All Roads Lead To Rome
So Sarah Palin’s webmail was hacked recently, ostensibly through a “forgot my password” attack. Venturebeat‘s Dean Takahashi remembered that I’d recently been warning about these systems at Black Hat, and solicited my opinion. Here’s what I had to say.
My observation then was that the unifying theme of the bugs of 2008 has been a complete failure to authenticate.
I have to admit, I’m a little surprised to see the theme infecting the election. But, there it is. Webmail providers have a particularly tricky problem with “Forgot My Password” links: They can’t presume you have some mail address to send a password or a reset link to, because they *are* your mail address. With nothing else they can go on, they end up trying personal entropy — secrets like when you were born, where you went to school, etc.
In an increasingly less private society, “secrets” like your birthday are easier and easier to acquire from just normal people — let alone massively visible Vice Presidential nominees like Sarah Palin. So personal entropy is now struggling even more as a mechanism to authenticate.
People have suggested — why not use the telephone system? Everyone has SMS (text messaging). From one perspective, this is completely true. From another, in this increasingly less private society, a decent number of people are specifically averse to having to permanently identify themselves to websites. (Skip a few chapters, and you can watch SMS spam explode as every website collects those numbers ‘in case you forget your password’.) And so we end up at OpenID and its ilk, which attempt to solve the problem of password forgetting by having all sites (effectively) share the same password, or at least authentication technology (since you might use a key fob to log into your OpenID provider). This has some downsides, but isn’t necessarily bad.
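As an added illustration (not code from the original post), the Python sketch below puts a rough number on the “personal entropy” problem described above and shows the alternative a provider can offer once it has some out-of-band channel: a random, single-use, expiring reset token. The per-question entropy figures are constructed estimates, and the token store is a hypothetical design, not any webmail provider’s implementation.

```python
import hmac
import math
import secrets
import time
from hashlib import sha256

# Constructed guess-space estimates (in bits) for typical reset questions.
# A birth date is roughly 365 days x ~80 plausible years; a birth city or
# school name, for anyone with a public biography, comes from a short list.
QUESTION_ENTROPY_BITS = {
    "birth date": math.log2(365 * 80),
    "birth city (from public bio)": math.log2(10),
    "high school (from public bio)": math.log2(5),
}

def personal_entropy_bits(questions):
    """Total bits an attacker must guess if every listed question is asked."""
    return sum(QUESTION_ENTROPY_BITS[q] for q in questions)

class ResetTokenStore:
    """Hypothetical hardened alternative: a random, single-use, short-lived
    reset token delivered out of band. Only a hash is stored, so a leaked
    table does not leak usable tokens, and attempts are capped per user."""
    def __init__(self, ttl_seconds=900, max_attempts=5):
        self.ttl = ttl_seconds
        self.max_attempts = max_attempts
        self._pending = {}  # user -> (token_hash, expiry, failed_attempts)

    def issue(self, user, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 random bits, vs ~15 for a birthday
        self._pending[user] = (sha256(token.encode()).digest(), now + self.ttl, 0)
        return token  # caller sends this out of band; it is never stored in clear

    def redeem(self, user, presented, now=None):
        now = time.time() if now is None else now
        entry = self._pending.get(user)
        if entry is None:
            return False
        token_hash, expiry, attempts = entry
        if now > expiry or attempts >= self.max_attempts:
            del self._pending[user]  # expired or locked out: token is void
            return False
        ok = hmac.compare_digest(sha256(presented.encode()).digest(), token_hash)
        if ok:
            del self._pending[user]  # single use
        else:
            self._pending[user] = (token_hash, expiry, attempts + 1)
        return ok
```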
One quirky thing, given the election, is how electronic voting and the latest Forgot My Password hack play into one another. People want to vote, but they want their vote to be secret, but they want to be able to detect fraud, which normally requires validating the voter to their vote. People also want to log into their websites, but they want their real identity to be obscured, but they want to still be able to get in if they forget their password, which normally requires validating the real identity to the account. We can say this is ridiculous all day, but there are many people who won’t vote if their ballot isn’t perceived as secret, and there are many people who won’t use the web if their personal identity isn’t perceived as secret.
Notice how the big new feature in all the new browsers is secret (read: porn) browsing. Funky times we live in, eh?
Thinking about it some more, it’s actually impressive, bordering on spooky, how the Sarah Palin hack plays into all sorts of issues surrounding IT. It’s not just the woeful state of authentication, or the quiet but deep desire for [a|A]nonymous connectivity to the Net that enabled the hack in the first place.
No, what’s interesting me now is how everyone’s so very surprised that Palin would use a personal email account for official purposes. Not that I’m defending these actions — the political side of me is a staunch supporter of transparency, as you can’t manage what you can’t measure and if you can’t measure your government you’re pretty much hosed — but from a purely technical standpoint, McCain didn’t invent the Blackberry, but Palin sure didn’t invent using Yahoo at work.
In fact, it’s part of a larger trend, one worthy of analysis.
IT departments are always in a bind. They’re responsible for anything that goes wrong on the network, but every restriction, every alteration they make in people’s day-to-day business, carries with it a risk that users will abandon the corporate network entirely, going “off-grid” in search of a more open and more useful operating environment. You might scoff, and think people would get fired for this stuff, but you know what people really get fired for? Missing their numbers. In the age of Slammer, I remember an IT department that found out about an entire division that had gone near-off-grid, with their own PCs and own Internet connectivity. (The division didn’t patch, and flooded the rest of Corpnet with the one remaining internal link.)
But it’s not the age of Slammer, anymore. It’s never been easier to get away with going off-grid. Widespread availability of WiMax and 3G networks means there’s an alternate, unmonitored high speed network available at every desk. And what’s available out there? The Cloud.
The Cloud is fascinating. Based on the very real perception that it’s easier to write and maintain software for one tightly controlled server farm rather than millions of servers or even thousands of appliances, The Cloud offers some of the best new functionality we’ve seen in years, at the cost of the wholesale export of internal company data to the Internet.
Some companies embrace this. Others don’t, but like all productive technologies (anyone remember the early days of Linux?), the tech comes in quietly, and holds up well after being discovered simply by showing profitability.
Now, is it safe? On the one hand, you’re exporting data outside the perimeter. The whole point was to avoid doing that. On the other, take a look at what’s out there. 37Signals’ BaseCamp is becoming the way to manage clients and projects with a shared environment that tracks conversations, revisions, and schedules. All of these are elements that, by their very design, cross the perimeter. Salesforce.Com practically is the way entire sales fleets manage their customer base. And then there’s what Crystal showed me people do with Google docs:
- Put a spreadsheet on Google docs.
- Tell everyone who’s supposed to contribute to the spreadsheet to contribute to the version on Google Docs themselves.
There are certainly ways to play this game in the traditional IT way. But, you know, distributed locking is one of the grand problems of computer science, even without introducing federation of trust across company lines. Centralized locking? Why, just head over to Google Docs…
And don’t think it’ll stop at the “few” instances where somebody outside the company needs to participate in a shared document. One must recognize that any large corporation is a collection of perimeters: Team, Department, Building, Division, and sometimes, Shared Nameholder (Verizon and Verizon Business are not the same company). Borders are fuzzy, and it’s the every day worker’s responsibility to navigate these borders as quickly and efficiently as possible.
Is the Cloud more efficient? It’s where the most intensive software development efforts are going right now. It may very well be. But is it secure? Is it safe? Are the (not insignificant!) efforts of Google, and Yahoo, and 37Signals, and Salesforce.Com enough? That’s the sixty-four-thousand-dollar question…and right there, in the middle of us asking…
…in walks Sarah Palin, exposing firstname.lastname@example.org to the world.
Just like everyone else would.