Google Plus: Minus 1

Google Plus started out so well!  It was pleasant, easy, and there was a lovely gratification in adding people to circles and being added in return.  It felt like finally, perhaps somebody at Google had figured out how to be social!  People were sharing, and communicating, and suddenly it seemed like maybe there might be an alternative to Facebook that had a chance.

And then…. Google started enforcing their real names policy.  Obsessively.  The fly in the ointment?  While Google can state that they require real names, they have no definitive way to determine which names are real.  The result is an offensively discriminatory process of identifying names that don’t appear to conform and requiring proof of identity only from those people.

My question to Google:  what exactly are you trying to accomplish?  Because I thought you were trying to create a welcoming place where insights and observations were shared with fellow end users who have formed a relationship with each other.   A place where users invite each other to talk and manage relationships themselves.

Instead, the real names policy is a gating factor, at a time when the service is just struggling to gain critical mass.  You have real people with odd names being banned from using plus and required to prove their identity.  You have people with excellent internet reputations banned because they publish under a nickname.   The result is a ridiculously easy-to-game entrance requirement that punishes those who genuinely want to express their individuality, while offering a loophole the size of a planet for anyone else to slide through.

And for what?   In the identity industry we often talk about trading value for value.  In theory, users are willing to take extra steps in order to get extra value.  Is Google Plus about high assurance transactions for which the friction, pain and invasiveness associated with identity vetting is a worthwhile trade?  No. Completely outside of any question of whether a real names policy is right or wrong, enforcement of this policy is bad for business, if the business is supposed to be that of creating a popular and well-used platform that keeps users inside their Google bubble all the time.

The people I want in my social circles prove themselves over time. They say smart things and engage in positive ways. Requiring government identification before engaging in casual conversation would be considered horribly antisocial in real life – why does Google think it’s ok in the social networking world?   They are choking the life and personality out of their own service, before it has even had the chance to flourish.

Is it worth trying to communicate the facepalm that is Google Plus’s real names enforcement to Google in some quantifiable sense?  Perhaps the numbers-oriented folks at Google might look at a huge number of accounts that have been banned from the plus service and say “hey, maybe that’s bad”?   If so it might be worth adding that nickname in parentheses to your profile.  If Google is going to force identity vetting, they should be prepared to do it for all 20 million accounts.  And they should be prepared to monitor, and maintain, and police, and arbitrate.  And what will be the result?  An accountable digital space.   Sounds like a blast, right?  Party at Google Plus, bring your flights of fancy along for the ride…

 

So funny I forgot to laugh

Have you ever had to enter CHARACTERS from your password to log in?   No?  Me either.  How would you feel if you entered your credit card number into your credit card provider’s website and instead of the usual password you were given this screen:

Yer kidding RIGHT?

This is the second screen of my credit card provider’s authentication workflow.  They are asking me to answer my “Personal Identification Question”, and asking me to type 3 random digits of my password instead of my entire password.  The ramifications of this set of implementation choices just blows my mind.    Three strikes and you’re out, if you ask me:

1. Downright Terrible Personal Identification Questions

Worst Security Questions EVAR

Anyone who reads my blog can probably figure out my favorite hobby; I even mention it on my about page.  That question was one of five terrible security questions. Three of the questions are standard web access management fare. They aren’t great, but at least the 8-character minimum keeps away answers like “golf”, “ford”, and “rex”.  The other two questions, however, are in my mind criminal.  No financial institution should give a customer the option to use their mother’s or father’s name as a method of personal identification.  I can’t believe anyone put those questions into production. The worst part: because of the list given, those two questions are the only ones that can be answered in a straightforward way while also fitting the complexity rules.

2. Removing The Guesswork from Password Hacking

Password Complexity?

Then there is the 8-character password. I could have sworn that one of the variables that makes a password tough to brute force is the fact that the length is unknown.  If you *know* you’re working with 8 characters, you can seriously narrow down your brute force parameters.  Plus the only punctuation allowed is an underscore.  Ouch.


3. One-way Hashes are *so* 2008

Security Theater

Since my bank is performing character matches on my password, there is no way that they are using a one-way hash algorithm to store my password.  If they were, they would be able to match the whole thing or nothing at all.  Instead, they have chosen to be able to retrieve my password and play with it.  I can only hope that it isn’t stored in clear text, but frankly anyone who asks “What is my mother’s name” as a security question can’t be too worried about security.  Don’t get me wrong, HSBC is very worried about the appearance of security; in fact I was forced to positively acknowledge a big long page of statements about how firewalls are used, and how they require me to use 128-bit encryption. In spite of all the assurances, it seems to me that I’m at risk in a number of ways now, and all so that the password interface can be turned into a primitive and easily overcome Turing test.

So, what am I missing?  Is there some brilliant element to this setup that makes up for the sins that appear to have been committed?  Something that will make me happy my credit is in the hands of this company?  I hope so, because right now I feel like maybe it’s time to do my best ‘rat leaving a sinking ship’ impression.

Seriously, Certapay?

Tell me what you think of the following series of events:

  1. I receive an email with a link in it, promising money.
  2. I click on the link and see a screen purporting to be my bank and asking for my username and password.
  3. Not trusting the page to actually be my bank, I go independently to my bank site and authenticate.
  4. Clicking again on the link from my email, I hope to see that the bank authentication page is gone, and that I am taken directly to the step where I answer the “security question” and get my money.  Instead, however, I find that even though I have an existing valid bank session set up in my browser, I am still taken to a login page and forced to re-enter my credentials before the transaction will work.

I know what you’re saying! Don’t do it! It’s a phishing attack!   Sadly, this is actually what happens if you are the recipient of a Certapay INTERAC email money transfer in Canada.   It is a phisher’s wildest dream come true, don’t you think?  Even those familiar with the process will eventually stop looking at URLs and just click through the brightly colored screens to enter their banking credentials.

The whole setup is ripe for abuse.  Why, dear god, is there no way to accept a payment without typing in your banking credentials?  There certainly needs to be an authorization step, but forcing an authentication step to be bundled is both lazy and dangerous.  The worst part is that the banks are complicit in this.

The best irony of all is the email fraud section of their website security page, under the “How to Protect yourself” section says:

  • Do not share or provide your personal information.

Oh, you mean like my usernames and passwords for my entire BANK ACCOUNT????

jeez.

Take that, TOS

I love this story, especially the point that was made about the difference between the power to terminate a user for any reason, versus the power to terminate a user for no reason.

I also think that this is the worst fear of all of us who are investing our time, if not our money, into faceless distant services that we can only hope and assume will treat us well.  We all assume that at the very least we should be able to seek justice – but justice takes time and human care, two things that are hard to come by when every communication is digital.   Has Google addressed this black hole of a process and provided some way to allow banned users to at least have a conversation with someone who could conceivably reverse the decision?  We can only hope.

Aaron Greenspan – Why I Sued Google and Won

Magic Disappearing Security Seal

This morning I attempted to login to Flickr, and something was different.  My security seal was gone.  I have to say that the designer earned his/her paycheque — the visual cue worked perfectly.  My screen went from this (screenshot: Seal) to this (screenshot: No Seal).

Great!  I have become aware of a possible scary event!  Now how do I act?

The help file says to restart your browser and manually type in the Yahoo! URL. This makes sense as an obvious countermeasure against phishing – but it didn’t help me.  My seal is just gone.  The help file opines:

  • Your cookies were cleared. In some rare instances, if you use certain web browsers and you clear your cookies, you may lose your sign-in seal and you will need to re-create it. Clearing cookies should not remove the seal for most users; however, if your seal disappears, please check that your browser is not set to clear cookies on browser close.

Hold on — I always clear my cookies on browser close.   That’s all it takes to remove my security seal???  Why has it stuck around for the last six months only to disappear today?   Color me confused.

Now that I’ve looked at it in detail, I think the Yahoo! Security Seal is actually a really good security measure.  It is simple, it is effective for what it is intended, and the actions expected in the case where the ‘danger event’ occurs are reasonable and effective.  Problem is, I’m already disinclined to recreate my seal.  Why place any trust in something that can disappear for all sorts of other reasons besides being phished?  How many times will users act correctly in the case of the seal disappearing, only to find out that they’ve been on a fool’s errand?  And now they have to set up the security device all over again?  From a signalling perspective, it’s an epic FAIL followed by a barrier to continuation.  I just don’t think that’s going to fly.

Use the fingerprint to validate the certificate manually!

You security people may write great crypto, but you have some serious communications problems.

I recently updated my certificate at pamelaproject.com, and got the following error message upon attempting to commit code to Subversion:

OMG Certificate Issues!!!

Being the owner of the domain, I know a few things:

  • If the Subversion client had bothered to use PKI to validate this certificate, it would not be giving me this warning, because this certificate was issued by a trusted authority.  I know because I paid for it.
  • Since this Subversion client never automatically validates the issuer of any certificate, the error message shown here is utterly misleading.  A more accurate error message would note that the certificate has changed; I doubt the software was doing anything that would warrant a stronger assertion.

Still, I wondered — what would I do if this message popped up on the screen, and I actually took it seriously?

According to the security message, I should manually validate the fingerprint of the certificate before continuing.  How hard could it be to (a) find out what that actually meant, (b) learn how to do it, and (c) actually verify my own certificate?

Plan A: Hit the “help” button

I clicked on the oh-so-convenient help button in NetBeans. It didn’t tell me how to be secure, it simply told me the different ways in which I could make the error page go away. This gave me no satisfaction on points a, b, or c.

Plan B: Google it

I searched for combinations of ‘validate certificate fingerprint manually’.  The first hit was Google asserting its own specific certificate fingerprint – didn’t help.  The next 6 pages of hits were various combinations of people asking for help or expressing frustration at this message.  I didn’t read all of these, but of the ones I did read, the answer given was to the wrong question.  People were advised on how to make the error screen go away, not how to ensure that the error was unfounded.

So far, I still couldn’t even answer the simple question of what it means to manually validate a fingerprint.  Finally, deep in the search results, I found this:

Google Results

Buried in the page was this paragraph:

…the key should be authenticated manually by contacting the CA administrator and comparing the fingerprints of the certificate.

This was the closest thing I have found to an explanation of what would have to happen in order for me to reach my goal.  It seems that I would have to contact the site admin, and have them tell me the actual fingerprint of the actual certificate so that I could visually confirm that the fingerprint shown in the error message was the same as the fingerprint of the site.

Luckily in this case I am the site admin.  It’s hard to imagine that many people would refrain from using their Subversion client for the time it would take to identify and communicate with a site owner.  I also wonder, if you were actually the target of a MITM attack, whether this means that DNS is poisoned and you couldn’t actually trust either email or a phone number posted on the same domain’s website.

Not that we’re done yet:  How many site owners would know how to generate a fingerprint from their certificate in order to satisfy a request from a user?  A bunch more searching got me to the point where I could generate an MD5 fingerprint with this command:

$ openssl x509 -noout -fingerprint -in cert.pub
MD5 Fingerprint=0D:89:07:D6:4F:BC:84:2E:2E:14:C2:DA:D4:3B:D5:7C
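As an added example (not from the post), here is what “comparing the fingerprints” actually amounts to: the fingerprint is just a hash over the certificate’s DER bytes, the same value the openssl command above prints. The PEM blob below is constructed, not a real certificate; MD5 appears only because that is what the command printed, SHA-256 is what you would compare today.

```python
import base64
import hashlib
import hmac
import re

# Constructed sample: NOT a real certificate, just a few bytes wrapped in PEM
# armour so the parsing path runs offline. In practice you would paste the
# site's real "-----BEGIN CERTIFICATE-----" block here.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(b"\x30\x82\x00\x10" + b"constructed-der-body").decode()
    + "-----END CERTIFICATE-----\n"
)

_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)


def pem_to_der(pem: str) -> bytes:
    """Extract the first CERTIFICATE block and decode its base64 body to DER."""
    m = _PEM_RE.search(pem)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    body = "".join(m.group(1).split())  # drop line breaks and whitespace
    return base64.b64decode(body, validate=True)


def fingerprint(pem: str, algo: str = "sha256") -> str:
    """Colon-separated upper-case hex digest over the DER bytes, i.e. the
    quantity that `openssl x509 -noout -fingerprint -<algo>` prints."""
    digest = hashlib.new(algo, pem_to_der(pem)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fp: str) -> str:
    """Accept '0D:89:...', '0d89...', or a whole 'SHA256 Fingerprint=...' line
    as a user might paste it, and reduce it to bare upper-case hex."""
    fp = fp.split("=", 1)[-1]          # drop any 'XXX Fingerprint=' prefix first
    return re.sub(r"[^0-9a-fA-F]", "", fp).upper()


def fingerprint_matches(pem: str, expected: str, algo: str = "sha256") -> bool:
    """Compare the certificate's fingerprint to the one obtained out of band."""
    got = normalize(fingerprint(pem, algo))
    want = normalize(expected)
    if len(want) != hashlib.new(algo).digest_size * 2:
        return False  # wrong length: fingerprint of a different algorithm, not a match
    return hmac.compare_digest(got, want)  # constant-time, same as for any secret-ish compare


if __name__ == "__main__":
    for algo in ("md5", "sha256"):
        print(f"{algo.upper()} Fingerprint={fingerprint(SAMPLE_PEM, algo)}")
    print(fingerprint_matches(SAMPLE_PEM, fingerprint(SAMPLE_PEM)))
```

The length check matters in practice: an MD5 fingerprint from an old command will never equal a SHA-256 one, and the comparison should say so rather than silently failing on a prefix.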

Brutal Conclusion

Users are never going to jump through the hoops I just jumped through to obey the spirit of this message, and nobody on the software side cares whether users obey the spirit of this message either.  It doesn’t even matter that the meaning of the message was incorrect – because there is no obvious path to take that could actually result in users responsibly acting on any variation of the message.  This popup is nothing but an inconvenience with no security value whatsoever.

Someday, somebody is going to win the Nobel Prize for making certificates usable.  I hope it happens soon.  They will have earned the distinction.

What’s in a 100 Million?

100 million credit cards compromised.  Just like that.  Heartland Payment Systems was hacked in May, and now the following January they are famous for all the wrong reasons.

What gets me about this, is that this processor was storing and forwarding the exact same set of data that the consumer provided.  Why??? Why not alter that data at each step, such that the data needed for processing is not the same set of data needed to initiate a transaction?  Using these kinds of methods may not prevent theft of data, but they can sure as heck increase the difficulty in using that data to make a profit.

I wonder what the cost is to the credit card companies per re-issued card?   Adding the postage, labor, and manufacturing time, I have to imagine this will not be cheap.    Changing an already established system isn’t cheap either, but what are the options?  Getting better promises of security from your payment vendors?   Yeah.  Right.

Lowest Common Denominator

Yesterday Friend Connect added Twitter to their list of accounts that can be used to authenticate and to communicate friend data between cooperating sites.

From a social graph perspective, this makes complete sense, although I’m not sure what is supposed to happen when a Twitter user with 5,000 followers and following 5,000 logs into a site for the first time.  I have to assume that you get little dribbles and drabbles of friend links over time, in the background.  Still, if the website operators are using an elastic, as-needed payment model, it could be rather expensive for true Twitter addicts to visit for the first time.

From an authentication perspective,  I can only laugh, the irony is too much for me.   Twitter as a provider of identity information.    This is a site with an unbelievably cavalier attitude towards the credentials of users, as evidenced by the fact that they force their entire partner community to ask for and resend usernames and passwords, and as evidenced by the fact that they encourage their users to type their credentials into any input box that might present itself with the short introduction of “Twitter API”.

You may say that Twitter was never intended to be a highly secure service,  and I’m sure you’re right.  What so many people in this industry are trying to do, however, is to provide a way for services like Twitter to no longer have to badly manage their user data,  but instead to rely on the services that DO care about security,  and do actually take the security of user credentials seriously.

In the short term though, convenience wins out over security. It’s bass-ackwards, but it’s still progress.  Gotta crawl before we can run.  Anything that connects sites and propels application and service owners to start considering externalized Identity is good in my book.   We need to get in there, mix it up, and hope that something reasonable emerges from the fray.

So let me get this straight.

If I buy a retail version of Vista, I pay several hundred dollars for the DVD set, but really the value is in the license.

If I buy a machine with Vista on it, I theoretically get a “deal” because the computer arrives pre-installed. I have a license — I have paid for the right to use the software.

However, if my disk dies, taking with it the operating system that never actually ran particularly well AND the recovery partition that took up 10 GB of the disk space that was marketed as usable space when I bought the machine, and which sat there doing nothing until the day I was desperate to access it, the same day it became inaccessible to me (dim bulbs, the engineers that thought up this recovery strategy), SUDDENLY THE MEDIA MATTERS. And it isn’t ANY installation DVD, oh no, I can’t borrow my buddy’s Vista Ultimate installation disc that he paid for, oh no. I have to have the OEM version. For another $160.00 $200.00 CAD. I swear I’ve aged 10 years in the last 3 days. And I still am not able to run the operating system I theoretically paid for.

Have you guys out there making these licensing deals ever heard of KISS? Keep It Simple Stupid.

No, I guess not.

Peeved

y’know, sometimes I think these guys just don’t care.

If you’re going to own a powerful Web Access Management product, doesn’t it make sense to perhaps showcase your own product by making Single Sign-on and password management simple and seamless on your own customer-facing sites?

As such, I would hope that asking for SSO integration between the documentation site and the knowledge base site would not be so much to ask for. I’ve had to do password recovery on both sites today — one worked and the other failed. The second (failed) attempt just kills me — check out this flow:

  • I enter my email address into the lost password form.
  • I receive a new password via email. This would imply to me that I have chosen the correct email address, yes?
  • I then take that very same email address and the newly assigned password and put them into the username and password boxes on the login form.
  • My login fails.
    • There is no “forgot my username” link
    • The help link confirms that I should be entering my email address anyway.
    • I can get passwords galore from the lost password workflow, but none of them appears to actually work with my email address.
    • I can’t actually figure out who to talk to to get out of this lovely loop.

WTF?

I *know* they have the tools to make this a much easier process, that’s the worst part.

Aggggh…