Breached

My blog was hacked over the weekend.  It was apparently a cross-site scripting attack carried out through a vulnerability in WordPress.  WordPress has released a fix (Version 2.3.1) and I've now installed it.

ZDNet broke the news on Monday – I was awakened by PR people.  The headline read, “Microsoft privacy guru's site hacked”.  Fifteen minutes of fame:

IdentityBlog.com, a Web site run by Microsoft’s chief architect of identity and access, has been hacked and defaced.

The site, which is used by Microsoft’s Kim Cameron to promote discussion around privacy, access and security issues, now contains an “owned by me” message and a link to a third-party site (see screenshot).

Naturally there were more than a few congratulatory messages like this one from “Living in Tension” (whose tagline says he has “Christ in one hand, and the world in the other”):

Several years of working in the Information Technology world have unintentionally transformed me into an OSS, Linux, security zealot…

… Tasty little tidbits like this are just too good to be true

I wonder if he would have put it this way had he known my blog is run by commercial hosters (TextDrive) using Unix BSD, MySQL, PHP and WordPress – all OSS products.  There is no Microsoft software involved at the server end – just open source.  

The discussion list at ZDNet is amusing and sobering at the same time.  Of course it starts with a nice “ROTFLMAO” from someone called “Beyond the vista, a Leopard is stalking”: 

This one was priceless . How can Microsoft's Security Guru site get hacked ? Oh my all the MS fanboys claim that Microsoft products are so secure .

<NOT!>

But then “ye”, who checks his facts before opening his mouth, has a big ‘aha’:

How can this be? It runs on UNIX!

FreeBSD Apache 29-Jun-2007

Why it's the very same BSD UNIX upon which OS X is based. The very one we've heard makes OS X so ultra secure and hack proof.

This is too much for poor “Stalking Leopard” to bear:

How about explaining as to what a Microsoft employee would be doing using a UNIX server ? I don't think microsoft would be too happy hearing about their employee using… more than their inherently safe IIS server.

Gosh, is the “Stalking Leopard”  caught in a reverse-borg timewarp?

By this point “fredfarkwater” seems to have had enough:

What kind of F-in idiots write in this blog? Apple this or MS that or Linux there….. What difference does it make what OS/platform you choose if it does the job you want it to? A computer is just a computer, a tool, you idiot brainless toads! A system is only as secure as you make it as stated here. You *ucking morons need a life and to grow up and use these blogs for positive purposes rather than your childish jibbish!

But as passionate as Fred's advice might be, it doesn't seem to be able to save “Linux Geek”, who at this point proclaims:

This is a shining example why you should host on Linux + Apache .

For those who still don't get it, this shows the superiority of Linux and OSS against M$ products.

Back comes a salvo of “It's on Unix”, by mharr; “lol” by toadlife; and “Shut up Fool!” by John E. Wahd.

“Ye” and marksashton are similarly incredulous:

You do realize that you just made an idiot of yourself, right?

Man you are just too much. I'm sure all of the people who use Linux are embarrassed by you and people like you who spew such nonsense.

Insults fly fast and furious until “Linux User” tells “Linux Geek”:

I really hope you know  just how idiotic you look with this post! What an ID10T.

It seems the last death rattle of the performance has sounded, but then there's a short “second breath” when “myOSX” has a brainwave:

Maybe he moved the site after it got hacked ???

After that's nixed by “ye”, “Scrat” concludes:

So it appears that identityblog.com was being hosted by TextDrive, Inc using Apache on FreeBSD.

Bad Microsoft!

The truth of the matter is very simple.  I like WordPress, even if it has had some security problems, and I don't want to give it up.

My site practices Data Rejection, so there is no “honeypot” to protect.  My main interest is in having an application I like to use and being part of the blogosphere conversation.  If I'm breached from time to time, it will raise a few eyebrows, as it has done this week, but hopefully even that can help propagate my main message:  always design systems on the basis they will be breached – and still be safe.

Although in the past I have often hosted operational systems myself, in this project I have wanted to understand all the ins and outs and constraints of using a hosted service.  I'm pretty happy with TextDrive and think they're very professional.

After the breach at St. Francis dam
I accept that I'm a target.  Given the current state of blogging software I expect I'll be breached again (this is the second time my site has been hacked through a WordPress vulnerability). 

But I'm happy to work with WordPress and others to solve the problems, because there are no silver bullets when it comes to security, as I hope Linux Geek learns, especially in environments where there is a lot of innovation.

That elusive privacy

Craig Burton amused me recently by demonstrating conclusively that my use of a digital birthday for non-disclosure reasons couldn't survive social networking for longer than five digital minutes!  Here's what he says about it in his new WordPress blog (and he's setting up infocard login as we speak)…

Pamela Dingle pointed this post out to me early in Sept. We both decided not to write about it and make fun of Kim and Jackson for violating privacy guidelines so blatantly. But Kim got a good laugh out of my pointing that out so – while late – here it is. Pictures, dates the whole thing. Who cares about privacy anyway eh?


Massive breach could involve 94 million credit cards

According to Britain's The Register,  the world's largest credit card heist might be twice as large as previously admitted. 

A retailer called TJX was able to create a system so badly conceived, designed and implemented that 94 million accounts could be stolen.  It is thought that the potential cost could reach 1 billion dollars – or even more.  The Register says:

The world's largest credit card heist may be bigger than we thought. Much bigger.

According to court documents filed by a group of banks, more than 94 million accounts fell into the hands of criminals as a result of a massive security breach suffered by TJX, the Massachusetts-based retailer.

That's more than double what TJX fessed up to in March, when it estimated some 45.7 million card numbers were stolen during a 17-month span in which criminals had almost unfettered access to the company's back-end systems. Going by the smaller estimate, TJX still presided over the largest data security SNAFU in history. But credit card issuers are accusing TJX of employing fuzzy math in an attempt to contain the damage.

“Unlike other limited data breaches where ‘pastime hackers’ may have accessed data with no intention to commit fraud, in this case it is beyond doubt that there is an extremely high risk that the compromised data will be used for illegal purposes,” read the document, filed Tuesday in US District Court in Boston. “Faced with overwhelming exposure to losses it created, TJX continues to downplay the seriousness of the situation.”

TJX officials didn't return a call requesting comment for this story.

The new figures may mean TJX will have to pay more than previously estimated to clean up the mess. According to the document, Visa has incurred fraud losses of $68m to $83m resulting from the theft of 65 million accounts. That calculates to a cost of $1.04 to $1.28 per card. Applying the same rate to the 29 million MasterCard numbers lost, the total fraud losses alone could top more than $120m.

Research firms have estimated the total loss from the breach could reach $1bn once legal settlements and lost sales are tallied. But that figure was at least partly based on the belief that fewer than 46 million accounts were intercepted.

Interestingly, the actual court case is not focused on the systems themselves, but on the representations made about the systems to the banks.  According to eWeek, U.S. District Judge William Young told the plaintiffs,

“You're going to have to prove that TJX made negligent misrepresentations. That it was under a duty to speak and didn't speak and knew what its problems were and didn't say to MasterCard and Visa that they weren't encrypting and the like,” Young said. “That's why MasterCard and Visa acted to allow TJX to get into the electronic, plastic monetary exchange upon which the economic health of the nation now rests.”

This was a case where the storage architecture was wrong.  The access architecture was wrong.  The security architecture was missing.  Information was collected and stored in a way that made it too easy to gain access to too much. 

Given the losses involved, if the banks lose against TJX, we can expect them to devise contracts strong enough that they can win against the next “TJX”.  So I'm hopeful that one way or the other, this breach, precisely because of its predictability and cost, will help bring the “need to know” principle into many more systems.

I'd like to see us discussing potential architectures that can help here rather than leaving every retailer to fend for itself.

B.C. to test virtual digital ID card

Here's a story by the Canadian Broadcasting Corporation (CBC) on the British Columbia government's IDM project.  Dick Hardt of sxip played the key and even charismatic role in developing a catalytic relationship between industry and government.

British Columbia will test a virtual ID “card” that enables citizens to connect with the government's online services more safely and easily, a top technology official said.

The government plans to begin tests on an “information card” early in the new year, said Ian Bailey, director of application architecture for the province's Office of the Chief Information Officer.

The cards are in the early stages, and “there's going to be some challenges,” Bailey said.

An information card is not a card at all: it's more like a document delivered to users’ computers which they can then use to access government websites.

It's meant to replace the current method of access, which involves logging on to a site with a name and password, and has a digital signature that can't be changed or reproduced, Bailey said.

“It will give us better privacy protection for individuals,” he said.

Among other attributes, Bailey said using an information card means:

  • The government won't know which sites the user visits.
  • The user is in control of shared information.
  • The cards won't have to reveal users’ birthdates or addresses, or a student's school. Instead, it could simply confirm the user is over 19, a B.C. resident or a student.

He compared using the card to using a driver's licence for identification since, in both cases, the government does not know what the citizen is doing.

Business, Model, Scenario and Technology

Reading more of the discussion about Identity Oracles, I've come to agree with the importance of having separate names for the business model and the underlying technology that would be used to deliver services.  So I buy Dave Kearns's advice

Drop it while you can, Kim. Bob's right on this one. The “Identity Oracle” is a business model, not a technology feature.

Why was I conflating things?

Well, when we were devising the technology for claims transformers, we were specifically trying to enable the scenario of providing answers to questions without releasing the information on which the answers are based (in other words, support derived claims).  We intended the claims transformer to be the technology component that could supply such answers. 

I saw the name “Identity Oracle” as describing the scenario.

Now I see the advantages of having very precise naming for a number of interrelated things.  It can leave us with this taxonomy: 

Reading Dave Kearns's post on how a service like HealthVault might evolve in the direction of an Identity Oracle, I couldn't help wondering about the problems of liability implied by some of these behaviors.

For example, consider a health-related Identity Oracle that could answer the question, “Can Kim take drug X without fear of drug interactions?”.  The resultant “yes” or “no” would be a lot more privacy friendly than releasing all of Kim's drug prescriptions and the medical information necessary to adequately answer the question. 

However, the Identity Oracle presumably assumes more liability by “selling” its “yes” or “no” conclusion than it would by releasing simple facts (assuming the right permissions and use restrictions were in place). 

In other words, success of this model will involve a transfer of liability from the party currently making a decision to the oracle.  This liability has to be factored into the cost structure of the identity oracle business model, and the resultant pricing must make sense to the requesting party.
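The derived-claims idea runs through both the B.C. information card story (confirm “over 19, a B.C. resident or a student” without revealing birthdate, address or school) and the Identity Oracle discussion above (a yes/no answer instead of the underlying facts). The following is an added illustration, not code from this blog or from any project it mentions: a toy claims transformer that answers those questions as booleans, gives each relying party a site-specific subject identifier so sites cannot link the user across each other, signs the result, and checks that none of the raw source values appear in what it emits. The record, key and claim names are all constructed for the example, and the HMAC signature stands in for the asymmetric signature a real token format would use.

```python
import hashlib
import hmac
import json
from datetime import date

# Constructed full identity record, as the transformer (the identity
# provider) holds it. None of these raw values may leave the transformer.
SOURCE_RECORD = {
    "subject_id": "user-0042",
    "birthdate": "1985-03-15",
    "province": "British Columbia",
    "enrolled_at": "Example University",
}

# Hypothetical signing key known only to the transformer; a real
# deployment would use an asymmetric key pair and a standard token format.
TRANSFORMER_KEY = b"constructed-demo-key-do-not-reuse"


def age_on(birthdate: str, today: str) -> int:
    """Whole years between two ISO dates; a birthday not yet reached counts down."""
    b, t = date.fromisoformat(birthdate), date.fromisoformat(today)
    return t.year - b.year - ((t.month, t.day) < (b.month, b.day))

def derive_claims(record: dict, requested: list, today: str) -> dict:
    """Answer each requested question with True/False, never with the raw fact."""
    answers = {
        "over_19": lambda r: age_on(r["birthdate"], today) >= 19,
        "bc_resident": lambda r: r["province"] == "British Columbia",
        "student": lambda r: bool(r.get("enrolled_at")),
    }
    unknown = set(requested) - set(answers)
    if unknown:
        # Refuse to hand out anything that is not a derived yes/no claim.
        raise ValueError("unsupported derived claim(s): %s" % sorted(unknown))
    return {name: answers[name](record) for name in requested}

def pairwise_id(subject_id: str, relying_party: str) -> str:
    """Site-specific subject identifier: stable for one site, unlinkable across sites."""
    msg = ("%s|%s" % (subject_id, relying_party)).encode()
    return hmac.new(TRANSFORMER_KEY, msg, hashlib.sha256).hexdigest()[:32]

def _sign(body: dict) -> str:
    payload = json.dumps(body, sort_keys=True).encode()
    return hmac.new(TRANSFORMER_KEY, payload, hashlib.sha256).hexdigest()

def issue_token(record: dict, relying_party: str, requested: list, today: str) -> dict:
    """Build the minimal-disclosure token a relying party receives."""
    body = {
        "audience": relying_party,
        "subject": pairwise_id(record["subject_id"], relying_party),
        "claims": derive_claims(record, requested, today),
    }
    return dict(body, signature=_sign(body))

def verify_token(token: dict) -> bool:
    """Relying-party side: check the transformer's signature over the body."""
    body = {k: v for k, v in token.items() if k != "signature"}
    return hmac.compare_digest(_sign(body), token.get("signature", ""))

def leaks_source_data(token: dict, record: dict) -> bool:
    """True if any raw source value (id, birthdate, province, school) appears in the token."""
    serialized = json.dumps(token)
    return any(str(v) in serialized for v in record.values())
```

The liability point in the text shows up here as well: the relying party can verify the signature but cannot check the answer itself, so it is trusting the transformer's computation, not the facts.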

Zend PHP Information Cards

Dr. Dobb's Journal is dear to my heart.  My wife Adele Freedman, an architecture critic, always used to point to the copies I left lying around and tell our friends, “Check it out.  It's amazing to watch him read it.  No two words fit together.”

But to me it was like candy.  So it was exciting to read the following article today on Dobb's Portal:

Microsoft and Zend Technologies have announced a collaboration to enable support for information cards by PHP developers through a component built for Zend Framework. Using this as a stand-alone component or as part of the Framework, PHP developers will be able to specify a Web site's security policy and accept information cards from trusted third parties.

“Microsoft and Zend are making a commitment to deliver information card support to PHP developers, which will reduce development costs and help make the Web safer and more secure for people,” said Vijay Rajagopalan, principal architect for Platform & Interoperability Strategy at Microsoft.

The cooperative work on information cards extends Microsoft's previous interoperability efforts in this area. Microsoft, in collaboration with Fraunhofer Institute FOKUS and ThoughtWorks, has developed open source interoperability projects on information cards for systems based on Java and Ruby.

“Web sites developed on ASP.NET can already accept information cards,” Rajagopalan explained. “With this work, a Java-based Web site, for example, built on the Sun Java System Web Server, Apache Tomcat or IBM WebSphere Application Server can now accept a digital information card for security-enhanced identity. A Web site built on Ruby on Rails can accept an information card. There is also an open source information card library project implemented in C, developed by Ping Identity Corp.”

Information about Microsoft open source interoperability identity card projects can be found at:

When support for information cards within the Zend Framework (an open source PHP application framework for developing Web applications and Web services) is enabled, users who access PHP-enabled Web sites will receive consistent user control of their digital identities and improved confidence in the authentication process for remote applications, all with greater security than password-based Web logins offer. Zend Technologies’ implementation of information cards lets users provide their digital identities in a familiar, security-enhanced way. They are analogous to business cards, credit cards or membership cards that people use every day.

I guess everyone familiar with this blog knows I've developed a deep affection for PHP myself, so I'm very happy to see this.

Bob Blakley on the Identity Oracle

As you can read here, Bob Blakley thrashes me for my characterization of an Identity Oracle as “his sexy name for the claims transformer generating ‘minimal disclosure tokens’”.   He thinks I'm being geeky, and I probably am, but hey, geeks are people too.

He puts it this way:

This statement is utterly and completely wrong.  An Identity Oracle is NOT a “claims transformer generating minimal disclosure tokens”.  It’s not even a claims transformer.  It’s not even a server.  It’s not even technology.

“It's not even technology.”  I guess it “just happens”.  Reminds me of how Bentley Motorcars describe what others would call a factory:

This isn’t a factory visit. It’s the Bentley Experience.

But let's not turn our backs on Bob's pain:

I’ve said twenty times from various stages and in writing on my personal blog and here that as long as we continue to try to solve privacy problems using technology, we are going to continue to fail, and the Internet will continue to lack an identity layer, and it will continue to be a privacy hazard.  Identity and privacy are not technology problems – they’re social, legal, and economic problems – and no technology can solve these problems.

Of course I agree that technology can't solve problems, only its design and usage can.  Although identity and privacy are social, legal and economic problems, they are technical ones too.

It's paradoxical that I have to be the person to suggest that The Burton Group take in a bit of lawyer Lawrence Lessig's thinking about these matters, nicely summarized here:

Lessig… addresses the two forms of code that dominate the Internet: legal code (law) and machine code (the technology supporting the Internet).  As Lessig points out, the influence of both must be understood, as both will determine the shape of the future.

That has become a bit of a mantra for me, and one of the reasons why, when I see interesting policy ideas, I try to understand how they relate to “code”.

Anyway, let's get to all the good points Bob makes.  Here's the basic dialog a service has with the Identity Oracle:

Burton Group goes to Mainstreet

In this cogent article, the New York Times’ Denise Caruso distinguishes herself with a compelling treatment of complex identity and privacy issues.  For instance, her characterization of Mint.com is enough to turn the Flying Nun into a paranoid: 

“In exchange for customers uploading their account information and allowing sponsors to offer them specialized services, Mint will connect nightly to their credit-card providers, banks and credit unions. Then it automatically updates transactions and accounts, balances their checkbooks, categorizes their transactions, compares cash with debt and, based on their personal spending habits, shops for better rates on new accounts and credit cards.”

I sure would like to know more about how mint.com protects itself, who oversees it, how it protects me, and most important, what it does and doesn't and will never do with the massively detailed personal information it collects.  Today, not even my accountant or my wife scrutinizes my credit card spending.

To the rescue

Just as the reader is losing all hope, in rides – are you ready? – Mike Neuenschwander from the Burton Group.   He puts forward the ideas all of us in the community are working on, but with a twist that is very novel – and perhaps even “American”:

“We’re in a situation where business holds all the cards…  Businesses put the deal in front of the consumer, they control the playing field and the consumer doesn’t have any say in how the deal plays out.”

One way to change this, he said, is to make people more like organizations.

To this end, Mr. Neuenschwander and his colleagues have floated the intriguing concept of the L.L.P.: the Limited Liability Persona. This persona would be a legally recognized virtual person in which users could “invest” the financial or identity resources of their choosing.

Once their individual personas are created, consumers would be able to use them as their legal “alter ego,” even in financial transactions. “My L.L.P. would have its own mailing address, its own tax ID number, and that’s the information I’d give when I’m online,” Mr. Neuenschwander said. Other benefits include the ability for “personas” to limit their financial exposure in ways that individuals cannot.

EPIC opposes Google / Doubleclick merger

Last week the Electronic Privacy Information Center (EPIC) made an agenda-setting intervention on the newest dangers in digital privacy.  EPIC is perhaps the world’s most influential privacy advocacy group, and presented its brief to a US Senate hearing looking into Google’s proposed acquisition of Doubleclick.

According to USA Today,

“The Federal Trade Commission is already reviewing whether the Google-DoubleClick combination would violate antitrust law.  Consumer groups are pressing the agency to also scrutinize Google's privacy practices.  Marc Rotenberg, executive director of the Electronic Privacy Information Center, told the Senate committee that Google should be required to strengthen its privacy practices as a condition of the acquisition.”


Digital gifts for my digital birthday

When I do a telephone transfer at my bank, they ask me to prove I'm legitimate by giving them a few pieces of information – including my birth date.  I also know that by combining birth date, surname and zip code, marketers can uniquely identify almost the whole population.  To my way of thinking, this puts it in the same class as a social security number, and I'm careful about who I give it to.

So when signing up for Facebook I didn't consider for one moment the idea of publishing my natural birth date.   Nor did I read the terms of service.  If sites hide away their terms of service, I figure that means they don't expect me to read them anyway.