Anonymity and Privacy

Some of the most interesting security debates involve anonymity and privacy.  Everyone seems to have a different idea about what those words mean.  For example, some people think anonymity is a binary thing – you’re either anonymous or you’re not.  But when I think of anonymity I think of two axes.

The first is how much or little someone knows about you.  For example, if you know what I look like, I don’t feel completely anonymous.  But I feel more anonymous than if you also know my name.  Perhaps that’s because I’m a 6’7” bald guy and if you went around Ottawa asking security professionals if they knew a tall bald security/writer/photographer guy chances are that my name would come up pretty quick.  Or, perhaps, it’s because my name is only part of my identity.

The other axis is how difficult it is to breach someone’s anonymity. For example, it might not be too hard to get the clerk at a small-town store to tell you the name of the customer that was in front of you in line.  But getting information from other sources is more difficult.

So, when I think of anonymity, I picture a quadrant.  In the upper right corner you know nothing about me and it would be really hard to find out who I am.  In the lower left corner my name, address, telephone number and photo are on the front page of the Ottawa Sun.

Privacy is even more complex because it is hard to define.  For example, it has been defined as:

  • The right to be left alone;
  • The right to exercise control over one’s personal information; and,
  • A set of conditions necessary to protect our individual dignity and autonomy.

When it comes to telemarketers, the right to be left alone appeals to me. I’d also like to stop businesses from selling my name to other businesses (or telemarketers). And I’d prefer some privacy when I’m in the washroom too, thank you very much!

Anonymity and privacy are obviously related. But the interesting debate is whether anonymity is required to achieve privacy.  In some cases it certainly helps: When I buy a coffee from Starbucks and pay cash, I have a relatively high level of anonymity, at least until they install cameras with face recognition software that links back to that one time I pulled out my debit card. (Of course if it expedited my mocachino with an extra shot of espresso I might not feel too violated.) But other privacy controls exist, including legislation, corporate policy and the desire to avoid negative publicity.

The problem with such privacy mechanisms is that they are outside the control of the individual.  When I surf the net, I have no way of knowing what companies do with that data. I don’t know for a fact that Google isn’t building a database of every search request from my IP address and that at some point in the future they’re not going to acquire (or be acquired by) companies and link my IP address to my credit card information or Facebook profile.  And there are online advertising companies that make it their business to track users across multiple Web sites using cookies of the not-so-tasty variety.

Whether this matters to you or not really depends on who you are and what you do online. You may not care and it might not matter. Or, you might prefer that the only people who have your personal information are those you give it to.

As more people understand these issues, the anonymous Web surfing services will continue to gain popularity.  For example, one of the best known is Anonymizer, started by astrophysicist Lance Cottrell in 1995. He was concerned about online privacy and as an early Internet user saw first-hand how much information could be captured.  And his company was recently acquired by a larger firm that provides anonymous Internet access to corporations, governments and law enforcement agencies.

But before you rush out and buy, it’s important to consider the big picture. Anonymous proxies hide your real IP address, and are a great first-line defense of your online privacy. But, to be effective, you also must control cookies and carefully consider what personal information you give to businesses, including social networking sites. Remaining anonymous on the Internet to protect your privacy requires much more than hiding your IP address.  It requires that you also think before you type.

Credit Card Insecurity

Another round of credit card number exposures and my wife’s bank proactively changing her card number due to an ‘ongoing investigation’ reminded me that I haven’t written about credit card issues for a while.

But please don’t click away — this isn’t going to be another ‘how you can protect yourself’ article.

Security can be complicated but there are some simple fundamentals that explain the credit card fraud problem. The first is the concept of risk. People often agonize over how to explain risk. But it can be simple if you break it down into three components:

  1. An asset — something of value
  2. A threat — something or someone that endangers the asset
  3. Vulnerabilities — a way for the threat to impact the asset

If all three of these are present, you have risk. The magnitude of the risk is related to the magnitude of each of the factors. Large assets, motivated threats and serious vulnerabilities mean high risk. Remove any one of the three and risk disappears.

Money is a great example. It is a valuable asset and there are always criminals (threats) who would like to steal it. So, the question becomes how much money, how many criminals and whether a vulnerability exists that allows the criminals to steal the money.

If we consider credit cards, there is a lot of money. From a criminal’s perspective, it doesn’t make sense to buy and sell drugs (an inherently dangerous activity) or steal property and sell it (very low profit margins) if one can steal money directly.

When we consider credit cards, we’re dealing with a high-value asset and a high threat level. It’s not practical to try and reduce either. The whole point of the credit card industry is to make lots of money available and charge high interest rates for using it, so lowering the asset value isn’t going to happen. And we know that our criminal justice system certainly isn’t doing much to reduce the threat.

So, the key factor in credit card risk management is vulnerabilities. Reduce them and risk falls. Add vulnerabilities to the system and risk skyrockets. And that’s where we are now.

There are a number of weaknesses in the credit card system. For example, if you steal my credit card, you can probably get away with using it in certain stores until I report it stolen. And, if you’re a merchant, you can collect lists of credit card numbers, sell them to your criminal friends and they can charge stuff to them. Debit card issuers attempt to reduce some of these vulnerabilities by requiring the user to type a PIN but that fails miserably because it’s not all that difficult to watch someone type in their PIN — in person, using a camera or by modifying the PIN pad to capture it.

All these issues can be reduced to one vulnerability that isn’t in any way the consumer’s fault: Financial institutions fail to properly authenticate the cardholder.

But mine requires a PIN, you say? Yes, but it’s not nearly enough and, while you should heed their advice and try to protect your PIN, there is a fundamental security flaw in the system.

To understand the flaw I need to touch briefly on authentication theory, which holds that there are three ways to authenticate a person:

  1. Something they know (like a PIN)
  2. Something they have (a physical thing like a card)
  3. Something they are (a fingerprint, iris scan, or other biometric)

To be sure that you know who you are dealing with — something that security practitioners call ‘strong authentication’ — you need at least two of the above factors. One just isn’t enough. And, in the case of (2) and (3), they also need to be something that isn’t easily copied.

Credit card security is fundamentally flawed because everything you need to authorize a credit card transaction is on the card. Sure they’ve added a three or four digit number for card not present transactions.  And some merchants use address verification services that require a postal/zip code. But, if you give me your credit card, I can take it to the store and use it.

Debit cards use two factors and, in theory, two factors is much stronger than a single factor. But one factor — the card, the thing you have — is easily copied. An unscrupulous merchant can run it through a (US)$100 device that records everything on the magnetic stripe and create an exact duplicate. So, the only thing between them and the money is your PIN. And they are highly motivated to find a way to get it.
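The two points made above (that strong authentication needs at least two factors, and that a factor is worthless if it can be copied) can be made concrete with a small model. The code below is an added illustration, not the column’s own material and not a description of any real card network: it models a mag-stripe card as plain data that a card reader can duplicate, and a chip card as a device holding a key that never leaves it and is used to answer a per-transaction challenge. The card records, PINs, key and challenge are all constructed sample values.

```python
"""Toy model: why 'card + PIN' on a magnetic stripe is weaker than it looks,
and what a chip that keeps its own secret changes. Added example; the issuer
records, PINs and keys below are constructed, not real."""
import hashlib
import hmac
from dataclasses import dataclass


def factor_count(know: bool = False, have: bool = False, are: bool = False) -> int:
    """Number of distinct authentication factors presented."""
    return sum([know, have, are])


def is_strong(know: bool = False, have: bool = False, are: bool = False) -> bool:
    """'Strong authentication' in the column's sense: at least two factors."""
    return factor_count(know, have, are) >= 2


# --- Magnetic stripe: everything needed to authorize is readable data -------
@dataclass
class StripeCard:
    pan: str      # card number
    expiry: str   # expiry printed on the card and encoded on the stripe


def issuer_authorize_stripe(card: StripeCard, pin: str, records: dict) -> bool:
    """Issuer check: card data matches the record and the PIN is right."""
    rec = records.get(card.pan)
    return rec is not None and rec["expiry"] == card.expiry and rec["pin"] == pin


def copy_stripe(card: StripeCard) -> StripeCard:
    """A stripe reader reproduces the card data exactly: the 'have' factor
    is just bytes, so the copy is indistinguishable from the original."""
    return StripeCard(card.pan, card.expiry)


# --- Chip: the card holds a key and answers a challenge with it ------------
class ChipCard:
    def __init__(self, pan: str, key: bytes) -> None:
        self.pan = pan
        self._key = key  # held inside the chip; not part of the readable data

    def respond(self, challenge: bytes) -> bytes:
        """Prove possession of the key without revealing it (HMAC as a stand-in
        for whatever cryptogram a real chip would compute)."""
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


def issuer_authorize_chip(pan: str, challenge: bytes, response: bytes,
                          pin: str, records: dict) -> bool:
    """Issuer recomputes the expected response from its copy of the key."""
    rec = records.get(pan)
    if rec is None or rec["pin"] != pin:
        return False
    expected = hmac.new(rec["key"], challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)


def copy_chip_readable_data(card: ChipCard) -> ChipCard:
    """What a reader can reproduce: the PAN only. The key is not readable,
    so the copy cannot answer challenges."""
    return ChipCard(card.pan, b"")


def demo() -> dict:
    """Run both models with constructed values and report the outcomes."""
    records = {"4000000000000001": {"expiry": "12/29", "pin": "1234", "key": b"constructed-card-key"}}
    stripe = StripeCard("4000000000000001", "12/29")
    chip = ChipCard("4000000000000001", b"constructed-card-key")
    challenge = b"txn-7f3a"  # constructed per-transaction value from the terminal
    return {
        "pin_alone_is_strong": is_strong(know=True),
        "card_plus_pin_is_strong": is_strong(know=True, have=True),
        # Stripe: a copied card plus an observed PIN authorizes just like the real card.
        "stripe_copy_authorizes": issuer_authorize_stripe(copy_stripe(stripe), "1234", records),
        # Chip: the genuine card passes, the copy fails even with the correct PIN.
        "chip_genuine_authorizes": issuer_authorize_chip(
            chip.pan, challenge, chip.respond(challenge), "1234", records),
        "chip_copy_authorizes": issuer_authorize_chip(
            chip.pan, challenge, copy_chip_readable_data(chip).respond(challenge), "1234", records),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point of the model is the column’s: counting factors is not enough. Two factors only help when the second one cannot be reproduced from what a merchant or skimmer can read, which is what moving the secret into a chip buys.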

Of course, banks know this and their security professionals have expert knowledge of risk assessment and authentication theory. And they are, very slowly, starting to do something about it by moving toward credit and debit cards with a computer chip on them, making them more difficult to copy.

There is much more that they could be doing. But they choose not to. And, while I haven’t been privy to the discussions, I suspect it has something to do with the ability to charge 20 per cent interest even when the prime rate is less than 2 per cent.  It also, probably, has to do with the fact that, in many cases, it’s the merchants that take the loss, not the bank.

So, next time you hear a bank complain about credit card fraud losses, remember that it’s their system. They choose to issue cards, they choose the security mechanisms and they know the risks. And they’re the ones that should be fixing it.

Evidence from a Black Box

A recent court case in Minnesota poses an interesting question. In summary, a man accused of impaired driving says he should be able to review the source code of the breathalyzer used to gather the evidence against him.

On the surface, the man’s request seems reasonable. As I understand it, the primary evidence against him is that he exhaled into a box and it displayed a number. And that number was too big.  In fact, everyone who drives, impaired or not, presumably has an interest in the accuracy of the device.

But the manufacturer, CMI, Inc., and the State of Minnesota apparently disagree, and they have convinced both the trial and appeal judges that handing over the source code would be “unreasonably burdensome.” So unless the defendant launches another appeal — or perhaps buys one and sends it to a lab for analysis — he appears to be out of luck.

I’m inclined to believe that the accused is simply looking for any possible way to have the evidence against him excluded. But that’s the way the system works. To be convicted, the accused must be proven guilty beyond a reasonable doubt. He has the right to cross-examine human witnesses, so it simply doesn’t make sense that he’s not allowed to examine the functioning of the machine that says he was over the legal limit.

What could go wrong

There are a number of things that could go wrong with an electronic breathalyzer.  Presumably, aging or failing components that change the readings would be picked up during calibrations, so there are likely some procedural safeguards. But what if the developer made a mistake or took shortcuts?  Converting the output of an optical sensor into a breath alcohol reading, and then into a blood alcohol level, must involve some math. What if there is a bug in the math libraries that hasn’t been discovered?

Then there are issues such as version control. Did the right software get loaded onto the device? Has it been upgraded? Can the vendor reproduce the exact code loaded onto devices sold several years ago? Has it been modified?

The last question should send shivers down a Judge’s spine. The device is in the custody of the same person who laid the charges and, therefore, has an interest in seeing a conviction. While the vast majority of police officers play by the rules, we are obliged to ask the question: What checks and balances are in place to stop that one bad apple from tampering with the device? Without appropriate safeguards, you too could be just one firmware mod away from a criminal conviction.
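The version-control and tampering questions above (did the right build get loaded, can the vendor reproduce it, has it been modified since?) are the kind a reviewer can answer with a record of what was released rather than with trust. The code below is an added illustration, not anything CMI or Minnesota does: a vendor publishes a manifest of released firmware digests, authenticates it with a key, and anyone examining a seized device can hash the image read off it and see whether it matches a known release. The firmware images, versions and key are constructed sample values, and HMAC stands in for whatever signature scheme a real vendor would use.

```python
"""Added example: checking that a device's firmware is a known, unmodified
release. Images, version numbers and the signing key are constructed."""
import hashlib
import hmac
import json
from typing import Optional

# Constructed stand-ins for firmware images (a real image would be a binary blob).
RELEASES = {
    "2.1": b"BREATH-FW v2.1 calibration=0.92 threshold=0.08",
    "2.2": b"BREATH-FW v2.2 calibration=0.93 threshold=0.08",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(releases: dict, signing_key: bytes) -> dict:
    """Vendor side: record the digest of every released build and
    authenticate the list so entries cannot be added or changed quietly."""
    body = {version: sha256_hex(image) for version, image in releases.items()}
    payload = json.dumps(body, sort_keys=True).encode()
    mac = hmac.new(signing_key, payload, hashlib.sha256).hexdigest()
    return {"releases": body, "mac": mac}


def verify_manifest(manifest: dict, signing_key: bytes) -> bool:
    """Examiner side: confirm the manifest itself has not been altered."""
    payload = json.dumps(manifest["releases"], sort_keys=True).encode()
    expected = hmac.new(signing_key, payload, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, manifest["mac"])


def identify_firmware(image: bytes, manifest: dict) -> Optional[str]:
    """Return the release version whose digest matches the image read from
    the device, or None if the image matches no known release (modified,
    unreleased, or corrupted)."""
    digest = sha256_hex(image)
    for version, known in manifest["releases"].items():
        if hmac.compare_digest(digest, known):
            return version
    return None


def examine_device(image: bytes, manifest: dict, signing_key: bytes) -> dict:
    """One-shot chain-of-custody check an examiner could file with a report."""
    manifest_ok = verify_manifest(manifest, signing_key)
    version = identify_firmware(image, manifest) if manifest_ok else None
    return {
        "manifest_authentic": manifest_ok,
        "image_sha256": sha256_hex(image),
        "matches_release": version,
        "verdict": "known release" if version else "UNRECOGNISED IMAGE - investigate",
    }


if __name__ == "__main__":
    key = b"constructed-vendor-signing-key"
    manifest = build_manifest(RELEASES, key)
    print(examine_device(RELEASES["2.2"], manifest, key))
    # A single changed calibration constant is enough to fail the match.
    altered = b"BREATH-FW v2.2 calibration=0.93 threshold=0.10"
    print(examine_device(altered, manifest, key))
```

The manifest answers “can the vendor reproduce the exact code?” only if the vendor keeps the images, not just the digests; the digest alone proves a match, but reproducing the source that built it is a separate build-provenance question. Reading the image off the device without disturbing it is likewise a hardware and procedure matter that the check assumes has been done.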

What should be done

An objective third party can examine all aspects of the software development life cycle, the software, the hardware, field maintenance and related security controls. If the manufacturer has done its job, the third party report will depict a reliable and trustworthy device. In fact, if the manufacturer has done its job, it should welcome the notion of an objective third party doing just that. On the other hand, if the manufacturer hasn’t done its job, we’ll all know that, as well.

According to Bill Collins, sales manager at CMI, the product was thoroughly tested by the National Highway Traffic Safety Administration, part of the United States Department of Transportation, prior to sale to law enforcement agencies. Individual States also test the device and it has been subject to other third party examinations prior to being generally accepted by the courts.  He made another very good point: Source code is only one part of the device and, to draw a meaningful conclusion, one would have to examine the entire device including both hardware and software.

Preserving defendant rights

While I sympathize with the company and understand its desire to keep the proprietary source code confidential, impaired driving is a crime and a conviction can have major implications, including restrictions on employment and travel. Criminal defendants must be allowed to examine the evidence against them. Intellectual property concerns are a red herring – courts have long had procedures in place to allow the examination of sensitive information in a controlled manner.

If a defendant wants to retain an expert to conduct such an analysis, he or she must be allowed to do so. If the product is solid, defendants will quickly find out that they are simply throwing their money away. Some American states including Florida agree and have upheld the defendant’s right to examine the code.

In the words of English jurist William Blackstone, “Better that ten guilty persons escape than that one innocent suffer.”  Allowing any black box to produce evidence is a slippery slope that we can’t afford, and product vendors should take note. It won’t be long until other devices like digital recorders are subject to the same scrutiny. Until we illuminate inside, outside and around the box there is no justice.

Bus Strike? Bad Weather? Work at home!

Businesses, transit users and those of us who drive to work all suffered during Ottawa’s transit strike.  However, we can learn valuable lessons about business continuity planning that are equally applicable to an influenza pandemic, severe storm or even a terrorist attack.

There is a segment of our population who simply must get to work: Police officers, fire fighters, teachers, bankers, assembly line workers and those in the health care, retail and hospitality sectors. But many of us can — or could, with the right solution — work from anywhere we have access to a computer and telephone rather than sitting in traffic.

Now, before I give you the wrong impression, I do live in the real world.  Face-to-face meetings are often more desirable than teleconferences, and some companies aren’t set up to support remote workers.  Some corporate cultures are such that working from home is seen as a euphemism for a day off and having one’s buttocks pressing upon a chair for the requisite number of hours is considered far more important than actually getting work done.  As a result modern day office martyrs drag themselves to the office when ill and consider sprinkling their viral load amongst colleagues a badge of honour.

When we step back and look at the issues from a broader point of view, it’s clear that during a transit strike we would all benefit by keeping the roads clear for those who must go to work and spending our time working instead of sitting in the car.

From a business perspective, not only are there advantages during transit strikes and severe storms, but the capability also allows the organization to function despite other emergencies such as fires, building evacuations and localized power failures.  Enabling employees to work at home also helps to retain top talent by promoting a better work-life balance. And fewer commuters is a better thing for the environment as well.

Enabling remote work — like any other infrastructure change — does have security implications.  Some organizations already have fundamental components in place such as laptops with VPN connectivity and the ability to forward phone lines.  For those who don’t, products are available to specifically address the issues.

One company seeing increased interest in their products is Route1, the Toronto-based firm that developed the MobiKEY product. “The user simply plugs MobiKEY into any computer with Internet access and within seconds they are able to access their home or office computer through the TruOFFICE service,” explained Tanieu Tan, Director of Marketing.  “With MobiKEY, all information remains behind the corporate firewall and no footprint of the work session is left on the guest computer. In the event that there is malware on the guest computer, it cannot be introduced into the corporate network, making this a very secure solution.”

[Image: MobiKEY]

The product also offers other features to facilitate secure access to Web portals or specific applications instead of an entire remote desktop environment.  These solutions also tout a high level of security by eliminating dependence upon applications on the user’s local computer.

So, whether you blamed the City, OCTranspo workers or, perhaps, both, we did get a great lesson in business continuity planning.  Acting now can better enable you and your company to cope with similar events in the future.