1. We design only for the Lowest Common Denominator
When an account recovery loop is assembled by a service, it is the same loop regardless of who you are. Or how savvy you are. Or how likely you are to be targeted for a given threat. Why is this? Why not keep the base recovery experience as the one you get if you can barely spell computer and these password things are scary, but let people with stronger needs self-identify? Allow people to ask to jump through more hoops, to supply more, and better, information in order to receive more, and better, protection from targeted attacks? I know exactly why this kind of “better security” doesn’t happen. Because for every JLaw attack, where the security could have helped, there are 10,000 regular people who would turn on a feature like this and then get locked out of their account. There, I said it. The lowest common denominator is this: the public expects that even if they do everything wrong, even if they cannot in any reasonable or provable way identify themselves as the actual owner of the account, they should still get their data back. And the cost of dealing with those 10,000 upset locked-out people, both in PR and support terms, is very real. More real and more common than the cost associated with the relatively few who get hacked.
2. We have purposely created a Stateless Machine
When you choose to try to recover an account today, you generally do so in a vacuum. You are asked to identify yourself, and the information you give is often considered in isolation. Do these two strings representing your dog’s name and your first school match the hashed strings stored in our database? Yes? Great! Keys to the kingdom! Doesn’t matter that somebody has been trying and failing to do the same thing three times a day for the last week. No suspicion is attached to this success as the possible culmination of all those failures. This is part of why an attacker can keep calling help desks over and over until they succeed, and why they can keep using online forms over and over until they succeed. Also — see #1, whereby it isn’t that unusual for people to really fail at knowing their recovery information and to still expect success. The whole reason these systems were built to be stateless is that they were built to scale. But those requirements need to be examined. It should also be a requirement to at least try to recognize when an attacker could be systematically probing recovery systems, ranging from digital forms to help desks, maybe even in-person resources, or direct emails to IT staff.
3. We keep the User in the dark
If somebody is systematically probing at a given user’s account, don’t you think it would be valuable to tell them, so that they can try to form their own understanding of their safety? If you’ve locked yourself out of your account, I’m sure you won’t mind the notifications. And if you haven’t locked yourself out of your account, those notifications may be very important. For example, receiving a notification from every one of your email accounts and your bank in a 24 hour period is something that may not be so significant to each system, but should ring serious bells for the individual. There are programs like Shared Signals that are evolving to help with cascading identity attacks, but for now, the only person who might see the pattern is the user. And they are not involved in the process.
4. Users don’t care until it’s too late
It’s true. There are lots of optional things people could do to be safe that they never bother with. But perhaps, if there was a way to make users aware of recovery question guessing attempts against their account, users might get scared a little sooner, and carefully contemplate their options.
The WORST THING about this breach
I understand the prosaic duh moment going on where people note that the best way to not have naked pictures stolen is to not have naked pictures taken. But this should in no way mask the failure that has taken place from an implementation standpoint. We need to safely store and share sensitive things. As a society. We need to trust that accounts we create and populate with our most treasured data are not just swiss cheese for anyone willing to stalk a specific target. The old canard of “Doctor it hurts when I do this” / “then don’t do that” doesn’t help if the underlying problem is disease rather than a boo boo. This issue is not a boo boo, and turning the iPhone camera off will not prevent the spread of the disease, it just prevents one symptom from showing.
Recommendations
If the identity fairy came to visit and granted me three wishes, here is what I would wish for. These aren’t qualified recommendations in any sense — just a place to start.
- Provide options for users to customize their own recovery ritual. Include things like:
  - Turning on notifications for events like calls to the help desk or for use of the password reset form
  - Adding additional or alternate recovery steps
  - Additional identity proofing steps before help desk support will engage - like requiring a 2FA authentication before the call continues
  - Requiring that KBA answers be retired (or at least flagged for review) after a certain number of incorrect guesses
  - Turning on additional 2-factor authentication for services that may not normally be protected (see above for an example)
- Architect for recognition of accounts that self-identify (or are verified) as likely targets
  - Help Desks should be able to recognize high-fraud-risk accounts
  - Audit and accountability should be elevated
  - Work towards a point where the system figures out who the high-risk accounts are in real time
- Track the use of recovery mechanisms, and make the history available to the user.
  - How many times has a recovery question been used
  - How many times has the form been submitted with the user’s user name
  - How many times and when has the help desk been notified
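To make the stateless-machine problem (#2) and the three wishes above concrete, here is an added example that is not code from the original post: a small per-account recovery ledger that keeps history across channels, retires a KBA question after repeated wrong guesses, treats a correct answer that follows a run of failures as needing step-up rather than an immediate grant, queues a notification for the account owner on every attempt, and exposes per-channel history to the user. The class name, thresholds, channel labels and sample events are all assumptions made for illustration.

```python
from collections import Counter, defaultdict

FAIL_LIMIT = 3              # wrong guesses before a KBA question is retired (assumed)
WINDOW = 7 * 24 * 3600      # failures within a week are treated as one campaign (assumed)


class RecoveryLedger:
    """Judges each recovery attempt against the account's history, not in isolation."""

    def __init__(self):
        self.events = defaultdict(list)   # user -> [(ts, channel, question, answer_ok)]
        self.retired = set()              # (user, question) pairs no longer accepted
        self.notices = []                 # (user, message) queued for delivery to the owner

    def _failures(self, user, now, question=None):
        # Wrong answers inside WINDOW, optionally restricted to one question.
        return [e for e in self.events[user]
                if not e[3] and now - e[0] <= WINDOW
                and (question is None or e[2] == question)]

    def attempt(self, user, channel, question, answer_ok, now):
        """Return 'grant', 'step-up' or 'deny' for one attempt from any channel."""
        if (user, question) in self.retired:
            decision = "deny"        # a retired answer is no longer a credential, even if right
        elif answer_ok and self._failures(user, now):
            decision = "step-up"     # right answer after recent failures looks like a guessing run
        elif answer_ok:
            decision = "grant"
        else:
            decision = "deny"
        self.events[user].append((now, channel, question, answer_ok))
        if (len(self._failures(user, now, question)) >= FAIL_LIMIT
                and (user, question) not in self.retired):
            self.retired.add((user, question))
            self.notices.append((user, f"question '{question}' retired after repeated wrong answers"))
        self.notices.append((user, f"recovery attempt via {channel}: {decision}"))
        return decision

    def history(self, user):
        """Per-channel attempt counts, the view the account owner should be able to see."""
        return dict(Counter(e[1] for e in self.events[user]))


if __name__ == "__main__":
    day = 24 * 3600
    ledger = RecoveryLedger()
    # Constructed sample: three wrong web-form guesses on consecutive days, then a
    # correct answer to the same question given to the help desk on day four.
    for d in range(3):
        ledger.attempt("alice", "web-form", "first_school", False, d * day)
    print(ledger.attempt("alice", "help-desk", "first_school", True, 3 * day))  # deny
    print(ledger.history("alice"))
    for user, msg in ledger.notices:
        print(user, msg)
```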
- The intermediate certificate that shows up in the certificate chain given by github.com is called “DigiCert High Assurance EV CA-1”.
- It was issued Nov 9 2006, expiring Nov 9 2021.
- It has a SHA-1 fingerprint of 4A 35 8B 25 35 28 61 42 F6 0F 4E 9B 57 E2 AE 11 6D AB F0 F5.
- It was issued by a CA certificate called “DigiCert High Assurance EV Root CA” with a serial number of “08 BB B0 25 47 13 4B C9 B1 10 D7 C1 A2 12 59 C5”.
- The certificate gets a little green checkmark to say that the certificate is valid. I assume this means that the certificate passed CRL and OCSP checks.

- There is an intermediate cert on the website called “DigiCert High Assurance EV CA-1”.
- It has a SHA-1 fingerprint of DB C7 E9 0B 0D A5 D8 8A 55 35 43 0E EB 66 5D 07 78 59 E8 E8.
- It was issued Nov 9, 2007, expiring Nov 9 2021.
- It was issued by a CA certificate called “DigiCert High Assurance EV Root CA” with a serial number of “03 37 B9 28 34 7C 60 A6 AE C5 AD B1 21 7F 38 60”.
- The certificate gets a little green checkmark to say that the certificate is valid. I assume this means that the certificate passed CRL and OCSP checks.

- I get a warning about a certificate when I try to use XCode to go to github.
- When I view the certificate, the operating system pronounces the cert as “valid”.
- Neither the thumbprint nor the issuer serial number match the values advertised by DigiCert as the correct values for that intermediate CA certificate.
I received this phishing attempt a while ago – it made me smile, given that to me, the text is an obvious non sequitur. I thought the assurance at the bottom was an especially nice touch… the reply-to was constructed to look like it came from an IT guy too. The only thing that isn’t funny is the idea that not everyone can immediately see the contradiction in enrolling in order to reset your password.
- Excellent sound and picture quality everywhere.
- Control of the sound and picture from anywhere.
- No computers next to AV equipment.
- No visible wires. Anywhere.
The Details
My system works through the use of the following bits:
- Home Sharing: this is an iTunes feature that lets you broadcast music and video from an iTunes Library.
- Airplay: this is a feature of iPod/iPhone apps for music, photos, and movies that let you choose a remote output source.
- Remote: this is a free app from the app store (made by Apple) that lets you connect to and control both iTunes Libraries and devices like AppleTV.
- AppleTV: this is a device from Apple that streams audio and video from Home Sharing, Airplay, and other internet sources and outputs to HDMI and/or digital audio.
- Airport Express: this is a device from Apple that streams audio only from Home Sharing and Airplay sources using digital audio or RCA.
- All of the devices must be on the same network, and Home Sharing must be enabled with the same Apple ID. Apple sees all, would you expect anything else? Note that while Home Sharing Apple IDs must match, the Library itself can sync to the iTunes store with a different Apple ID, so this architecture does allow everyone to keep their own Apple IDs for apps etc.
- This solution only works with iTunes. If I watch a video on YouTube in my office browser, there is no way to get that sound to my office stereo (I can go to my living room and play it on the apple TV though, because the apple TV can directly stream from YouTube).
- As far as I know, there is no need for any Apple computers to use this setup. A PC running iTunes can replace either Gemini or Soyuz.
- You’ll pay as much for the Airport Express as your Apple TV even though it is lesser tech from an A/V perspective, because the Airport Express can also be configured as a wireless router.
- No proprietary cables are needed for these solutions, not that this saves you any money: the standard stuff costs a fortune. The cost of assorted speaker wire for 5.1 audio, HDMI cables, digital audio cables, and an RCA-to-mini-audio-jack collectively surpassed the cost of the Apple TV and Airport Express combined.
- You stream photos to the AppleTV, both as a screensaver and for slideshows. I have my screensaver set up to stream photos from my Favorites list in Flickr, meaning every time I add to that list, I’m enriching the photography shown on my wall while music is being played, or while AppleTV is not busy with other things.
- If I stream video from an iTunes Library, it will be from Soyuz, which is hard-wired to my wifi router. Currently my plan is to rip my DVD collection to iTunes – at that point, I won’t even need a DVD player.
- The weakest link in this whole setup is iTunes itself. Maybe one day Apple will wake up to the fact that iTunes should be a personal DJ system – allowing you to classify, organize, and moderate your media content with the most sensitive of nuances — as you’re listening, not in advance. In my opinion, they’ve put a pinto at the center of their media empire, instead of the lotus esprit that they should be capable of.
Gotta love Gizmodo, this thread on possible shenanigans with the iPhone 4 ordering process netted this gem from a commenter:
I’ve never had a Facebook account. I can be patient. But those that still trust Facebook with personal information — and haven’t bothered to examine the minutia of the site’s privacy settings — will continue to have their personal information shared with 400 million users and thousands of advertisers, data aggregators and, well, pretty much anyone else on the Internet. At least until the wheels of justice grind to conclusion…
You may not have a Facebook account – but when everybody else around you does, it’s like pulling one string out of a rug — you can still see the pattern. You’re still in the photos. Your holidays may still be announced. Your birthday may still be announced. You’re still husband of, and father to, and friend of friend for all sorts of people who will share freely about you. Perhaps you aren’t as semantically dereferenceable as you otherwise would be – but you aren’t invisible either. On the other hand, if you are ever accused of a crime, chances are that some other poor schmuck’s picture will end up on the evening news… that’s handy. One last point — Mike forgot to add governments to the list of places you are sharing your personal information with. Facebook gives governments the ability to collect and analyse the one thing that is still uncool for them to ask for – details of private lives. As long as we all remain overfed and obsessed with who won Survivor and how to get an iPad, nobody will mind that Facebook is the world’s greatest surveillance tool. I hope it stays that way for a very long time.
Joe Baguley from Quest put me onto this HYSTERICAL clip from a UK comedy radio duo on Identity Theft. It highlights the culpability question brilliantly:
Update: This one’s fantastic too, the “Identity Killer”: http://www.youtube.com/watch?v=20bpV50uZ5Y
Microsoft announced last Tuesday that CardSpace 2.0 beta would not be releasing at the same time as ADFS 2.0. That fact may not have immediate significance to you, but it certainly does to me. Microsoft, you’ve blown it.
On one hand, I’m immensely relieved. A premature release of CardSpace 2.0 would have removed personal card support from the desktop, meaning that CardSpace would have been relegated to nothing more than Home Realm discovery.
On the other hand… We won’t know for sure until ADFS 2.0 ships, but from what I and other people have seen from the beta and release candidate versions, Microsoft has broken backward compatibility with CardSpace 1.0. This means that unless Microsoft has taken recent steps to regress their information card issuance code, ADFS 2.0 will ship in information card limbo.
I am trying not to care and failing miserably. Let’s face it, Microsoft can release their software in whatever shape they see fit. If they want to, they can release an initial version of a client with no server, and then release a version of the server *years* later that can’t work with the initial client, and can’t be deployed with the later client because that later client “isn’t done yet”. I’m sure that the collateral damage is the least of their problems, and I actually know and understand better than most what internal and external pressures may have been brought to bear. Resources are precious, and both FIM and ADFS have slipped themselves, so somebody had to draw a line.
But see, people were waiting. Big companies, waiting to run information card pilots. Governments, excited to use ADFS 2.0 to implement higher-assurance consumer identity projects. There weren’t a huge number of interested parties, but dammit, they were BIG interested parties. Those interested parties need a sustainable closed circle — a production server and a production client. Not a production server that can only work with a client that “isn’t done yet”.
In the meantime, there is a very hardy little information card community that can at least now stop the horrible waiting and wondering game with respect to ADFS 2.0 and CardSpace 2.0. The choice for the immediate future is becoming clear: CardSpace 1.0 remains the de facto standard for information cards. The rest is moot. Regardless of the hole that Microsoft may have dug for itself, the quality and uniqueness of the interactions that the IMI spec makes possible are undeniable, and I hope inevitable in some variant. I continue to believe that this protocol represents our best hope to regain rational control over our own digital relationships.
It is entirely possible that companies like Azigo and Avoco Secure will see the silver lining here and do the extra work to shim up the ADFS server to work again with the rest of our ecosystem. We’re not out for the count, and at least now we finally know what the biggest player in our space plans, even if it is a big fat WTF…
Is it just me, or has the Burton Group gone dark? Outside of twitter, I haven’t heard anything from anybody on anything.
Are they publishing somewhere else now and just haven’t bothered to update their old blogs to help existing followers to make the move? Or maybe now that they are part of Gartner, we shouldn’t expect any kind of presence, just a set of reports in the mail and a webinar every so often?
It’s a bit of a boggling strategy, really. If there was any time for them to be pushing into the public eye, I would have guessed it to be now.
XAuth has had me fascinated since it was announced yesterday. If you haven’t heard of it yet, I think Dare Obasanjo’s summary is one of the better descriptions, although his site seems to be having issues this morning.
What is XAuth? It appears to be one service, running on one domain, that will maintain the login state of every user at (ideally) every consumer Identity Provider in the world, in real time. A service users have to opt out of. The goal is discovery of authenticated providers.
There are interesting nuances here. As far as I can tell, for the large providers who are already a fixture on the standard NASCAR page, adopting XAuth means that their logos will be shown on fewer pages than they are today. This means that Google, Microsoft Live and Yahoo! are essentially volunteering to delist themselves from NASCAR pages when the user is not registered or not logged in. Meanwhile Facebook and Twitter, who are not at this time involved in XAuth, will be there on every single NASCAR page, holding their spot, nice and predictable, day in and day out. If you travel to Zoho, for example, and you are logged out of both Facebook and GMail, you will only see Facebook’s logo. And since xauth.org is by design a single point of failure, any service disruption that threatens revenue for the relying party is likely to result in an abrupt re-adoption of a static NASCAR page. So – what is it that these providers gain from such a dance?
They get to remove the user from the equation. Relying Parties and Identity Providers get to finally discover each other all by themselves, they can talk right over everybody’s heads without prompting users. In one sense, I completely get this! Business runs so much smoother when the decisions get made en masse. Asking the user is time-consuming, difficult, and frequently unappreciated. And eventually you just have to solve the problem and get stuff done.
XAuth, if it succeeds, will be the antithesis of user-centric identity. It is what happens when companies with businesses to run finally realize that asking users is a thankless, hopeless task that can only get in the way. We all know it is easier to ask forgiveness than permission – for better or worse, XAuth is that principle, taken to its logical conclusion.