Emergent ChaosThe Washington Times reports, "Outsourced passports netting govt. profits, risking national security." It is the first of a three-parter.
Interesting comments:
The United States has outsourced the manufacturing of its electronic passports to overseas companies — including one in Thailand that was victimized by Chinese espionage — raising concerns that cost savings are being put ahead of national security, an investigation by The Washington Times has found.The Government Printing Office's decision to export the work has proved lucrative, allowing the agency to book more than $100 million in recent profits by charging the State Department more money for blank passports than it actually costs to make them, according to interviews with federal officials and documents obtained by The Times.
The GPO tells us we don't need to worry, because the blanks are moved by armored car. I feel better already, but can't stop giggling.
Bookmark this post:
Kim Cameron not only admits what Ben Laurie has said here, here, and here, but he says it succinctly:
OpenID provides convenience and power but suffers the problem of all the Single Sign On technologies - the more it succeeds, the more dramatically phishable it will become.
There you have it.
It has long been a joke about crusty states such as Idaho, Oregon, New Hampshire, or New Jersey that they have signs at the border that read, "Welcome to <insert-name-here>, now go home."
As a Mac user, someone often asks me if they should switch to a Mac because it's more secure, my response to them is that the only reason a Mac is more secure than a PC is because it's only people like me who use them. As soon as hordes of people start using them, then they will no longer be as secure. I like not knowing the details of anti-virus programs. I like not bothering even to run the built-in firewall. So, no, I don't think you should switch to a Mac because it's more secure. I think you should just update your virus files every week. Besides, Macs are much more expensive than you can afford. Really. Have you heard about Ubuntu? It's Open Source! (Cue sounds of angels singing.) People tell me it's really nice. And I hate Leopard.
Despite all of these being true statements, this technique does not work as well as I would like. I think I need to take a presentation skills class.
OpenID is similar in that it's a safe neighborhood because people like me don't go there. Once enough people like me start going there, it's not going to be secure. I am reminded of comments by each of Groucho Marx and Yogi Berra.
I am happy to help keep OpenID secure by not using it. I've already written about what I think is better.
What I find amusing about Cameron's epiphany is his solution for the problem. He thinks that OpenID should become part of InfoCardSpace, and thus shipped with Windows.
There's a joke that begs to be made here, oh, how it begs. It is rim-shot worthy, so I'll not make it. I'll merely point out that if you want to get CardSpace, you have to get Vista. Ba-dum-dump.
I am again using the photo "Trunk 'n Branches" by slightly-less-random because it is the only image in Flickr that comes back from the search of "cardspace phishing" and one of two for "openid phishing".
Bookmark this post:
I've always been concerned about biometric systems for payment. I don't want my fingerprint to be able to access my bank account: I leave fingerprints all over the place. I'm glad to see that biometrics pioneer Pay-By-Touch is shifting focus:
Pay By Touch, which has made a major push in POS biometric payments, is backing off that business, according to a report in the current issue of The Nilson Report, a major payments newsletter.Tip of the hat to StoreFrontBackTalk, "Pay By Touch Giving Up On Biometric POS?"
A quick clarification: "POS" is industry-speak for "Point of Sale," not "Piece of Shit." We apologize for any confusion.
[Update: Evan now relays the news that "Pay By Touch (is) In Bankruptcy Proceeding(s)."
Photo: Escaped Monkey's password, posted to Flickr.
Bookmark this post:
Bob Blakely:My oracle most assuredly does not belong to me. It's a commercial enterprise. It differs from choicepoint in that it has contracts with its data subjects which require it to protect their privacy and other interests.
Adam:So the Oracle is making money on both sides of the deal? From me and from an employer?
Bob Blakely:The oracle is making money by providing a service to the individual. Like broadcast TV, Google, or a real estate buyer's agent, it doesn't necessarily have to charge the individual for that service; the cost could be borne by the relying parties.
Adam:If the Oracle doesn't charge me, do we have a meeting of the mind and an exchange of value? As I'm sure you know, those are the core elements of a contract.
On a related note, what's to prevent a rogue oracle organization? I think that there's both value in me paying, and all sorts of risks, such as oracle capture by customers or the moral issues of me having to pay to get data about me validated.
Bob Blakely: The oracle might make money on you but more likely is charging your transaction partners, in the same way that your real estate buyer's agent gets paid by the seller. But unlike today's identity providers, it has obligations to you.
You could ask the same question about the relationship between you and a pro-bono lawyer, or a realtor (if you're buying a house), or any one of a number of other professionals and businesses who work on your behalf but charge others for the privilege. American Express works this way - you pay a (small) yearly fee, but most of their money comes from charging retailers.
What prevents a rogue oracle organization is lawsuits (based on contract law) and the inability to continue in business due to bad publicity.
The difference between an oracle and other identity providers is that the other providers don't offer you the contract which would let you take action against them; instead you have to rely on someone like the FTC taking action on your behalf, without the possibility of personal recovery for loss.
Bookmark this post:
Adam: But applying for a job is exactly what you describe, "organizations
with whom you don't have a lot of history and interaction." For an
awful lot of people, they apply for jobs broadly. One cashiership is
as good as another.
And there are a lot of places where I'd like to protect my privacy.
The Red Cross requires your SSN if you want to volunteer. The DMV
wants it. Dave Birch talks about brands and reputation in a comment,
and I think that there are a lot of places where The Presentation of
Self in Everyday Life really comes into play, and you want to present
one front or another.
How could we extend LLPersonas to reduce the demand in these other
situations?
Bob Blakely: think an Identity Oracle - not an LLP - is what's desired when applying for a job. It would work like this:
I apply for the job. The employer alerts me that background investigation will be required. I direct the employer to my Identity Oracle.
The employer says to the Oracle "For this job I require a US citizen with no felony arrests, no felony or misdemeanor convictions, a valid motor vehicle operator's license, and a good driving safety record. Is this applicant eligible for the position?"
The Oracle then uses its information (and perhaps supplementary information it develops through investigation; this information will be protected under my existing personal information protection contract with the Oracle) to answer the question.
[At which point I jump in by assuming RCSL is primarily about reputation. Bzzzt!]
Chris: What work have you done regarding the Relational Continuity Sockets Layer?
There has been a ton of work done regarding reputation management among
autonomous agents, protocols for distributed reputation systems, etc. Can
you provide an example of the RCSL in action that shows its distinctive
properties, and why they are important/useful?
Bob Blakely: [I]t's important to say that RCSL isn't really a reputation management system. It's a way to build relationships which are scoped in time and also in committment of resources. A useful analogy here is that of a card game; at each round one antes a set of resource to qualify for the round, and one obeys certain rules for the hand. In an analogous way the RCSL enables creation of predefined relationships which have both rules (for what can & can't be done in the relationship) and roles (for which participant can do what at any particular time; compare this with a game like Bridge where the roles for the players differ).
The notion here is to design the resource committment rules, rules of play, and roles to limit risk of all types to the various parties.
The game may require reputation as a condition of entry, and it may change reputation as an effect of the outcome, but in this respect reputation is simply another resource - and is not the only kind of commodity which could be used.
[Stay tuned for more on RCSL in the next post from our interview with Bob and Mike]
Bookmark this post:
At the same time, there seem to be real limits to doing this under today's law. I don't think the Gap would be ok running a background check on AdamCorp 4735, a Nevada LLP. And as I'm sure you remember, a yet-anonymous contractor to the Gap lost data on 800,000 job applicants. (Infoworld via PogowasRight.)
Bob Blakely: These are very good questions. The difficulty with just getting a PO box and a secured credit card today is that if someone steals the credit card number and runs a bunch of charges up in some foreign jurisdiction where validation procedures aren't very good, you may get a ding on your personal credit record, which you then have to clean up even if you don't end up getting stuck with the charges. If you get the credit card in the name of the LLP, then nothing goes on your record. If the situation gets really ugly, you can simply forfeit the money backing the card, close the LLP, and walk away - with no damage to your personal reputation that needs to be cleaned up. This severability is the real advantage of incorporation. If you set up an LLC through the Company Corporation, you can even get $50,000 worth of insurance against legal fees in case someone tries to stick you with personal liability for the LLC's actions.
The Gap wouldn't run a background check unless you applied for a job. I don't think that LLPs will apply for jobs; I do think that they'll be used in a lot of transactions with intermittent or remote transactional partners, to buffer risks associated with people and organizations with whom you don't have a lot of history and interaction.
Mike Neuenschwander: I think an LLP could even work for employment-in fact, it already happens with LLCs. That doesn't mean the person has to be anonymous. But we need a system that helps build reputations of these entities, so the owners take pride in ownership.
Bookmark this post:
Does this work under the law today? Could I just set myself up with a Delaware LLPartnership of one and go?
I'm going to use LLPartnership & LLPersona rather than writing "limited liability" each time.
I also offered Mike and Bob the ability to go 'off the record.'
Bob Blakely: There are probably some open questions here; we're not lawyers so you should ask one. However, the intention of using an LLC as an LLP (persona, not partnership) is that you can endow it with a set of resources ( e.g. a secured credit card backed by a specific amount of money in an account opened for the LLP) which are thus not connected to your personal resources, give it its own name, give it its own address, and then use it (as the controlling director) to do business in a way which does not require you to reveal personal information and which does not attach your personal assets to transactions (and hence shelters your resources from the affairs of the LLP).
I definitely do not want Burton Group or us personally to be off the record on this; we are the inventors of this concept and we want it to be adopted and credited to us.
We also want to encourage related developments such as the Relational Continuity Sockets Layer (which provides a meeting place for LLPs who can interact according to a specified set of rules and generate public outcomes fortheir transactions), and the Identity Oracle, which is kind of a clearinghouse for creating LLPs and managing the relationship between LLPs and personal information about individuals (you'd go to an Identity Oracle, perhaps let it set up your LLP, and then tell it your personal information and give it specific instructions about how to act as your agent with respect to that information, with the intention that it should use the information in your interest to answer questions, but not divulge the information itself). All of these things are our inventions and we want to be publicly associated with them.
You read more about the identity oracle and the relational continuity sockets layer.
Bookmark this post:
Adam: So why don't we start out with what's the problem you're trying to solve, and what's the way you'd like to solve it?
Mike: Great question. It's difficult for me to be succinct on this, so bear with me:
The problem that LLP addresses is an underlying problem that's evidenced by a wide range of social issues. These problems are so common, they're front page news items familiar to even to people who don't own computers. These issues include:
So for the last few years, I've looked for scenarios in which parties cooperate in difficult but non-coercive contexts. Social science and evolutionary biology have a lot to say about this topic (through studies in collaborative action theory, social dilemmas, and social emotions). From my understanding of these sciences, symmetry among participants is essential to collaborative outcomes. So, it doesn't really matter how good the identity metasystem is or how benevolent its owner is-without symmetry in the relation it represents, it will produce exploitive results. As a society, we have to insist on symmetry. But in business-to-person relations there's currently no symmetry at all-particularly in the legal context. LLP is meant to help natural persons have access to the same legal treatment as corporations. It turns business-to-person relations in to B2B relations.
Adam again: I'm hoping that this interview involves some emergent chaos, from my co-bloggers and from the audience. We've already asked questions, but please, offer up your thoughts and comments.
Finally, you can read more on the Burton blog.
Bookmark this post:
Kim Cameron has a very interesting article on the distinction between accounts and credentials, "Grab them eyeballs! Any cred at all!:"
s this logical? It all escapes me. Suppose I start to log in to Dare’s blog using an AOL OpenID. Does that make money for AOL? No. I don’t have to give AOL two eyeball seconds.Me, I find the trend to refer to customers as "eyeballs" bizzare and twisted. You don't want my eyeballs, you want my business.What would make $$$ for AOL? To get my pretty eyeballs over there PDQ. What’s the best way to make that happen? Make it easy! Acquire new eyeballs! Acquire new eyeballs! Acquire new eyeballs! From anywhere and everywhere!
This is the case even if you think you're in advertising. The goal of advertising (eventually) has to be to drive business. Treating me like an eyeball isn't aligned with that.
Bookmark this post:
John Mackey took a different approach. He didn't blog, but engaged in conversation on a message board about his company.
I think it's a good thing to be able to hear from CEOs shedding their spin, from journalists freed of their need for access, and everyone else who wants to put forth their own words to stand or disappear on their own strength.
Fake Steve is a little less interesting since the unveiling. The posts about immortality were a nice touch, but, I thought, over-wrought.
Bookmark this post:
Ben Laurie has shown time and again that OpenID is Phishing Heaven. It's also a huge boon for anyone who wants to start tracking on the web. I firmly agree that if you want to steal from people or invade their privacy, OpenID is for you.
I also know that there are people I respect who disagree with this harsh opinion. I believe that the ultimate decider of who is right on this is depends on whether an effective OpenID exploit gets created, either in vitro or in vivo, and how well the OpenID people can fix it. My money is on the exploiters, but that's what makes horse races fun, as Twain put it.
At Black Hat last week, Eugene and Vlad Tsyrklevich gave a talk on OpenID security, and I just nodded as they outlined mechanism after mechanism to show how OpenID can be hijacked, MiTMed, spoofed and so on. They had short examples to show the HTML for how to do all the things that Laurie has described in words.
But then they summed up with saying that they like OpenID, they think it's kinda cool, and despite its flaws, it gives people a single sign on system that is good for -- I don't know, giving criminals a way to ruin your reputation on LiveJournal, eBay, and your employer all at the same time. I can't adequately relate it, because I just blinked a lot.
There's an old joke that exists only as a punch line: "But other than that, Mrs Lincoln, how was the play?" It's as if they summed up their presentation with, "Well, Booth's bit of performance art was over-dramatic with all that shouting Latin, but the characterization of the American Cousin was quite touching, and I thought the acting up to Ford's usual high standards."
I went up to talk to the speakers, hoping I could be more eloquent than "WTF?!" As I waited, I heard someone say that he just didn't get it at all, because he's been using the username/password saving and forms-filling in Firefox. He said that he likes it because now he picks web site names and passwords by just running his hand over the keyboard randomly. He added something like, "I know all of the problems with what I'm doing, but at least they are all on my machine." Inevitably, several people pointed out that the Mac has had that for years.
There then seemed to be a murmured assent that handing the problem locally may be a better solution.
I'm fascinated by the possibility that identity management might be headed the way of "push." I also wonder that while making fun of Microsoft cloning things is a sport rivaled only by grousing about Apple's disdain for battery compartments, this would be a case where it's called for. Out with InfoCardSpace, in with KeyChain.
Photo "Trunk 'n Branches" by slightly-less-random.
Bookmark this post:
This is utterly fascinating if you have any interest at all in online identity, but haven't had the time to compare systems.
I'd try to contribute, but I've been in the midst of a large project at work.
Archival links:
Bookmark this post:
On Dave Farber's list, Brock Meeks pointed us to a delightful Facebook Smackdown. Brock says,
What do Facebook, the CIA and your magazine subscription list have in common? Maybe more than you think...http://www.albumoftheday.com/facebook/
Trust me, it's worth the look.
And indeed it is worth looking at, along with Patrick Schitt's contribution of the background documentation.
I found the "smackdown" a refreshing antidote to much recent discussion about young adults and their attitudes about privacy. Perhaps some of it is hyperbolic; anyone associated with the Internet back in the days when it was the Arpanet has similar ties. But let's look at the larger issue.
Over the last year or so, there's been a theme going around the media about how kids today are much more comfortable with personal information out on the net. There have been dramatic news stories about it and I have had the privilege of seeing a few panels at universities about that subject amused by the walking oxymorons -- well-known privacy activists -- who participate.
The continued democratization of personal information is not an unalloyed desirable thing, but it also a fact of life. At lunch yesterday, I snorted something about how if you can't find the home address of anyone sitting at the table in less than five minutes, then your search-fu needs brushing up.
Many of those stories and discussions have had as an implicit or explicit theme that old people (those who got their first email address during, not after, the dot-com boom) can learn something from these young adults. However, young adults are well-known for risk-taking behavior. They get drunk, drive fast, take drugs, sleep around, put their hearing at risk, and do many other things that older people do not do (or don't do anymore). The mainstream media has credulously swallowed the notion that not caring about privacy is youthful wisdom rather than youthful indiscretion.
Many young adults wake up one morning with a pounding headache, fuzz on their tongue, a wretched feeling in the gut that they'll learn one day is acid reflux, the distressing feeling that they are not comfortable with the place nor manner in which they woke up, and the feeling that they may have done some things that it's perhaps better that they don't know they did. Over time, this leads to behavior modification.
When one is suffering from a hangover, one often says intemperate or hyperbolic things about that which got one in that state. Even if the Facebook Smackdown contains hyperbole, I view it as a Netizen Hangover.
Facebook has a privacy and information use policy that is skewed slightly to Facebook over its users. In a normal state of mind, one might respond to this with, "yeah, whatever" particularly if one is of an age that "yeah, whatever" is part of one's active vocabulary. If one has the unpleasant feeling that one has made a fool of oneself in public, the response might be, "ZOMGWTFPWNED!" Facebook also has investment connections that could get either the two previous responses.
This hangover plots some points and draws lines between them. During a hangover, one might forget that just because one can draw a line between two points, one isn't obligated to draw a line between them. Furthermore, when one does those little connect-the-dots puzzles, order is important; that's why they put numbers by the points.
As one holds one's coffee with both trembling hands while tending that hangover -- Facebook can do pretty much anything they want with all the information in it, and there are few degrees of separation between Facebook and the parts of the government that want to find bad guys through data mining, the thought that Facebook might get you on the no-fly-list doesn't sound unreasonable. It's easy to wonder between sips if one's internship will be in Gitmo. Are they mining Facebook to look for bad guys? Probably not. Could they? Sure.
Nonetheless, there are many lessons one learns as one gets older. Every generation learns something new that they have to carefully explain to their kids ("I'm not ashamed of what I did, but really, I recommend thinking twice or three times before doing what I did.") A cavalier attitude to privacy may end up on that list sooner than we think.
Bookmark this post:
Our white paper discusses all of the features of the U-Prove SDK without going into technical detail. The basic features are: transient ID Tokens; long-lived ID Tokens; protection against forgery, modification, eavesdropping, and phishing; universally unique token identifiers; encoding of token attribute information; user-authenticated presentation transcripts; digital signing with ID Tokens; and, user-driven and verifier-driven revocation. The advanced features include: untraceability; unlinkability; hiding attribute information from verifiers; removing attribute information from presentation transcripts; hiding attribute information from issuers; protecting against transferring and discarding of ID Tokens (software-only); issuer-driven revocation; limiting reuse of ID Tokens; and a range of device-based security measures that can protect against any imaginable unauthorized actions with ID Tokens (without contravening their privacy properties). The white paper also explains how to use the U-Prove SDK to protect identity-related assertions in frameworks such as SAML, Liberty ID-WSF, and Windows CardSpace.
Bookmark this post:
Or so "Shipcompliant" would have us believe, with a blog post entitled "Free the Grapes! Updates Wine Industry Code for Direct Shipping Practices."
The new addition to the Code is step 4, which specifies that wineries should verify the age of the purchaser of the wine at the time of transaction for all off-site transactions (Internet, phone, mail, fax, etc.). This can be done either by obtaining a photocopy of the purchaser’s drivers license or by using an approved online age verification vendor such as ChoicePoint or IDology.So to protect themselves from liability, wine merchants who sign up for this code will be putting their customers at risk. Of course, the code already says:
Free the Grapes! encourages licensees to contract only with shippers who check the identification of recipients at the time of delivery to ensure that the recipient is 21 years of age or older.So there's no reason to add this step. The very next step ensures that wine won't get into the hands of our corruptable youth.
This is two steps backwards: We're creating more work for the wineries and wine sellers, exposing their customers to increased risk of privacy violations, and all to cover a risk that's already covered.
Free the grapes? How about free the people from this nonsense?
Photo: "A sculpture commemorating the wine press and its importance to California history in Golden Gate Park near the De Young Museum of Fine Arts (6)" by mharrsch.
Bookmark this post:
So DHS finally released the proposed new standard for drivers licenses as mandated under the Real ID Act. It's a rather long document (over 150 pages) so I haven't had a chance to read the whole thing but 27B Stroke 6 has some highlights, including:
While some expected Homeland Security to require the licenses to have smart cards or RFID chips, DHS instead proposes a 2D bar code (magnetic stripe) similiar to those used on many licenses. That information will not be encrypted.
The FAQ (also linked to by 27 B Stroke 6) goes into more depth about both of the above facts, saying:
The regulations propose the use of the 2-D barcode already used by 46 jurisdictions (45 States and the District of Columbia). DHS leans towards encrypting the data on the barcode as a privacy protection and requests comments on how to proceed given operational considerations.
I can't begin to describe how happy I am to hear that RFID is not part of the proposed new standard. It is delightful to see that our objections have been heard and that we will be protected from proximity based attacks. I'm sure it doesn't hurt that 45 of the states and Washington DC already use 2D barcodes, thus making that portion of the standards much more palatable and reducing the costs in that realm.
Bookmark this post:
So there was a bunch of press last week from a company (Javelin) claiming that ID theft was falling. Consumer Affairs has a long article contrasting Javelin and FTC numbers, well summarized by the claim that "FTC Findings Undercut Industry Claims that Identity Theft Is Declining."
I think that there's an interesting possibility which isn't getting enough analysis, and that is that the probability of knowing how you were impersonated is conditional on knowing the impersonator.
Let's start with some numbers:
It might well be possible to test these hypotheses.
(Consumer affairs link via Pogo Was Right. Photo by DJ Wudi)
Bookmark this post:
