Archive for the ‘politics’ Category

Commentary on the Palin Email Thing

Wednesday, September 24th, 2008

I know that I promised not to talk about politics on this blog. You get some of that in the form of politically charged funnies at /dev/random and short bursts of venom on twitter. I don’t really want to become too verbose about my frustrations with certain presidential candidates here. So this won’t be about politics – this will be about security, or the lack thereof. I will try to restrain myself from political comments and only make comments about human stupidity, which is a quality that is equally distributed amongst the democrats and republicans.

I initially wasn’t going to comment on this, but people keep asking me for my opinion and I figured I should put together something more eloquent than “Palin got pwnd by /b/. She should totally invest in a dog.” And preferably something that is not as politically charged.

Let’s start from the top. Once upon a time, Gov. Palin had a Yahoo email account. Note that I’m using the past tense here. She no longer has it, because a /b/tard heard about it and took it over in 5 minutes. How was this feat of extremely 1337 hacking on steroids performed? From the horse’s mouth:

rubico 09/17/08(Wed)12:57:22 No.85782652

Hello, /b/ as many of you might already know, last night sarah palin’s yahoo was “hacked” and caps were posted on /b/, i am the lurker who did it, and i would like to tell the story.

In the past couple days news had come to light about palin using a yahoo mail account, it was in news stories and such, a thread was started full of newfags trying to do something that would not get this off the ground, for the next 2 hours the acct was locked from password recovery presumably from all this bullshit spamming.

after the password recovery was reenabled, it took seriously 45 mins on wikipedia and google to find the info, Birthday? 15 seconds on wikipedia, zip code? well she had always been from wasilla, and it only has 2 zip codes (thanks online postal service!)

the second was somewhat harder, the question was “where did you meet your spouse?” did some research, and apparently she had eloped with mister palin after college, if youll look on some of the screenshits that I took and other fellow anon have so graciously put on photobucket you will see the google search for “palin eloped” or some such in one of the tabs.

I found out later though more research that they met at high school, so I did variations of that, high, high school, eventually hit on “Wasilla high” I promptly changed the password to popcorn and took a cold shower…

As you can see, there was no hacking done here. In fact, the very act of taking over Palin’s email required no computer knowledge and no skill. Hell, it didn’t even require intelligence. All it required was the ability to type the word “palin” into the Google search box. Anyone in the world could have done this. It just happens that it was done by /b/ and for LULZ, but it could have been just as easily perpetrated by someone with a much more malicious agenda to monitor, intercept or forge Gov. Palin’s work related messages.

The obvious point of failure here is of course the password recovery system. Almost all online services use one of these, because remembering strong passwords is difficult and using weak passwords is dangerous. It is an age old problem, and the usual solution is to force people to use strong passwords, and allow them to go through a recovery process involving easy to remember questions in case they forget. Most services won’t actually allow you to reset your password on the spot, but instead will send a temporary password or a confirmation message to the email address you used to sign up for the service. So if someone tries to recover your Facebook password, for example, and correctly guesses the name of your first dog and your zip code, they still won’t get access to the account. Instead you will get an email notifying you about the recovery attempt. Not the most secure solution, but it works.

Of course, in the case of Yahoo Mail this is apparently not the case, which sort of makes sense. Requiring someone to use an email address to sign up for another email account is a bit silly. As a result Yahoo apparently relies solely on the very insecure personal questions to verify your identity. These questions may often work for a private person. After all, how many people in the world know the zip code of your mom’s house, the name of your high school crush and the name of that pet goldfish you flushed down the toilet when you were 11? Even if you blab about yourself constantly, there is only a limited number of people who could potentially know these things – and these are the people who know you personally, and who you can track down and slap around if you find out they have tried to read your email. This changes when you become a public person and you have your own detailed Wikipedia entry that gets vandalized 5 times a day. The flaw that is inherent to the password recovery system becomes a gaping security hole.

The lessons here are twofold:

  1. Using a free email account when you are a public figure puts you at risk, even if it is purely for personal use. You really want to invest in something more robust. It’s fine if you want to keep your public email and your private email separate, but you should really look for a more professional solution. Perhaps something where you can confirm your identity by giving out the CC number associated with your account, and its security number. After all, that’s something a random /b/tard won’t be able to find on wikipedia.
  2. We need to carefully reexamine the way we use password recovery mechanisms. It’s obvious that Yahoo’s solution is very vulnerable to a common-sense, logic-based attack. This is unacceptable, and needs to be fixed for Yahoo and all the other services which use a similar recovery method.

The problem with password recovery is a serious one, because there is really no easy way to make it more secure. Let’s remember that the only reason people use this feature is because they can’t remember their 6-8 character password. If you make the recovery questions too obscure or complex, people will forget them as well. This is why most free online services insist that you sign up with a valid email address where they can send you a password recovery confirmation. The only way to ensure that you are not giving away the password to a bad guy is to hand over the job of confirming your identity to someone else – your email provider. Of course, if you are trying to be the primary email provider for people who already have ISP provided email but don’t want (or don’t know how) to use it, you don’t really have that option.

How do we resolve this? First off, don’t do what Yahoo did. When you are a free online service, always defer the job of confirming identity during password recovery to someone else. This way, when an account gets compromised it is not your fault. The easiest way of course is to require your user to sign up with a valid email account. But not necessarily – you can also become an OpenID consumer. Everyone and their mom is an OpenID provider these days, but no one ever wants to be a consumer. However, using OpenID logins is a perfect way to defer trust to another entity without asking the user for another email address.

This way security issues cluster around popular OpenID providers, some of which are paid services (e.g. LiveJournal) which can ask the user to verify their CC# upon password recovery. Better yet – if you are a public figure you can roll out your own OpenID provider solely responsible for authenticating you, and only you, on a bunch of online services. If you forget your password you simply visit or call up “Joe”, the guy who maintains your OpenID server, and ask him to reset it for you. If someone hacks your account, you can personally kick Joe’s ass, and then fire him.

Of course there are many issues with actually implementing OpenID in a way that works. If you trust the wrong OpenID provider, for example, you may find yourself overrun by spammers. Not an ideal solution, but a solution nevertheless. It does seem to work for Stack Overflow, for example.

If you don’t want to defer authentication to someone else, and you want to remain free, do something like Google did for Gmail registration – ask your users for a phone number and send them a text message with a security code when they try to recover a password. It is almost like a poor man’s two-factor authentication. There are of course usability issues with this scheme as well – problems with SMS transport across networks, and other random stuff. I’m not saying everyone should do it – I’m just saying it is a more secure option than asking for the name of a person’s dog. At least in theory.
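To make the "defer identity confirmation to an out-of-band channel" idea from the last few paragraphs concrete, here is an added example (my own illustration, not code from Yahoo, Google or anyone else mentioned above) of a reset flow that issues a random single-use code for e-mail or SMS delivery instead of asking personal questions. The class and parameter names, the 15 minute lifetime and the attempt limit are all assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets
import time

# Illustrative values, not taken from any real service.
TOKEN_TTL_SECONDS = 15 * 60  # a code is only good for a short window
MAX_ATTEMPTS = 5             # more wrong guesses discard the pending reset


def _digest(secret: str) -> str:
    # Store only a hash, so a leaked table does not hand out live codes.
    return hashlib.sha256(secret.encode()).hexdigest()


class RecoveryService:
    """Password reset that trusts a channel the attacker does not control
    (registered e-mail or phone) rather than guessable personal facts."""

    def __init__(self, now=time.time):
        self._now = now       # injectable clock, handy for testing expiry
        self._pending = {}    # username -> {"hash", "expires", "attempts"}

    def start_reset(self, username: str, channel: str) -> str:
        # "sms" gets a short numeric code; anything else a long e-mail token.
        if channel == "sms":
            code = f"{secrets.randbelow(10**6):06d}"
        else:
            code = secrets.token_urlsafe(32)
        self._pending[username] = {
            "hash": _digest(code),
            "expires": self._now() + TOKEN_TTL_SECONDS,
            "attempts": 0,
        }
        # Hand this to the mailer / SMS gateway only, never back to the browser.
        return code

    def finish_reset(self, username: str, code: str) -> bool:
        entry = self._pending.get(username)
        if entry is None:
            return False
        entry["attempts"] += 1
        if self._now() > entry["expires"] or entry["attempts"] > MAX_ATTEMPTS:
            del self._pending[username]   # expired or brute-forced: give up
            return False
        if not hmac.compare_digest(entry["hash"], _digest(code)):
            return False                  # wrong guess, attempt counted
        del self._pending[username]       # single use: success burns the code
        return True
```

Nothing here asks the user anything that Wikipedia could answer; the only secret is the freshly generated code, and the service never stores it in the clear.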

At the very least, we should revisit the questions and answers the recovery process is using. Obviously things like DOB, zip code and spouse name are very easy for a potential attacker to find out. Perhaps a different kind of question would be in order. Perhaps something along the lines of:

You’re in the desert, you see a tortoise lying on its back, struggling, and you’re not helping. Why is that?

Only don’t use a known quote, because 80% of people who watched/read Blade Runner will invariably answer this one with “what is a tortoise?” and that’s not exactly what you want. Simply ask a personal question, and assume that the answer to a given question doesn’t change. Perhaps something along the lines of:

“You are walking in the park, alone. It is cloudy day but it is not raining. You smell wet leaves. What are you thinking about?”

Again not perfect, but it may trigger some rather personal memories, or incite a trivial response along the lines of “better get home before the rain”. We would probably have to test this type of question on a group of users, and then have them try to recover their passwords 6 months later and see if they are able to give the same responses. Also it would be interesting to see if this sort of emotionally charged question prompts similar answers from many people. I have a hunch that the above question would end up with many responses along the lines of “I think of her/him” but again – it would take some testing. The assumption is that these questions would be harder to defeat by looking them up, but since we are all emotionally wired in a similar way they may be easy to guess by intuition alone.

Those are my 3 ideas. Feel free to suggest your solutions to the password recovery issue in the comments. Maybe there is a better way to do this.

Is it Gov. Palin’s fault that she got pwnd? Yes and no. Yes, because she should have known better than to use Yahoo. No, because this would not have happened if it wasn’t for the inelegant kludge that is the “password recovery question” mechanism employed by Yahoo. She is not the only person who had their account compromised this way – it’s just that the contents of most people’s Yahoo inboxes are not a matter of national security and thus we don’t hear about it on the news.

The interesting thing is what will happen to the kid who did this. What’s his name? David, was it? Yes, it was David. Will he get a slap on the wrist, or will he be made an example of? Will he spend some quality time in a federal prison, or will he get off with a fine, some community service and a nasty smear on his daddy’s reputation? Or will he dodge all punishment by a small margin due to insufficient evidence?

What do you think?

Our Next President Should be a Hacker

Wednesday, July 23rd, 2008

I think that the perfect kind of leader for our country – for any country – would be a hacker. And when I say “hacker” I don’t mean “computer criminal”. I use it in its original meaning. To me a hacker is a person who knows enough about technology to make me feel small, insignificant and undereducated. There is just no other word out there that denotes this particular blend of insightfulness, technological expertise, problem solving ability, competence, intelligence and cleverness. So I will use hacker, even though in recent years it has gained this negative connotation.

Why do I think a hacker would be a good leader? Let me count the ways.

Most hackers are mindful of computer security. This falls under their general technological expertise. They know security systems, they know their pitfalls, and they know ways to make things secure. They have the analytical mindset to sit down, look at a system, identify gaping holes in its security and devise a plan on how to close them, or minimize their impact – without actually disrupting how that system works. If you think about it, managing national security is a very similar process. You consider the country as a big, complex system. The task is to secure that system without actually disrupting or disturbing its inhabitants. I believe that a hacker is much more suited to carry out such a task than, for example, a lawyer or a career politician. They have the analytical capacity, a rigid, logical approach, engineering precision, focus on details and a sharp mind – those are all attributes necessary to succeed in the technology field. Lawyers and politicians… Well, they just need to be good at bullshitting, and memorizing stuff. Yes, there is more to it than just being a fast talker, but they are not formally trained in identifying flaws, devising solutions, devising an action plan and executing it in a rigorous way, testing and validating it along the way. This is what we technology folks do.

In fact, this problem solving ability extends to other areas beyond security. The same process can be applied to other areas, be it economic, social or foreign relations. The thing about true hackers is that they have this strange ability to absorb and analyze incredible amounts of information in a relatively short time. Typically you talk to one of them on Friday about some new cool technology and they promise to read up on it over the weekend. Come Monday it turns out they not only “figured it out” but they also set up a test box, ported your system to the new technology, benchmarked it, optimized it, then improved parts of your system using what they have learned in this process. So even if you don’t adopt this new thing it is a net gain for you. They are not merely fast learners – they are more than that. And this is the sort of attitude, and thorough approach, they could bring into politics.

There is a crisis abroad? Have no fear, our hacker president spent the whole weekend researching that area; he already learned much of their language and he figured out the local customs, conflicts and tensions in the area. He is now with his advisers, devising an action plan that is supposed to be subtle, effective and beneficial to both us and the area in question.

Naturally, few hackers would ever pursue a career in politics. It’s not their field, not their area of expertise and not their ambition. Which is precisely what you really want in a good leader: diligent, hard working, dedicated, humble, reluctant to abuse the power vested in him, and happy to relinquish it at the end of his term. In my honest opinion anyone who actually strives for a political office out of ambition is absolutely unsuited for it. Lust for power is a dangerous thing. People who set out to make it big, even with good intentions, can be easily led astray by their own ego. The only trustworthy leader is one who holds power sternly but reluctantly and treats it as a very heavy burden of responsibility and a patriotic duty.

In other words, hackers can be perfectly serviceable leaders, precisely because they don’t want the job. Their work ethic, attitude, and diligence, which are all part of the hacker ethos, can almost make up for a lack of statecraft experience. And let’s face it, not all of our leaders are bright shining stars of diplomacy, or competent orators.

Perhaps not this time around – but at some point in the future, let’s try to get someone like that into office somewhere. Perhaps it would be a welcome change for the better.

If you didn’t notice, this whole bit is supposed to be humorous and satirical in nature and in no way should be treated seriously.

NSPD 51

Tuesday, May 22nd, 2007

The politics category hasn’t had much use lately. Let’s talk politics. No, I’m not going to go on a rant again and start with Orwellian parallels. All conspiracy theories aside, NSPD 51 is worrisome to say the least. Go skim through that thing – it is intentionally verbose and vague.

The way I understand it, it gives the president overreaching power over the House and the Senate in case of a national emergency to “ensure constitutional government”. In other words – when the shit goes down, the president can claim dictatorial powers – you know, to preserve freedom.

I doubt anyone in their right mind would use this directive to seize power or overturn the government, but leaving such a thing uncontested in the body of our laws seems unwise. Is that directive even constitutional? But how do we contest this? Who do we write to?