
All Roads Lead To Rome

So Sarah Palin’s webmail was hacked recently, ostensibly through a “forgot my password” attack. Venturebeat‘s Dean Takahashi remembered that I’d recently been warning about these systems at Black Hat, and solicited my opinion. Here’s what I had to say.

My observation then was that the unifying theme of the bugs of 2008 has been a complete failure to authenticate.

I have to admit, I’m a little surprised to see the theme infecting the election. But, there it is. Webmail providers have a particularly tricky problem with “Forgot My Password” links: They can’t presume you have some mail address to send a password or a reset link to, because they *are* your mail address. With nothing else to go on, they end up trying personal entropy — secrets like when you were born, where you went to school, etc.

In an increasingly less private society, “secrets” like your birthday are easier and easier to acquire from just normal people — let alone massively visible Vice Presidential nominees like Sarah Palin. So personal entropy is now struggling even more as a mechanism to authenticate.

People have suggested — why not use the telephone system? Everyone has SMS (text messaging). From one perspective, this is completely true. From another, in this increasingly less private society, a decent number of people are specifically averse to having to permanently identify themselves to websites. (Skip a few chapters, and you can watch SMS spam explode as every website collects those numbers ‘in case you forget your password’.) And so we end up at OpenID and its ilk, which attempt to solve the problem of password forgetting by having all sites (effectively) share the same password, or at least authentication technology (since you might use a key fob to log into your OpenID provider). This has some downsides, but isn’t necessarily bad.
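The two paragraphs above make a quantitative point that is easy to see in code: a reset “secret” drawn from a birthday or a school name has only a handful of bits of uncertainty, while a reset link built on a random token has well over a hundred. The following is an added example, not code from the original post: it estimates the guess space of a few typical reset questions (the figures are constructed illustrations, not measurements) and then implements the alternative a webmail provider can use, a reset token that is random, stored only as a hash, single-use, time-limited and attempt-limited. The class and constant names are hypothetical.

```python
"""Added example (not from the original post): why 'personal entropy' reset
questions are weak, and what a reset flow built on a random, hashed,
expiring token looks like instead. Names, thresholds and the guess-space
figures below are constructed for illustration."""
import hashlib
import hmac
import math
import secrets
import time

# Constructed guess-space estimates for common "forgot my password" questions:
# roughly how many plausible answers an attacker would have to try.
QUESTION_GUESS_SPACE = {
    "birth date (year known to within 80 years)": 366 * 80,
    "US zip code where you met your spouse": 42_000,
    "high school attended": 25_000,
    "mother's maiden name (common surnames)": 10_000,
    "first pet's name (common pet names)": 1_000,
}


def answer_entropy_bits(guess_space: int) -> float:
    """Bits of uncertainty if the answer were uniform over guess_space options.
    Real answers are far from uniform, so this is an optimistic upper bound."""
    return math.log2(guess_space)


def entropy_table() -> dict:
    """Question -> rounded bits of entropy, for comparison with a random token."""
    return {q: round(answer_entropy_bits(n), 1) for q, n in QUESTION_GUESS_SPACE.items()}


TOKEN_BYTES = 16          # 128 bits drawn from the OS CSPRNG (vs. ~15 bits for a birthday)
TOKEN_TTL_SECONDS = 900   # a reset link that stops working after 15 minutes
MAX_ATTEMPTS = 5          # invalidate the reset after repeated bad tokens


class ResetTokenStore:
    """Server side of a reset flow. Only a hash of the token is stored, so a
    leaked database does not hand out working reset links. The clock is
    injectable so expiry can be tested without sleeping."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}   # account -> [token_hash, expiry, failed_attempts]

    def issue(self, account: str) -> str:
        token = secrets.token_urlsafe(TOKEN_BYTES)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._pending[account] = [digest, self._clock() + TOKEN_TTL_SECONDS, 0]
        return token   # delivered to the user out of band; never logged or stored

    def redeem(self, account: str, presented: str) -> bool:
        entry = self._pending.get(account)
        if entry is None:
            return False
        digest, expiry, attempts = entry
        if self._clock() > expiry or attempts >= MAX_ATTEMPTS:
            self._pending.pop(account, None)   # stale or brute-forced: discard
            return False
        presented_digest = hashlib.sha256(presented.encode()).hexdigest()
        if not hmac.compare_digest(digest, presented_digest):
            entry[2] += 1                      # count the failure, keep the token
            return False
        self._pending.pop(account)             # single use: a redeemed token is gone
        return True


if __name__ == "__main__":
    for question, bits in entropy_table().items():
        print(f"{bits:5.1f} bits  {question}")
    print(f"{TOKEN_BYTES * 8:5d} bits  random reset token")
```

The entropy table is the argument of the post in numbers: even a generous estimate leaves every question under 16 bits, and an attacker who already knows the target (a public figure, say) needs far fewer guesses than that. The token store shows what replaces the question: the secret is never a fact about the user, so there is nothing to look up, and the expiry, single use and attempt cap bound what a leaked or guessed link is worth.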

One quirky thing, given the election, is how electronic voting and the latest Forgot My Password hack play into one another. People want to vote, but they want their vote to be secret, but they want to be able to detect fraud, which normally requires validating the voter to their vote. People also want to log into their websites, but they want their real identity to be obscured, but they want to still be able to get in if they forget their password, which normally requires validating the real identity to the account. We can say this is ridiculous all day, but there are many people who won’t vote if their ballot isn’t perceived as secret, and there are many people who won’t use the web if their personal identity isn’t perceived as secret.

Notice how the big new feature in all the new browsers is secret (read: porn) browsing. Funky times we live in, eh?

Thinking about it some more, it’s actually impressive, bordering on spooky, how the Sarah Palin hack plays into all sorts of issues surrounding IT. It’s not just the woeful state of authentication, or the quiet but deep desire for [a|A]nonymous connectivity to the Net that enabled the hack in the first place.

No, what’s interesting me now is how everyone’s so very surprised that Palin would use a personal email account for official purposes. Not that I’m defending these actions — the political side of me is a staunch supporter of transparency, as you can’t manage what you can’t measure and if you can’t measure your government you’re pretty much hosed — but from a purely technical standpoint, McCain didn’t invent the Blackberry, but Palin sure didn’t invent using Yahoo at work.

In fact, it’s part of a larger trend, one worthy of analysis.

IT departments are always in a bind. They’re responsible for anything that goes wrong on the network, but every restriction, every alteration they make in people’s day-to-day business, carries with it a risk that users will abandon the corporate network entirely, going “off-grid” in search of a more open and more useful operating environment. You might scoff, and think people would get fired for this stuff, but you know what people really get fired for? Missing their numbers. In the age of Slammer, I remember an IT department that found out about an entire division that had gone near-off-grid, with their own PCs and own Internet connectivity. (The division didn’t patch, and flooded the rest of Corpnet with the one remaining internal link.)

But it’s not the age of Slammer anymore. It’s never been easier to get away with going off-grid. Widespread availability of WiMax and 3G networks means there’s an alternate, unmonitored high speed network available at every desk. And what’s available out there? The Cloud.

The Cloud is fascinating. Based on the very real perception that it’s easier to write and maintain software for one tightly controlled server farm rather than millions of servers or even thousands of appliances, The Cloud offers some of the best new functionality we’ve seen in years, at the cost of the wholesale export of internal company data to the Internet.

Some companies embrace this. Others don’t, but like all productive technologies (anyone remember the early days of Linux?), the tech comes in quietly, and holds up well after being discovered simply by showing profitability.

Now, is it safe? On the one hand, you’re exporting data outside the perimeter. The whole point was to avoid doing that. On the other, take a look at what’s out there. 37Signals’ BaseCamp is becoming the way to manage clients and projects with a shared environment that tracks conversations, revisions, and schedules. All of these are elements that, by their very design, cross the perimeter. Salesforce.Com practically is the way entire sales fleets manage their customer base. And then there’s what Crystal showed me people do with Google docs:

  1. Put a spreadsheet on Google docs.
  2. Tell everyone who’s supposed to contribute to the spreadsheet, to contribute to the version on Google Docs themselves.
  3. Profit.

There are certainly ways to play this game in the traditional IT way. But, you know, distributed locking is one of the grand problems of computer science, even without introducing federation of trust across company lines. Centralized locking? Why, just head over to Google Docs…

And don’t think it’ll stop at the “few” instances where somebody outside the company needs to participate in a shared document. One must recognize that any large corporation is a collection of perimeters: Team, Department, Building, Division, and sometimes, Shared Nameholder (Verizon and Verizon Business are not the same company). Borders are fuzzy, and it’s the everyday worker’s responsibility to navigate these borders as quickly and efficiently as possible.

Is the Cloud more efficient? It’s where the most intensive software development efforts are going right now. It may very well be. But is it secure? Is it safe? Are the (not insignificant!) efforts of Google, and Yahoo, and 37Signals, and Salesforce.Com enough? That’s the sixty four thousand dollar question…and right there, in the middle of us asking…

…in walks Sarah Palin, exposing gov.sarah@yahoo.com to the world.

Just like everyone else would.

Categories: Security
  1. nomersuid
    September 27, 2008 at 1:18 pm

    I don’t know why people get all worked up about nothing. There’s a very simple and secure solution. Whenever I create a new e-mail address, I take the question: “what’s the name of your dog”, for instance, but I have no dog. So, what’s the answer? A very peculiar name that nobody could find by accident, mixing letters and numbers, like “astero2569id”. And if I need to remember this answer, I’ll write it on a piece of paper, but only a part of it: the letters, but not the numbers (which are: my phone number or my license plate, or anything I won’t forget). If someone finds this paper, he will never know what it is for; and if he knows what it is for, he’ll never know it needs numbers, too; and if he knows it needs numbers, he’ll never know which numbers; and even if he knows all that, he’ll never know where to put the numbers (before the letters? after? in the middle?).
    The only flaw in the “forgot my password” question is the lack of imagination. 😉

  2. J.F.
    October 1, 2008 at 7:58 am

    Heck, why not just name your “dog” the SAME as your password? …

  3. Robert Carnegie
    October 1, 2008 at 8:01 am

    The trouble with hiding your password is remembering where and how you hid it…

    But as you point out, your webmail is your e-mail: but then, if you don’t have a mental disease, how do you forget the password that you use frequently? Why, by setting it in your pc so that you don’t need to type it in – either as a cookie or in a password store. But then anyone sitting at your computer gets into your webmail – unless your -desktop- security is adequate. (I was going to say excellent. But…)

    As for conducting government business through unaudited e-mail, I suppose it’s surprising that it happened to be Yahoo and not someone ultra-secret and cryptic and secure like Hushmail (is it that?); that she couldn’t get someone to invite her onto GMail; and if the accounts -weren’t- for the State Governor and not the hockey mom, then why is there “gov” in the gov.palin and gov.sarah account names? I wouldn’t put -my- job title in a personal e-mail address.

    Maybe she just wants to go in Yahoo chat groups, like in that [West Wing] episode where government spokeslady C J Cregg ends up screaming at Josh Lyman for… going off-grid, I guess. And she assigns an intern to monitor his web use in future.

  4. SV
    October 4, 2008 at 9:33 am

    “People have suggested — why not use the telephone system? Everyone has SMS (text messaging).”

    Not everyone has SMS. I don’t, my family doesn’t, and some of my friends don’t, either.

  5. Dan W.
    October 4, 2008 at 8:25 pm

    No, cell phones are certainly not secure or safe. A wired land line phone with filters is fairly safe and secure, but again not truly safe. I would just keep my email passwords random and safe in my brain, and if I have to remember them then I would just need a place to keep them, so why not just keep them in a safe in your home or a bank with some other valuables? It also is a good idea to change them from time to time. I am actually somewhat opposed to keeping confidential information on-line or on a computer if it is connected to the Internet, because you have to treat information on a computer as a gateway that someone with enough skills can break in through. But unlike someone breaking into your home, they don’t have to be there or even hire others to break into your home for them; they can just do it remotely and be done with it and steal all your information, and then you have to deal with identity theft. As for the forgotten password link, I just use a long bunch of random letters, numbers and characters, because I see that as too easy a way to break into email. The problem is that too many companies and individuals are too relaxed on not having enough safeguards on information, and that is why we are having many of the problems that we have today. Finally, companies tying programs as one are really annoying, like Microsoft tying Internet Explorer into Windows back in 1998 and Apple now tying Quick-time in with I-tunes. I would much prefer to have every program separate, and if I don’t want Quick-time I could just remove it and use I-tunes only.

  6. Paul 'Paully Marbles' Theodoropoulos
    October 5, 2008 at 9:34 pm

    ‘widespread availability of WiMax’? eh?

  7. Robert Carnegie
    October 22, 2008 at 7:50 am

    At least one of the “carry a device that generates one-time passwords in your pocket” devices, such as for banking – Digipass – comes in a virtual version that, uh, messages the code to you. I was curious about disability access with this kind of system, and it seems to me that this particular facility allows you to choose any accessible messaging device and service(?) to receive your code. But then apparently you’re dependent on the privacy of the messaging service. I guess they know what they’re doing, and if not then they’ll get what they deserve.
