Random Oracle

July 17, 2008

Vintage code, common hardware and value of backwards compatibility

Filed under: MSFT, mobile, review, software — cemp @ 5:55 pm

A data point on the value of backwards compatibility. This is an area where MSFT is frequently slammed for its insistence on favoring compatibility with past mistakes instead of throwing everything overboard to start over again– the way Apple did with OS X and later with the switch to Intel x86 chips.

Imagine having to demonstrate an application running on Windows Mobile to a crowded room full of security professionals. This code will not run on the emulator– and even if it did, emulation hardly makes for a compelling demo. “Code always wins” as the old MSFT adage goes and working code on an actual device is the golden standard. This is the predicament confronting the blogger next week. Slide decks are not a problem; they can run off a locally installed PowerPoint or OpenOffice instance (the import process still loses some details if the latest eye-candy from Office 2007 is used) or better yet run from the cloud-hosted Google Presently. Showing UI from the device is a different challenge.

Most phones cannot project the view of their own display to an external monitor using a standard VGA, DVI or HDMI output. (Oddly enough a few can project other video over Bluetooth to specialized devices, and there are nascent efforts to give phones projectors of their own.) Having a dedicated, fixed camera pointing at the phone was not an option in this setting. And since it is not possible for dozens of people to cluster around a single handset trying to get a peek at the tiny screen, one option is to capture static screenshots at relevant points and project these as part of the slide deck.

Even that is non-trivial: there is no “print screen” functionality on Windows Mobile out of the box. One quick Google search finds several third-party substitutes, including a freeware version from Ilium Software. Luckily the search results also unearthed a better solution. An entry on the Windows Embedded Blog dated November 2004 references a Remote Display application included as part of the Windows Mobile Power Toys. This is good news; power toys are officially unsupported applications typically written by MSFT developers on the side. According to the description, Remote Display shows a real-time view of the phone display mirrored on the desktop. Much better than static screenshots, and the audience can now follow along with the exact flow.

One problem: the Power Toys are dated December 2003. Supported operating systems on the download page include W2K SP3– long defunct– as well as “Windows Mobile 2002 based smart-phones.” In other words, this code is archaic. The MSI installed without a problem on Vista, even bearing a proper Authenticode signature to keep the inane UAC prompt happy about reporting the author. But the first attempt to run it with an HTC Diamond failed with an error message about an unknown CPU type on the device. Not surprisingly, 5 years after the code was written, the architecture of mobile devices, as well as the operating system MSFT ships to run on these devices, had become unrecognizable under the assumptions the original author had made. Vista does not even have a separate ActiveSync component; instead Mobile Device Center handles synchronization with phones.

But the README file provided plan B: the instructions described what to do for that particular error. The recommended fix was to manually find the correct binary for the mobile device and copy it over. There were not exactly many choices either: Windows CE 3.0, CE 4.0 and smartphones based on CE 4.0. Each OS SKU had a corresponding array of architecture choices, including x86, MIPS and ARM4. As for the device? It is running Windows Mobile 6 on ARMv5i.

So it was a surprise that copying the ARM4 binary built for CE4 worked: Vista could mirror the device screen in real time. Even more impressively, Remote Display works both ways: clicking on the phone UI from the desktop PC actually sends the mouse clicks to the phone, allowing the phone to be driven by the full-size mouse and keyboard combination.

This is one of the rare cases where the insistence on backwards compatibility paid dividends. Not only did the ARM processor have to remain backwards compatible and run binaries compiled for an earlier version, but Windows Mobile itself had to evolve such that code written for earlier CE variants could run without any changes.

cemp

July 13, 2008

Nebuad: dubious past, nebulous future

Filed under: Internet — cemp @ 5:09 pm

From relative obscurity, Nebuad has emerged as the star witness in the Senate hearings last Wednesday that also included representatives from Microsoft and Google.

WSJ points out that many current Nebuad executives previously worked for Gator, which almost single-handedly defined the “spyware” category earlier in this decade. Gator was one of the first examples of software bundling useful functionality appreciated by users with intrusive, privacy-invading and unwanted “features” designed to monetize that user for the benefit of advertising networks. On the surface Gator was a form-fill assistant; it helped users with the repetitive task of completing forms on websites. Web browsers including Internet Explorer had had an autocomplete / intelliforms feature for some time, but it was fairly primitive compared to what Gator could do. IE remembered that the user typed in some string on a particular field on a particular form on one web page; it had no concept of recognizing that as an address or recognizing other forms on other websites also asking for the address. So far so good– even Microsoft Passport was taking out full-page advertisements in the New York Times about its ability to save time by avoiding forms, because the profile data would be included in the authentication process.

But Gator also had a dark side, and it was hidden in plain sight, buried in the terms-of-use / click-wrap agreement that users seldom read. It collected information about the user’s navigation history and called home with the information. The resulting profile was used for taking targeted advertising to new levels: Gator replaced existing banner ads on websites with ads of its own choosing, disrupting the business model for many ad-funded free websites. This over-zealous tinkering with other people’s advertising brought Gator a lawsuit from several publishers including the New York Times and Washington Post.

Worse, there was no meaningful opt-out possibility: no way to retain the useful functionality and opt out of the invasive tracking, other than uninstalling the app completely. And that is exactly what users decided soon after it was branded spyware (or “adware,” the preferred expression in polite company) in the public perception. On balance the inconvenience of a couple of extra steps to provide your address one more time to another website did not outweigh the potential privacy invasion from the tracking. Making matters worse, while it was possible to verify what Gator collected, users had no way to verify how the data was used once it was uploaded to the service in the cloud.

Seeing the writing on the wall, Gator soon found a more appealing application to latch on to: P2P. The popular file sharing program Kazaa was bundled with Gator (and soon several other variants of spyware). P2P created a dilemma for users who wanted to tap into the global jukebox but avoid the dubious spyware that often came bundled with the free software. Volunteer programmers responded by creating Kazaa Lite and other derivative “unauthorized” versions stripping out the dubious functionality. As for Gator, when the backlash became widespread, to the point that today Symantec has an anti-spyware application that will remove Gator, the company reacted in typical fashion: by changing its name to “Claria” and hoping that will whitewash any previous associations.

Nebuad is an unmistakable here-we-go-again moment for the privacy advocacy community:

  1. Company decides to push the boundaries of accepted data collection and user tracking with a new “creative scheme,” crossing the line from dubious into nefarious.
  2. Technology press gets wind of the idea, at first as a curiosity, later with growing skepticism and apprehension, feeding the blogosphere.
  3. Mainstream media picks up on the story.
  4. A public relations crisis results; indignant pundits demand that the company change its ways, and high-level executives begin a complicated song and dance for damage control.

At this point, the story normally continues with the dust settling, contrite executives offering token changes to appease the privacy wonks, and all concerned individuals moving on to the next crisis-of-the-day. This time it is different. Charter canceled plans to pilot Nebuad, other ISPs are backing out and the Senate has taken an interest in the problem. Quite possibly Nebuad picked the worst possible timing: with concerns about monitoring Internet traffic and the ongoing FISA discussion around retroactive immunity for carriers, the technology community has been collectively primed to watch for the slightest incursion into the privacy of electronic communications. CDT released an interesting report suggesting that an ISP contracting with Nebuad would be violating a provision of the Wiretapping Act around unauthorized disclosure of private communications, a possibility hinted at earlier by Peter Wu.

Predictions? Keeping in mind Yogi Berra’s warning here, it is a reasonable bet that a high burden of opt-in proof (as opposed to the current opt-out structure or simple click-through agreement) will be required if Nebuad-type systems are to be operational in the US. These barriers will make it unlikely that many subscribers will in fact participate voluntarily, unless the ISP offers heavy discounts on the Internet service, which is going to defeat the purpose of collecting additional revenue from Nebuad. Even if the economics worked out, the participation incentives will skew the data towards customers that were willing to make that trade-off, and it is unlikely that this demographic will be very interesting for many advertisers. Bottom line is that Nebuad and its ilk are currently sailing into terra incognita with an extremely shaky business model.

cemp

July 11, 2008

Fuel pumps and the “Y2K8 crisis”: security feature gone awry

Filed under: Security, risks, transportation — cemp @ 8:35 am

Crude oil at $100/barrel may have been the first psychological barrier for traders. Now that it is long crossed and $150 is looming on the horizon, it turns out there is an equivalent one for drivers: the $100 refueling at the friendly local gas station. The New York Times reports in the article titled “When a Tank of Gas Costs $100” that several large trucks and SUVs have enough capacity to hit three digits during a refueling stop.

But they often do not quite get there, for two reasons. The first one is the unwillingness to see the register ringing up that amount. The article cites owners who prefer to refuel long before they are running on fumes, to avoid seeing the full price– possibly wasting more fuel with more frequent visits to the gas station, as well as the slightly higher average weight of the car from carrying more fuel.

The second one is a “security feature:” many pumps that accept credit cards will shut off at $75 to prevent overcharges as well as stolen cards from being used. It seems strange that a criminal in possession of someone else’s credit card would go on a shopping spree for fuel. Electronics, jewelry and other high-value goods that can be pawned off appear as more likely candidates. (Never mind the cartoon strips– these measures have been in place since the times when fuel was relatively inexpensive.)

That’s not the worst limitation: in an echo of the Y2K crisis, it turns out that many older pumps are not capable of registering three digits at all. (No word on whether they simply roll back to $0.00 and start counting from there or getting stuck at $99.99.)

cemp

July 9, 2008

GMail starts enforcing DomainKeys for eBay and PayPal

Filed under: Google, Internet, Security, software — cemp @ 1:34 pm

In a sign that Domain Keys Identified Mail deployments have become reliable enough to depend on, Google has started to enforce DKIM signatures on eBay and PayPal.

Quick recap: DKIM is an anti-spam scheme intended to block forged email messages and verify the sender by using digital signatures. The short version is that every large email service provider signs messages originating from its site and the recipients verify them. Strictly speaking this is purely an authentication technology, defined by an open IETF standard– nothing prevents spammers from also signing their messages, but there is an implicit assumption that somewhere a reputation system will spring into existence to allow vetting the verified identities and blacklisting the miscreants. Microsoft has backed a competing solution called SenderID.

A major challenge with deploying these solutions is dealing with the “gray area.” If a message is properly signed by eBay, it is clearly coming from eBay. (Leaving aside the fact that eBay may have been handing out email accounts to its own sellers and one or more of them are spammers.) That email can be safely accepted. If the message is signed but the signature does not validate, it can be rejected– although even then there are edge cases where innocuous message modifications can cause the signature to invalidate. Cryptographic signatures are by design very brittle; any change to the message invalidates them. Domain Keys had to work around this. But what about unsigned messages? It could mean that eBay does not implement the DKIM standard at all. Or perhaps they have not gotten around to deploying DKIM on all the servers. A large service may have hundreds of servers dedicated to handling outbound email, and the conservative approach is doing a small-scale pilot project first. The final possibility is that the message did not originate with eBay and is indeed a forgery, an attempt at phishing for example. It’s important to distinguish these cases because the accept/reject decision for the message will be different.

Strictly enforcing DK would mean that unsigned messages are rejected, but that cannot be done until there is good reason to believe that the service provider has committed to signing 100% of outbound traffic. In October 2007 eBay (and PayPal, which is owned by eBay) announced plans for adopting DKIM. But until both services could commit to signing all traffic, strict enforcement could mean legitimate messages getting dropped or sent to the junk folder, and unhappy users.
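A sketch of the three-way decision described above, and of why Domain Keys needed a whitespace-tolerant canonicalisation, written for this post (not Google's, eBay's or any DKIM library's code): it computes the RFC 6376 bh= body hash under simple and relaxed canonicalisation, treats a matching body hash as a passing signature (assumption: the RSA check of the b= tag is left out), and applies a constructed policy table with ebay.com and paypal.com as sign-everything domains.

```python
import base64
import hashlib
import re

# Constructed policy table: domains believed to sign 100% of outbound mail.
SIGN_ALL_DOMAINS = {"ebay.com", "paypal.com"}


def canon_body(body: str, mode: str) -> str:
    """RFC 6376 body canonicalisation: 'simple' (sec. 3.4.3) or 'relaxed' (3.4.4)."""
    lines = body.split("\r\n")
    if mode == "relaxed":
        # Collapse runs of WSP to one space and strip trailing WSP on every line,
        # so an MTA that re-wraps whitespace does not break the body hash.
        lines = [re.sub(r"[ \t]+", " ", line).rstrip(" \t") for line in lines]
    while lines and lines[-1] == "":  # both modes drop trailing empty lines
        lines.pop()
    canon = "".join(line + "\r\n" for line in lines)
    return canon or ("\r\n" if mode == "simple" else "")


def body_hash(body: str, mode: str) -> str:
    """Value of the bh= tag: base64(SHA-256(canonicalised body))."""
    digest = hashlib.sha256(canon_body(body, mode).encode()).digest()
    return base64.b64encode(digest).decode()


def parse_message(raw: str):
    """Split a CRLF message into {lowercased header name: raw value} and body."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = {}
    for field in re.split(r"\r\n(?![ \t])", head):  # keep folded lines together
        name, _, value = field.partition(":")
        headers[name.strip().lower()] = value
    return headers, body


def parse_tags(sig_value: str):
    """tag=value list of a DKIM-Signature header; whitespace inside values is insignificant."""
    tags = {}
    for part in sig_value.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags


def signature_status(headers, body: str) -> str:
    """'none' (unsigned), 'fail' (signed, body hash mismatch) or 'pass'."""
    sig = headers.get("dkim-signature")
    if sig is None:
        return "none"
    tags = parse_tags(sig)
    body_mode = tags.get("c", "simple/simple").partition("/")[2] or "simple"
    # Assumption for this illustration: a matching bh= counts as 'pass'. A real
    # verifier would also fetch the selector's public key over DNS and check b=.
    return "pass" if tags.get("bh") == body_hash(body, body_mode) else "fail"


def dkim_policy(raw: str, sign_all_domains=SIGN_ALL_DOMAINS) -> str:
    """The accept/reject decision for the three cases discussed in the post."""
    headers, body = parse_message(raw)
    match = re.search(r"@([\w.-]+)", headers.get("from", ""))
    from_domain = match.group(1).lower() if match else ""
    status = signature_status(headers, body)
    if status == "pass":
        return "accept"  # validly signed: it really came from the domain
    if status == "fail":
        return "reject"  # signed but broken: a modification or a forgery
    # Unsigned: only reject when the domain has committed to signing all of its
    # outbound mail; otherwise the message stays in the gray area.
    return "reject" if from_domain in sign_all_domains else "neutral"


def make_message(from_addr: str, body: str, signed: bool, body_mode: str = "relaxed") -> str:
    """Constructed sample message; b= is a placeholder because no RSA key is involved."""
    domain = from_addr.split("@")[1]
    head = f"From: Notice <{from_addr}>\r\nSubject: Your item sold\r\n"
    if signed:
        head += (f"DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/{body_mode}; d={domain};\r\n"
                 f"\ts=sel; h=from:subject; bh={body_hash(body, body_mode)};\r\n"
                 f"\tb=PLACEHOLDER-NOT-A-REAL-SIGNATURE\r\n")
    return head + "\r\n" + body


BODY = "Your   item has sold. \r\n\r\n"  # constructed body with sloppy whitespace
REWRAPPED = "Your item has sold.\r\n"     # the same body after whitespace normalisation
```

Under relaxed canonicalisation the rewrapped body still matches the signed bh= value, while under simple canonicalisation the same innocuous change turns a signed message into a rejected one.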

cemp

July 8, 2008

Customer lock-in and US mobile market

Filed under: Internet, markets, oped, policy, software — cemp @ 9:18 am

A dated story from The Unofficial Apple Weblog hints at the sad state of competition in the US wireless market. As the release date for the second-generation iPhone draws near, news stories point out that AT&T and Apple are trying harder to lock down the phones. The widespread use of jailbreaking on first-generation phones caused AT&T to miss out on significant revenue as customers bought the devices without any intention of signing up for the corresponding wireless service. This time around buyers are forced (er, encouraged) to surrender the money upfront: phones are pre-bricked according to CNet and must be activated in the store, along with a minimum 2-year commitment to a wireless contract. (AT&T to Apple customers: “submit to our authority!”) Expect delays, as the purchase itself got complicated by credit checks and all the other ceremonies that go with signing up for service plans.

It is still possible to purchase the device itself, but at a steep premium. This is standard in the US market, where phones are subsidized by the wireless service contract and sold below cost. There are early-termination fees in case the user decides to part ways with the carrier before they have generated enough revenue to offset the cost of the subsidy. But there is still a gap in the logic, as TUAW points out in the article Doing the wacky AT&T math: it is still more economical to sign up for the contract and then break it after one month instead of purchasing the unlocked device.

On that note, Jonathan Zittrain was at Google NYC yesterday to talk about his recently published book “The Future of the Internet and How to Stop It.” One of the highlights from the presentation involved a picture of Steve Jobs on stage discussing the application approval process for iPhone, describing the criteria used to decide when code is unworthy of running on the sacred device. Alongside the usual suspects “malicious” and “bandwidth hog” was one that captured Apple’s attitude towards open platforms: “unforeseen.”

cemp

June 30, 2008

Cherry-picking identity providers in the open eco-system

Filed under: Internet, MSFT, Security, identity, risks — cemp @ 10:31 pm

Recap from a story developing last week:

  • MSFT announced that it was accepting OpenIDs for the new HealthVault service, a cloud-based solution for managing health records. But not just any OpenID: only accounts issued by Trustbearer and Verisign are accepted. Both companies have two-factor authentication with portable hardware tokens.
  • The blog ConnectID objected to the restriction, claiming that it violates the spirit of “open” in OpenID. Why is the user not free to choose any identity he/she prefers to use?
  • MSFT’s identity architect fired back, joined by another blogger, both arguing that cherry-picking identity providers is fair game.

Underlying this exchange is a misunderstanding: agreement on protocols is necessary but not sufficient for identity federation. Accepting an identity issued by another company is a risk management decision– or under a broader perspective, it is a business decision. The mere fact that the aspiring ID provider has successfully implemented some protocol, is compliant with this other standard or runs the most popular software package for authentication is not enough.

Authentication is a security-critical function. Getting it wrong leaves any resource protected by that system vulnerable. And if something does break, it will always be the service provider’s problem downstream, even if they are provably not at fault. Suppose that HealthVault accepted identities from Keys-Are-Us, a hypothetical incompetent OpenID provider operating out of a basement. This is an external dependency; when Keys-Are-Us makes an assertion about the identity of the user, HealthVault will accept that assertion at face value and provide access to controlled resources such as health records. This is essentially betting on the ability of this shady outfit to properly run an identity management system. If Keys-Are-Us experiences a security breach, and the health records are accessed by unauthorized persons as a result, MSFT is still on the hook. Yes, in principle it was not their fault: Keys-Are-Us made the error. But try getting that message across to the media and blogosphere pouncing on the incident as another indication of everything that is wrong with the Internet. More importantly, by agreeing to accept identities from Keys-Are-Us, HealthVault is implicated in the risk management decision.

Case in point, HealthVault accepts Windows Live ID, the identity management service operated by MSFT. (Full disclosure: this blogger worked on WLID security in a former life.) Because both of these organizations roll up to the same corporate entity, HealthVault designers have visibility into and, more importantly, influence over the risks of accepting these identities. Similarly the Verisign and Trustbearer systems are known quantities, and their reliance on hardware tokens makes it possible to gauge the security assurance level in a way that is not possible for a random OpenID provider.

cemp

Charter and Project Canoe: one step forward, two steps back

Filed under: Internet, markets, oped, privacy — cemp @ 8:50 am

Charter Communications announced that it was canceling a controversial plan to sell advertisers information about the web usage patterns of customers. The plan had sparked backlash from privacy advocates, soon spreading to regulatory agencies, culminating in the Connecticut Attorney General formally asking Charter to throw in the towel. As CNN/Money reports, the market barely shrugged, sending the stock down a mere 3.5% and leaving it trading well above its 52-week low. All of that effort for nothing? Once the dust settles, Charter may be remembered for successfully generating free PR (but not necessarily of the desirable variety) and positioning itself as an ISP ready to make aggressive, ill-advised moves in the name of monetizing existing subscribers with complete disregard for privacy.

With the ink on that story barely drying, another news item from Reuters reports on privacy concerns about US cable providers teaming up to mine the TV viewership data from their subscribers. Objective: stop the advertising revenue from shifting over to the web. Individual targeting is the main differentiating factor for advertising on the web, whether this is done by profiling users over time or derived from point-in-time context, such as a search query. By contrast mass media suffers from its “broadcast” nature, where many people by definition will see the same content. The ability to tailor the message to the audience is very crude by comparison, despite heavy investments to improve that over the years. For example today a newspaper can target a particular zip code– it is possible to get the New York Times to print a full-page ad but only for certain zip codes in Manhattan. Impressive as that sounds for an old-school newspaper, this is primitive compared to the level of customization on the web.

There are two pieces to the puzzle: the first one is being able to understand the audience better and the second one is being able to deliver unique, personalized content for each subscriber. Digital cable in principle already solves the second problem. Unlike analog systems, where all channels are delivered to the user at all times and a “tuner” picks out the particular one, with digital cable the subscriber’s set-top unit requests a particular channel from the provider. That also allows solving the first problem: getting to know the subscriber. DVRs were the first devices with visibility into everything a user is watching and the ability to call home with this information. TiVo unwittingly created the first privacy scare over DVR tracking by commenting on the 2004 Super Bowl. Cable providers have long been able to derive similar conclusions. (The DVR does have an advantage in that it can report on multiple views, including the number of times a recorded program is watched and when. But then again many DVRs today are bundled with cable packages and cobranded by the provider, so it is not clear who is calling the shots on the device logic.)

With both pieces in place, what remains is creating the platform. Enter Project Canoe. Backing this new initiative are Time Warner, Comcast, Cox, Cablevision — and Charter. From a privacy perspective there is good reason for concern. The extent of data mining is unclear. A key question is whether it will be limited to TV content. Several of these companies are both cable providers and broadband Internet providers. Charter crossed the line once before backing down. The current attitude is summed up in this quote:

“The cable industry is betting that full disclosure to subscribers about the information being collected, the ability for them to opt out, and the attraction of more relevant ads would help overcome potential misgivings.”

The problem is that few people read the disclosures, and even fewer understand the extent of data collection and its implications well enough to make an informed decision on whether this practice is consistent with their personal values on privacy. Even among users who decide to take issue, some fraction will be deterred by the difficulty of the opt-out process. Quoting an analyst about the initiative, the article concludes:

“It’s all but certain that the cable operators will have to set a third-party clearing house for information to safeguard privacy concerns,” Moffett said.

The article does not speculate on which independent entity would be stepping up to the plate for that role. In general the idea of trusted third parties safeguarding information is very attractive in principle, but so far there have been no takers. Even the organizations trying to offer a much simpler service, third-party verification of privacy practices, have been dogged by skepticism about their effectiveness.

cemp

June 28, 2008

Debt collectors: next weak link for data security?

Filed under: Internet — cemp @ 10:02 am

NetworkWorld has two interesting articles about the information debt collectors have access to and the risks posed by this concentration of data.

Call it the second wave of data breaches. The first wave came compliments of massive aggregators experiencing major data breaches (Choicepoint, Acxiom, Lexis-Nexis) and briefly putting the issue of data security on the map, before it faded away in the collective consciousness again. These companies, until recently having no direct consumer-facing operations and dealing only in B2B markets, were forced into the limelight for their 15 minutes of infamy/congressional grilling. Nothing quite encourages better security like public scrutiny. But the data aggregators, much like the credit reporting bureaus, essentially constitute an oligopoly immune to competition. Much as consumers have no choice in opting out of having their credit history collected by the “triumvirate” (Equifax/TransUnion/Experian), they have no meaningful choice over having their information compiled and commoditized. In fact, owing to the lack of anything comparable to the FCRA, there is even less accountability with data providers. Given this lack of economic incentives, it remains to be seen if the security lockdown and public floggings after the data breaches will have any effect. Meanwhile the Network World article draws attention to debt collectors– who often receive their data from the major brokers and often end up spreading it around in the name of tracking down missing payments– as the next problem spot. Quote:

“As IT director for a medium-sized collection agency, I can tell you that there are indeed many large databases out there that we use for ‘skip tracing’. . . [and] anybody posing as a business can get access to them.”

“So what information can be acquired? [...] Social Security numbers, known accounts (but not account numbers), known aliases, all of present and past addresses, the names of people living near the debtor (known as “nearbys”), people in the same town with the same last name (known as “possibles” as they might be related to the debtor), companies having made recent queries against the debtor’s credit and recent employers.”

The earlier article by the same author establishes the position of debt collection agencies as the downstream beneficiaries from the main artery of information flow. Barriers to entry are remarkably low:

It turns out pretty much anyone can set up a collections operation by buying a package of bad debts for around $40,000, hiring collectors who will work on commission, and applying for the appropriate city and state licenses. Once a company is set up it can buy access to Axciom and Experian and other databases and start hunting down defaulters.

There is a circularity to all of this. Defaults may be one of the expected consequences of easy credit. That credit is made possible only by the massive databases that allow any business anywhere in the country to make a decision within minutes about the creditworthiness of any customer that walks in the door. Proponents justify the existence of data collection and mining operations by that one benefit: a portable “reputation score” that travels with the individual, attached to their social security number and unlocking doors at every step– such as the doors to a new home or a new car. The information no doubt is important for the efficient functioning of the system; the subprime debacle showed what happens when lending decisions are made without regard for credit rating. (Oddly enough in that case the easy access to information made no difference; since the mortgage was getting securitized with an over-inflated rating, the lenders had no incentive to check on the odds of payment.) When debt collection agencies purchase and share that data, they are trying to solve a problem that would not have existed unless extensive credit data were available in the first place to make bad lending decisions an endemic problem.

cemp

June 27, 2008

Changing of the guard at Microsoft

Filed under: Internet — cemp @ 9:42 pm

Gates officially steps down from day-to-day responsibilities at Microsoft today.

For those of us who spent any significant amount of time at MSFT, this is a watershed event. Even after Steve Ballmer became the chief executive officer, Gates had remained actively involved in technology decisions and product reviews. More than anyone else, he was the heart and soul of the company. After his ambitious vision– a personal computer on every desk running MSFT software– was accomplished for all purposes, the company had difficulty articulating a new direction or rallying around an equally compelling objective.

cemp

Update: Comcast changes traffic management policy

Filed under: Internet — cemp @ 8:37 pm

(Follow-up to earlier posts on interference with Slingbox traffic)

Comcast had announced that it was making changes to the way network traffic was managed. Perhaps as a result of this change, this blogger has observed that a Slingbox located in a Philadelphia residence with Comcast broadband access no longer shows the strict cap at 350kbps for upstream bandwidth. During sustained streaming, bandwidth reported by the SlingPlayer application regularly hovered around 800kbps. On the downside, the change in video quality between this new unrestricted stream and the artificially capped one was barely perceptible.

cemp
