There are two things that are completely and irreconcilably broken on the Internet (besides the Internet itself, which I'll cover in another post). They are user names and passwords, and email. They are broken because of the same principle: how you identify yourself on the Internet.
Some of you reading this got here from Facebook. You are you, for the most part, on Facebook. Your real name is there. Your pictures of your kids, spouses, and significant others are there. All of your heartfelt emotions, bipolar outbursts, rants, platitudes, and misquotes are there. You are as much of you as you are in any social setting. Maybe more, since you don't have to look anyone in the eye when you lie or say something stupid. However, you only got to be you on Facebook because you had a way to introduce yourself at Facebook's front door in order to get in. That way was a user name, which happens to be your email address for Facebook, which is doubly broken, and a password. Essentially, you say to Facebook, "This is me, and I can prove it." The problem with doing that with a user name and password is that if it really isn't you, but someone else can prove they are you, Facebook will let them in the door, and they can go about the business of pretending to be you. The same is true of any other place on the Internet that you have a presence, such as Twitter and Instagram, but especially banks and credit companies.
On a more personal scale, if you want to exchange communications one on one, without all of Facebook and the rest of the Internet eavesdropping, you use email. A lot of people have forgotten what email even means. It's an anachronism. It means electronic mail, as in the electronic equivalent of paper mail (yes, people still do that). Email was built on the paper mail model. It was done that way to give people a familiar sense of communication. With paper mail, you send a letter to a physical location. You identify the source of the letter by your own physical location. It was always assumed that you and the physical location were the same thing. If that was not the case, then the person on the other end could return the mail, throw it away, or read it. There was no guarantee that the proper participants in the exchange were related to the physical locations on either side. Some ways to help tie a location to a person were invented, like registered mail, certified mail, and in extreme cases, a courier. There were still all sorts of ways around those safeguards. In a world of 7 billion people, it was and still is a bad model. So, for this new age of nearly instant communications, the best we could do is model the new system on a broken old system. It was badly done. The system still relies on a belief that the right person is located on both sides of the conversation. Worse yet, all of the letters are sent in transparent envelopes. Anybody who can watch the letter go by can read it.
I've had email accounts and user names and passwords for as long as I can remember. I used to have one email address and one user name and password. Now I have six email addresses and a couple dozen user names and passwords. Why so many? I use different emails for different purposes - personal, professional, educational, and general. They give me a context for the mail I'm reading. I have a lot of user names and passwords because I don't want someone to be able to impersonate me everywhere, just by guessing one pair. I have to use a password keeper to remember all of them. I also use long passwords with random numbers, letters, and symbols that are almost impossible to memorize. A password keeper is a piece of software that records all of the information about your different online presences and the passwords that go with them. There is a single password to access them, but it never goes over the public Internet. I have to be sitting in front of my computer to use it. As if all of the user names and passwords aren't bad enough, if you forget your password, guess how your online partner lets you fix that? You guessed it, email! Brokenness layered on top of brokenness.
So, what is the solution, Steve? Are you just whining, or do you have a better idea? Why yes, yes I do.
How can you irrefutably identify yourself? How can you prove to someone, beyond a shadow of a doubt, that you are who you claim to be? The most obvious answer would be some kind of biometrics. Fingerprints. Retina scans. DNA. The technology of biometric authentication is progressing well, but it will be years before it is as ubiquitous as user names and passwords. Right now, we can create an electronic fingerprint that is at least as unique as your DNA, and much easier to identify accurately. This fingerprint is called a cryptographic key, specifically an RSA key. This key can be any number of bits (ones and zeroes) long. The longer the key, the more unique, and therefore, the more secure. We used to use 128 bit keys, but computing power has advanced to the point that even 256 bit keys are endangered. My current RSA key is 4096 bits long. It would take the entire computing power available on the planet crunching until well beyond the predicted end of the universe to break my key.
4096 bits is equal to 512 characters. You will say, "But Steve, I don't want to type in a 512 character password every time I want to log in." Of course not, and it's actually even more onerous than that, because there are actually two keys, a public key, and a private key. The public key is the one that you use to tell everyone that you are who you are, the private key is the one you keep secret, the one that really is you. One won't work without the other. And in the system, called public key authentication, you never type in your key, any time, anywhere. In the system I propose, you will use something called a soft token. When you open an account somewhere, say Facebook, you and Facebook exchange your public keys via your soft token (remember, your secret key never goes anywhere). That allows Facebook to send you a secret message that only you and Facebook can understand. You respond back with the right secret message, and Facebook lets you in. But, you never actually see any of these messages. They are happening on what is called the protocol layer. The protocol is how your computer and Facebook's computer figure out how to talk to each other. From then on, Facebook knows how to make sure that you are you by using your public key. In this system, nothing secret, like a password or a user name ever goes across the Internet. There is no way for anyone to steal your password because there is no password to steal.
Sounds like magic? It isn't. It's the system that is in use every day, millions of times, that lets millions of computers talk to each other securely. Why aren't Facebook, Twitter, and all the banks and credit card companies already using it? They will give you dozens of excuses, but the bottom line is that it will cost them money, and you aren't forcing them to spend it. One of the reasons you aren't forcing them is because you didn't know about it. Now you do. Another reason they will give is that it is complicated. It is complicated on the protocol level, but remember I said that you don't have to go there. That's what the soft token does. It is a small piece of software that runs on your computer that keeps track of your keys. It presents your public key when it is necessary, keeps your private key secret, and handles the initial messages that allow you to get connected to wherever you are going.
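The login exchange described above, sketched end to end as an added example (not code from this post or from any soft-token product). The `SoftToken` and `Site` classes, the `.example` origins, and the choice of an RSA-PSS signature over a random one-time challenge are assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

// RSA-PSS with SHA-256; parameters chosen for this example.
const PSS = {
  padding: crypto.constants.RSA_PKCS1_PSS_PADDING,
  saltLength: crypto.constants.RSA_PSS_SALTLEN_DIGEST,
};

// Bytes that get signed: the site's origin plus its one-time challenge, so a
// response produced for one site is useless at any other.
function signedPayload(origin, nonce) {
  return Buffer.concat([Buffer.from(origin + '\n', 'utf8'), nonce]);
}

// Hypothetical soft token: holds the key pair, hands out only the public half.
class SoftToken {
  constructor() {
    // 2048 bits keeps the demo fast; a 4096-bit key is used the same way.
    const pair = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
    this.publicKey = pair.publicKey;
    this.privateKey = pair.privateKey; // never leaves this object
  }
  exportPublicKey() {
    return this.publicKey.export({ type: 'spki', format: 'pem' });
  }
  respond(origin, nonce) {
    return crypto.sign('sha256', signedPayload(origin, nonce),
      { key: this.privateKey, ...PSS });
  }
}

// Hypothetical site: stores public keys only, so a leaked account table
// contains nothing that lets anyone log in.
class Site {
  constructor(origin) {
    this.origin = origin;
    this.publicKeys = new Map(); // account -> PEM public key
    this.pending = new Map();    // account -> outstanding challenge
  }
  enroll(account, publicKeyPem) {
    this.publicKeys.set(account, publicKeyPem);
  }
  challenge(account) {
    const nonce = crypto.randomBytes(32);
    this.pending.set(account, nonce);
    return nonce;
  }
  login(account, signature) {
    const pem = this.publicKeys.get(account);
    const nonce = this.pending.get(account);
    this.pending.delete(account); // a challenge is good for one attempt only
    if (!pem || !nonce) return false;
    return crypto.verify('sha256', signedPayload(this.origin, nonce),
      { key: pem, ...PSS }, signature);
  }
}

function runDemo() {
  const site = new Site('https://social.example');
  const alice = new SoftToken();
  const stranger = new SoftToken();
  site.enroll('alice', alice.exportPublicKey());

  // 1. Genuine login: the token signs the fresh challenge.
  const response = alice.respond(site.origin, site.challenge('alice'));
  const genuine = site.login('alice', response);

  // 2. The same response offered again, against a new challenge.
  site.challenge('alice');
  const replayed = site.login('alice', response);

  // 3. A different key pair claiming to be alice.
  const wrongKey = site.login('alice',
    stranger.respond(site.origin, site.challenge('alice')));

  // 4. A response the token produced for some other origin.
  const wrongOrigin = site.login('alice',
    alice.respond('https://other.example', site.challenge('alice')));

  return { genuine, replayed, wrongKey, wrongOrigin };
}

console.log(runDemo());
```

Only the first attempt succeeds; the site never holds anything secret, and a recorded response is worthless once its challenge has been used.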
But, what about email? Under the covers, here is how email works. Your email account is on a server somewhere that is running a piece of software that understands how email works. There are dozens of these programs written by different people, but they all understand the email protocol so they can talk to one another. You are given an email address by your provider that identifies your account. Your account is more or less private (depending on the NSA or provider incompetence, YMMV). You access your account by, here it comes, giving it a user name and a password. Your email consists of two parts, your user name and the address of the server that holds your account. Right away, you have given up half of your identity to anyone who cares to find it. Your address is like having a physical mailbox. Anyone who can find it, can send you email. Back in the days when humanity was smaller and more benevolent, that was considered a good thing. Today, companies that sell things think that they can bombard you with advertising to beat you into submission, causing you to buy their stuff. In the paper world, it's called junk mail. In the electronic world, it's called spam. It's good to have an email address so you and your friends can exchange brownie recipes and agree to meet each other somewhere. It's bad to have an email address because sooner or later, spammers will find you. But, email has a more insidious attribute. You trust it. You think it's secure. You think that no one can steal from it, and no one will find things out about you that you don't want them to. Wrong. For the vast majority of people, it is the least secure form of communication there is.
So, what do we do? We have to be able to give each other our email addresses so we can exchange our brownie recipes. That's true, but we want a way to be able to let people know where we are in a way that even if some spammer finds out our address, they won't be able to spam us. Once again, we go back to your public and private keys. Remember that I said that your public key identifies you, but no one can use it unless you let them. They have to send you the right messages, once again at the protocol layer, before you'll even talk to them. Why not use your public key as your email address? Well, your public key identifies you, but it doesn't identify where you are. However, we can use our public and private keys to create another key that identifies where we are. It is another key that can only be used by the people that you explicitly give it to. Not only do we protect our identity from the spammers, it will be very, very difficult for them to find us, and even if they do, we won't talk to them. Our new secret address won't even accept mail from them. It gets dropped on the digital floor. To do all of this we use something called a mixnet. The concept and execution are extremely technical and complex, so I won't go into it here. There are two aspects of a mixnet that are important to us. First, everything is encrypted. Someone snooping on the network wouldn't see any useful information. It would all be gibberish. The two ends of the conversation have their public and private keys and there is no way for the snooper to figure it out. Second, your email account isn't on a server somewhere, where it could be broken into and your private business stolen. Your email account isn't anywhere but on your computer. In this mixnet, everyone is identified and located by their keys. The location keys don't identify a server, they identify you and your connection to the mixnet.
When someone sends you an email, their email program waits patiently while it finds you using your key, and then sends the message to you. The message never sits on someone's server, waiting to be delivered. The communication is completely closed between both ends of the conversation.
Well, congratulations. If you got this far, it means you have a real interest in improving your online security. My ideas aren't likely to happen any time soon, especially the mixnet email idea. The ideas about using cryptographic keys are already being discussed. The debate is over the best way to make it simple for people to use. People won't use technology if it's not simple, even if it is in their best interest. There is a company that makes the RSA soft tokens. They're easy to set up and even easier to use. Much easier than a user name and password even. All that is left is to create the browser software that uses them and get online businesses to start using them. That last is no easy task. There are still websites out there that don't even do credit card transactions over secure connections. It's just a matter of creating the demand.
Wednesday, April 16, 2014
Wednesday, April 9, 2014
Bugs
I have been a huge proponent of open source software for years. I don't plan to change that outlook. However, I think it is time for the open source community to take some responsibility for policing itself. Or, more accurately, I think it's time for the big players in the community to step up and take responsibility for the free software from which they benefit.
On Monday, a security specialist at Google discovered a bug in the OpenSSL software library. OpenSSL is used all over the Internet. For example, it is used by the Apache web server, which accounts for 50% of all web sites on the public Internet. The bug allows an attacker to potentially gain access to a lot of very, very sensitive information. SSL stands for secure sockets layer. It is a piece of software that sits between your programs and your network connection. It uses a system called public key encryption to scramble what is being sent out over the public Internet so it can't be read by anyone who doesn't have the right keys. The most obvious place you will see it is with its use in the secure HTTP protocol, or HTTPS. Go to Google. Look in the location bar on your browser. You will see something like this:
https://www.google.com
The https means that anything you send to Google, and anything Google sends back to you is encrypted. If some nefarious person (or the NSA, same thing, actually) hooks a device called a network sniffer up to the Internet, all they will see is a steady stream of gibberish. They can't see what porn you are looking for, and they can't steal your sister's secret chocolate chip cookie recipe that she sent you in gmail. You should always look for this, by the way, especially where your credit cards are concerned.
The OpenSSL bug can give up your usernames and passwords, your credit card information, and a lot of other even worse stuff (x.509 certificate keys and passphrases, long term server secret keys, EEK!).
The bug is the result of a bit of sloppy programming and a lack of rigorous testing. Both of those are the chinks in the armor of open source software. Open source software is different than proprietary software in that no one actually owns it. You don't have to pay anyone to use it. If you want to change it for your own use, you can. One of the important aspects of open source that has emerged is that of community testing and feedback. The people who use the software have a stake in making the software work right. They will fix bugs on their own or very quickly report them. If they are good open source citizens and they fix code on their own, they will donate the fixes back to the project. It has been demonstrated time and time again that the general quality of open source software is superior to that of proprietary software. Big companies code in secret, so they can hide big uglies for years and years. I shudder to think about what the Microsoft Windows code looks like. If the open source software you are working on is widely used, and the code you are writing is crap, you will hear about it very quickly.
Another important aspect of open source software is the speed with which open source groups can respond to something like this bug. The OpenSSL group has already issued a patch to fix the problem. Red Hat has already issued a critical update. On the other hand, Oracle is not going to do anything about it until their regular update on April 15th. HP hasn't announced any intention to do anything about it. Oracle and HP are big companies. They're not built to turn on a dime when things like this happen. It could be argued that the big companies do more testing before releasing a fix, and that is true, as far as it goes. The big companies also have a lot more bureaucracy and other unproductive overhead built around testing and releasing software.
It should be noted at this point that the vast majority of open source groups, including OpenSSL, do not allow just anyone to write code for the product that they publicly release. So, this bug wasn't a case of some high school kid writing sloppy code that found its way into the finished product. OpenSSL has been around for a long time. The people who work on it are experienced developers. The hackers and amateurs were weeded out long ago.
Sadly, experienced developers are not immune to writing sloppy code. That was the case here. The OpenSSL group has not been forthcoming with exactly who did this. I applaud them for not throwing anybody under the bus. I think that first and foremost, the failure here was probably in peer review. The programmer either took on or was given a particular task to complete, coded it, did some basic testing and debugging, and added it to the mix. No one probably gave it a second look, or if they did, it was perfunctory. Granted, the bug is very subtle. I had to read through the explanations and code several times to get it. But, that leads to the second issue, which is testing. One of the fundamental requirements in software development is to do regression testing when you make a change. That means that you go back and make sure that everything that used to work still works after your change. I am convinced that this is what happened to OpenSSL. No regression testing.
A lot of big companies use open source software these days. There was a time when they wouldn't go near it for exactly this reason. However, open source software is free. At some point, the objections to it were answered and the economics of it tipped the balance. However, using it shouldn't be free. If companies are going to benefit from it, they need to step up to the plate and be good open source citizens themselves. Red Hat has adopted this stance. In cases where certain open source packages are fundamental to their business, they supply developers and testers. They pay people just to participate in open source development groups. Other companies that use open source should do the same. The fact that someone from Google discovered this indicates that they are involved. Other big companies like Facebook, Amazon, PayPal, eBay, and every single bank and credit card agency should be participating in testing and refining. Open source software should be free, but it shouldn't be invisible.
Friday, April 4, 2014
There Is No Now
A mathematical point has no dimensions. No width, no length, no depth. It's just an abstract concept. "Now" is a mathematical point. Not only does it have no physical dimensions, it has no temporal dimensions. It doesn't exist outside of an abstract idea. It is a singularity. The present is an artificial construct that we use to capture that dimensionless instant between past and future. We don't deal well with singularities. We need things to have a size that we can grasp. We want to be able to see that event or place or concrete point where future transforms into past. Even the phrase, at this instant, has no real meaning.
There is no one who can give you a precise definition of now. We define it by what it is not. It's not the past, and it's not the future. Even the euphemisms we use to describe it don't adequately hold it. Today. We think of it as now, but when we try to nail it down, we have to subdivide it, trying to slice it into ever smaller pieces to get closer to the magical point. Morning, afternoon. Hours, minutes, seconds, even parts of seconds. We measure events in infinitesimally small fragments. A billion nanoseconds in a second. A trillion picoseconds. We measure how long it takes for an electron to travel its own length. Even in that tiniest fragment we haven't captured that very instant that what will be becomes what was.
Even time itself is an invention we use to try to grasp what we cannot reach. A ruler held up against air. A ruler that can't measure now, no matter how small the divisions. And the more we poke and prod at time, the more it evades us, even to the point of blurring the line between cause and effect. Relativity and quantum physics tell us that our concept of time is more like a rubber band than a ruler. Now can be in two places at once. It's like finding out that your yardstick, with its 36 markings, is actually 37 inches long.
Now is the very definition of a singularity. Go ahead and try to point at it. I dare you.