The Turing Wars have begun

On the internet, as they used to say, no-one knows you’re a dog. That’s not, as far as I can tell, too much of a problem at the moment because dogs have quite poor keyboard skills and little interest in most kinds of internet fraud. The real problem, as things have turned out, is that on the internet no-one knows you’re a bot. Now, I see this emergent property of Moore’s Law and Metcalfe’s Law as fascinating and chaotic and there are some environments in which it is jolly amusing as well. Fake social media fans, for example.

Today, he says he manages 10,000 robots for roughly 50 clients, who pay Mr. Vidmar to make them appear more popular and influential.

[From Inside a Twitter Robot Factory – WSJ.com]

Rappers fighting over fake fans is funny but, as is easy to imagine, there are environments (almost all of them as far as I can see) in which there is no humour, only havoc. A very good current example of this is Bitcoin trading.

Bots control/contribute more than 70% of the volume on OKCoin Futures.

[From Further lies at OKCoin, where does it end? : BitcoinMarkets]

There’s no problem with this, as far as I know, and I don’t see why we should stop bots on Bitcoin exchanges when we allow them on Wall Street, especially when they might offer an accelerated evolutionary path by exploring different strategies.

The exchanges are already rife with trading bots; these are shark infested waters. Bots dance around each other in a chaotic swirl. They employ so many diverse strategies. It’s like so many microbes competing in the primordial ooze.

[From High Frequency Trading on the Coinbase Exchange]

Another environment that, unlike Bitcoin, I see as a fantastically useful economic model of the “real” world is World of Warcraft. This is infested with bots. If you want to see this for yourself, take a look at this amusing (but not suitable for work) YouTube clip of a guy playing WoW only to discover that he’s the only human playing. Last month, there was a WoW crackdown that saw more than 100,000 bots kicked out, so I suppose Bitcoin exchanges could have a crackdown and try to kick them out too if they want to, but in the absence of a working identity infrastructure the arms race may already be lost. The WoW bot maker had revised their technology to be undetectable. WoW revised their technology to detect it. And so it goes on.

The Turing Wars, as I call them, are only just beginning. These Turing Wars will not be limited to fun and games, to fintech bloggers battling over influence league tables or investment banks battling over bonds. There are considerable real-world implications as to possession or otherwise of the IS_A_PERSON credential, and without it I can see a likely international cyberwar battleground that will replace WoW battlefields at the epicentre of bot vs. bot evolution, turning the Internet of Things into a wasteland.

In March, two students at the Technion, the Israel Institute of Technology, created a swarm of bots that caused a phony traffic jam on Waze, the navigation software owned by Google… The Waze software, believing that the bots were on the road, started to redirect actual traffic down different streets, even though there was no traffic jam to avoid.

[From Friends, and Influence, for Sale Online – NYTimes.com – NYTimes.com]

When you don’t know who IS_A_PERSON and who IS_A_DOG and who is neither, you cannot interact online in a functional way. We must grasp the nettle, so to speak, and actually do something about this. Who is better placed, right now, to determine whether I am a person or a dog or a bot? Surely it must be my bank and surely this must give my bank a key role in the future? All my bank needs to do is to issue me with some kind of digital passport that I can show to WoW or Waze or Wall Street? Right?

Anywhere, anyone

I’ve been reading Emily Nagle Green’s book “Anywhere”. She’s the CEO of Yankee Group and the book is about global connectivity revolutionising business. I hope she won’t be offended if I say that it’s an “airport book”, but it’s an accurate description, at least for me, because I read it on the plane. There’s something that bothers me about it, though. It has lots of stories and examples and narrative about ways in which business is transformed as it goes online, but it doesn’t have “identity” or “authentication” in the index and says nothing about the identity problems that will need to be solved in order to realise the full potential of connectivity. As I’ve often observed before, using my favourite Kevin Kelly classification, connection isn’t the problem: it’s the disconnection technologies that will shape the medium-term roadmap for transforming new technology into business models: once everything is connected to everything else, the business model shifts to the creation and management of subgroups within that single, giant internet of everything.

Here, things aren’t going so well. By coincidence, the Saturday newspaper that I picked up after putting down Emily’s book had a technology advice column, and there was a letter from a typical consumer in it. I paraphrase:

I have a long list of passwords for home banking, shopping, social networks, magazines and so on. I’ve put them all in a Word document. How can I encrypt it?

This is, in a nutshell, the state of the mass market today. We all have masses of passwords, we’ve been complaining about it since 1994, and nothing much seems to happen, largely (I think) because the costs of our time don’t factor into business models. And yet… we don’t seem to be evolving any better business models and we don’t seem any closer to better identity infrastructure. Should we give up? No! I say we should remember William Samuel Henson.

It is sad that the name of William Samuel Henson is largely unknown today. A man of great vision, he petitioned Parliament for permission to set up an airline — with a business model largely based on post — flying to Egypt, India and China. Parliament turned his proposal down on the grounds that it was 1843 and no-one had invented airplanes yet. Henson knew this, obviously, but could see which way technology was evolving and correctly reasoned that just because he didn’t know how to get an airplane off the ground (he had been involved in numerous experiments around powered flight), that didn’t mean that no-one else would. And when they did, there would be a new business to build on aviation technology. So he started thinking about the businesses that would make sense and, since the post had just been invented in the UK, he looked at how that might work in the future.

This is a parable of our identity space now. We can’t get the technology to work, but we know that someone will, so we’re trying to think of business models (I should be clear in our case: we’re trying to think of business models for our clients) that will make sense when the technology works. But we’re thinking about web browsing and e-mail because these have just been invented and they’re our equivalent of the post service. Maybe we should challenge ourselves harder to look at wider possibilities, start from the perspective of social networking, virtual worlds and Twitter rather than Alice sending her credit card details to Bob.

Facebook is better understood, not as a country, but as a refugee camp for people who feel today’s lack of identity-forging social experience.

[From Facebook: the heart in a heartless world | spiked]

I think many organisations should be focusing on the next phase of evolution of online business, a phase that will be fundamentally shaped by the emerging identity infrastructure. But we must be careful not to take what has just been invented (in this case, say, Facebook) and project it into the future as the key to new business models. We have to think more broadly to develop strategic roadmaps for business that can react to the general trends to exploit the technology downstream. An example? Well, it doesn’t matter which social network we’ll be using in five years’ time, we’ll still need to authenticate ourselves in a more effective way than a Word file full of passwords. It isn’t only me that thinks this.

The president wants consumers to use strong authentication, something more than user name and password, which will most likely add another security factor, say officials familiar with the project.

For example, user name and password is one-factor security, something you know. But additional factors can be added. A token or digital certificate can be a second factor, something you have, resulting in stronger two-factor authentication. If you add a fingerprint or other biometric, something you are, it’s increased to three-factor security.

[From NFCNews | Potential technologies that consumers may use for online ID]

There follows an interesting, but confused, list of options. I’d like to suggest a more straightforward taxonomy, based on a digital identity infrastructure (which doesn’t exist, of course). The article, to my mind, confuses the distinct bindings between the virtual identities that exist in the Net and the real identities that they are connected to. This is why it is useful to introduce the notion of digital identity in the middle. So then we get the two categories of things that might be used to solve the

  • Linking virtual identities to digital identities. The article suggests that digital certificates and PKI might be a good way to do this and I agree. Think of a digital identity as a private-public key pair … tamper-resistance… smart cards, tokens, smart phones.
  • Linking digital identities to real-world entities. The article suggests that passwords will be supplanted by biometrics.

Each of these will be a separate business that operates according to different scale factors (scale in the first case, scope in the second). I don’t know how to make them work, but someone will.

These opinions are my own (I think) and presented solely in my capacity as an interested member of the general public [posted with ecto]

And I’ve got my bronze swimming certificate

When I’m talking about identity, I sometimes joke that our ill-thought out perspectives on the topic have led to the bizarre situation that in the UK it is much easier to get a job with a bank than an account. In The Daily Telegraph for 29th January 2011, I read under the headline “False CV Fooled Bank” that:

A fraudster used a false CV [claiming degrees from Oxford and Harvard] to gain a £165,000 per annum job at a City investment bank.

I assumed that everybody made up stuff on their resumes, but it turns out that it’s against the law, so the culprit, Mr. Peter Gwinnell, was prosecuted and given a suspended sentence (I assume he’ll skip over this on his next CV). We keep being told that employers use Facebook profiles nowadays (I hope they use mine: it says that I am the most intelligent person alive today and that Nelson Mandela queued for my autograph) so perhaps CVs will soon be a thing of the past. Just out of curiosity I googled Mr. Gwinnell and found that as well as his empty LinkedIn profile, the bald fact of his departure is there on the web.

PETER GWINNELL Appointment terminated as director on 15 Feb 2010 (Document)

[From AHLI UNITED BANK (UK) PLC of W1H 6LR in LONDON UNITED KINGDOM]

To be honest, if an employer wanted proof of my A-Level in Mathematics or O-Level in British Constitution or the degree I scraped through with in 1980, I’d be hard pressed to provide it. I don’t have the faintest idea where the relevant certificates are. I suppose I could ring the University and ask them to send me a letter, but how would the employer know I hadn’t forged the letter? And how would Southampton University know that it is me calling? Or, for that matter, how would they know that I hadn’t forged the O-Level in British Constitution certificate?

When I started my first job after university, I don’t remember being asked to provide any such proof. Come to that, I don’t remember being asked to prove who I was either. In those days, all you needed was a national insurance number. But if employers are going to want proof, like the actual certificates, then there will be a bit of a premium on the certificates. Once the certificates are worth something, they will be stolen. This is what happens in China.

Local officials said the files were lost when state workers moved them from the first to the second floor of a government building. But the graduates say they believe officials stole the files and sold them to underachievers seeking new identities and better job prospects — a claim bolstered by a string of similar cases across China.

[From Files Vanished, Young Chinese Lose the Future – NYTimes.com]

How are we going to deal with this digitally? It shouldn’t be that complicated for Harvard to create a digital certificate to attest to the fact that the owner of a particular identity did, in fact, graduate. If there were some sort of device or token, perhaps some form of card, that contained my educational identity (i.e., a key pair) then Harvard could simply sign the public key with their private key and the whole problem is fixed (glossing over, of course, where this device or token might come from, and so on).

Something does have to be done though. The current system is simply a joke. It’s quite funny when someone cons a bank into giving them a senior position despite knowing nothing about banking (imagine!) but one of the areas that really bothers me, and probably should bother you too, is the ease with which medical credentials are forged.

A conman from Lancashire who posed as a vet and nearly killed a pony by botching its castration has been jailed for two years. Russell Oakes also masqueraded as a doctor, carried out an intimate examination and charged for false diagnoses, Liverpool Crown Court heard. The 43-year-old, of Hesketh Bank, admitted 41 charges of fraud, forgery and perverting the course of justice.

[From BBC News – Bogus Lancashire vet jailed after botched castration]

How did he do this? Was he a master forger, capable of producing an authentic-looking medical school diploma using specially-aged paper, his engraving skills and authentic ink procured from the correct German manufacturer? No, of course not: this is a post-modern crime.

He bought a fake university certificate off the internet, the court heard.

[From BBC News – Bogus Lancashire vet jailed after botched castration]

Now imagine an alternative infrastructure. I am asked to prove that I have a degree from Southampton University. I log on to the university using my OpenID id.dave.com and answer some questions, provide some data, to satisfy the university that I am, indeed, the relevant dave. My OpenID profile includes a public key, so the university creates a public key certificate, signing that key and some standard data that they provide. I can now give this certificate to anyone, and they can check it by verifying the signature using the published Southampton University public key, resolving the certificate chain in the usual way.

the BBC suffered another embarrassment today after a man interviewed on Radio 4’s World at One who claimed to be a Liberal Democrat MP was revealed to be an imposter.

[From Radio 4 follows Jeremy Hunt gaffe by interviewing fake MP | Media | guardian.co.uk]

How would the proposed infrastructure help here? The system has to be so easy to use that a harassed BBC researcher can use it. Come to that, it has to be so easy that military installations, the police and others can use it too.

During the period of January to June 2010, undercover investigators utilized fraudulent badges and credentials of the DoD’s military criminal investigative organizations to penetrate the security at: 6 military installations; 2 federal courthouses; and 3 state buildings in the New York and New Jersey area

[From Schneier on Security: The Security Threat of Forged Law-Enforcement Credentials]

Step forward the mobile phone. Every single one of the people who were “verifying” IDs in these stories has a mobile phone, so there’s no need to look any further. The military policeman’s mobile phone should be able to check your ID. And your mobile phone should be able to check his ID. And if you’re both using mobile phones, both IDs can be checked simultaneously. We already know that symmetry is an important property of an identity infrastructure: the bank needs to be able to check it’s me, but I need to be able check it’s the bank. And the mobile phone can do both. So next time Peter shows up for an interview, the interviewer can simply tap Peter’s NFC phone against their NFC phone and see a full list of his credentials.

(Law enforcement has special additional issue though: sometimes, the policeman doesn’t want to reveal that he’s a policeman, but that’s a topic for another day.)

Ageing problem

The simple and prosaic case of age verification has always been a litmus test for digital identity infrastructure and it’s taken on new dimensions because of social networking. We need some clear thinking to see through the fog of moral panic, made worse by the turbocharging impact of the mobile phone, because it is such an individual and personal device. The spectre of legions of perverts luring children via their mobile phones is, indeed, disturbing. If only there were some way to know whether your new social networking friend is actually a child of your age and not an adult masquerading as such.

A mobile phone application which claims to identify adults posing as children is to be released. The team behind Child Defence says the app can analyse language to generate an age profile, identifying potential paedophiles.

[From BBC News – Researchers launch mobile device ‘to spot paedophiles’]

Of course, it ought to work the other way round as well. One of my son’s friends told me that members of his World of Warcraft Guild (all 13- and 14-year olds) enjoy pretending to be “grown ups” online (by pretending to have jobs and wives). But this seems an odd way to move forward, as well as something that will surely be gamed by determined perverts.

Why on Earth can’t we just do this properly, at the infrastructural level? If we had a half-decent digital identity infrastructure, there would be no need for this sort of thing. Look, here’s a simple example of this, in Japan. If you want to use social networks via your mobile phone then it is the operator who verifies your age to the social network service (SNS) provider. Since the operator has the billing relationship, this makes sense.

KDDI announces age verification service for mobile SNS platforms; Gree, Mixi and MobaGa to start at the end of Jan

[From Mobile SNS Age Verification Service by Wireless Watch Japan]

Note that this need have no implications for privacy beyond what the operator already knows from its billing relationship. The operator could require you to come to one of their outlets and prove that you are, say, 18. Then they set a flag for service providers to tell them that you are over 18. It doesn’t tell them your age, or your name or where you are. Just that you are over 18. Note that this system hasn’t been invented for social networking: it is already used to prove age at vending machines (you can’t buy cigarettes or sake or whatever unless your phone says that you are old enough). It ought to be simple enough to do the same thing but using proper technology. Suppose that your Facebook page came with a red border if you have not provided proof of age? Then you could provide that proof of age and have your border changed to blue for under 18 or green for over 18, then make the rule that anyone with a red border is only allowed to connect to people with green borders.
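As an added worked example (this is not code from the original posts, nor anything Consult Hyperion or an operator has shipped), here is a toy version of the scheme these posts keep sketching: an issuer signs a certificate that binds a few claims to the holder’s public key (the university-signed degree from the previous post, the operator-set IS_OVER_18 flag here), a relying party checks it against the issuers’ published keys, and the holder proves possession of the key by signing a fresh nonce, which is the check a phone would do in the tap-to-verify scenario. The issuer names, the claims, “id.dave.com” and the diploma mill are hypothetical; the RSA is textbook (no padding), written inline only so the script has no third-party dependencies, and is not production cryptography.

```python
# Added example, not Consult Hyperion code. Textbook RSA over SHA-256 is
# used for illustration only; a real deployment would use a proper
# certificate format and padded signatures (RSA-PSS, Ed25519, ...).
import copy
import hashlib
import json
import random

RNG = random.Random(2011)  # seeded so the demo is reproducible


def _is_probable_prime(n, rounds=16):
    """Miller-Rabin primality test: probabilistic, fine for a demo."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(RNG.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_keypair(bits=512):
    """Return (public, private) textbook-RSA keys with a ~1024-bit modulus."""
    def prime():
        while True:
            c = RNG.getrandbits(bits) | (1 << (bits - 1)) | 1
            if _is_probable_prime(c):
                return c
    p, q = prime(), prime()
    n, e = p * q, 65537
    return {"n": n, "e": e}, {"n": n, "d": pow(e, -1, (p - 1) * (q - 1))}


def _digest(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(priv, data: bytes) -> int:
    return pow(_digest(data), priv["d"], priv["n"])


def verify(pub, data: bytes, sig: int) -> bool:
    return 0 <= sig < pub["n"] and pow(sig, pub["e"], pub["n"]) == _digest(data)


def canonical(obj) -> bytes:
    """Deterministic encoding so issuer and verifier hash identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def issue(issuer, issuer_priv, subject_pub, claims):
    """The issuer binds claims to the subject's public key and signs the whole body."""
    body = {"issuer": issuer, "subject_key": subject_pub, "claims": claims}
    return {"body": body, "sig": sign(issuer_priv, canonical(body))}


def verify_cert(cert, trust_anchors):
    """Return the claims if the issuer is trusted and the signature checks, else None."""
    body = cert["body"]
    issuer_pub = trust_anchors.get(body["issuer"])
    if issuer_pub is None or not verify(issuer_pub, canonical(body), cert["sig"]):
        return None
    return body["claims"]


def prove_possession(holder_priv, nonce: bytes) -> int:
    """The holder signs the verifier's fresh nonce: a copied certificate alone is useless."""
    return sign(holder_priv, nonce)


def check_possession(cert, nonce: bytes, proof: int) -> bool:
    return verify(cert["body"]["subject_key"], nonce, proof)


def run_demo():
    uni_pub, uni_priv = gen_keypair()        # Southampton University (hypothetical issuer)
    op_pub, op_priv = gen_keypair()          # ExampleMobile, the operator with the billing relationship
    _, mill_priv = gen_keypair()             # diploma mill selling certificates online
    degree_pub, _ = gen_keypair()            # the key in Dave's id.dave.com profile
    age_pub, age_priv = gen_keypair()        # a separate, pseudonymous key for the age flag
    _, thief_priv = gen_keypair()            # someone who has copied Dave's certificate

    # A relying party trusts only these published issuer keys.
    anchors = {"Southampton University": uni_pub, "ExampleMobile": op_pub}

    degree = issue("Southampton University", uni_priv, degree_pub, {"graduate": True, "year": 1980})
    over18 = issue("ExampleMobile", op_priv, age_pub, {"IS_OVER_18": True})
    bought = issue("Acme University", mill_priv, degree_pub, {"graduate": True, "subject": "veterinary medicine"})

    tampered = copy.deepcopy(over18)                       # holder edits the claims after issuance
    tampered["body"]["claims"]["IS_NOT_BANKRUPT"] = True   # signature no longer matches the body

    nonce = RNG.getrandbits(128).to_bytes(16, "big")       # constructed challenge from the verifier
    return {
        "degree_claims": verify_cert(degree, anchors),
        "age_claims": verify_cert(over18, anchors),
        "bought_online_accepted": verify_cert(bought, anchors) is not None,
        "tampered_accepted": verify_cert(tampered, anchors) is not None,
        "holder_proves_possession": check_possession(over18, nonce, prove_possession(age_priv, nonce)),
        "thief_proves_possession": check_possession(over18, nonce, prove_possession(thief_priv, nonce)),
        "age_key_linkable_to_degree_key": age_pub == degree_pub,
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name}: {result}")
```

The demo shows the four properties the posts are after: the certificate “bought off the internet” is rejected because its issuer is not a trust anchor, a claim edited after issuance fails the signature check, someone who merely copies the certificate cannot answer the verifier’s nonce, and because the age flag is issued to a separate key the relying party that sees IS_OVER_18 cannot link it to the degree credential or to a name. Checking the verifier’s own certificate in the other direction is the same two calls with the roles swapped.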

You see what I mean. Have something that is understandable at the user level and implement it using certificates, digital signatures and keys in tamper-resistant storage (in, for example, mobile phones). There would be no need to try and explain to people how PKI actually works (which killed it in the mass consumer market last time), just show them how to log in to things using their phones. There’s a waiting mass market for this sort of thing if you can be clear to consumers that it will protect their privacy and that market is adult services: porn and gambling, primarily, either of which should generate a decent income stream for the successful service provider. Simple. As a complete aside, there’s another connection between the adult world and social networking.

The surprise relationship between social networking and adult-themed sites came last September, when total page visits for social networking sites for the first time eclipsed that of adult sites.

[From BBC NEWS | Technology | Porn putting on its Sunday best]

So the internet isn’t all about porn after all!


Internet driver’s license?

Last year I said that I thought that the US National Strategy for Trusted Identities in Cyberspace (NSTIC) was heading in the right direction. I’m very much in favour of the private sector providing multiple identities into a framework that is used by the public sector and vice versa. I’m in favour of choice: if I choose to use my Barclays identity to access the DVLA or my DWP identity to access O2 it shouldn’t matter to the effective and efficient use of online transactions. There was one area where I felt it could have presented a slightly different vision, and that’s in the use of pseudonyms, which I think should be the norm rather than the exception.

People should consider it normal to get a virtual identity from their bank or their mobile phone operator in a pseudonymous name so that they can browse, transact and comment without revealing anything about themselves other than the facts relevant to a transaction.

[From Digital Identity: USTIC]

James Van Dyke, when discussing NSTIC (which seems to have become known unofficially as “Obama’s Internet Identity System”), warned about

Apocalyptic fear-mongers. Yes I’m ending with the crazies here, but hear me out. The extreme cable networks and televangelists will surely jump on this as the digital incarnation of the Mark of either the Beast or “(gasp!) Obama liberals. Historians will recall that social security numbers were supposed to be an apocalyptic conspiracy.

[From Obama’s Internet Identity System: Could This Change Everything? – Javelin Strategy & Research Blog]

I don’t think the danger is the crazies (although I feel a little sheepish writing this a couple of days after a crazy did, in fact, murder several people and seriously injure a congresswoman) but the journalists, politicians, commentators and observers who don’t really understand the rather complex topic of digital identity. Or, as “Identity Woman” Kaliya Hamlin (who some of you may remember from the first European Internet Identity Workshop that Consult Hyperion sponsored with our friends from Innopay and Mydex back in October) said about NSTIC:

I am optimistic about their efforts and frustrated by the lack of depth and insight displayed in the news cycle with headlines that focus on a few choice phrases to raise hackles about this initiative

[From National! Identity! Cyberspace!: Why we shouldn’t freak out about NSTIC. | Fast Company]

She’s bang on with this. Here’s a couple of typical examples from the blogosphere:

CNET reported on January 7, 2011 that Obama has signed authority over to U.S. Commerce Department to create new privacy laws that require American citizens to hold an Internet ID card.

[From Internet Anonymity: Obama Pushes for an American Internet ID]

And

President Obama has signaled that he will give the United States Commerce Department the authority over a proposed national cybersecurity measure that would involve giving each American a unique online identity

[From Obama administration moves forward with unique internet ID for all Americans, Commerce Department to head system up — Engadget]

As far as I can see, NSTIC being managed by the Commerce Department has nothing to do with “privacy laws” and the idea that it will require Americans to have an “Internet ID” is a journalistic invention. The actual situation is that NSTIC is to go from being an idea to an actual system:

The Obama administration plans to announce today plans for an Internet identity system that will limit fraud and streamline online transactions, leading to a surge in Web commerce, officials said. While the White House has spearheaded development of the framework for secure online identities, the system led by the U.S. Commerce Department will be voluntary and maintained by private companies,

[From Internet Identity System Said Readied by Obama Administration – BusinessWeek]

What this means is not that Americans will get an “Internet Driver’s License” but that they will be able to log in to their bank, the Veteran’s Administration, the DMV and their favourite blogs using a variety of IDs provided by their bank, their mobile phone operators and others.

[White House Cybersecurity Coordinator] Howard Schmidt stressed today that anonymity and pseudonymity will remain possible on the Internet. “I don’t have to get a credential, if I don’t want to,” he said.

[From Obama to hand Commerce Dept. authority over cybersecurity ID | Privacy Inc. – CNET News]

As long as it’s a matter of choice, I really don’t see a problem with this. The idea of NSTIC is that it is the infrastructure that is standardised, and this is good. We need standards for credentials and such like so that I can use my Woking Council ID to log in to central government services and my Barclays Bank ID so that I can log in to do my taxes online: but I might pay Barclays for an additional ID that has some key credentials (IS_A_PERSON, IS_OVER_18, IS_NOT_BANKRUPT, that sort of thing) but does not reveal my identity. This sort of Joe Bloggs (or, for our cousins over the water, John Doe) identity would be more than adequate for the vast majority of web browsing and if other people want to wander the highways and byways of the interweb with a Manchester United, Prince or BBC ID, then it’s up to them. Let a thousand flowers bloom, as they say (well, as Chairman Mao said).

If the crazies want to be concerned about a single ID mark of the e-beast infocalypse, they’re perfectly entitled to, but I don’t understand why they are convinced it will come from the government in general or Obama in particular – there are half-a-billion people out there (including me) who have already handed over their personal information to a single unaccountable entity.

Facebook Login lets any website on the planet use its identity infrastructure—and underlying security safeguards. It’s easy to implement Facebook Login, simply by adding few lines of code to a web server. Once that change is made, the site’s users will see a “Connect with Facebook” button. If they’re already logged into Facebook (having recently visited the site), they can just click on it and they’re in. If they haven’t logged in recently, they are prompted for their Facebook user name and password.

[From Facebook Wants to Supply Your Internet Driver’s License – Technology Review]

Now, at the moment Facebook Connect just uses a password, so it’s no more secure than banks or government agencies, but it could move to a 2FA implementation in the future. Widespread 2FA access to online services really should have become a business for banks or mobile operators already (think how long Identrus has been around) but it just hasn’t happened: I can’t use my Barclays PINSentry to log on to Barclaycard, let alone the government or an insurance company. But suppose my Facebook login required access to my mobile phone so it was much more secure: you know the sort of thing, enter e-mail address, wait for code to arrive on mobile phone, enter code (a proper UICC-based digital signature solution would be much better, but that’s another topic). Then I could use Facebook Connect for serious business. This would have an interesting side-effect: Facebook would know where I go on the web, which seems to me to be much more like the mark of the e-beast.

An interesting side benefit for website operators is that Facebook Login provides the site with users’ real names (in most cases) and optionally a variety of other information, such as the users’ “friends” and “likes.”

[From Facebook Wants to Supply Your Internet Driver’s License – Technology Review]

Which is, of course, why I don’t use it. On the other hand, if Facebook decided to use cryptography to secure and protect this sort of information, they could at a stroke create a desirable internet passport: by “blinding” the passport to prevent service providers from tracking the identity across web sites Facebook could significantly improve both convenience and privacy for the average users.

