Identity as a weapon

Writing about the recent phenomenon that is #Gamergate, Kirk Hamilton makes some interesting points about identity:

It makes sense that doxxing—sharing someone’s address and other personal information against their will—is one of the primary instruments wielded in this battle. Doxxers use identity as a weapon, and so much of this conflict is, at its core, about identity. There’s the stated claim that the gamer identity is under attack, and also the pervading sense that this “war” is less about journalistic ethics and more about the murk of entrenched identity politics. Video games have hugely informed our generation’s cultural identity, and so cultural criticism of games feels somehow personal, like we’re the ones being criticized. I get it. I do.

He’s describing a tectonic shift in gamer culture as gaming goes from being largely white, male and young, to being increasingly diverse in race, gender and age. The cultural realignment of broadly defined identity can be expected to set off aftershocks that ripple through adjacent populations and disciplines. In this case, there was an identity quake of about 6 on the Richter scale in the gamer subculture that is rippling through journalism, hardware manufacturing, marketing, law enforcement, and on down to individual people. Among the results is a much wider public perception of the danger one’s personal details represent when in the hands of people you don’t trust.

Gaming is a very geeky subculture. It is assumed by many that the Gamergaters would have no trouble getting anyone’s personal information. Another result then is a social laboratory environment in which we get to see how that assumption affects behavior. Certainly Felicia Day held this belief when she wrote:

I haven’t been able to stomach the risk of being afraid to get out of my car in my own driveway because I’ve expressed an opinion that someone on the internet didn’t agree with.

HOW SICK IS THAT?

I have allowed a handful of anonymous people censor me. They have forced me, out of fear, into seeing myself a potential victim.

And that makes me loathe not THEM, but MYSELF.

Within moments of posting this, someone tweeted Felicia’s address.

From its beginnings, the Internet was designed and built functionality first, with security and privacy a very distant second, if at all.  SSL was an afterthought.  DNSSEC was an afterthought.  The original Internet anticipated how functions would work, not how they could be exploited.

Then we built Internet commerce on that shaky foundation and following the same template.  There is a strong parallel between the architecture of the commercial web and toxic waste dumping of the late 20th century.  Both involved the externalization of costs extracted from a manufacturing process.  The manufacturing of things based on atoms resulted in escrowing those costs as time capsules of toxic waste that would become the problem of some future people in return for larger profits today.  In the case of bits, widespread failure to implement even basic security to protect personal data generates larger profits today but also creates a situation in which the incremental cost of retrofitting security into large established systems is prohibitive.  Since that personal data can be used as easily to harm people as to help them, large databases of personal information which lack adequate security are akin to undiscovered pools of toxic waste – cheaper to build today, someone else’s future problem if it is abused.

We are now in the stage where the toxicity of bad security is leaking into the digital groundwater.  Those regular reports of massive breaches on high-profile web sites are today’s digital version of yesterday’s cancer clusters.  They are the early warning signs that a Security Cleanup Superfund is needed.  Except that the maps we draw will have corporate names like Hannaford, Sony, Target and Lowe’s instead of geographic names like Love Canal and Lemon Lane.

We are ramping up quickly to build the Internet of Things according to the same old template.  We hear about a new “smart” version of an ordinary device just about every day.  Just as rapidly we hear about these same devices being hacked, or that the security is so bad that no hacking is required.  Since the prevailing model is that the devices are modern Trojan Horses, built first as a portal to your most intimate data and second with the functionality for which you bought it, they represent simultaneously our greatest opportunity and our greatest threat on the network to date.

So when I write about false parallels between the worlds of atoms and bits, or the need to build privacy-protecting or privacy-enhancing architectures, I feel a sense of urgency.  I am very aware that the work underway at IIW, NSTIC, OIX and elsewhere in the Identity world potentially powers the world of tomorrow.  As Dave Birch says, identity is the new money.

But I’m also keenly aware that identity can be turned into a weapon.  I’m generally lonely in that view but the Gamergaters have demonstrated how effective even a small amount of identity information can be as a weapon.  People are taking notice.  If we embark to build Personal Clouds using the same template we’ve always used, if we assume that privacy and security are legal and policy rather than technical problems, if the individual does not have sovereign ownership of their personal data, then we might as well be honest about what it is we are building.  Research into personal data technologies without design goals of privacy, sovereignty and agency, and lacking state of the art security controls would be a digital Manhattan Project.  The commercially successful implementation of such a security-free Personal Cloud would be Cyberspace’s atomic bomb, capable of devastating millions of lives at one shot.

So, yeah, identity is the new money.  We definitely need to figure out the functionality of identity and the benefits it will bring to the digital world.  But the systems must be designed first for security, privacy, and personal sovereignty because it is from these attributes that functionality arises, not the other way around.

The latest malvertising incident and why you should care

Today’s news from Net-Security.org is that newly discovered malware was found on Google’s ad network and its purpose is to hijack your router’s DNS settings, causing all devices behind your firewall to use poisoned DNS resolvers. That means even if *you* run NoScript, AdBlockPlus, HTTPS Everywhere, Ghostery, antivirus and avoid sketchy sites, a visitor on your guest network or even some anonymous neighbor leeching off your wireless signal can compromise your router.

Awesome.

Article: Attackers change home routers’ DNS settings via malicious code injected in ads

If all my ads were not so personalized and relevant, I’d be upset about this. But it’s SO worth it, right?

The funny thing is that the attackers have FAR more privileged access to your device and your data than do the malvertisers and yet so far they just want to take over your device and empty your bank account. If the attackers ever decide to go after your *data* they’ll not only find out your daughter is pregnant before you do, they’ll make her pay $100 to not tell you about it. Then you get an email asking what your conservative employer might think of your risque purchase history. They clean out your bank account and ruin you, it’s a 1-time profit. But if they blackmail you with your data they get a long-term income stream. They get a pension fund. Forget about calf-cow relationships. Start thinking ant-aphid.

But we’re good because there are lines – somewhere – that even creepy, invasive, malvertising adtech won’t cross and that will stop the spread of cybercrime over advertising infrastructure. Right? We’re good because the adtech industry is hard at work distancing themselves from organized crime and building security, accountability and user choice into the advertising system.

“Wake up T.Rob, you’re daydreaming again!”

Oh, right. I live in Bizarro World where adtech doesn’t acknowledge any responsibility for building the rails malware rides in on. They would side with us in our battle against organized cybercrime, except they are too busy making advertising even more invasive: Targeted Online Marketing Got Creepier Again!

Note the exclamation point at the end.  Almost seems like the author is excited about this in a good way.  In fact, that’s the case.

So if you think of it – yes, it is very creepy. It goes to the extent that marketers will start knowing more about you than you do yourself.

But on the other hand we think it’s a great step forward. First of all it means that marketers are interested in finding out what we want to be offered. They are actually listening to us. Secondly this also means more targeted communications. Instead of being bombarded with advertisements you have zero interest in, you may find that eventually you start enjoy advertising as it fits seamlessly into what you are looking for.

But the Adtech folks aren’t stopping with impressively better tech, they are hitting new efficiency levels as well, as noted in Obama-Grade Ad Tech Coming to a Local Campaign Near You. “It’s been a challenge for even mid-range campaigns to be able to afford these online advertising capabilities. Today, it doesn’t matter if you’re running for city council or congress, because now you can reach voters in one of the most effective ways possible regardless of your campaign budget.”

Or if you go to Ad:Tech NYC next week, you can learn about the new frontier of tracking consumers offline in Behavioral Breadcrumbs: New Tools to Read Digital Signals:

Most traditional digital tracking and measurement only works as long as a consumer sits in front of a browser. What happens when they disconnect? A new breed of technologies helps extend scalable insight into consumer behaviors beyond the screen. From RFID to Wifi to optical tracking, this panel will discuss methods that identify consumer behaviors, help test and ultimately measure.

Key Takeaways:

  1. Market to consumers using signals they’re pushing.
  2. Track behaviors using consumer signals.
  3. Create a type of interactivity and measurability in your campaigns.

I’m sorry, but I’m not PUSHING signal to your RFID reader, WiFi access point, or optical recognition tracker.

If you want to know what consumers pushing signals looks like, go talk to the folks at Customer Commons, whose QR-coded badges broadcast the intention to not be tracked in exactly these ways.  Does your optical tracker honor these signals?  I’m guessing not.

If you want to know what consumers pushing signals looks like, talk to the Respect Network who are building a platform specifically to exchange user-generated signal with marketers and businesses.

If you want to know what consumers pushing signals looks like, talk to me or my colleagues at Qredo who are building out the world’s first and best fully-encrypted, end-to-end communications and Personal Cloud platform that is mutually authenticated at the endpoints and yet the data and metadata are completely anonymous in the cloud servers.  We’re all about quality signal.

Most of all, if you want to know what consumers pushing signals looks like, read The Intention Economy.  Here’s a hint: when we customers push signals, it’s intentional, deliberate, and we like you for receiving them. If you have to hunt for the signal, if we don’t like that you received it, if stealth is involved, if it feels at all creepy to any of the participants, it probably isn’t being pushed.

I’m not going to reach anyone who honestly believes that signals received over passive RFID scans, Wifi hotspot scanning, and optical recognition tracking are being “pushed” by consumers.  However, there must be some marketing and advertising people who realize how incredibly wrong that characterization is and why.  To those people I plead: please side with the consumers against organized cybercrime.  Quit acting as the R&D arm of cybercrime who watch you lay the tracks, then ride them direct to your audience, poisoning the well for all involved.

We are on the verge of computerizing the consumer side of commerce.  When we computerized the supply side 30 or so years ago, it transformed the world.  But the consumer side is much larger and the transformation potentially that much richer.  Consumers want to build systems that send you signal.  Stop trying to sneak in and steal it and just partner with us.  Once we have some trust and accountability between us, organized cybercrime will have to do their own R&D.  And if you are wondering how to make those connections you’re in luck.  The next Internet Identity Workshop is next week.  The place is practically littered with common ground for us to meet on.

Marketers and advertisers, now you get to choose who you want to work with and for.  The customers, entrepreneurs, and identity geeks in the VRM community at IIW?  Or organized cybercrime?  Choose wisely because you’re running out of Mulligans on these compromised ad networks.

Webinar: Security Defenses that Withstand the Test of Time

Please join AJ Aronoff and me for a Prolifics webinar: IIB: Security Defenses that Withstand the Test of Time

For the last 7 years my security focus has mainly been intrusion prevention.  That’s all the controls you use to keep unauthorized people out of the messaging network.  I’m happy to report that things have improved on that front.  IBM has greatly improved the software and customers are enabling the security controls in record numbers.  (Not that the secured systems are yet in the majority, but it’s MUCH better than before.)

Unfortunately, intrusion prevention is only one part of the story.  A comprehensive security design also includes intrusion detection, forensic capability and incident recovery.  One reason that these are needed is that the state of the art is a moving target.  Attack technology always gets better, defensive technology moves to keep up or stay ahead.  Over time the configuration you implement today gets weaker as the state of the art continues to advance.

This webinar will focus less on the specific controls and more on how to maintain security effectiveness over time.  We will be addressing IBM Information Broker (the software formerly known as WebSphere Message Broker) but since it is built on top of WebSphere MQ the content will also be useful for WMQ admins who do not have IIB.  I hope to “see” you there!

Many thanks to my friends at Prolifics for sponsoring the webinar.

Do We Need an Alternative to HTTPS and TLS?

“Do We Need an Alternative to HTTPS and TLS?”  This question came up in the Personal Clouds list recently.  Thanks to the well publicized problems with Certificate Authorities, variations on this question are a common theme among many of the communities in which I participate.  The CA has become the whipping boy for all the ills of authentication and network security.  Let’s just get rid of it, right?  It’s not that simple.

My RBAC Manifesto

No one component taken out of context makes the Personal Cloud.

I’ve been following the Role Based Access Control thread on the Personal Clouds List and just sort of biting my tongue so as not to sidetrack any productive discussion there.  However, I cringe every time a new email comes out comparing Clique Space to RBAC.  One is a model, one is an implementation.  To compare them is like saying “China is not capitalism.”

I have issues on several levels with the whole discussion.  First, I believe that Role Based Access Control will be essential to the Personal Cloud architecture.  With all of the different functions proposed for Personal Cloud, it doesn’t seem scalable with the other types of access control.  Furthermore, there is no “personal cloud” if all the parts of it are developed in a vacuum.  Even though your component of the Personal Cloud may be simple enough to not require RBAC, how will it fit into the greater architecture?  For example, a smart light switch may have one role – either you can access it or not.  That’s a use case that screams out for simple Access Control Lists right up until you try to integrate it into a larger home automation system.  It isn’t so much that the switch now needs roles, but rather that the ability to manipulate or inquire on the switch from within the home automation system is itself a role of that larger system.  So as a designer the question becomes: In a larger cloud context where the owner manages using RBAC, do you want your device or component to be the only thing that requires the homeowner to program specific Access Control Lists?  How user friendly is that?

My answer to this is that as designers we need to recognize up front that the complexity of the Personal Cloud requires something more manageable than individual access control lists and then design our components to live in that greater context.

Duking it out with miicard

In my never-ending quest to make the world make sense, I have turned my attention to miicard.com once again.  They are pretty good, use HTTPS where it counts, don’t email my stored password around, and I even let them verify bank accounts.  But they are not without some issues.  In the interest of cutting to the chase, I’ve emailed James Varga (CEO) & Stuart Fraser (CTO) links to this post.

Minimal web security recommendations

For many years now, I have made an effort to contact owners of unsecure web sites and attempt to persuade them to fix the sites.  Lately as I have become increasingly involved with the Personal Clouds and Vendor Relationship Management communities, I have found many unsecure web sites within that community.  These communities are relatively new, fast growing and potentially transformative of Internet commerce and culture at large, so it’s important that security does not become a choke point for growth.  It is also my contention that the consolidation of one’s information into a personal cloud results in greater risk and therefore requires consistently strong and effective security design.  With this in mind, I offer my minimal list of requirements for any non-trivial web site.
