Massive breach could involve 94 million credit cards

According to Britain's The Register,  the world's largest credit card heist might be twice as large as previously admitted. 

A retailer called TJX was able to create a system so badly conceived, designed and implemented that  94 million accounts could be stolen.  It is thought that the potential cost could reach 1 billion dollars – or even more.  The Register says

The world's largest credit card heist may be bigger than we thought. Much bigger.

According to court documents filed by a group of banks, more than 94 million accounts fell into the hands of criminals as a result of a massive security breach suffered by TJX, the Massachusetts-based retailer.

That's more than double what TJX fessed up to in March, when it estimated some 45.7 million card numbers were stolen during a 17-month span in which criminals had almost unfettered access to the company's back-end systems. Going by the smaller estimate, TJX still presided over the largest data security SNAFU in history. But credit card issuers are accusing TJX of employing fuzzy math in an attempt to contain the damage.

“Unlike other limited data breaches where ‘pastime hackers’ may have accessed data with no intention to commit fraud, in this case it is beyond doubt that there is an extremely high risk that the compromised data will be used for illegal purposes,” read the document, filed Tuesday in US District Court in Boston. “Faced with overwhelming exposure to losses it created, TJX continues to downplay the seriousness of the situation.”

TJX officials didn't return a call requesting comment for this story.

The new figures may mean TJX will have to pay more than previously estimated to clean up the mess. According to the document, Visa has incurred fraud losses of $68m to $83m resulting from the theft of 65 million accounts. That calculates to a cost of $1.04 to $1.28 per card. Applying the same rate to the 29 million MasterCard numbers lost, the total fraud losses alone could top more than $120m.

Research firms have estimated the total loss from the breach could reach $1bn once settlements, once legal settlements and lost sales are tallied. But that figure was at least partly based on the belief that fewer than 46 million accounts were intercepted (more…)

Interestingly, the actual court case is not focused on the systems themselves, but on the representations made about the systems to the banks.  According to eWeek, U.S. District Judge William Young told the plaintiffs,

“You're going to have to prove that TJX made negligent misrepresentations. That it was under a duty to speak and didn't speak and knew what its problems were and didn't say to MasterCard and Visa that they weren't encrypting and the like,” Young said. “That's why MasterCard and Visa acted to allow TJX to get into the electronic, plastic monetary exchange upon which the economic health of the nation now rests.

This was a case where the storage architecture was wrong.  The access architecture was wrong.  The security architecture was missing.  Information was collected and stored in a way that made it too easy to gain access to too much. 

Given the losses involved, if the banks lose against TJX, we can expect them to devise contracts strong enought that they can win against the next “TJX”.  So I'm hopeful that one way or the other, this breach, precisely because of its predictability and cost, will help bring the “need to know” principle into many more systems. 

I'd like to see us discussing potential architectures that can help here rather than leaving every retailer to fend for itself.

Guess what? Rabodeb is not his “real” name

A rivetting “natural” story of pseudonymity has risen to prime time in America's financial press – partly because government prosecutors have entered the fray. We're not talking here about a teenager, novelist, or garret inhabitant. This involves a corporate executive – John P. Mackey, co-founder of Whole Foods Market, who we have just found out goes by the name of “Rahodeb“. Continue reading Guess what? Rabodeb is not his “real” name

Including the whole spectrum of use cases

Mathew Martin, who writes Mostly Mr. SQL, clearly detests PKI certificates more than almost any living person.  He finds CardSpace guilty by association in a piece called GRRRR!  CardSpace.  What a useless steeming pile…

Ok. Cardspace/Infocard is like OpenId.  Password-less access to websites (or password-fewer access).

BUT

1. You must use SSL.  Even if you just want to secure your application against your clueless neighbor.  That is a minimum of $40.

2. You must decrypt the response on an account with NTFS access to the private key.  The NT Network Service account is not likely to have read access to the private key on a hosted account.  Good luck explain how and getting co-operation from your hosting provider.

3. Decryption must be done under FULL TRUST.  Many hosted accounts only let you run in medium trust and don’t let you create COM+ dlls, put stuff in the GAC, etc.

[Items 2 and 3 might not even be a good idea.  If the world at large manages to use your web application to maliciously download your SSL cert, I suppose they could do something evil, like pretend they are you]

4. To get rid of the “the website isn’t secure for banking or ecommerce” you have to spend $1000 on an EV SLL cert.  Oh, sure, pocket change.

5. And who is issuing managed cards? I can get an SSL based cert from Thawte that says I am the person that controls my email account, but I can’t find anyone who issues managed infocards anywhere.

I’ve about realize that I–a computer profession and programmer, will not be able to implement InfoCard/Cardspace in any form, not for my blog, not for my hobby website, nothing.  Either one has $1040 and ones own entire server or nothing.

If only the top 10 biggest websites can overcome the hurdles posed by infocard, what we are going to see is 5 websites accept infocard and everyone else (mom & pop websites) continue to use passwords and user ID’s. InfoCard will have a minimal impact on how authentication is done.

This is going to drive small websites into using OpenId.  Consumer will rapidly gain a few dozen OpenId cards.  The rising ubiquity of OpenId–which doesn’t try to be a waterproof authentication method–will take over the world, relegating InfoCard to “that way you logon to Live.com services”.

Come on Microsoft, when are we going to be able to run CardSpace/Info card in “real world” mode?

[Thanks to Self-issued.info for the logo]  [Actually, I take that back, it is a Microsoft trademark. The purple box is has a substantial amount of IP self legislation that goes with it.  According to MS’s lawyers, I am currently in violation of usage guide lines for the icon.  Let’s see how Microsoft silences critics of InfoCard.]

Let's start with the CardSpace requirement that a relying party support SSL.  I agree with Mathew that requiring use of SSL and PKI is overkill for the type of blogging and hobbyist use cases he describes.  While my identityblog certificate is fairly inexpensive (thanks to godaddy.com), the extra cost associated with it at textdrive (which hosts my system) is around $100.00 per year because of the need to have a dedicated outward facing IP address.  I don't mind the cost too much, since I know there are people who will hit on my site and I like the extra protection.  But this really isn't appropriate for everyone. 

This underlines the fact that identity and the identity metasystem involve a continuum of use cases and technologies – and we have to embrace the whole continuum.  By making certificates mandatory, we cut the continuum in half.  Luckily, we can fix that before we get into the wide deployment phase.

My conclusion is that rather than hard-wiring the requirements for identification of a relying party into the identity selector, we should have allowed each identity provider to decide what minimal requirements were appropriate. 

This ends up having advantages both at the low value and high value ends of the spectrum. 

For example, a bank's IP might decide to only release information to a relying party with an Extended Validation (EV) certificate.  If so, CardSpace would not illuminate the associated information card if an EV certificate were not in use at the relying party site.   [EV certificates are only granted to companies or other organizations after they follow an extensive procedure for proving their legitimacy.]

Meanwhile, a blogging reputation identity provider might be happy to release reputation to any site the user proposes, certificate or no certificate.

Of course, the relying party is always free to use a certificate and gain the extra protection that provides.

This change is actually part of CardSpace 1.1 – which people should be able to start experimenting with very soon now.  When combined with the release of great toolkits for all the important languages, I think this will bring quite a bit of lift-off.

As for point 4), let's look at what the CardSpace advisory actually says:

I think there's a big difference between “a major internet business” and a site doing “ecommerce”.  When I buy a tee-shirt from Mathew I don't expect him to be EV.  If he were trying to sell thousand dollar cameras, I would feel differently.  I'd want him to either be well identified, or to work through a site like eBay that would provide another way of establishing his reputation.  And in this case, I want to make sure I'm really talking to eBay, so once again would like to see an EV cert.

I don't think any “major internet business” or bank will have any difficulty whatsoever covering the cost of an EV cert.  The idea of using the superior certs came directly from them, since they're the ones whose users get phished.  I don't understand why, given his earlier rant against the poor validation proceedures in conventional certificates, Mathew rails against our support for EV.  Part of his earlier criticism of EV certs is that the browser doesn't show the meaning of the cert properly, a problem CardSpace has solved. Consider this recent Anti-Phishing Working Group report:

As for who is issuing managed cards, you'll be seeing many outfits doing it as we move toward the InfoCard tipping point.  We're in the sockets and ecosystem phase of Information Cards, but I can tell you many players get the potential of the technology and are integrating it into product.

As for OpenID versus Information Cards, I don't see them as opposites.  Go to signon.com today and you'll see it supports use of Information Cards for OpenID authentication.   This is nice because it gets you InfoCard safety along with OpenID long-tail support. Going forward, I think you'll see most OpenID vendors supporting OpenID managed cards that work with OpenID sites.

As for the Information Card Icon, our intention is that it be available to everyone who supports the technology.  There has been pushback on the language around the icon, and we'll be figuring out how we can get this thing right.  In the meantime, I wouldn't be worried about using it on a teeshirt or to criticise us – but I would be worried about using it at a phishing site. 

Unifying the experience of online identity

Jon Udel zeros in on the problem of web sites that introduce “novel” authentication schemes once these schemes start to proliferate.   I had the same concerns when I set out the seventh law of identity (consistent experience).  Jon says:

Several months ago my bank implemented an anti-phishing scheme called Site ID, and now my mortgage company has gone to a similar scheme called PassMark. Both required an enrollment procedure in which I had to choose private questions and give answers (e.g., mother’s maiden name) and then choose (and label) an image. The question-and-answer protocol mainly beefs up name/password security, and secondarily deters phishing — because I’d notice if a site I believed to be my bank or mortgage company suddenly didn’t use that protocol. The primary anti-phishing feature is the named image. The idea is that now I’ll be suspicious if one of these sites doesn’t show me the image and label that I chose.

When you’re talking about a single site, this idea arguably make sense. But it starts to break down when applied across sites. In my case, there’s dissonance created by different variants of the protocol: PassMark versus Site ID. Then there’s the fact that these aren’t my images, they’re generic clip art with no personal significance to me. Another variant of this approach, the Yahoo! Sign-In Seal, does allow me to choose a personally meaningful image — but only to verify Yahoo! sites.

These fragmentary approaches can’t provide the grounded and consistent experience that we so desperately need. One subtle aspect of that consistency, highlighted in Richard Turner’s CardSpace screencast, is the visual gestalt that’s created by the set of cards you hold. In the CardSpace identity selector, the images you see always appear together and form a pattern. Presumably the same will be true in the Higgins-based identity selector, though I haven’t seen that yet.

I can’t say for sure, because none of us is yet having this experience with our banks and mortgage companies, but the use of that pattern across interactions with many sites should provide that grounded and consistent experience. Note that the images forming that pattern can be personalized, as Kevin Hammond discusses in this item (via Kim Cameron) about adding a handmade image to a self-issued card. Can you do something similar with a managed card issued by an identity provider? I imagine it’s possible, but I’m not sure, maybe somebody on the CardSpace team can answer that.

In any event, the general problem isn’t just that PassMark or Site ID or Sign-In Seal are different schemes. Even if one of those were suddenly to become the standard used everywhere, the subjective feeling would still be that each site manages a piece of your identity but that nothing brings it all together under your control. We must have, and I’m increasingly hopeful that we will have, diverse and interoperable identity selectors, identity providers, relying parties, and trust protocols. But every participant in the identity metasystem must also have a set of core properties that are invariant. One of the key invariant properties is that it must bring your experience of online identity together and place it under your control.

The “novel authentication” approach used by PassMark and others doesn't scale any better than the “pocket full of dongles” solutions proposed by Dongle queens or – for that matter – than conventional usernames and passwords. 

So far Information Cards are the only technology that both prevents phishing and avoids the novel authentication and multiple dongle problems.

By the way – if what Jon calls the “dissonance” problem that arises from the use of different images and questions on web sites were to be overcome by reusing the same images and questions everywhere, things would only get worse!

Once sites begin to share the same “novel authentication” model, you no longer have novel authentication. 

In fact you return full circle to the deepest phishing problems.  Why? 

If you went to an evil site and set up your reusable images and questions, you would have taught the evil site how to impersonate you at legitimage sites.   Thus in spite of lots of effort, and lots of illusions, you would end up further behind than when you started.

Roland Dobbins on DDoS attacks and mitigations

Roland Dobbins has written to point out that the recent Russian cyber-attacks on Estonia are not the first launched by one state against another (he cites incidents during the Balkan confict, as well as China versus Japan).

Then he gives us an overview of DDoS attacks and mitigations:

DoS attacks are easy to trace as long as Service Providers (SPs) have the proper instrumentation and telemetry enabled on their routers – NetFlow is the most common way of doing this, along  with various open-source and commercial tools (nfdump/ nfsen, Panoptis, Arbor, Lancope, Narus, Q1).

Most DDoS attacks these days aren't spoofed, because a) there's no need, given the zillions of botted computers out there available for use as attack platforms and b) because many SPs have implemented antispoofing technologies such as uRPF, iACLs, etc.

However, antispoofing (BCP38/BCP84) isn't universally deployed, and so the ability to spoof combined with DNS servers which are misconfigured as open recursors means that attackers can launch very large (up to 25gb/sec that I know of) spoofed DDoS attacks, due to the amplification factor of the open DNS recursors.

There are various mitigation techniques employed such as  destination-based (destroys the village in order to save it) and/or source-based remotely-triggered blackholing (S/RTBH), plan old iACLs, and dedicated DDoS mitigation appliances; there's a lot of information-sharing and coordinated mitigation which takes place in the SP community, as well.

But there isn't nearly enough of any of these things, especially in the developing world.

Russian cyber-attacks on Estonia

Here is a report from the Guardian on what it calls the first cyber assault on a state. 

Whether it's the first or not, this type of attack is something we have known was going to be inevitable, something that was destined to become a standard characteristic of political conflict.

I came across the report while browsing a must-read new identity site called blindside (more on that later…).  Here are some excerpts from the Guardian's piece:

A three-week wave of massive cyber-attacks on the small Baltic country of Estonia, the first known incidence of such an assault on a state, is causing alarm across the western alliance, with Nato urgently examining the offensive and its implications.

While Russia and Estonia are embroiled in their worst dispute since the collapse of the Soviet Union, a row that erupted at the end of last month over the Estonians’ removal of the Bronze Soldier Soviet war memorial in central Tallinn, the country has been subjected to a barrage of cyber warfare, disabling the websites of government ministries, political parties, newspapers, banks, and companies.

Nato has dispatched some of its top cyber-terrorism experts to Tallinn to investigate and to help the Estonians beef up their electronic defences.
“This is an operational security issue, something we're taking very seriously,” said an official at Nato headquarters in Brussels. “It goes to the heart of the alliance's modus operandi.”

“Frankly it is clear that what happened in Estonia in the cyber-attacks is not acceptable and a very serious disturbance,” said a senior EU official…

“Not a single Nato defence minister would define a cyber-attack as a clear military action at present. However, this matter needs to be resolved in the near future…”

Estonia, a country of 1.4 million people, including a large ethnic Russian minority, is one of the most wired societies in Europe and a pioneer in the development of “e-government”. Being highly dependent on computers, it is also highly vulnerable to cyber-attack.

It is fascinating to think about how this kind of attack could be resisted:

With their reputation for electronic prowess, the Estonians have been quick to marshal their defences, mainly by closing down the sites under attack to foreign internet addresses, in order to try to keep them accessible to domestic users…

Attacks have apparently been launched from all over the world:

The crisis unleashed a wave of so-called DDoS, or Distributed Denial of Service, attacks, where websites are suddenly swamped by tens of thousands of visits, jamming and disabling them by overcrowding the bandwidths for the servers running the sites…

The attacks have been pouring in from all over the world, but Estonian officials and computer security experts say that, particularly in the early phase, some attackers were identified by their internet addresses – many of which were Russian, and some of which were from Russian state institutions…

“We have been lucky to survive this,” said Mikko Maddis, Estonia's defence ministry spokesman. “People started to fight a cyber-war against it right away. Ways were found to eliminate the attacker.”

I don't know enough about denial of service attacks to know how difficult it is to trace them. after the fact.  But presumably, since there is no need to receive responses in order to be successful in DOS, the attacker can spoof his source address with no problem.  This can't make things any easier.

Estonian officials say that one of the masterminds of the cyber-campaign, identified from his online name, is connected to the Russian security service. A 19-year-old was arrested in Tallinn at the weekend for his alleged involvement…

Expert opinion is divided on whether the identity of the cyber-warriors can be ascertained properly…

(A) Nato official familiar with the experts’ work said it was easy for them, with other organisations and internet providers, to track, trace, and identify the attackers.

But Mikko Hyppoenen, a Finnish expert, told the Helsingin Sanomat newspaper that it would be difficult to prove the Russian state's responsibility, and that the Kremlin could inflict much more serious cyber-damage if it chose to.  (More here…)

There was huge loss of life and bitterness between Russia and Estonia during the second world war, and there are still nationalist forces within Russia who would see this statue as symbolic of that historical reality.  It is perhaps not impossible that the DOS was mounted by individuals with those leanings rather than being government sponsored.  Someone with a clear target in mind, and the right technical collaborators, and who could muster bottoms up participation by thousands of sympathizers could likely put this kind of attack in place almost as quickly as a nation state.

Secret weapon against high tech

Thanks to Lars Iwer, a story from The Independent on breaching the invincible to get at the Crown Jewels.  By the way, how much does 120,000 carats weigh?  Answer here.  That's one big ring.

A thief has evaded one of the world's most expensive hi-tech security systems, and made off with €21m (£14.5m) worth of diamonds – thanks to a secret weapon rarely used on bank staff: personal charm.

In what may be the biggest robbery committed by one person, the conman burgled safety deposit boxes at an ABN Amro bank in Antwerp's diamond quarter, stealing gems weighing 120,000 carats. Posing as a successful businessman, the thief visited the bank frequently, befriending staff and gradually winning their confidence. He even brought them chocolates, according to one diamond industry official.

Now, embarrassed bank staff in Belgium's second city are wondering how they had been hoodwinked into giving a man with a false Argentine passport access to their vaults.

The prime suspect had been a regular customer at the bank for the past year, giving his name as Carlos Hector Flomenbaum from Argentina. The authorities, who have offered a €2m reward for information leading to an arrest, now know that a passport in that name was stolen in Israel a few years ago. Although not familiar to the local diamond dealers, the conman became one of several trusted traders given an electronic card to access the bank vault. The heist, believed to have been more than a year in the planning, has astounded diamond dealers.

(Continues…)

Being psychic, I sense a movie coming.

Beijing's new Internet identity system

According to the Financial Times, the Chinese government has clear digital identity ideas of its own. 

It's a simple solution, really.  Just make sure the government knows who everyone is and what they are doing all the time while they use the internet.  This applies as much to your identity as an “elf” as to your identity as a professional. 

Under a “real name verification system” to crack down on internet usage – and prevent internet addiction among the young – Chinese police are to check the identity card numbers of all would-be players of internet games.

While it is unclear how rigorously the system will be enforced, Monday’s move highlights Beijing’s desire to more closely regulate the internet and reduce the potential for anonymity…

The same crack down will help ensure Chinese bloggers aren't inconvenienced with the kinds of vexing issues we've faced here with the Sierra affair.

Chinese leaders recently announced a broad push to “purify” the internet of socially and politically suspect activity, and have been keen to push users to use their true identities online. Beijing is also looking at ways of implementing a “real name” system for bloggers to curb “irresponsible” commentary and intellectual property abuse.

It might sound a bit draconian to our ears, but Hu Qiheng of the China Internet Association said bloggers’ real names would be kept private “as long as they do no harm to the public interest”.  That's clearly benevolent, isn't it?  We all know what the public interest is.

According to FT: 

China’s 18-digit ID numbers are mainly based on place of birth, age and gender and are unique to each citizen, but widely available software can generate fake but plausible numbers.

Under the new system, Chinese police would check each number, a government official, Kou Xiaowei, said on Monday.

Players whose IDs showed they were under 18, or who submitted incorrect numbers, would be forced to play versions of online games featuring an anti-addiction system that encourages them to spend less time online, he said.

Minors who stayed online for more than three hours a day would have half of their game credits cancelled; those who played for more than five hours a day would have all of their credits taken away.

As far as I know, the proposal that age verification be used to combat addiction is entirely original (patented?)  The analysis of how this proposal stacks up against the Laws of Identity is left as an exercise for the reader.

More here…

Richard Gray on authentication and reputation

Richard Gray posted two comments that I found illuminating, even though I see things in a somewhat different light.  The first was a response to my Very Sad Story

One of the interesting points of this is that it highlights very strongly some of the meat space problems that I’m not sure any identity solution can solve. The problem in particular is that as much as we try to associate a digital identity with a real person, so long as the two can be separated without exposing the split we have no hope of succeeding.

For so long identity technical commentators have pushed the idea that a person’s digital identity and their real identity can be tightly bound together then suddenly, when the weakness is finally exposed everyone once again is forced to say ‘This digital identity is nothing more than a string puppet that I control. I didn’t do this thing, some other puppet master did.’

What’s the solution? I don’t know. Perhaps we need to stop talking about identities in this way. If a burglar stole my keys and broke into my home to use my telephone it would be my responsibility to demonstrate that but I doubt that I could be held responsible for what he said afterwards.  Alternatively we need non-repudiation to be a key feature of any authentication scheme that gets implemented.

In short, so long as we can separate ourselves from our digital identities, we should expect people not to trust them. We should in fact go to great lengths to ensure that people trust them only as much as they have to and no more.

 He continued in this line of thought over at Jon's blog:

As you don’t have CardSpace enabled here, you can’t actually verify that I am the said same Richard from Kim’s blog. However in a satisfyingly circular set of references I imagine that what follows will serve to authenticate me in exactly the manner that Stephen described. :)  [Hey Jon – take a look at Pamelaware - Kim]

I’m going to mark a line somewhere between the view that reputation will protect us from harm and that the damage that can be done will be reversible. Reputation is a great authenticating factor, indeed it fits most of the requirements of an identity. It's trusted by the recipient, it requires lots of effort to create, and is easy to test against. Amongst people who know each other well its probably the source of information that is relied upon the most. (”That doesn’t sound like them” is a common phrase)

However, this isn’t the way that our society appears to work. When my wife reads the celebrity magazines she is unlikely to rely on reputation as a measure for their actions. Worse than this, when she does use reputation, it is built from a collection of previous celebrity offerings.

To lay it out simply, no matter who should steal my identity (phone, passwords etc.) they would struggle to damage my relationship with my current employer as they know me and have a reputation to authenticate my actions with. They could do a very good job of destroying any hope I have of getting a job anywhere else though. Regardless of the truth I would be forced to explain myself at every subsequent meeting. The public won’t have done the background checks, they’ll only know what they’ve heard. Why would they take the risk and employ me, I *might* be lying.

Incredibly, the private reputation that Allen has built up (and Stephen and the rest of us rely on) has probably helped to save a large portion of his public reputation. Doing a google for “Allen Herrell” doesn’t find netizens baying for his blood, it finds a large collection of people who have rallied behind him to declare ‘He would not do this’.

Now what I’m about to say is going to seem a little crazy but please think it through to the end before cutting it down completely. So long as our online identities are fragile and easily compromised people will be wary to trust them. If we lower the probability of an identity failing, people will, as a result, place more faith in that identity. But if we can’t reduce the probability of failure to zero then when some pour soul suffers the inevitable failure of their identity, so many more people will have placed faith in it that undoing the damage may be almost impossible. It would seem then that the unreliability of our identity is in fact our last line of defence.

My point then is that while it is useful to spend time improving authentication schemes perhaps we are neglecting the importance of non-repudiation within the system. If it was impossible for anyone other than me to communicate my password string to an authentication system then that password would be fine for authentication and it wouldn’t even be necessary to encrypt the text wherever it was stored!

Jon Udell on the Sierra affair

Jon Udell put up this thought-inducing piece on the widely discussed Sierra affair earlier this week, picking up on my piece and the related comment by Richard Gray.   

Kim Cameron had the same reaction to the Sierra affair as I did: Stronger authentication, while no panacea, would be extremely helpful. Kim writes:

Maybe next time Allan and colleagues will be using Information Cards, not passwords, not shared secrets. This won’t extinguish either flaming or trolling, but it can sure make breaking in to someone’s site unbelievably harder.

Commenting on Kim’s entry, Richard Gray (or, more precisely, a source of keystrokes claiming to be one of many Richard Grays) objects on the grounds that all is hopeless so long as digital and real identities are separable:

For so long identity technical commentators have pushed the idea that a person’s digital identity and their real identity can be tightly bound together then suddenly, when the weakness is finally exposed everyone once again is forced to say ‘This digital identity is nothing more than a string puppet that I control. I didn’t do this thing, some other puppet master did.’

Yep, it’s a problem, and there’s no bulletproof solution, but we can and should make it a lot harder for the impersonating puppet master to seize control of the strings.

Elsewhere, Stephen O’Grady asks whether history (i.e., a person’s observable online track record) or technology (i.e., strong authentication) is the better defense.

My answer to Stephen is: You need both. I’ve never met Stephen in person, so in one sense, to me, he’s just another source of keystrokes claiming to represent a person. But behind those keystrokes there is a mind, and I’ve observed the workings of that mind for some years now, and that track record does, as Stephen says, powerfully authenticate him.

“Call me naive,” Stephen says, “but I’d like to think that my track record here counts for something.”

Reprising the comment I made on his blog: it counts for a lot, and I rely on mine in just the same way for the same reasons. But: counts for whom? Will the millions who were first introduced to Kathy Sierra and Chris Locke on CNN recently bother explore their track records and reach their own conclusions?

More to the point, what about Alan Herrell’s1 track record? I would be inclined to explore it but I can’t, now, without digging it out of the Google cache.

The best defense is a strong track record and an online identity that’s as securely yours as is feasible.

The identity metasystem that Kim Cameron has been defining, building, and evangelizing is an important step in the right direction. I thought so before I joined Microsoft, and I think so now.

It’s not a panacea. Security is a risk continuum with tradeoffs all along the way. Evaluating the risk and the tradeoffs, in meatspace or in cyberspace, is psychologically hard. Evaluating security technologies, in both realms, is intellectually hard. But in the long run we have no choice, we have to deal with these difficulties.

The other day I lifted this quote from my podcast with Phil Libin:

The basics of asymmetric cryptography are fundamental concepts that any member of society who wants to understand how the world works, or could work, needs to understand.

When Phil said, that my reaction was, “Oh, come on, I’d like to think that could happen but let’s get real. Even I have to stop and think about how that stuff works, and I’ve been aware of it for many years. How can we ever expect those concepts to penetrate the mass consciousness?”

At 21:10-23:00 in the podcast2, Phil answers in a fascinating way. Ask twenty random people on the street why the government can’t just print as much money as it wants, he said, and you’ll probably get “a reasonable explanation of inflation in some percentage of those cases.” That completely abstract principle, unknown before Adam Smith, has sunk in. Over time, Phil suggests, the principles of asymmetric cryptography, as they relate to digital identity, will sink in too. But not until those principles are embedded in common experiences, and described in common language.

Beyond Stephen O'Grady's piece, the reactions of Jon's readers are of interest too.  In fact, I'm going to post Richard's comments so that everyone gets to see them.