Use crypto. Not too confusing. Mostly asymmetric.

A little ways back, Gunnar Peterson said “passwords are like hamburgers, taste great but kill us in long run wean off password now or colonoscopy later.” I responded: “Use crypto. Not too confusing. Mostly asymmetric.” I’d like to expand on that a little. Not quite so much as Michael Pollan, but a little.

The first sentence, “use crypto” is a simple one. It means more security requires getting away from sending strings as a way to authenticate people at a distance. This applies (obviously) to passwords, but also to SSNs, mother’s “maiden” names, your first car, and will apply to biometrics. Sending a string which represents an image of a fingerprint is no harder to fake than sending a password. Stronger authenticators will need to involve an algorithm and a key.

The second, “not too confusing” is a little more subtle, because there are layers of confusing. There’s developer confusion as the system is implemented, adding pieces, like captchas, without a threat model. There’s user confusion as to what program popped that demand for credentials, what site they’re connecting to, or what password they’re supposed to use. There’s also confusion about what makes a good password when one site demands no fewer than 10 characters and another insists on no more. But regardless, it’s essential that a a strong authentication system be understood by at least 99% of its users, and that the authentication is either mutual or resistant to replay, reflection and man-in-the-middle attacks. In this, “TOFU” is better than PKI. I prefer to call TOFO “persistence” or “key persistence” This is in keeping with Pollan’s belief that things with names are better than things with acronyms.

Finally, “mostly asymmetric.” There are three main building blocks in crypto. They are one way functions, symmetric and asymmetric ciphers. Asymmetric systems are those with two mathematically related keys, only one of which is kept secret. These are better because forgery attacks are harder; because only one party holds a given key. (Systems that use one way functions can also deliver this property.) There are a few reasons to avoid asymmetric ciphers, mostly having to do with the compute capabilities of really small devices like a smartcard or very power limited devices like pacemakers.

So there you have it: Use crypto. Not too confusing. Mostly asymmetric.

Jon Callas on Comedies, Tragedy and PKI

Prompted by Peter Gutmann:

[0] I’ve never understood why this is a comedy of errors, it seems more like a tragedy of errors to me.

Jon Callas of PGP fame wrote the following for the cryptography mail list, which I’m posting in full with his permission:

That is because a tragedy involves someone dying. Strictly speaking, a tragedy involves a Great Person who is brought to their undoing and death because of some small fatal flaw in their otherwise sterling character.

In contrast, comedies involve no one dying, but the entertaining exploits of flawed people in flawed circumstances.

PKI is not a tragedy, it’s comedy. No one dies in PKI. They may get embarrassed or lose money, but that happens in comedy. It’s the basis of many timeless comedies.

Specifically, PKI is a farce. In the same strict definition of dramatic types, a farce is a comedy in which small silly things are compounded on top of each other, over and over. The term farce itself comes from the French “to stuff” and is comedically like stuffing more and more feathers into a pillow until the thing explodes.

So farces involve ludicrous situations, buffoonery, wildly improbable/implausible situations, and crude characterizations of well-known comedic types. Farces typically also involve mistaken identity, disguises, verbal humor including sexual innuendo all in a fast-paced plot that doesn’t let up piling things on top of each other until the whole thing bursts at the seams.

PKI has figured in tragedy, most notably when Polonius asked Hamlet, “What are you signing, milord?” and he answered, “OIDs, OIDs, OIDs,” but that was considered comic relief. Farcical use of PKI is far more common.

We all know the words to Gilbert’s patter-song, “I Am the Very Model of a Certificate Authority,” and Wilde’s genius shows throughout “The Importance of Being Trusted.” Lady Bracknell’s snarky comment, “To lose one HSM, Mr. Worthing, may be regarded as a misfortune, but lose your backup smacks of carelessness,” is pretty much the basis of the WebTrust audit practice even to this day.

More to the point, not only did Cyrano issue bogus short-lived certificates to help woo Roxane, but Mozart and Da Ponte wrote an entire farcical opera on the subject of abuse of issuance, “EV Fan Tutti.” There are some who assert that he did this under the control of the Freemasons, who were then trying to gain control of the Austro-Hungarian authentication systems. These were each farcical social commentary on the identity trust policies of the day.

Mozart touched upon this again (libretto by Bretzner this time) in “The Revocation of the Seraglio,” but this was comic veneer over the discontent that the so-called Aluminum Bavariati had with the trade certifications in siding sales throughout the German states, as well as export control policies since Aluminum was an expensive strategic metal of the time. People suspected the Freemasons were behind it all yet again. Nonetheless, it was all farce.

Most of us would like to forget some of the more grotesque twentieth-century farces, like the thirties short where Moe, Larry, and Shemp start the “Daddy-O” DNS registration company and CA or the “23 Skidoo” DNA-sequencing firm as a way out of the Great Depression. But S.J. Perleman’s “Three Shares in a Boat” shows a real-world use of a threshold scheme. I don’t think anyone said it better than W.C. Fields did in “Never Give a Sucker an Even Break” and “You Can’t Cheat an Honest Man.”

I think you’ll have to agree that unlike history, which starts out as tragedy and replays itself as farce, PKI has always been farce over the centuries. It might actually end up as tragedy, but so far so good. I’m sure that if we look further, the Athenians had the same issues with it that we do today, and that Sophocles had his own farcical commentary.

Credit Scores and Deceptive Advertising

Frank Pasquale follows a Joe Nocera article on credit scores with a great roundup of issues that the credit system imposes on American citizens, including arbitrariness, discriminatory effects and self-fulfilling prophecies. His article is worth a look even if you think you understand credit scores.

I’d like to add one more danger of credit scores: deceptive advertising. The way it works is that a bank advertises a great rate for those with “perfect credit.” What it doesn’t advertise is what the curve of credit scores versus rates looks like. There are two issues here. The first is that the market is inefficient, as figuring out what actual rates are often involves talking to a human, and usually disclosing enough personal information to make a fraudster drool. Inefficient markets favor the side with more information (the loan offerer) and lead to less trade than more transparent markets.

The second issue is that everyone is mislead by the headline rate. I’ve looked for data on what fraction of Americans are listed as having “perfect credit” or data on the distribution of interest rates people are really paying, and I’ve been unable to find it. For publicly traded companies, it’s sometimes possible to reverse engineer some of this, but not very much.

Showing ID In Washington State

Back in October, I endorsed Pete Holmes for Seattle City Attorney, because of slimy conduct by his opponent. It turns out that his opponent was not the only one mis-conducting themselves. The Seattle PD hid evidence from him, and then claimed it was destroyed. They have since changed their story to (apparent) lies about “computer problems.” See “Local computer security expert investigates police practices” in the Seattle PI. Some choice quotes:

…a charge was leveled against him in Seattle Municipal Court for obstructing a public officer. Controversial laws known as obstruction, “stop and frisk” and “stop and identify” statutes have been abused in other cities like New York, studies and news stories show. An obstruction case cited in a 2008 Seattle Post-Intelligencer investigation ended with a federal jury hitting Seattle police with a six-figure penalty.

Rachner’s criminal defense attorney sought dismissal of his gross misdemeanor charge, citing the Washington State Supreme Court decision that says arresting a person for nothing more than withholding identification is unconstitutional. One reason cited by the court: This practice allows police too much discretion to pick targets and punish with arrest. Also, the state constitution is more protective of these rights than the U.S. constitution.

The microphone picks up Letizia explaining the arrest to Rachner and a police sergeant, citing only the failure to provide identification as the reason Rachner was in handcuffs. No other provocations before the arrest were documented.

“The explanation is our servers failed,” said Seattle Police spokesman Sgt. Sean Whitcomb. “Data was lost, more than his, and it took some time to recover it.” “There is absolutely nothing in the activity log to support that claim,” said Rachner. “Moreover, if the video was unavailable, it was dishonest of them to claim the video could no longer be obtained because it was past the 90-day retention period. It is completely at odds with what they told me in writing.”

I say these are lies because their story keeps changing.

I hate paying the salaries of people who can’t tell me the truth, and I think I’ll be writing city hall for an explanation. If you live in Seattle, I suggest you do the same.

News from RSA: U-Prove

In “U-Prove Minimal Disclosure availability,” Kim Cameron says:

This blog is about technology issues, problems, plans for the future, speculative possibilities, long term ideas – all things that should make any self-respecting product marketer with concrete goals and metrics run for the hills! But today, just for once, I’m going to pick up an actual Microsoft press release and lay it on you. The reason? Microsoft has just done something very special, and the fact that the announcement was a key part of the RSA Conference Keynote is itself important.

Further, Charney explained that identity solutions that provide more secure and private access to both on-site and cloud applications are key to enabling a safer, more trusted enterprise and Internet. As part of that effort, Microsoft today released a community technology preview of the U-Prove technology, which enables online providers to better protect privacy and enhance security through the minimal disclosure of information in online transactions. To encourage broad community evaluation and input, Microsoft announced it is providing core portions of the U-Prove intellectual property under the Open Specification Promise, as well as releasing open source software development kits in C# and Java editions. Charney encouraged the industry, developers and IT professionals to develop identity solutions that help protect individual privacy.

Kim then goes on to analyze the announcement, which is a heck of an important one.

Disclaimer: I work for Microsoft, and am friends with many of the people involved. I still think this is tremendously important.

Can I see some ID?

Or, Security and Privacy are Complimentary, Part MCVII:

Later, I met one executive who told me that at the same time of my incident at another restaurant owned by the corporation, a server was using stolen credit card numbers by wearing a small camera on him. He would always check ID’s and would quickly flash the ID and credit card in front of the camera. That way, he could sell the credit card number and address of someone who had no reason to report their card as stolen. Presumably they could then use it on the internet as many sites require the billing address when using a credit card. The corporation decided that there was too much liability in a restaurant employee having access to someone’s drivers license and began specifically requesting servers to not do so except to verify that the person was of legal drinking age. (“How I Learned To Start Worrying And Hate Showing My ID“, Consumerist)

I hadn’t thought about this particular aspect of stealing credit cards. It seems pretty helpful to have address and date of birth. When I think about this, the chaotic nature of how those around us accumulate and use information is hard to predict or track. There’s a value of minimal disclosure here. It’s yet another example of how protecting privacy protects security as well. Asking people to be aware of what emerges from the chaotic swirl of information is expensive.

Historically, the card brands have demanded that their cards be honored based only on the card system. They used to back you if a store asked for ID. As the system has come under attack, they’ve backed away from that, but the current state is hard to discern.

Consistency is an important part of how people form mental models. The whole world is making different demands about what’s secret (is your address a security string? Your frequent flyer number? The first street you lived on?) The demands banks and merchants are changing rapidly from a consumer perspective. (Quick, do you know what the CARD act changes?) When the rules for consumers are chaotic, what emerges is misconceptions, superstition and best practices.

In the world of security, we’re going to have to work hard to provide a comprehensible set of workable and effective advice for people to follow.

We Take Your Privacy Seriously

So after BNY Melon dropped a tape with my social security number and those of millions of my closest neighbors, they bought me a one year subscription to Experian’s “Triple Alert” credit monitoring service. Today, I got email telling me that there was new information, and so I went to login.

Boy, am I glad to know they take my privacy seriously, because otherwise, their failure to fill out fields in their certificate might really worry me.

I mean, I’m not annoyed that BNY Mellon treated my information negligently. Oh, no. I expect that. I am a little annoyed that having done so, they offered me a year of “monitoring” rather than prevention. I’m annoyed that it’s a year, when there’s no evidence that risk of harm falls after a year. And I’m annoyed that the company offering monitoring doesn’t bother to get the little things right.

[Update: This may be a broader issue of all non-EV certs being treated like this. I admit, I rarely check because I rarely care. But when I do care, I reasonably expect it to be done right.]

Fingerprinted and Facebooked at the Border

According to the Wall St Journal, “Iranian Crackdown Goes Global ,” Iran is monitoring Facebook, and in a move reminiscent of the Soviets, arresting people whose relatives criticize the regime online.

That trend is part of a disturbing tendency to criminalize thoughts, intents, and violations of social norms, those things which are bad because they are prohibited, not bad in themselves. It’s important if we want to export freedom of speech and freedom from self-incrimination, to push for an international norm of limiting the powers of governments, not of people. Of course, since the main way that the international reach of governments is limited is through treaties negotiated by, umm, governments, I don’t expect a lot of that soon.

Not to mention the creation of fake Facebook accounts by Iranian intelligence.

But most interesting is this:

Five interviewees who traveled to Iran in recent months said they were forced by police at Tehran’s airport to log in to their Facebook accounts. Several reported having their passports confiscated because of harsh criticism they had posted online about the way the Iranian government had handled its controversial elections earlier this year.


One 28-year-old physician who lives in Dubai said that in July he was asked to log on to his Facebook account by a security guard upon arrival in Tehran’s airport. At first, he says, he lied and said he didn’t have one. So the guard took him to a small room with a laptop and did a Google search for his name. His Facebook account turned up, he says, and his passport was confiscated.

Deny thy father and refuse thy gene sequence?

There’s a fascinating article in the NYTimes magazine, “Who Knew I Was Not the Father?” It’s all the impact of cheap paternity testing on conceptions of fatherhood. Men now have a cheap and easy way to discovering that children they thought were theirs really carry someone else’s genes.

This raises the question, what is fatherhood? Is it the genes or the relationship? There’s obviously elements of both, but perhaps there’s a rule in here: adding identity to a system makes the system more brittle.

Bob Blakley Gets Future Shock Dead Wrong

Bob Blakley has a very thought provoking piece, “Gartner Gets Privacy Dead Wrong.” I really, really like a lot of what he has to say about the technical frame versus the social frame. It’s a very useful perspective, and I went back and forth for a while with titles for my post (The runner up was “Fast, Cheap and out of Bob’s Control.”)

I think, however, that my frame for a response will be Alvin Toeffler’s excellent analysis of Future Shock. In it, he describes our lives as most people in the professional class move more and more often for work. How the traditional means of social cohesion — church, scouts, the PTA, bridge clubs, the local watering hole — all down as we expect to be gone in just a few years. How we have friends we see annually at a conference or in airports. He explained that ongoing acceleration and the removal of support structures would lead to isolation, alienation and an ongoing and increasing state of future shock.

A great many Americans on the coasts live in many micro-societies. We have our professional groups and sub-groups. We have hobbies. We may have college buddies in the same areas as we are. We pick a fat demogauge to listen to: Rush Limbaugh or Michael Moore as suits our fancy. But our social spaces are massively fragmented. And so when Bob says:

But he’s right that we’d better behave. When we see someone else’s private information, we’d better avert our gaze. We’d better not gossip about it. We’d better be sociable. Because otherwise we won’t need the telescreen – we’ll already have each other. And we’ll get the society we deserve.

We no longer have a society, or the society. We have teabaggers screaming at Obamaphiles. We have neighbors suing neighbors. We call the cops rather than walking next door. We run background checks on our scoutmasters, all because we no longer have a society which links us tightly enough that we can avoid these things.

And amidst all of this which society will create and drive the social norms for privacy? Will it be the one that lets cops beat protesters at the G20? The one that convinced Bob to join Facebook? The one that leads me to tweet?

In a world where some people say “I’ve got nothing to hide” and others pay for post office boxes, I don’t know how we can settle on a single societal norm. And in a world in which cheesy-looking web sites get more personal data — no really, listen to Alessandro Acquisti, or read the summary of “Online Data Present a Privacy Minefield” on All Things Considered. In a world in which cheesy-looking web sites get more data, I’m not sure the social frame will save us.

Dear ChoicePoint: Lying like a cheap rug undercuts all that

ChoicePoint was supposed to take steps to protect consumer data. But the FTC alleged that in April 2008 the company switched off an internal electronic monitoring system designed to watch customer accounts for signs of unauthorized or suspicious activity. According to the FTC, that safety system remained inactive for four months, during which time unauthorized individuals used stolen credentials to look up personal information on 13,750 people in one of ChoicePoint’s consumer databases.

In a written statement, ChoicePoint blamed the incident on a government customer that failed to properly safeguard one of its user IDs needed to access ChoicePoint’s AutoTrack XP Product…

Really? You’re blaming customers? Saying it’s not your fault? Claiming to be the victim? Ummm, lemme use small words here: you’ve played that card. Shot that wad. From 2004 onwards, you own all failures. You should have had systems to watch for unauthorized access, and failure to properly safeguard credentials.

Oh wait. You did. We agree on that need. You had a system to do that, and you turned it off. So really, all that work you’ve done to convince people you’d turned a corner? This undercuts that. You need to come out with an explanation of why you turned off that system, and you need to do it this week. It needs to be comprehensible to the techies who are taking you to task all over the blogosphere. No legal defensiveness. Tell people what happened. This:

The FTC expressed concerns that not detecting the former government customer’s inappropriate access was inconsistent with ChoicePoint’s obligations under the Final Order, which ChoicePoint denies. Notably, the Supplemental Order does not allege any current or ongoing violations of ChoicePoint’s Final Order. Following the incident and acquisition by Reed Elsevier, new policies and practices were put into place to enhance the strength and quality of ChoicePoint’s security. As part of that effort, certain security enhancements were made to the ChoicePoint product at issue including providing additional information and steps customers could take to further safeguard their IDs and passwords.

is incomprehensible. Your customers know what you did. Why not talk about both what you did and what you turned off, and most importantly, why? I bet there are real reasons, but your lawyers ain’t saying. How many false positives was that system shooting out? What did it cost to investigate them?

Either come clean, or suck it up, and be glad it was only $275,000.

For more, “ChoicePoint Breach Exposed 13,750 Consumer Records,” or our prior posts on Choicepoint.

[Update: Comments from ChoicePoint in the comments.]

PS to C: This is, once again, my opinion, on my blog, and has nothing to do with my employer.

Caster Semenya, Alan Turing and “ID Management” products

caster-semenya-cover-girl.jpgSouth African runner Caster Semenya won the womens 800-meter, and the attention raised questions about her gender. Most of us tend to think of gender as pretty simple. You’re male or you’re female, and that’s all there is to it. The issue is black and white, if you’ll excuse the irony.

There are reports that:

Two Australian newspapers reported Friday that gender tests show the world champion athlete has no ovaries or uterus and internal testes that produce large amounts of testosterone. … Semenya is hardly alone. Estimates vary, but about 1 percent of people are born with abnormal sex organs, experts say. These people may have the physical characteristics of both genders or a chromosomal disorder or simply ambiguous features. (“When someone is raised female and the genes say XY,” AP)

For more on the medical end of this, see for example the “Consensus statement on management of intersex disorders” in the Journal of the American Academy of Pediatrics.

The athletics associations rules don’t cover all of these situations well. The real world is far messier and more complex than most people have cause to address. There are a great many apparently simple things that are really complicated as you dig in.

What the sports associations and news media are doing to Semenya is reprehensible. (There are over 10,000 stories listed on Google News, versus 13,000 for Derek Jeter, who just broke a Yankees record.) She didn’t come into running knowing that she had no ovaries. Having to deal with the identity issues that her testing brings up under the harsh light of the entire world (including me) is simply unfair.

It’s unfair in almost the same way as the British government’s treatment of Alan Turing, the mathematician who Time named one of the 100 most important people of the 20th century for his fundamental work on computers and cryptanalysis. Turing was also a convicted homosexual who committed suicide because of his “treatment” with estrogen, which caused him to become impotent and to develop breasts.

This week, Gordon Brown issued an apology entitled “Treatment of Alan Turing was ‘appalling’:”

While Turing was dealt with under the law of the time and we can’t put the clock back, his treatment was of course utterly unfair and I am pleased to have the chance to say how deeply sorry I and we all are for what happened to him. Alan and the many thousands of other gay men who were convicted as he was convicted under homophobic laws were treated terribly. Over the years millions more lived in fear of conviction.

I am proud that those days are gone and that in the last 12 years this government has done so much to make life fairer and more equal for our LGBT community. This recognition of Alan’s status as one of Britain’s most famous victims of homophobia is another step towards equality and long overdue.

Sports officialdom and state governments are different. Sports are voluntary associations, although athletes have little influence on the choices of international sports functionaries. Either way, watching the chaotic world crash onto the inflexible bureaucracies is tremendously frustrating to me.

As more and more of the world is processed by Turing Machines, assumptions that seem obvious to the programmer are exposed harshly at the edges. A friend with a Juris Doctorate recently applied for a job online. The form had a field “year you graduated from high school” that had to be filled out before she went on. Trouble is, she never did quite finish high school. She had the really relevant qualification-a J.D. from a good school. But she had an emotionally wrenching choice of lying on the form or not applying for the job. She eventually chose to lie, and sent a note to the HR people saying she’d done so and explaining why. I doubt the fellow who wrote that code ever heard about it.

I have a challenge to anyone involved in creating an online identity management system: How well does your system handle Semenya?

The typical answer is either that “that’s configurable, although we don’t know if anyone’s done exactly that” or “she’s an edge case, and we deal with the 95% case really well.” If you have a better answer, I’d really like to know about it. And as a product guy, those are likely the decisions I’d make to ship.

I’ll close by echoing Brown’s words: We’re sorry, you deserve so much better.

Renaming the blog to Emergent Chaos (I)

In 2007, Artist Kristin Sue Lucas went before a judge to get a name change to…Kristin Sue Lucas. She’s put together a show called “Refresh” and one called “Before and After.” My favorite part is where the judge wrestles with the question “what happens when you change a thing to itself:”

JR: And I don’t mind the time. I just don’t know that I have the
legal authority to change your name when it’s not a change. The
code sections talk about changing. Can I give you an order that
doesn’t change your name at all? That keeps your name the same? Is
that the same as granting a name change? And I think not. And I’m
going to do this, I’m going to continue this matter for two
weeks… and try to think about these issues in this time…

Via guerrilla-innovation.

What’s in a name?

Brian Jones Tamanaha has an interesting post about our database-driven society. The core of it is that English is bad at recording some names. The solution? Force people to change their official names for the convenience of the database:

During public hearings on the voter identification legislation in the House, state Rep. Betty Brown, R-Terrell, suggested that Asian-Americans might want to adopt names that are “easier for Americans to deal with” when they want to vote so their names will match what is on registration rolls.

Brown made her statements during testimony from Ramey Ko, representing the Organization of Chinese Americans….

“… do you think that it would behoove you and your citizens to adopt a name that we could deal with more readily here?”

Quotes from “Lawmaker suggests Asian-descendant voters should adopt names easier for Americans to deal with’,” Houston Chronicle Texas Politics blog.

Of course, this is nothing new. Once

Or read Brian’s “Any Suggestions for My New User-Friendly Name?

Dear $LOCALBANK That I Use

Keeping a database of all of your ATM PINs in a clear (or possibly encrypted but easily reversible) text database is not a good idea. I honestly can’t see any use value for this, especially when they won’t tell you what your PIN is even if you have multiple forms of government issued identification.
No thanks; No love