Recently we've been talking about attacks (and potential attacks) on identity information and identity stores. It's important to put these issues in a much broader context.
Over the last months we've heard more than one expert say that phishing and the associated identity attack technology sector is growing an order of magnitude faster than the rest of high technology. If you want to depress yourself, think about it as an expanding market sector. Today everyone knows about phishing. Within the last year it has merited an industry organization with over a thousand members – including all the best banks – and an online site that maintains the latest in information. This is a tipping-point phenomenon.
Everything points to the fact that things are going to get worse before they get better. As all aspects of commercial distribution migrate to the cloud, the opportunity to benefit criminally from digital identity attacks will become continuously greater. At the same time, the international character of the internet offers the technically sophisticated criminal expanding opportunities. And a surfeit of highly gifted and trained individuals in societies with few conventional technology opportunities provides pools of talent in which international crime cartels can invest.
The identity system we have been discussing in this conversation is clearly one of the fundamental technologies needed to counter these threats. But for the same reasons, we must base our thinking on the premise that the identity system itself will be the most attacked component of distributed computing.
Being comfortable with a bull's-eye on your back
I'm totally certain that everyone who braves these pages knows how rife with implications this statement is for all of us who are concerned with identity. But the computer industry as a whole still has a long way to go in understanding how profound these problems are. Here is a not atypical quote from a casual commentator:
2004 was the year the hackers went “phishing” to con us into handing over our online banking details and despite belonging to the species allegedly at top of the food chain, an astonishing number of people obliged.
It's true that some of the ploys have been a little pathetic. But if the effect of those is to convince you that you can easily tell what's real from what isn't, you've been duped already. As an unenthusiastic inspector of identity attacks, I can guarantee that no matter how smart and attentive you are, there are ruses more than capable of torpedoing your self-esteem.
To take a very simple example, suppose you have a browser with an address bar showing you the DNS name of the site you are visiting. And suppose there is a “lock icon” which appears when a “secure connection” is in place. What is to prevent a piece of code running on your machine from overwriting the DNS name and throwing up a fake lock icon – so you are convinced you are visiting one secure site when you are actually visiting another insecure one? And so on.
Of course our usual immediate reaction to this type of problem is to find the most expedient single thing we can do to fix it. In the example just given, the response might be to write a new “safe address bar”. And who am I to criticise this, except that in the end, the proliferation of address bars makes things worse. By inventing one, we have unintentionally made possible the new exploit of getting people to install an address bar with evil intent built right into it. Further, who now can tell which address bar is evil and which one is not?
Beyond compensation and mere tactics
The point I am trying to make is that the new distributed identity system needs to be something other than an “expedient compensation”, something beyond a tactical riposte in the fight for security. And since the identity system has to work on all platforms, it must be safe on all platforms. The properties that lead to its safety can't be obscurantist or derive from the fact that the underlying platform or software still has a small adoption.
Returning to the discussion we've just had about the problems with today's browsers, I would summarize my thinking by saying we have done a pretty good job of cryptographically securing the channel between web servers and browsers – a channel that might extend for thousands of miles. But we haven't done a very good job at all of setting up the two or three foot channel between the browser and the human who uses it. And this is the channel that is attacked by phishers.
No wonder. What identities is the user dealing with as she navigates the web? How well is identity information conveyed to her? Do our systems interface with users in a manner that studies have proven to work? Identity information currently takes the form of certificates. Do studies show that certificates are meaningful to users? What exactly are we doing?
Whatever it is, a real identity system needs us to do a lot better. In particular, the identity system must extend to and integrate the human user.
The Law of Human Integration
The universal identity system MUST define the human user to be a component of the distributed system, integrated through unambiguous human-machine communications mechanisms offering protection against identity attacks.
One of the people who has thought long and hard about these issues is Carl Ellison. He has coined the term Ceremony for interactions that span a mixed network of human and cybernetic system components. Carl worked on this idea when he was at Intel and I interview him about his work here.