Monthly Archives: May 2009

Sauce for the gander

It seems having the same sauce for the gander as the goose is ruffling some feathers at the U. of Chicago:

A group of University of Chicago students think it’s time the campus focused more on its men.

A third-year student from Lake Bluff has formed Men in Power, a student organization that promises to help men get ahead professionally. But the group’s emergence has been controversial, with some critics charging that its premise is misogynistic.

Others say it’s about time men are championed, noting that recent job losses hit men harder and that women earn far more bachelor’s and master’s degrees than do men.

I suspect this may be more attention seeking than anything else. But it does raise an interesting question: why is some gender disparity more problematic than others? Why is the dominance of men in the IT field worthy of efforts to rectify when a similar disparity in the fields of education and health care is not?

In the same article:

The group’s birth comes at a time when the recessionary ax has fallen especially hard on men. In April, the national unemployment rate for men was 10 percent compared with 7.6 percent for women, said Mark Perry, an economist at the University of Michigan in Flint.

That gap is an “all-time historical high,” said Perry, who attributed it in part to a loss of jobs in male-dominated fields such as manufacturing and construction.

At the same time, he noted, women today hold about three out of the four jobs in education and health care — both stable or expanding job fields.

Future employment is also an issue, some experts say. Since 1981, women have collected 135 for every 100 bachelor’s degrees awarded to men, according to Perry. The gap is even wider at the master’s level, with women trumping men 150 to 100, he said.

[Update] I didn’t notice at first, but the Mark Perry quoted in the article is the same Mark Perry of the Carpe Diem blog. That is one of the finest blogs out there if you want a different slant on how the economy works. It is well worth checking out.

IdM Integration

Mark Diodati has this article about what he terms Identity 2.0. While I agree with his assessment that much of IdM seems frozen in time, I’m not sure I really agree with what he considers the new identity management. ESSO, for instance, is something I can’t really say has changed a whole lot in the last five years.

But Mark makes a great point about integration in IdM:

For example, organizations are integrating enterprise SSO with provisioning and strong authentication products to improve application security. Provisioning products provide better security because they can change passwords more frequently in both the target application and the user’s enterprise SSO wallet. Strong authentication systems (like OTPs) solve the “keys to the kingdom” problem — eliminating weak password-based authentication, which enables access to many applications.

Meanwhile, WAM and federation products are “best friends forever” because neither product provides the complete security package for Web applications, but when combined, work synergistically. WAM provides the authorization and session management, while federation provides the enterprise-to-enterprise (E2E) SSO functionality.

Another trend in the enterprise is the coupling of provisioning and strong authentication systems (e.g., OTP or smart card). When integrated, the provisioning system can manage most aspects of the authentication device. Two benefits are the elimination of near-duplicative identity management processes and timelier identity lifecycle management, which becomes especially important when employees are terminated.

Cheap and easy

Mark Dixon has an excellent point in this post on why we still use passwords:

It was ease of use, not a technology-driven obsession with safety, that led to wide adoption of the seat belt.

I think we face the same thing with passwords. Intellectually, it is simple to understand why we should get rid of passwords. However, in practice, widespread adoption will be triggered more by ease of use than perception of safety. When an easier method for authentication emerges, people will adopt it – not because it is safer, but because it is easier. If that easier method is also more secure, voila! We will have achieved our desired result.

While I agree with Mark’s point, there is an important distinction that is not getting made in this discussion: the difference between personal and professional accounts. And this distinction goes right to the heart of Mark’s argument.

For personal accounts (for example your Facebook, Yahoo, LinkedIn, or Twitter account) ease of use is the single biggest driver. People will not, in general, use another authentication technique that isn’t as easy as passwords. Actually it has to be easier than passwords by an order of magnitude or it won’t displace the incumbent technology. It also has to be understandable to the average user so they believe that it really is secure (one could argue this is really just another aspect of ease of use). Try explaining client certificate authentication to your grandmother if you don’t believe me.

Also, the sensitivity of the account really makes little difference. Most users won’t treat their on-line banking account any differently than their Facebook account. Bank of America offers a SecurID option for their on-line banking. That should be a no-brainer, right? I don’t have any numbers, but I would be shocked if they were getting anywhere north of 1% adoption of SecurID by their customers.

For professional accounts (your PC, enterprise resources, or hosted service account) ease of use is not the primary driver; cost is. Cost is understood by most enterprises to mean the monetary cost of your credential plus the measurable cost to support you using it. I used the word “measurable” for a reason. Most companies don’t care how hard it is for you to understand and use a specific authentication mechanism if you are a salaried employee. That cost is hidden to them. On the other hand, the cost to the company for you to call the help desk if you have an authentication problem is measurable and tracked, along with the cost to issue new credentials when needed.

For both personal and professional accounts, passwords rule the roost because they are easy to use, cheap to deploy, cheap to support, and easy to understand.

But if an authentication mechanism becomes popular that is cheap to deploy and support, it may have a chance to displace passwords for professional accounts.

Nor anywhere else for that matter

Phil Windley has this interesting post on Cloud Security. There are a lot of good thoughts here, but this one stood out:

Host intrusion detection systems (HIDS) work fine on cloud infrastructure, but are hard to do at higher levels of the stack. Network intrusion detection systems (NIDS) are impossible to do at most providers. The traditional notion of “perimeter” is not necessarily available in the cloud.

Nor anywhere else for that matter, I would add. No notion is more irrelevant today than perimeter security, yet it continues to be the cornerstone of many organizations’ strategy. I always suggest keeping the perimeter in place but securing everything behind it as if it doesn’t exist.

Two years in jail for blogging harsh criticism?

Eugene Volokh blows the whistle on what had been an under-the-radar move to ban cyber-bullying. Unfortunately this effort could also be used to jail bloggers and Twitter users who are less than polite. From the Volokh Conspiracy Blog:

Federal Felony To Use Blogs, the Web, Etc. To Cause Substantial Emotional Distress Through “Severe, Repeated, and Hostile” Speech?

That’s what a House of Representatives bill, proposed by Rep. Linda T. Sanchez and 14 others, would do. Here’s the relevant text:

Whoever transmits in interstate or foreign commerce any communication, with the intent to coerce, intimidate, harass, or cause substantial emotional distress to a person, using electronic means to support severe, repeated, and hostile behavior, shall be fined under this title or imprisoned not more than two years, or both….

[“Communication”] means the electronic transmission, between or among points specified by the user, of information of the user’s choosing, without change in the form or content of the information as sent and received; …

[“Electronic means”] means any equipment dependent on electrical power to access an information service, including email, instant messaging, blogs, websites, telephones, and text messages.

“Severe, repeated, and hostile” sounds like half the stuff you see on the internet. I doubt that this bill would pass constitutional muster. But if it did, the ramifications are rather frightening.

Ars Technica has an excellent article on the subject here.

And what would any censorship effort be without the requisite mainstream media cheerleading? You can find that here.

The accidental identity thief

When is identity theft not identity theft? According to the Supreme Court, it’s when there is no intent to steal a specific person’s identity. See this Wired article:

A unanimous Supreme Court ruled Monday the government has been overstepping the boundaries of identity theft legislation when targeting immigrants who use phony citizenship documents to acquire jobs.

The 2004 legislation, which typically carries a two-year maximum term, has also been threatened against illegal immigrants in exchange for them agreeing to be deported, like the 400 illegal immigrants working under false pretenses at an Iowa meatpacking plant last year.

The justices said that the government, in order to prove such charges, must demonstrate that a defendant “knowingly” hijacked the identity of somebody else. In the case before the justices, an Illinois illegal immigrant steelworker was charged under the statute after submitting a fake Social Security number that, without the worker’s knowledge, happened to match a real number.

Jeff’s OpenID account gets hacked

No, not me (at least not me so far as I know). The Jeff in question is Jeff Atwood of the Coding Horror blog (one of my favorite dev blogs). Jeff relates how his OpenID account was hacked here and here. It’s fascinating reading, especially because the hacker was of the friendly sort who apparently just did it to point out the vulnerability.

The hacker was able to obtain the unsalted hash of Jeff’s password from a different site. He then looked up that password using one of the reverse hash web sites available. He then guessed Jeff’s OpenID provider and tried the password there. Since Jeff had used the same password in both places, the hacker was able to log into OpenID and impersonate Jeff at Jeff’s StackOverflow web site, which depends on OpenID.

Here is an interesting question: is it dangerous to reveal your preferred choice of OpenID provider? I suspect there is nothing dangerous about it, given people’s propensity to flock to one of the big players anyway. Even if there are a plethora of OPs, the bad guys will just script a solution that tries a list of known OPs until a hit is made.

A good question indeed

Mark Dixon responds to this Dave Kearns article comparing passwords to buggy whips by posing a very good question:

The big question is, “Replace username/password with what?”

I personally like the use of secure certificates, as illustrated in Henry Story’s use of certificates in his demonstration iPhone app I blogged about recently. However, the mechanism for distributing, installing and managing such credentials for ordinary computer users seems like a daunting task. I also personally like the Information Card concept, at least for the conceptual metaphor it uses. But that isn’t a raging success and this technique is certainly burdened by its own challenges.

This is a question that is not asked enough, much less sufficiently answered. All of the competing approaches suffer from drawbacks that make them less acceptable in many cases.

Like Mark, I also think highly of certificates as the solution. But there are significant lifecycle deployment issues that are too daunting for most users. There is also another issue that does not get enough attention: physical security. When using a certificate you are really dependent on the physical security of the container holding the private key. If it’s a smart phone in your possession, great. If it’s a laptop in your possession, also great. If it’s a beige box sitting unsecured in your cubicle while you are at lunch, not so great.

Information Cards are a good solution, but also suffer from the same physical security issues. Of course the card can be PIN protected, but a PIN is really just another password (albeit a local one) and now you get into some of the same issues as with passwords, for example the PIN for less frequently used cards written on a yellow sticky note attached to the monitor.

Biometrics is a hot area of research now. It seems every week some new breakthrough in earlobe recognition or some other phrenological magic is announced. But as of yet there are just too many problems with biometrics to displace passwords.

If cost is no issue OTP devices are a great way to go. But cost is always an issue.

Password authentication is like an impressionistic painting. The farther you move away from it, the better it starts to look.

The Voltron Flim-Flam

I love the term “Voltron Flim-Flam” that Jon Stokes coins in this Ars Technica article about massive privacy-invading data collection efforts that just won’t die:

The story goes something like this: elements in the government become convinced of the (mistaken) proposition that if they can just build a big enough database to suck up all the digital data that citizens generate about themselves online, then they can use data mining technologies to spot bad guy plots and disrupt them before they come to fruition. So they set out to build such a giant database, until some enterprising reporters uncover the project and reveal its existence to the public. Public outrage and government inquiry ensue and the database project is shut down. Except that it isn’t shut down; it still goes on under another name, until it’s uncovered again a few years later and the whole outrage-inquiry-“shutdown” farce repeats.

So it was with home secretary Jacqui Smith’s apparent capitulation to privacy advocates, in which she said that the UK’s spy center would shut down its £1 billion Mastering the Internet (MTI) project, which had the ambitious goal of storing all British electronic communications, from phone conversations to website visits. Except that she didn’t shut it down… or at least, not really.

And here we come to a familiar variant on the basic plot outlined above, a variant that I’ve now dubbed the Voltron Flim-flam, which goes like this: because one giant, centralized database is politically untenable, you make multiple databases in different places and link them to a single front-end via a federated query service, so that they function together exactly like one giant database. The US most recently pulled this trick with Real ID, and it turns out that this is what the UK did with MTI.

[Emphasis added]

Why is the siren song of massive data collection so irresistible to the governments of nominally free societies?

Jurisdiction matters further

I wrote here about how legal jurisdiction affects privacy. Tim Cole writes here about how the EU Data Protection Directive affects cloud services:

Recently, at a press briefing by German IBM boss Stefan Jetter who waxed enthusiastic about Cloud Computing, an elderly journalist rose and asked him a show-stopper: “Where are my data when they’re out there in the Cloud?” Jetter did a double take, but my colleague pressed on: “I mean, physically, where are they?”

Of course, the answer is: On some nameless server somewhere, anywhere in a grid farm in Ohio or Dublin or… In fact, the usual answer is: Who cares?

Well, for one, the German privacy protection agencies. Passing data across national boundaries can be a federal offense not only here. The EU Data Protection Directive (officially Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data) mandates that personal data may only be transferred to third countries if that country provides an adequate level of protection – something the U.S., just to name one, does not, at least not according to European standards, especially since foreigners do not benefit from the US Privacy Act of 1974.

This could well be a problem for smaller cloud businesses that don’t have an EU hosting center. It means that they not only couldn’t serve EU-based customers if their service included personal data, they also couldn’t serve multinational companies that had employees in the EU.