relatives [4]) by 2030. It's too late for the boomers though, and probably too late for Gen X.

Sure, I'm still the silverback of the geek tribe. I may have lost a step, but between experience and Google I still crush the tough ones with a single blow.

Not for long though. I give myself ten years at most. I won't be able to manage something like OS X version 20, and I don't want to be reliant on my geek inheritor - son #2.

We will need to simplify. In particular, we'll need to simplify our tech infrastructure (and our finances [1] and online identities [7] too).

So our next migration will be to iOS - a closed, curated, hard target, simpler world.

You'll be going there too -- even if you're not fading (yet). The weight of the Boomers [2] will shift the market to Apple's iOS and its emerging equivalents. Equivalents like ChromeOS, now turning into iOS for desktop devices with its own App Store [5].

I still have a few years of OS X left, including, if all goes well, the 11" MacBook Air I've been studying. The household CIO's job, however, is to think strategically. Our future household acquisitions will shift more and more to iOS devices, possibly starting with iPad 2.0 (2011) [3].

I expect by 2018 we'll be living in largely iOS-equivalent world, and so will you.

-- footnotes

[1] I miss Quicken 1996 -- before Intuit went to the DarkSeid.
[2] The 2016 remake of Logan's Run will be a smash hit. 
[3] I bought iPad 1.0 for my 80yo mother -- same reasons.
[4] 1989 was when the National Institutes of Health needed to launch a "Manhattan Project" style dementia-management program. I wasn't the only person to say this at the time. 
[5] If their first netbook device doesn't come in under $150 with batteries Google is in deep trouble. Android is not an iOS-equivalent, it's a lot more like XP. 
[6] Pogue's 10 year tech retrospective is a beautiful summary of the costs of making the wrong household tech decisions. He misses the key point though. The real costs are not the purchase costs, or the immense amount of failed invention, or the landfill costs -- it's the opportunity costs of all the time lost to tech churn. I've a hunch this opportunity cost is important to understanding what happened to the world economy between 1994 and 2010. That's another post though!
[7] Digital identities proliferate like weeds. Do you know where all your identities are?

Tuesday, September 28, 2010

Trust and credential management: MyOpenID

I've been preoccupied lately with credential (un/password) management. I think the geek community has gotten confused by identity management issues. We need to start with credential management, then associate identities (avatars, facets, personae, etc) with credentials.

I like my four un/pw proposal + one major password. So I wondered if anyone was going to do it.

That made me think again about MyOpenID, and what I wrote about Simplenote. I love Simplenote, but there are security risks to trusting them with a large volume of private information.

How much greater then, is the risk of trusting one's most precious credentials to MyOpenID. What business model do they have? Why don't they already provide the approach I'm advocating? Should I be concerned that the MyOpenID blog link goes to a blog that never mentions the service?

To their credit MyOpenID provides an easy to find and use account deletion process. I have deleted my account. It just doesn't make sense to make a company that might vanish at any time a major holder of my digital identity.

See also:

Monday, September 20, 2010

Google's two factor authentication and why you need four OpenID accounts

My Google account was hacked two weeks ago, so today Google is deploying two factor authentication to (paid) Google Apps.

What, you think that's coincidental? You underestimate my power (cue mad laughter).

This is a good thing, but it won't prevent a keystroke logger from pinching your password if you use an insecure (ex: XP) machine. On the other hand, maybe I'll switch to a trivial password and just rely on the more robust 2nd factor.

Which brings me to OpenID and OAuth. In my latest post-hack "what am I doing" post I warned against OpenID. The only thing worse than losing a critical password to keystroke logging is losing a critical OpenID password.

Since then I've been thinking about where we're going, and I think there's a place for OpenID/OAuth and two factor authentication.  More specifically, there's a role for multiple OAuth (I'll drop the /OpenID for now) accounts - one for each of the five credential classes.

What's a credential class? Think in terms of how you'd feel about someone taking your credentials ...

  • I: You want it? Take it.
  • II: I'd rather you didn't.
  • III: Help!! Help!!
  • IV: I'll fight you for it.
  • V: Kreegah bundolo! Kill!!

We need a master account with Category V security. The One Ring account has two factor authentication and a robust reset procedure that might involve banks and other identity authentication services. It may be tied to a strong identity as well, but that's another post. You only enter these Category V credentials on a secure machine and an encrypted connection. The Master Account can be used to override and change the passwords on lesser accounts.

From the master account we have four other credentials (un/pw combinations), each with OpenID/OAuth services.

The Class IV credential service is what we use with Gmail and a range of high-end OpenID/OAuth services like banks. We enter these credentials only on a secure machine - but there's a degree of comfort from having a Class V account that can change passwords. On less secure machines maybe we use two factor authentication.

The Class III credentials are what we use anywhere that has credit card capabilities. Use these for Amazon and iTunes.

Class II credentials are for your spam only Yahoo email and the New York Times.

Class I credentials are for the Minneapolis Star Tribune.

In a world of widespread OAuth/OpenID type services and this type of master account we really need to know five passwords, and only three of them have to be decent passwords. We can manage that.

This is where we will go.

We can do it now of course, by setting up five Google accounts. It will probably get a lot easier when Google Apps start providing full Google account services for each user, with optional two factor authentication.

In fact, this is so simple I'm surprised MyOpenID doesn't do it already.

Maybe in two weeks.

Sunday, September 12, 2010

After the hack: Why you REALLY shouldn't do personal business on a corporate machine

Corporations hate employees doing personal business on office machines.

I, of course, have never done this. I've certainly not checked my family calendar, or managed personal email, or browsed my Google Reader feeds on my corporate laptop, either at home or at the office.

Corporations hate this because employees should be working. Besides, it's an obvious security risk. Employees visiting off-color web sites are sure to bring viruses to work.

I agree. Sort of. Specifically I agree employees shouldn't use their Google credentials on corporate machines, and I agree there's a security risk -- for someone.

Mostly, though, the security risk is for the employee, not the corporation.

Let me explain why.

As best I can tell the average large publicly traded company admits to at least one major XP malware attack every 4-12 months. I expect the real number is twice that. That's a pretty high attack rate. A lot of this malware, like Lemir.VA, incorporates a keylogger function. This malware captures usernames and passwords and sends them on.

If you check your family calendar at work, that would include your Google credentials. Your robust password is now meaningless; you will be hacked like I was.

That's at work. How about at home? Well, in our OS X/iOS household we haven't had a malware attack for over five ten years. My home is far more secure than my workplace.

It's safe to access Google from home. It's not safe to access Google from my office.

So you shouldn't use the office computer for personal work after all. It's in a very bad neighborhood, you really don't want to take your Google credentials there.

Saturday, September 11, 2010

Thunder in the Cloud: Lessons from my hacked Google Account

It was just another week in the age of insecurity. Yet another low tech Windows-only trojan spread throughout American corporations, costing a day or so of economic output and probably acquiring a rich bounty of passwords. Twitter implemented a defective OAuth security framework. Oh, and my Google (Gmail) account was hacked.

The last of these was the most important.

Cough. Go ahead, laugh. Check back in three years and we'll talk. For now, trust me on this. There are some interesting implications.

First though, a quick review. Nothing obvious was done to my Cloud data by the hacker, I only know of the hack because of defenses Google put in place after they were hacked by China. Secondly I used a robust and unique password on my primary Google account and I'm a Phishing/social engineering hard target. So, in order of descending probability the security flaw was
  • Keystroke logging > Google false alarm (no hack) > iPhone app credential theft > WiFi intercepts >> Google was hacked > password/brute force attack.
I changed my password, but that doesn't deal with the real security problems (keystroke logging, WiFi intercepts, App credential theft). The other changes I'm making are more important.

That's the background. Why is this interesting? It's interesting because of what we can infer about motives, and the implications for the future of Cloud computing, iOS devices, and Apple.

Consider first the motives. The hackers owned my Google credentials for 24 hours, but they did nothing. They didn't change my passwords, they didn't send any email. The most likely explanation is that the next move was to identify and attack our mutual fund accounts by taking advantage of harvested data (58,000 emails, hundreds of Google Docs), accessible internet data, and the stupidity of mutual fund security systems.

We're not rich by American standards, but emptying our accounts would be a good return on investment for most organized criminal organizations.

Secondly if I can be hacked like this, anyone can. I am the canary in this coal mine, and I just keeled over.

Ok, maybe the impractically pure and young Cryptonomicon live-in-a-thumb-drive-VM-with-SSL geeks are relatively safe, but, practically speaking, everyone is vulnerable. Windows, OS X or Linux - it doesn't make a difference. (But the iPhone/"iTouch" and iPad do make a difference. More on that below.)

When history combines motive (huge revenue hits) with opportunity then "Houston, We have a Problem". Sometimes freaking out is not unwise. 2010 network security is a market failure. The business model of Cloud Computing is in deep trouble.

I think I know how this ends up. Somehow, some day, we will all have layers of identity and data protection, designed so that one layer can fall while others endure. Our most critical data may never be committed to the network, perhaps never on a digital device. If I were running Microsoft, Google or Apple I'd be spending millions on figuring out how to make this relatively seamless.

That part is fuzzy. What's clear is good news for Apple, though everyone else isn't far behind. Untrusted devices, untrusted software, and untrusted networks are all dead. That means shared devices are dead too. Corporations need to own their machines and trust systems, we need to own our machines and trust systems, and when we have both a corporate and a personal identity we need two machines.

Practically speaking, we all need iPhone/iTouch/iPad class devices with screened and validated software that we carry everywhere [1]. (That means the equivalent of iOS and App Store, but software apps that provide Google access need to be highly screened. Practically speaking, they need to come from Google or Apple.)

We need secure network access. For the moment, that means AT&T 3G rather than, say, Cafe WiFi (Witopia VPN is not quite ready for the mass market). Within the near term we need Apple to make VPN services a part of their MobileMe offering with seamless iOS integration. Apple currently provides remote MobileMe iPhone annihilation, we need the iPhone/iPod Touch FaceTime camera to start doing facial/iris biometrics.

Yes, Apple is oddly well positioned to provide all of these, though Google's ChromeOS may be close behind.

Funny coincidence isn't it? It's almost as though Apple thought this through a few years ago. I wonder what they're planning now to enforce trusted hardware. Oh, right, they bought the A4.

The page is turning on the remnants of 20th century computing. Welcome to the new world.

-- footnotes

[1] Really we need iPhone/iTouch class devices with optional external displays. Maybe in 2013.

See also:

Post-hack posts (past week):
Pre-hack posts

And some warnings of mine that were premature -- because Team Obama converted Great Depression II into the Great Recession.

Sunday, September 05, 2010

After the Google Hack: Life in the transparent society

My Google Account (Gmail and more) was hacked on 9/3/10, a day before I wrote about the risks of online backup.

I had a 99th percentile password. It had six letters, four numbers, no words or meaningful sequences. It wouldn't be in a dictionary. On the other hand, like Schneier and other security gurus, I didn't change it often. I also had it stored locally on multiple desktop and iPhone apps. As far as I know it wasn't stored on any reasonably current web app.

If my password had been a bike lock, it would have been one of those high end models. Enough to secure a mid-range bike on the principle that better bikes with cheaper locks were easy to find.

That wasn't enough. For some reason a pro thief [2] decided to pinch my mid-range bike. They didn't do any damage, they didn't seem to send spam [1]. They seem to have unlocked my bike, peeked around, and locked it again.

Why would a pro bother? Trust me, I lead an intensely narrowcast life. It's interesting to only a few people, and boring to everyone else.

On the other hand, it wasn't always so. "I coulda been a contendah." I knew people who have had interesting lives, I still correspond with some. If a pro was interested in me, it was most likely because of someone like that. My visitor was probably looking for correspondence. Once they found it, or confirmed my dullness, they wouldn't have further interest in me.

Fortunately even that correspondence is quite dull.

I've changed my password. The new one is 99.9th percentile. Doesn't matter, I doubt I'm much more secure.

This isn't a complete surprise. Passwords died as a high end security measure about ten years ago. What's more surprising, except in retrospect, is that you don't have to really do anything or be anybody to get some high end attention. You only have to be within 1-2 degrees of separation of someone interesting. Security and "interest" are "social"; even a dull person like me can inherit the security risk of an interesting acquaintance or correspondent.

Welcome to the transparent society. If you put something in the Cloud, you should assume it's public. Draw your own conclusions about the corporate Cloud business model and online backup, and remember your Gmail is public.

footnotes --

[1] Of course they could erase the sent email queue, but I haven't gotten any bounce backs. Anyway, there are much easier ways to send spam.
[2] Russian pro, Chinese government equivalent, etc. Why pro? Because the hacker didn't change my password after they hacked the account, they didn't trash anything obvious, they didn't send out spam, and the access was by an abandoned domain. I'm not vulnerable to keystroke logger hacks except at my place of employment and wifi intercepts are relatively infrequent. Still, it's all probabilities.

Saturday, July 31, 2010

Steve Jobs on Parental Controls - the Mac is dead

Sometimes, if you send an email to sjobs@mac.com, someone responds under the name Steve Jobs.

I assume it's mostly a PR person, but I suspect sometimes it is Steve Jobs. I bet Howard Hughes, in his prime, did something similar.

I've never written Jobs about my suffering with OS X Parental Controls or the MobileMe debacle that did me in. Still, I can imagine how the correspondence might go ...
Dear Steve,
I've tried and tried to make Parental Controls work, but, honestly, they don't. If all the bugs were fixed the very latest version would probably work with the web of 2003. These days, however, all the web sites of interest use https encryption, which isn't supported by OS X Parental Controls. MobileMe is one of the very worst offenders. Even when we hack around the limitations, Parental Controls is too broad. We want access to our Google Apps, but not to Google Image Search ....
"Jobs" would reply ...
Buy the kid an iPad.
He'd be right. The family Mac is dead. iOS is the future.

I've wasted weeks of effort trying to make an OS X machine relatively child safe. I can do that with an iPhone or iPad in a few minutes -- assuming the iPhone is configured to sync to the cloud.

All I have to do is turn off three things: Safari, YouTube, and App Install [1]. Then I install purpose-specific apps that provide select services (NOT web apps). So I install Wikipanion instead of linking to Wikipedia. Wolfram Alpha instead of Google Search. Apple's Contacts and Calendar (sync to our Google Apps) rather than Google's web apps. The NYTimes app rather than a link to the NYT web site.

History has moved on.

[1] With iOS 3 if you disable App Installation on the iPhone you can't install from iTunes either. There's no UI indication of what the cause is, the iTunes App Install screen is just non-responsive.

Monday, July 19, 2010

The terror-industrial complex

Is this the last gasp of the Washington Post? At least they're going out in style.

Emphases mine. Clearly "top secret" is now meaningless.
A hidden world, growing beyond control | Top Secret America - washingtonpost.
The top-secret world the government created in response to the terrorist attacks of Sept. 11, 2001, has become so large, so unwieldy and so secretive that no one knows how much money it costs, how many people it employs, how many programs exist within it or exactly how many agencies do the same work.
These are some of the findings of a two-year investigation by The Washington Post that discovered what amounts to an alternative geography of the United States, a Top Secret America hidden from public view and lacking in thorough oversight. After nine years of unprecedented spending and growth, the result is that the system put in place to keep the United States safe is so massive that its effectiveness is impossible to determine.
The investigation's other findings include:
* Some 1,271 government organizations and 1,931 private companies work on programs related to counterterrorism, homeland security and intelligence in about 10,000 locations across the United States.
* An estimated 854,000 people, nearly 1.5 times as many people as live in Washington, D.C., hold top-secret security clearances.
* In Washington and the surrounding area, 33 building complexes for top-secret intelligence work are under construction or have been built since September 2001. Together they occupy the equivalent of almost three Pentagons or 22 U.S. Capitol buildings - about 17 million square feet of space...
Normally this would be a very sweet target for budget cutting, but now it's a form of bipartisan stimulus. Can't spend too much on security you know. (Of course this kind of Keystone Cops spending must actually reduce security).

WaPo has an online database summarizing what they learned from public records. The merely "secret" program was too vast to even consider.

Thursday, February 18, 2010

Google's latest inadequate Buzz patch - Profile deletion

Google claims to be trying to fix the Buzz Problem, but they're refusing to reduce the link between a public Google Profile and any Buzz activity.

For Google the public Profile is the great search prize. They won't give this one up easily.

So at the moment the only way to truly remove your public Buzz trail is to delete your Google Profile:
Edit your (Google) profile - delete profile:

... This will disable Google Buzz integration in Gmail and delete your Google profile and Buzz posts. It will also disconnect any connected sites and unfollow you from anyone you are following...
You can now do this from your Google Dashboard, from Profile settings, and possibly from the Buzz tab displayed in Gmail (which I no longer see).

There are side-effects to Profile deletion. It appears it will not only remove your Buzz followers, it will also remove your Google Reader followers. It may also remove your authentication with various connected sites and your Gmail OpenID credentials. It also removes any value attached to your Profile before Google attached the Buzz stream to it.

Google needs to do two things that they are extremely reluctant to do:
  • Near term: allow users to remove Buzz streams from the public profile.
  • Longer term: allow users to associate multiple Google Profiles with a single Google account and to control which ones are associated with various Google properties, authentication and sharing services, etc.
Until they do these things, they have earned their new Gordon's Corporate Evil Scale score of '8' - average for a publicly traded company and in spitting distance of Microsoft's '10'.

Update 2/20/10: A week after I removed my full name from my Google Profile a search on my name still retrieves the profile and the few Buzz posts I've left undeleted. Quite a screw-up.

Wednesday, February 10, 2010

The Buzz profile problem: I am Legion

My name is Legion; for we are many (Mark 5:9).

I am father, brother, in-law, son, and spouse. I am coach. I am volunteer. I am citizen and activist. I am a physician. I am an (adjunct) professor. I am an oddity in a large, conservative, publicly traded corporation. In the corporation I am a team member, known to some customers, occasionally publicly facing, known in various ways and various places. I have other roles and have had many more over time.

I am Legion. So are most middle-aged persons.

Only one person knows all the roles and all of the stories that are not excruciatingly boring (hi Emily).

That’s the problem with Google Buzz, and why my Google Profile doesn’t include my pseudonymous (John Gordon) blog postings or my Google Shared items.

Buzz is tightly linked to my Google Profile, and my Profile is trivially discoverable. I don’t want corporate HR or a customer or business partner to instantly know that I’m a commie pinko Obamafanboy with a dysfunctional Steve Jobs relationship.

I have LinkedIn as my bland corporate face, and, despite Facebook’s innate evilness, a FB profile for friends and family. Inside the corporation I’ve a blog that serves as a limited persona.

We all have many roles, identities, avatars, personae, limited liability personae, characters, facets and so on. The problem with Buzz today is that it’s tied to the Google Profile, and that profile is the closest thing to my unified public face. It crosses boundaries. So it can only hold the limited information channels that are available to all.

Google gets some things right, and a ton of things wrong. They take a statistical, loosely-coupled, evolutionary approach to technology development (the exact inverse of Jobs the Intelligent Designer). I’m looking forward to where Buzz goes, but I’ll be cautious for a time. They can start by giving us more control over what aspects of the overall Buzz connection stream appear on our public profiles.

Update 2/11/10: More on the mess-up. Google really didn't think this through very well. They may end up feeding the families of a number of lawyers. I'm sure they weren't dumb enough to roll this out in the EU, but if they did the fines may be significant.

Friday, February 05, 2010

The Clampi Trojan says …. Get a Mac

A Windows 2003 server machine I use may, or may not, have been infected with the Clampi trojan (ilomi.b or ilomo.c, which, depending on your font, may look a lot like llomi or IIlomi or ILomi).

I say “may not”, because the combination of “Windows 2003” and “antivirus” has a high rate of false positive claims that can wreak as much destruction as the antiviral software.

In researching the Clampi trojan Google suggested I read this summary (emphases mine) …

Clampi/Ligats/Ilomo Trojan - Research - SecureWorks

… Clampi’s recent success in infecting victims is accomplished by using domain administrator credentials (either stolen by the Trojan or re-used, or by virtue of the fact that a domain administrator has logged into an already infected system). Once domain administrator privileges are granted, the Trojan uses the SysInternals tool "psexec" to copy itself to all computers on the domain.

Clampi also serves as a proxy server used by criminals to anonymize their activity when logging into stolen accounts…

… Clampi is operated by a serious and sophisticated organized crime group from Eastern Europe and has been implicated in numerous high-dollar thefts from banking institutions. Any user whose system has been infected by Clampi should immediately change any and all passwords used on that system for any websites, but especially financial credentials.

… Most major anti-virus engines should be able to detect Clampi variants; however there is always a delay between a new Trojan release and the detection time. Given the prevalence and seriousness of the Clampi Trojan, it is recommended that businesses that carry out online banking/financial transactions adopt a strategy to isolate workstations where these activities are carried out from possible Clampi or other data-stealing Trojan infections.

This may include using a dedicated workstation for accessing financial accounts which is isolated from the rest of the local network and the Internet except for the specific financial sites required to be accessed. Since Trojans can also be spread using removable drives, systems should be hardened against auto run-type threats. Businesses may even consider using an alternative operating system for workstations accessing sensitive or financial accounts.

Home Computer User Protection
SecureWorks CTU recommends that home computer users use a computer dedicated only to doing their online banking and bill pay. They should not use that computer to surf the web and send and receive email, since web exploits and malicious email are two of the key malware infection vectors.

As an alternative to operating a secure home PC for all important work, home users could, you know, buy a Mac. They would then have one machine to use for everything.[1]

Maybe Apple is funding Clampi development?

--

[1] The Mac’s vast security advantage comes from the “faster friend” security philosophy. When you and a friend are being chased by a bear, you don’t have to be faster than the bear, you have to be faster than your friend. OS X 10.6 is, in practical terms, fundamentally more secure than XP, but not necessarily theoretically more secure than Microsoft’s very latest foul demon. The big Mac advantage is that the world’s criminals don’t own Apple machines, and have very little interest in targeting Macs as long as the vast majority of banks and corporations run some flavor of Windows. I’ve often wondered, incidentally, if Windows 98 isn’t now a very secure environment. I doubt many Trojans would infect it any more.
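The SecureWorks summary quoted above describes how Clampi spreads once it has domain administrator credentials: it uses psexec to copy itself to every machine in the domain. From the defender's side that mechanism leaves a trace, because PsExec works by installing a temporary service (named PSEXESVC by default) on each target, and Windows records every service install in the System log as event ID 7045. The following is an added example, not code from the post or from SecureWorks, of a small detector over such events: it flags any install of a known remote-execution service and raises an alert when the same service lands on several hosts within a few minutes, which is the lateral-movement pattern rather than a single administrator's remote command. The log export format, hostnames and timestamps are constructed for the example.

```python
"""Added detection example for the psexec-style spread described in the
SecureWorks summary. A service install is Windows System-log event 7045;
PsExec's helper service is PSEXESVC by default. One such event may be an
administrator at work; the same service appearing on many hosts inside a
short window is worth an alert. Log lines below are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, simplified export: "<timestamp> <host> <event id> <service> <image path>"
SAMPLE_LOG = r"""
2010-02-05T09:00:01 WS-101 7045 PSEXESVC %SystemRoot%\PSEXESVC.exe
2010-02-05T09:00:04 WS-102 7045 PSEXESVC %SystemRoot%\PSEXESVC.exe
2010-02-05T09:00:09 WS-103 7045 PSEXESVC %SystemRoot%\PSEXESVC.exe
2010-02-05T09:00:15 WS-104 7045 PSEXESVC %SystemRoot%\PSEXESVC.exe
2010-02-05T11:30:00 WS-200 7045 PrintHelper C:\Program Files\Vendor\printhelper.exe
2010-02-05T13:00:00 WS-300 7045 PSEXESVC %SystemRoot%\PSEXESVC.exe
"""

LINE = re.compile(r"^(\S+) (\S+) (\d+) (\S+) (.+)$")
# Service names used by remote-execution tools; PSEXESVC is PsExec's default.
REMOTE_EXEC_SERVICES = {"PSEXESVC"}

def parse_service_installs(text):
    """Parse the export into event dicts, keeping only service installs (7045)."""
    events = []
    for line in text.strip().splitlines():
        m = LINE.match(line)
        if not m:
            continue  # tolerate junk lines in a real export
        ts, host, event_id, service, image = m.groups()
        if int(event_id) != 7045:
            continue
        events.append({"time": datetime.fromisoformat(ts), "host": host,
                       "service": service, "image": image})
    return events

def remote_exec_installs(events):
    """Every install of a known remote-execution service: worth a look even when single."""
    return [e for e in events if e["service"].upper() in REMOTE_EXEC_SERVICES]

def find_lateral_spread(events, window=timedelta(minutes=5), min_hosts=3):
    """Alert when one remote-exec service appears on >= min_hosts distinct hosts inside `window`."""
    by_service = defaultdict(list)
    for e in remote_exec_installs(events):
        by_service[e["service"].upper()].append(e)
    alerts = []
    for service, evs in by_service.items():
        evs.sort(key=lambda e: e["time"])
        i = 0
        while i < len(evs):
            hosts, j = [], i
            # Grow the window forward from event i, collecting distinct hosts.
            while j < len(evs) and evs[j]["time"] - evs[i]["time"] <= window:
                if evs[j]["host"] not in hosts:
                    hosts.append(evs[j]["host"])
                j += 1
            if len(hosts) >= min_hosts:
                alerts.append({"service": service, "hosts": hosts,
                               "start": evs[i]["time"], "end": evs[j - 1]["time"]})
                i = j  # this cluster is reported; continue past it
            else:
                i += 1
    return alerts

if __name__ == "__main__":
    evs = parse_service_installs(SAMPLE_LOG)
    for a in find_lateral_spread(evs):
        print(f"{a['service']} installed on {len(a['hosts'])} hosts "
              f"between {a['start']} and {a['end']}: {', '.join(a['hosts'])}")
```

On the constructed sample the four installs on WS-101 through WS-104 inside fifteen seconds produce one alert, while the lone install on WS-300 hours later is listed by `remote_exec_installs` but does not by itself trip the spread threshold; tune `window` and `min_hosts` to how your own administrators actually use PsExec.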

Monday, December 28, 2009

America, please grow a spine

Another mentally ill al Qaeda cannon fodder has tried to blow up an airplane. It's encouraging that they're still scraping the barrel to recruit suicide bombers.

Meanwhile, in America, there are rumors that we'll have to forsake electronics and all motion or access to personal goods for the last hour of flight. At one point it was rumored that we'd have to go without a book for the "last hour". We might as well scratch all children and many adults with medical, cognitive or psychiatric disorders from flying.

Oh, and I love the way they say "last hour" as though planes never spend 1-2 hours circling the airport or waiting for a gate.

Meanwhile anyone who's seen a movie or read a book about smuggling or prisons is waiting for the first bomb smuggled in by body cavity - or surgically embedded into the abdomen. The next generation of scanners will have to incorporate a rectal probe.

The TSA administrators can't be as stupid as they look. They must know there's really no practical way to secure an airplane (train, bus, public space) against a truly competent and determined attacker. The best we can do is balanced risk mitigation. As Schneier has told us so many times, the big changes post 9/11 were to secure the cockpit door and look to the courage of passengers.

So if the TSA administrators aren't stupid, where do these regs come from? They come from legislative pressure. Now, many of our legislators are stupid, but not all of them. So why do they do this?

Because they know if a plane blows up and they didn't max out on security theater they'll be out of office - because we American voters are who we are.

We gotta stop this. Voters and legislators alike need to grow an American spine -- before our fear and stupidity drives us off the deep end of history.

Update 12/29/09: Signs of vertebral development. The absurd early responses have been dropped. Also, rectal bombs have already been used in Saudi Arabia.

Sunday, December 27, 2009

Google Health and my Google password

Google is infamous for not providing direct customer service. If you lose control of your Google Account you can be in deep trouble very quickly.

I thought of that as I experimented with entering my recent (yechy) lipid results into Google Health. Google Health is a part of my suite of Google services; if I lose control of my Google Account I also lose control of my personal health record (PHR).

How long will Google be able to provide a "PHR" without support services? Will they run into regulatory issues now that legislators threaten to extend HIPAA rules into the PHR domain?
--
My Google Reader Shared items (feed)

Thursday, December 17, 2009

Responding to Facebook’s lions: Stop friends using the apps

Facebook has made changes to their privacy settings that have two major consequences. The first is that the default settings now share much more information. The second is that users can no longer protect their social network from Facebook’s “Applications”.

Most of the media attention has been on how information is exposed to search engines such as Bing and Google. This is important, but there are complex workarounds. It’s not the most interesting or important consequence anyway.

The more important consequence is that Facebook’s shady App vendors (see: Scamville Furor, Facebook and the eBay disease) can no longer be blocked from accessing a player’s social network. So every App vendor has access to all player “friends” and all of the information they in turn make available in their public profiles. Remember that most of those public profiles now contain a great deal of personal data.

The Facebook Apps are “free”, but these vendors are not charities. They earn money by selling game goods, marketing extra-game services and products (some fraudulent), and by selling information. They will sell the social network information they harvest. They will also use that social network to find new “players” (aka “victims”).

To understand this it helps to think of Facebook as the African plains. In this metaphor Facebook users are rhinos and zebras and Facebook App vendors are lions.

Both rhinos and zebras graze on Facebook grass (photo sharing, social stories, contact information). They get along. So how are they different?

The rhinos don’t do Apps and they restrict access to their personal information. They’re tough and nasty; they don’t directly feed lions. The zebras, however, do Apps, and they travel in herds. They’re sleek, soft and vulnerable. Find one, you can find more. Lions eat zebras.

It’s messy for the zebras, but that’s how the market works. The Facebook ecosystem is a rich feeding ground, and lions have to eat.

Of course the Facebook ecosystem is more complex. Facebook rhinos and zebras are often friends and family. Even though lions don’t eat rhinos, FB lions find rhinos through their zebra friends. They then sell Rhino locations (information) to big game hunters (banks?) who sell Rhino horns for fertility potions (risk profiles).

The market world is different because rhinos and zebras can fight back. Not every vendor scores a 10 on Gordon’s scale of corporate evil; Google’s a mere 3 at the moment. There’s more than one way to make money – though the alternatives may mean a smaller IPO. On the other hand, Facebook’s current strategy runs the risk that IPO buyers will remember eBay.

It’s not clear that there’s anything to be done about Facebook. The corporate culture there is probably too much like 1990s Microsoft or 2010 Goldman Sachs for them to find another road. I’ve stopped encouraging my friends to join up with Facebook.

If you want to continue grazing Facebook’s grasslands however, and you don’t want to be lion fodder, there’s now only one possible response.

Convert your zebra friends to rhinos. Get them to stop using Apps. If they persist in using Apps, unfriend them. They’re leading the lions to you.

As of today, Facebook apps are the enemy.

Update: Great comment from Nettie. She refers us to Brad Stone's announcement of the EFF's complaint to the FTC - cosigned by ten other privacy organizations ...

... Ten other privacy organizations signed the complaint, including the Privacy Rights Clearinghouse, the American Library Association and the Consumer Federation of America. The Office of the Privacy Commissioner in Canada has also been looking into Facebook’s privacy guidelines...

I think it's fair to say that the fan has been hit. Like Nettie, I've noticed people drifting away from FB ...
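The exposure path the post describes, as an added model that is not part of the original post: an App vendor can read every profile in each player's friend list, so a user who installs nothing (a rhino) is still visible to any vendor that one of their friends plays, and the only lever the non-player controls is the friendship itself. The names, apps, vendors and friendships below are constructed for the example.

```python
"""Added model of social-graph exposure through Facebook Apps as the post
describes it: a vendor sees its players plus everyone on their friend
lists. All users, apps, vendors and friendships here are constructed."""
from collections import defaultdict

# Constructed social graph: undirected friendships.
FRIENDS = {
    ("alice", "bob"), ("alice", "carol"), ("bob", "dave"), ("carol", "erin"),
}
# Constructed installs: which apps each user plays, and which vendor runs each app.
INSTALLS = {"bob": ["HerdRunner"], "dave": ["HerdRunner", "HornTrader"]}
APP_VENDOR = {"HerdRunner": "LionCo", "HornTrader": "HyenaInc"}

def friend_map(edges):
    """Symmetric adjacency built from the edge set."""
    adj = defaultdict(set)
    for a, b in edges:
        adj[a].add(b)
        adj[b].add(a)
    return adj

def vendor_reach(edges, installs):
    """For each vendor: the profiles its apps can read (players and their friends)."""
    adj = friend_map(edges)
    reach = defaultdict(set)
    for player, apps in installs.items():
        for app in apps:
            vendor = APP_VENDOR[app]
            reach[vendor].add(player)
            reach[vendor] |= adj[player]      # the player's whole friend list leaks
    return dict(reach)

def who_sees(user, edges, installs):
    """Vendors that can read `user`'s profile, even if `user` installs nothing."""
    return {v for v, seen in vendor_reach(edges, installs).items() if user in seen}

def unfriend_players(user, edges, installs):
    """The post's remedy: drop every friendship `user` has with someone who plays apps."""
    return {e for e in edges
            if not (user in e and any(u in installs for u in e if u != user))}

if __name__ == "__main__":
    print("alice is visible to:", who_sees("alice", FRIENDS, INSTALLS))
    pruned = unfriend_players("alice", FRIENDS, INSTALLS)
    print("after unfriending players:", who_sees("alice", pruned, INSTALLS))
```

Alice plays nothing, yet LionCo reads her profile because Bob plays HerdRunner; Carol, whose friends play nothing, is invisible to every vendor. Dropping the Alice-Bob friendship removes Alice from LionCo's reach without changing anything Bob does, which is exactly why the post's advice falls on the rhino's friend list rather than on the rhino's own settings.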

Tuesday, December 15, 2009

Never a good feeling – an attack on my Google account

Someone just made 3 attempts to reset my Google Password. The reset notice I received includes this statement …

… If you've received this mail in error, it's likely that another user entered your email address by mistake while trying to reset a password. If you didn't initiate the request, you don't need to take any further action and can safely disregard this email….

A mistake. Suurre it’s a mistake.

I have a robust Google password, but the risk here is that someone has access to a secondary account that receives my Google password reset requests. Those have robust passwords too, but there are always weaknesses.

Just to be on the safe side I’ve reviewed my Google accounts password recovery options and they look good.

Brrr. I hate passwords. I’d have bet good money in 1996 that we’d have robust biometric authentication by now. I’d have lost every penny. A good lesson about predicting the future.

Update 11/18/09: Amit Agarwal was hacked around the same time I was attacked. It's not clear how they hacked in.

Understanding secure systems: The Chromium extension example

This very brief Google Chromium blog posting gives a lovely view into modern secure system design ...

Chromium Blog: Security in Depth: The Extension System

... To help protect against vulnerabilities in benign-but-buggy extensions, we employ the time-tested principles of least privilege and privilege separation...

The original has wikipedia* links to relevant articles. These principles are broader than computer security. Think of them when you provide access to your Facebook information.

"Least privilege" and "Privilege Separation" should be a part of grade school and high school curriculum.

If you want lots more detail, the authors refer us to their academic treatise on securing browser extensions.

I love blogs.

*Yeah, Knol was a bad idea.
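The two principles the Chromium post names, worked through in an added example that is not code from the Chromium project or from this blog: the extension is split into a low-privilege content script that runs next to untrusted pages and can only send messages, and a privileged core that holds the real capabilities and checks every message against the permissions the manifest declared at install time (privilege separation). The manifest asks only for what the extension needs (least privilege), so a bug in the content script can cost at most what was granted. This is plain Python, not Chrome's extension API; the manifest contents, cookie data and the message format are constructed, and the API names merely echo Chrome's.

```python
"""Added illustration of least privilege and privilege separation in the
shape the Chromium post describes. Two halves: a low-privilege content
script that can only send messages, and a privileged core that owns the
capabilities and checks each message against the installed manifest.
Manifest, API names, message format and cookie data are constructed."""
from dataclasses import dataclass, field
from fnmatch import fnmatch

# Constructed manifest in the spirit of Chrome's manifest.json: the
# extension asks for cookie access on exactly one site and nothing else.
MANIFEST = {
    "name": "Price Helper",
    "permissions": ["cookies", "https://shop.example/*"],
}

class PermissionDenied(Exception):
    pass

@dataclass
class ExtensionCore:
    """Privileged half: owns the capabilities, grants only what the manifest lists."""
    manifest: dict
    cookie_jar: dict                      # host -> cookie string (constructed)
    audit_log: list = field(default_factory=list)

    def _host_allowed(self, url):
        patterns = [p for p in self.manifest["permissions"] if "://" in p]
        return any(fnmatch(url, p) for p in patterns)

    def handle(self, request):
        """The single gate across the privilege boundary; every check lives here."""
        api, url = request.get("api"), request.get("url", "")
        if api == "cookies.get":
            if "cookies" in self.manifest["permissions"] and self._host_allowed(url):
                self.audit_log.append(("allow", api, url))
                return self.cookie_jar.get(url.split("/")[2], "")
        # Anything else: an API or host the manifest never granted, or an unknown API.
        self.audit_log.append(("deny", api, url))
        raise PermissionDenied(f"{api} on {url!r} is not granted by the manifest")

class ContentScript:
    """Low-privilege half: holds no cookies or tabs itself; it can only ask the core."""
    def __init__(self, core):
        self._send = core.handle          # the only channel it has

    def fetch_cookie(self, url):
        return self._send({"api": "cookies.get", "url": url})

def run_demo():
    """One in-scope request, then two a benign-but-buggy script might make."""
    core = ExtensionCore(MANIFEST, {"shop.example": "session=abc123",
                                    "bank.example": "auth=do-not-leak"})
    script = ContentScript(core)
    results = {"in_scope": script.fetch_cookie("https://shop.example/cart")}
    # The buggy script forwards a URL it took from page content, and a
    # hijacked one asks for an API the manifest never mentioned.
    attempts = {"other_host": lambda: script.fetch_cookie("https://bank.example/login"),
                "unknown_api": lambda: core.handle({"api": "tabs.executeScript"})}
    for label, attempt in attempts.items():
        try:
            attempt()
            results[label] = "granted"
        except PermissionDenied:
            results[label] = "denied"
    results["denials"] = sum(1 for entry in core.audit_log if entry[0] == "deny")
    return results

if __name__ == "__main__":
    print(run_demo())
```

The point to notice is that the content script never holds the cookie jar; it can only describe what it wants, and the decision is made on the privileged side from a manifest fixed at install time. That is the same shape as the Facebook case the post points at: decide up front what an application may see, and let nothing the application says afterwards widen it.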

Friday, August 14, 2009

American Express credit card information theft

We just received official notification that our AMEX credit card information was stolen. Inside job, as usual.

Same old, same old.

I'm astounded that web services expect me to give them my Google authentication credentials. They're conning us when they claim mere encryption will secure the data.

Incidentally, this emphasizes the stupidity of the "secret security question" fail (see US Bank security shield makes me scream). Not only do they make it easier to hack into user data, they do nothing to protect us from the commonplace insider thefts and other, old, tactics.