Posts filed under ‘network’
Anonymous, an Internet meme
On the Internet, Anonymous has become a badge, a group, an idea. It’s all a bit nebulous really. It could quickly just fizzle out. On the other hand, it might just be the start of something new, something big, an emergent phenomenon.
Let’s start with meme. According to Wikipedia, a meme is an “idea or behaviour that can pass from one person to another by learning or imitation.” Examples of memes include ideas, theories, practices, fashions, habits, etc. The word was coined by Richard Dawkins in 1976 that has caught on as “a convenient way of discussing a piece of thought copied from person to person.”
Next, Internet memes. Again, according to Wikipedia, an Internet meme is “used to describe a catchphrase or concept that spreads quickly from person to person via the Internet.” There is a very interesting timeline of Internet memes that has some of the great viral distractions that the Internet has spawned. Have a look but be warned that it can hook you for hours. Like George Bush and Google. Or, the Star Wars political commercial.
Most people are familiar with the use of anonymous as a default name for a person on the Internet whose identity is unknown. Post a comment without identifying yourself and it’s likely to be accredited to anonymous.
But then anonymous began emerging as Anonymous, a sort of an in-joke. Many people think it originated from the site 4chan, an image-based bulletin board where anyone can post comments and share images anonymously. Definitely not for the faint-hearted. Almost anything is acceptable. That’s led to a clique with their own language, norms, jokes, values… culture?
In turn, that’s led to a movement on the Internet, perhaps one that can be best described as an Internet meme.
In an often-quoted article in the Baltimore City Paper called Serious Business, “anons” are linked with repeated attacks on the Church of Scientology, called Project Chanology, “a battle that pits an anarchic, leaderless group of mostly young and tech-savvy activists organized through online forums and chat rooms against a religion formed in the 1950s whose adherents believe a science-fiction writer laid down the course to world salvation.”
Their words are ominous, “We are Anonymous. We are Legion. We do not forgive. We do not forget. Expect us.”
Anonymous has been linked with more attacks, such as a DDoS attack on the SSOH (Support Online Hip Hop) website and even the attack on Republican vice presidential candidate Sarah Palin’s personal Yahoo! Mail email account.
Anonymous has now become a movement, a moniker for a wide range of leaderless groups, from fringe elements on a path of reckless destruction to activists united in a sort of superconsciousness.
It could amount to nothing, a passing ripple in Internet history. Or, it could also become something far more potent, such as a rallying cry for the anti-establishment, a new breed of cyber-vigilantes.
In many ways, Anonymous is the child of the Internet. Do we get the children we deserve?
EV SSL certs and phishing
Extended Validation (EV) SSL certs launched about a year ago were supposed to be a powerful weapon against phishing. The reality is proving to be less promising.
Of course, true believers remain. PayPal recently raised eyebrows when it recommended that customers stop using Apple’s Safari browser. One of the reasons cited was its lack of support for EV certs.
When a website has EV certs, the address bar in browsers (IE 7, Firefox 3) turns green. According to VeriSign, “There is a natural positive psychological impact when a person sees the green address bar.”
The reality is somewhat different. An oft-quoted study by Stan U and Microsoft in September 2006 concluded that, “We did not find that extended validation provided a significant advantage in identifying the phishing attacks tested in this study.” More recently a survey conducted by UK managed hosting company NetBenefit found that “70% of shoppers don’t understand the significance of the green browser bar.”
EV certs primarily depend upon two assumptions to be effective against phishing. Both of these seem to be flawed:
- First, that the bad guys can’t get EV certs. The problem is that the two pieces of information that the Guidelines for issuing certs require to prove that a “legal entity” exists are not really a problem for the bad guys. All they need is proof of incorporation and a physical business address. These hardly present an insurmountable hurdle.
- Second, that people will understand what the address bar in their browser turning green means. More importantly, if it does not turn green when it should, they would detect and understand what was happening and stop interacting with the site. As the research shows, at least currently, this is simply not happening. While PayPal and others believe that this is only a matter of time, in my view relying on people to implement your security feature is a big ask.
So, should a site get EV certs knowing that they probably won’t stop phishing and the main gainer is the CA who gets extra money over ordinary SSL certs? Unfortunately, the answer is yes. Not because they provide any real benefit but because they do no harm. And that’s hardly a strong endorsement of the great hopes that backers of EV certs held out a year back.
Are IP addresses, OpenID-URLs/XRIs PII?
There is an interesting debate emerging in the EU whether IP addresses should be treated as personally identifiable information (PII). A consequence, if this was to be the case, would be extending all the privacy and data protection requirements to IP addresses.
Extending this debate, should an OpenID identifier be treated as PII and protected similarly?
IP addresses are meant to be locators for devices on a network and often do not map to being a unique identifier (for example, where the IP address is dynamically assigned or NAT is being used for an external connection).
Yet, ISPs and online services routinely log IP addresses and use them for tracking users. Search engines use IP addresses to provide location-aware results and advertising, and to detect click fraud.
The answer is far from clear cut.
As a privacy counsel for Google told the EU meeting, “There is no black and white answer: sometimes an IP address can be considered as personal data and sometimes not, it depends on the context, and which personal information it reveals.”
On the other hand, Germany’s data protection commissioner believes that when someone is identified by an IP address “then it has to be regarded as personal data.”
This is going to be an interesting debate. To spice things up, let’s throw things like persistent cookies and ISP/OP logs into the mix.
Openness and Kerckhoffs’ principle
I don’t know too much about crypto stuff so when I came across Kerckhoffs’ principle, I was intrigued. This 19th century principle states that a (military crypto) system should be secure even if everything about the system, except the key, is public knowledge.
It was reformulated as “the enemy knows the system” by Claude Shannon and contrasts with the security by obscurity approach.
Several people, including Bruce Schneier in a Crypto-Gram Newsletter, have extended the thinking to other systems.
Got me thinking. I think the point is that the strength of a system is inversely proportional to the number of secrets it has to rely on, i.e. a system which relies on several secrets for its security is inherently less secure than one that relies on a small number of secrets (ideally, none except the “key”).
So, a strategy that relies on people’s ignorance is risky.
While this seems intuitive for crypto, I think it can be applied to all sorts of things with interesting results. Authentication systems for one. Proprietary vs. open standards for another. Applying this to government policies makes transparency a better choice.
Come to think of it, in many of my public presentations, I have described the way NZ authentication services are architected and work at a fairly detailed level. The underlying belief was in line with Kerckhoffs’ principle in that they do not rely on obscurity to be secure.
NZ: use of Web 2.0 in government
At the recent Digital Future Summit 2.0 in Auckland, Laurence Millar of the State Services Commission gave an excellent presentation (ASF/Windows media file; just over 26 minutes but skip the first 3 minutes) entitled “The Government’s supporting role”.
He gave the following examples where Web 2.0 technologies have been used very effectively by NZ government organisations:
- a wiki from the NZ Police for getting the views of the public in developing new legislation (the Police Act Review). A bonus nugget: “wiki” is an anagram for “kiwi”!
- a community forum focussed on road safety that taps into the wisdom of the people to collectively solve community problems in partnership with government.
- entries on Wikipedia, such as that for the State Services Commission itself.
- a mashup that aggregates broadband demand and supply geographically across NZ.
Two further highlights for me from the presentation were:
- the importance of igovt in providing “secure online identity assertion and management” as a critical foundation for transforming government; and
- at the end, a question that I thought was truly interesting and insightful. Something along the lines of, “is this truly government 2.0 or just an Internet overlay over a clunky old government?”
Now that’s a worthy question: just what is Govt 2.0?
Good and bad CAPTCHAs
CAPTCHAs, those distorted letters and numbers that you need to figure out and type in to prove you are human, are everywhere on the Web nowadays. They span the entire spectrum from very bad to competent. The topic of CAPTCHAs also invariably brings forth all the frustrations people have in using them.
Using unsuspecting humans to get around CAPTCHAs is well known. For example, displaying the CAPTCHA from a genuine site to a person to solve in return for the person getting free access to porn.
A blog post on Coding Horror led me to the site of a Chinese hacker that sells software for breaking CAPTCHAs. The site has a very interesting page in which CAPTCHAs from well known sites are shown with how easy (or not) it is to break them. The software price is proportional to the ease of breaking.
For example, 9you (a Chinese online games site) is listed as easy with a 100% cracking rate. On the other hand, cracking eBay CAPTCHAs is listed as moderate with a 70% accuracy rate and is 8 times the price.
Perhaps not so surprising, the three that can’t be broken by the software are Google, Yahoo, and Hotmail. Comments on the Coding Horror page point to Google as having the best CAPTCHA: easy for people to figure out yet impossible to break programmatically.
Score another one for Google!
AKILL, the Kiwi botmaster
New Zealand’s dubious claim to fame is being home to one of the world’s largest botmasters: Owen Walker, aka AKILL, aka Snow Whyte, aka leader of the A-Team.
The 18 year old stays in the Waikato town of Whitianga and police have described him as “very, very bright in terms of his ability to produce this sort of code.” He suffers from Asperger’s syndrome, a mild form of autism often characterised by social isolation but great intelligence and talent in a particular area. He was something of a loner at school, picked on by bullies, and completed his education using a correspondence course after leaving school early (when 14).
The police raids were a result of Project Bot Roast run by the FBI. The trigger seems to be a revenge 50,000-bot attack on IRC servers that inadvertently brought down U Penn’s network.
He is also being investigated by the Dutch for his role in an adware scheme thought to have infected 1.3 million computers.
Thanks to the mainstream media, middle-New Zealand is getting a whole new vocabulary that includes words like bots, zombies, botnets, botherders, malware, adware, distributed denial of service attacks, and Trojans.
“It’s a cultural change for us,” said Andrew McAlley, a spokesman with the New Zealand Police. “I think it’s going to take time for New Zealanders to come to grips with the ramifications of it.”
New Zealand, say hello to the black side.
Et tu, Passport Canada?
Even though I have no connection with Passport Canada, for some reason I’m feeling terribly let down by them.
My disappointment may stem from an agency making an elementary security mistake and, rather than fixing the problem, repeating it and looking foolish.
Or, it might be that it is incidents like these that collectively undermine trust people have in dealing with government agencies online.
Sigh…government agencies dealing with sensitive personal information simply have to do better.
What happened? According to Globe and Mail, a security flaw in their website allowed passport applicants to view the personal details (including social insurance number, date of birth, address, driver’s licence number, and gun ownership) of other applicants by simply changing one character in the URL displayed in the address bar. A very, very basic mistake and, worse, evidence of appalling testing.
The site was taken down but when it was put up again, a few key strokes were still all it took to reveal personal information. All the while, Passport Canada was in a public denial mode.
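The flaw described above is a missing authorization check on a record identifier taken from the URL. The following is an added illustration, not Passport Canada’s code: a minimal model of the broken lookup next to a hardened version that ties each record to the logged-in applicant, plus a variant that replaces guessable sequential numbers with random per-session tokens. All records, names and identifiers are constructed.

```python
# Added example (not Passport Canada's code). Constructed sample store keyed by
# a sequential application number, the kind of value that ends up in a URL.
import secrets

APPLICATIONS = {
    "1001": {"owner": "alice", "sin": "XXX-XXX-001", "dob": "1980-01-01"},
    "1002": {"owner": "bob",   "sin": "XXX-XXX-002", "dob": "1975-06-30"},
}

class Forbidden(Exception):
    pass

def get_application_insecure(session_user, app_id):
    """The flaw: the handler trusts the identifier from the URL and never
    checks that the authenticated user owns the record, so any valid id
    returns another applicant's details."""
    return APPLICATIONS[app_id]

def get_application_secure(session_user, app_id):
    """Hardened: the record must belong to the authenticated session.
    A missing record and someone else's record produce the same response,
    so the URL cannot be used to learn which ids exist."""
    record = APPLICATIONS.get(app_id)
    if record is None or record["owner"] != session_user:
        raise Forbidden("no such application for this user")
    return record

# Better still: do not expose sequential ids at all. Hand the browser a
# random opaque token that maps to (user, record) server-side.
SESSION_TOKENS = {}

def issue_token(session_user, app_id):
    """Issue a token only for a record the session user owns."""
    record = APPLICATIONS.get(app_id)
    if record is None or record["owner"] != session_user:
        raise Forbidden("no such application for this user")
    token = secrets.token_urlsafe(24)
    SESSION_TOKENS[token] = (session_user, app_id)
    return token

def get_application_by_token(session_user, token):
    """Resolve a token, still re-checking it was issued to this session."""
    entry = SESSION_TOKENS.get(token)
    if entry is None or entry[0] != session_user:
        raise Forbidden("no such application for this user")
    return APPLICATIONS[entry[1]]

def check_access(handler, session_user, identifier):
    """Test/logging helper: True if the handler released a record."""
    try:
        handler(session_user, identifier)
        return True
    except (Forbidden, KeyError):
        return False
```

The same ownership check belongs in every handler that reads a record by identifier, not just the one that first displays it; the post's point is that the site went back up with the check still missing.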
Their website says about Web Security that “Passport Canada is taking the measures necessary to protect the confidentiality of the personal information you provide and to ensure that your electronic transactions with us are secure.”
The problem is, when fine words don’t match reality, public cynicism results. And that hurts.
The feds & your Amazon records
When should US law enforcement authorities (the feds) get access to your details and records at Amazon? Not exactly a rhetorical question given that Amazon is asked several times a year to hand over customer records.
If your answer is “Never, it is none of their business” then that’s probably not correct, especially in a post-9/11 world. In any case, it is widely acknowledged that the right to privacy is not absolute, e.g. in preventing crime or terrorism.
Note that the question was “when”, not “if”. In the US, the feds have access to personal information for their investigations if there is:
(a) a compelling need and close nexus, or
(b) the records may be relevant to the investigation.
While (a) is the norm, clearly (b) presents a very low threshold for the feds to access your records. That explains why they tend to try to find ways to argue that (b) should apply or that some laws, such as the USA Patriot Act, specifically allow for (b).
What happens when the feds get your records under (b)? In most cases, the records turn out to be not relevant but, hey, once they’ve got them, why not just add it to their huge databases so that they can mine it again and again without going through the bother again?
A recent case when Amazon took on the feds is interesting and relevant although it does not carry the same weight as judgements by more senior courts. As The Register reports, “Amazon refused to reveal individual names [but did give email addresses], citing the buyers’ First Amendment right to privacy. The grand jury thought this was silly, and as it continued to push for at least some of the names, the uber-dot.com asked US Magistrate Judge Stephen Crocker for protection.”
Recently unsealed court documents (PDF) show that the Judge agreed and the feds, now finding that they no longer needed the information, withdrew.
According to the court documents, the judge used some colourful language. My favourite is, “The subpoena is troubling because it permits the government to peek into the reading habits of specific individuals without their prior knowledge or permission… it is an unsettling and un-American scenario to envision federal agents nosing through the reading lists of law-abiding citizens while hunting for evidence against somebody else.”
“If word were to spread over the Net – and it would – that the FBI and the IRS had demanded and received Amazon’s list of customers and their personal purchases,” he continued, “the chilling effect on expressive e-commerce would frost keyboards across America.”
What about outside America? The impact would be as much, if not more, as the First Amendment would not apply.
For many non-US users of online services, be they ecommerce sites, SaaS providers, or search engines, this aspect of US law is often overlooked. Think about the online services you use and consider which ones store your data in the US.
In all those cases, US law applies and the feds can get your details and records without your knowledge. The only question is whether it will be via (a) or (b).
NZ: CardSpace – SAML interop
One of the two new projects that the Microsoft New Zealand Innovation Centre is funding involves integration of Windows CardSpace with SAML 2.0.
The project is to make the Authentication Programme’s all-of-government shared services, called “igovt”, accessible via CardSpace. According to Microsoft, “this technology will enable users to safely provide their digital identity to online services.”
Working on the project will be Microsoft’s Mark Rees together with Kiwi IT firm Datacom over the next four months. Igovt is based on SAML and the Microsoft-funded project will go some way in implementing CardSpace-SAML interoperability.
CardSpace and igovt make a great combination.
CardSpace provides an intuitive and natural user interface for people to manage their identity and authentication to online services. As CardSpace (and other identity selectors) progress towards the tipping point and CardSpace itself gets refined, a new paradigm for accessing secure online services is brewing.
On the other hand, igovt provides people with the option to verify their identity to NZ government agencies, online and in real-time, to a high level of confidence. In addition, igovt lets people use a single logon (password, token, etc.) to access all online government services. All of this with the highest levels of privacy protection.
When people verify their identity, one of the core design principles of igovt is for people to fully understand and view what identity information is being sent to the agency (Service Provider). In addition, active consent is a critical element of privacy protection. Currently this requires a browser re-direct to the igovt website, something that CardSpace will admirably eliminate, without any reduction in user control or privacy protection.