Network Security Blog

I’m mildly annoyed, but I find it hard to get too worked up over this issue: Jim Brady from WashingtonPost.com wants to know who the people are who are leaving comments on his site. He wants to know who the real person is making comments, not so he can track them, but so that he can make them accountable for their comments. That’s a laudable goal, but does this guy really have any idea how the Internet works?

Mr. Brady laments the fact that people are as anonymous as they want to be on the Internet and that the people who comment on his site are leaving nasty, bitter, derisive comments. He wants to have some sort of tracking system where he can positively identify everyone who comments on his site and block the problem children. As he sees it, this sort of accountability is the only way to ‘raise the level of discourse’ on his site. As if accountability would somehow accomplish this goal. Does he understand human psychology any better than he understands the Internet?

This isn’t a privacy issue; without major changes to the Internet, Mr. Brady’s wish is never going to become a reality. There are too many built in safeguards and too much complexity on the Internet to make positive identification of his commenters a reality any time soon. The WashingtonPost.com site has already experimented with blocking IP blocks and found that’s a good way to block large chunks of the Internet from his site. They’re experimenting with other technologies, but that’s not enough for him. I wonder if they’re looking at OpenID at all to solve his problems.

Online identity is a huge issue, one that’s not going to be solved because some editor wants track his commenters, even if it is the Washington Post. Mr. Brady has bigger problems though. First, he obviously doesn’t understand the Internet if he thinks there’s much possibility of reliably tracking users on the Internet. Anyone with even a modicum of computer knowledge could probably find a way around any tracking technology the Post puts in place. Even if they can’t, I’d be willing to bet there’d be a Firefox plugin or other application that gets around the technology. Oh, wait, we already have BugMeNot.

The second problem is that Mr. Brady is trying to solve a social issue with technology. This is the same trap we often fall into as security practitioners, trying to solve a people problem with more applications. And he’ll probably find out the same thing we keep finding over and over: technology fixes for people problems don’t work. People are going to find ways around the technology if it’s stopping them from doing what they want, period. If someone wants to be anonymous, they’ll find a way. We’ve found that with almost every technology that’s ever been used to secure a corporation. You put a block on a website, your users find a proxy. You try to keep users from installing software, they find a friend in IT to help them. They will find a way around technology if it gets between them and what they need/want to do. The technology is just a speed bump, and its an annoying one at that.

The real problem for WashingtonPost.com is that it takes people engaged with their readers to deal with this problem. It requires having someone monitoring the comments, deleting inappropriate posts and replying to the ones that are appropriate. He’s not going to get his tracking mechanism any time soon and rather than lament the lack of accountability, he needs to understand the real problem and deal with it as a human issue. People have been commenting anonymously to newspapers for as long as they’ve existed. How many of the letters the Post gets on a weekly basis have no return address and no indication of who sent them? The difference between the real world and the virtual one is that the editor has to consciously pick which comments get printed in the paper. That same power exists in the virtual world, it just takes human interaction in the form of comment moderation. Funny to think that the more things change, the more they stay the same.

It’s pretty certain that WashingtonPost.com is spending a fair amount of money on technologies to combat aggressive, insulting commenters on their site. They’re probably spending more on technologies and the people managing them then it would cost to hire one or more people to be responsible for moderating the comments. It’s easier to ask for the money to purchase a magic technology that will solve a problem than it is to ask for more people to get actively engaged. After all, technologies have a very clear cut reason for existing where as people have all these nasty issues that come with them, like personalities and mistakes. But if you want to solve a people problem, only people can deal with it.

By the way, does anyone really believe the Washington Post and other sites wouldn’t use all the identity information they collect for marketing if Jim Brady had his way? Me neither.

It’s been a little while since Captain Privacy donned his uniform, and now it’s got a star instead of two gold bars; he’s been promoted to General Privacy by his friends in the Security Catalysts Community. Seriously though, I’d stopped writing about privacy issues as much since I was getting a little bit of a reputation for being a privacy nut. Maybe it was deserved, maybe not, I’ll let you be the judge of that.

One thing I’ve said many times in my writing and podcasting is that I don’t have a problem with the police, the FBI or even the White House getting access to my personal information. I believe that law enforcement has a vital, legitimate need to access personal information and to sometimes snoop on our conversations. My conversations usually happen pretty publicly, so they won’t learn much; the bad guys aren’t nearly as accommodating as I am, so the cops need to resort to wiretaps. And I’m okay with that, there’s just one thing I want to see as part of the process and that’s judicial oversight. And apparently I’m not the only one, since the New Jersey Supreme Court unanimously ruled that NJ cops need a subpoena and need to notify the target when they go after private electronic information.

Why am I such a strident defender of oversight? I’m a paid paranoid, I spend my days trying to think of how the bad guys are going to abuse the systems to get a little bit of profit. I hear about, read about, talk about people who abuse the system regularly to get profit, revenge, curiosity or plain stupidity. Some times it’s really as easy as greed, but sometimes there are more complex emotions in play. The end result is that systems get abused and we end up paying as a society in the form of lost money, lost credit cards or lost personal information. Oversight is one way to prevent these sorts of abuses from happening; a person who knows they’re being watched is less likely to commit the crime in the first place.

If you think cops are any better than the greater population, think again. They’re human, they make mistakes, they succumb to temptation. I’ve read several times that the personality profiles of cops and robbers are only separated by a few degrees, and it’s a law enforcement officer’s respect for the law that separates him from the criminals. If law enforcement officers didn’t occasionally step over the line, there’d be no need for Internal Affairs departments, would there?

We need to have judicial oversight of the police, the FBI and the CIA to make sure that members of our law enforcement agencies don’t abuse their powers. Whether by design or by mistake, people will succumb to the temptation to abuse the power of their position. I don’t believe the judiciary is there to punish law enforcement agent when they do step over the line, it’s there to draw boundaries around what is and is not acceptable use of the power to look at personal information. The judiciary is the branch of government that exists to create the lines so that we can live in a free and open society. It’s one of the paradoxes of a free and open society that you need rules and boundaries to be free and open.

We’ve drifted into a societal attitude over the last seven years where it’s more important to catch the ‘terrorists’, who ever they are, than to respect the rights of the average citizen. Never mind that the idea of ‘terrorist’ is so ill defined that almost anyone who harbors any ill will towards a group could be branded as such. It’s the fact that the goal, perfect safety for everyone, has become more important than the means, which right now is often spying on American citizens. I think it’s time for the pendulum to start swinging the other way; we need to realize that the trade off for safety has been some of our fundamental freedoms. We can’t let law enforcement of any stripe just spy on anyone and everyone in the name of catching ‘terrorists’ or ‘criminals’.

New Jersey is one of the first states in quite some time to realize that the laws we have currently don’t have direct correlations when you try to apply them to cyberspace. A law that talks about reading someone’s snail mail doesn’t exactly translate well when you’re talking about email. And since it’s open to interpretation, it’s often been interpreted to be in favor of law enforcement. After all, it’s not really your email when it’s sitting on your ISP’s servers, is it? And it’s for law enforcement to help them catch crooks, so it’s okay, isn’t it? It depends on so many circumstances and that’s why we need the judiciary to draw boundaries for law enforcement and for citizens.

I guess my inner privacy geek has been wanting to get out a little more than I realized. All I really want is a little balance, but if you’ve got law enforcement or the Executive Branch calling all the shots without judicial oversight, it’s one-sided, there is no balance. In the computer security arena, the balance is between security and usability or business need in most cases. It’s great to be secure, but if you can’t use your systems or make a profit, it’s of absolutely no use. In a society it’s a balance between security and being able to live a enjoyable, prosperous (profitable?) life; if you can’t live that life because the cost of security is too high, it’s not worth the trade off. You need to be secure, but you also need to be able to live your own life.

I’ll have to show my friend John this one and hope he doesn’t bring the Google car back around for a more in depth picture taking experience.  Of course, the post linking to pictures of John with the Googlemobile was one of those I lost , so here are the pictures  (1, 2, 3).  If this doesn’t make you think twice about your privacy, nothing will.

One of the basic tenets I’ve been living with for a while is if it’s online, it’s public.  I consider everything I write online to be available to the public, whether it’s something I blog about, something I write on a closed mailing list or something I put on a social networking site.  Most people don’t realize how true that really is and that their data is only a couple of lines of code from being posted all over the Internet at the best of times.  Half a million MySpace users found out this week exactly how true that is; the photos they considered private were recently placed online in a 17 Gb file. 

One of the things I find mildly surprising is that creator of the file, DMaul, says he hasn’t found any photos that we’re “obviously illegal”.  I guess that means the folks doing bad things on the Internet are smart enough not to place photographic proof on a social networking site.  The good news is even if your pictures were amongst those downloaded, the sheer size of the file is enough to keep most people from downloading it.  Someone might index the files and place them in an online database though, which would make things interesting again.

The average end user thinks their information is safe with their social media company, if they think about it at all.  But this isn’t the case, whether due to a vulnerability similar to what MySpace suffered or a business model that makes your private information a commodity like Facebook’s Beacon.   This is a lesson we’ll have to teach our friends and end users, along with others like “never accept links from a stranger” and “don’t open unknown files”.

Dan Goodin was at the Fortify documentary earlier this week and draws some of the same conclusions I do about the loss of JC Penney’s customer data.  And more importantly, he actually knows the names of the players, something I’m terrible at remembering.

NotEnough commented on my earlier post that GE Money is offering a year’s credit monitoring for those affected, which he says is not long enough.  He’s specifically talking about SSN’s, which don’t have a expiration date, can be set aside for a year or two and used to commit identity fraud when no one’s actively looking for that data set anymore.  This is part of why statistical correlation between a specific breach and identity theft is so hard.  I’d like to see if anyone has done an academic survey of the difference in level of identity theft in populations that have been victims of a breach and the general population, specifically over the long term.  

It’s becoming more obvious to me that despite many companies best efforts, my data is going to be at risk at some point in my lifetime.  That feels cynical, but as a security professional, I know it’s just realistic.  There are too many places that my data is being stored, too many connections being made, too many possible points of failure in the systems.  I’ve never been a big fan of paying a monthly fee to make sure my credit is safe, but given that my information may already be a commodity somewhere in cyberspace (or Russia), a small inconvenience and a few dollars a month might not be a bad price to pay for peace of mind.  Corporate America obviously can’t keep my data and credit safe, so it’s up to me to take steps of my own.

Rich Mogull recently switched to Debix and I’ll get him to talk about why and what they offer on the next podcast.  At this point, I’m not even sure what the proper questions are to ask when choosing a credit protection service, but I’m sure Rich’ll help me understand.  I already know I’m not going to choose LifeLock, but I am interested in knowing what other solutions are out there.  I want something I can live with long term, especially since the problem isn’t going to go away any time soon.

Technorati Tags: security, McKeay, JC Penney, identity theft

I’ve mentioned once or twice before that I use Firefox with the NoScript plugin.  I take into account that many sites need to run a few scripts to run properly, and I’ll even allow for one or two more if I want to watch a video.  But I have never run into such an overbearing number of scripts that need to be enabled as when I tried to see a video on the basics of Data Portability.  If it was only three or four scripts that I needed to allow to use this site, I’d consider it.  But this ReadWriteWeb needs 11 different scripts from different sites before it’ll run properly.  Or so I assume, since I’m stopping at even temporarily allowing half that number.

I’m interested in learning more about data portability, just not at the expense of giving up that much my information.  All those tracking/analytic scripts make me feel like they’ve got a microscope on me when I visit the site.  Too bad, since the article makes the video seem worth watching.

Oh yes, these are the people I want to trust with unlimited access to my communications, a bunch of FBI offices that can’t even pay their wiretapping bills on time.  If the FBI has troubles figuring out which accounts bills are being paid from, how can we expect them to even know if they’re watching the right people?  And even if they are tapping the right phones, can they be trusted to keep that information safe once they have it?  I guess I’ll just have to add this to the long list of reasons why wholesale wiretapping by the government is a bad idea.  Item #43:  Can’t pay the bills.

Rich’s latest post hits one of my pet peeves right on the head:  Credit card fraud is not identity theft.  Even in the security industry we tend to use the two terms interchangeably, but they’re really not all that closely related.  Credit card fraud is a serious, and growing, concern, but for the victim it’s nothing compared to having your identity stolen.  In fact, many of us have probably already been victims of credit card fraud and didn’t even know it; most of the banks and credit card processors have enough processes in place to catch unusual transactions on your account and put a halt on them before you ever see them on your bill.  After all, it’s much better for them to take the hit and transfer the liability back to the merchant than it is to annoy a customer with bills that are bogus.  You did know that credit card fraud gets charged back to the merchant, didn’t you?  The logic is that they should have caught the fraudulent transaction rather than letting it pass.

The closest I’ve come to identity theft myself was someone in Los Angeles who was using my social security number to get a job over a decade ago.  I had some ’splaining to do with the IRS, but the person had been nice enough to not try using my SSN to get credit or buy a house.  It was relatively easy to deal with, though I have a sneaking suspicion that there was an employer in SoCal who had a lot more explaining to do than I did. 

If your at all worried about identity theft, and you probably should be, make sure to run your annual free credit reports at the very least.  Or take a look at the ID Theft Secrets Blog and follow the steps they outlined just a few days ago.  You might just cut down on your junk mail some too if you opt out of all those pre-approved credit card applications.

A friend of mine, Jeremiah Owyang, finally managed to bully me into signing up for Facebook.  Some of the privacy concerns I would express to the average Internet user don’t really apply to me, since so much of my life is already on the blog for everyone to see, so I figured something like Facebook couldn’t be that much more of an invasion of privacy.  I’ve made about 20 people my friends in Facebook, mostly by looking at some of their profiles and adding people I already know, but I’ve had a couple people add me as friends who I barely know. 

Of course, since I signed up on Wednesday, the source code for Facebook was leaked by the weekend.  It looks like it was a simple case of human error, but if your an intensive Facebook user, this might be enough to give you a little pause.  As I said, I’m not putting anything there that I haven’t already put somewhere else, but if you’re like a lot of users, you put your whole life up for your friends to see.  And if Facebook has another human error incident, it could be your home address or embarrassing posts that are exposed next time.

Always assume that everything you put online is viewable by everyone, not just your friends, and act accordingly.  It’s better to have your friends have to IM you to ask for your phone number than to put it out where every crackpot in the world could see it, despite the best policies and intentions. 

If you think I’m a paranoid, privacy nut, then you won’t want to watch this flash animation by Mark Fiore.  But if you think that there’s even a possibility that the federal government may have gone over the edge with recent legislative acts giving the NSA and White House expanded domestic spying rights, you’ll think this is hilarious in a scary sort of way.