A Problem of Authentication

In computer security, we talk about “I&A” – Identification (or Authentication) and Authorization. It’s one of the fundamental problems that makes everything work or not work, accordingly.

How does the system know who you are? And, if it’s reasonably confident that you are who it believes you are, what are you authorized to do? This crops up everywhere in security because we need to authenticate and authorize important transactions before they’re processed; that ranges from “create a new user” to “delete all my files” or “reboot the system” and perhaps “transfer money from my account to ${other account}.” On the internet, there is a sort of hierarchy of digital certificates based on public key signatures, but (let me just assert this) it’s marginally functional at best and totally bogus at worst. That hierarchy represents a “trust delegation” – if A trusts B, then A trusts that C is who B says they are, if B attests to that identity. There’s a great big not very secret battle being fought over who controls these federated identity systems: do we use our Microsoft Azure credential, Apple-ID, or our Google or Facebook login?

use your finger to authenticate to the phone, the phone is authorized to do certain transactions on your behalf

Consider “de-platforming” as an extended argument over I&A – control of an online identity and its actions. A digital identity can be extremely valuable; imagine Donald Trump’s iPhone as a remote control for the stock market; hijacking that identity would be a coup. De-platforming it would be, too. And, in this context, “de-platforming” means “this identity ${user} is exceeding their authorization because they are engaging in {hate speech|stock market manipulation|violation of terms of service} and their access should be revoked.” The systems that we use for just about everything were not designed with a subtle understanding of these things – they mostly evolved in place, and began with authentication/identity and then began loading more and more authorization controls on top of the basic authentication.

Doing I&A right is really, really hard. It may be impossible to even do it well. Doing it badly is pretty easy: you use something to control how easy it is to make a new identity. One example: social security numbers. In principle you can only get one per person because that identity is tied to a birth certificate and – in principle – you only get one of those. Never mind that that’s not really true, it’s harder to get a fake ID based on a social security number and birth certificate than it is if we used someone’s name and address; those are low-cost to generate. The obvious answer to the cost question is to make identities more expensive, money-wise, so that you’re accepting a certain number of fake identities but you’re profiting off of them. That way, having your account yanked for misbehaving comes with a real world cost. Suppose that Twitter collected $5,000 from each user before their account was established, and returned it when the account was shut down – and kept it if the account was terminated for abuse. There would be a lot fewer sock-puppet users and a lot less abuse because people would have to think about how much their Twitter account was worth, to them. In effect, that’s how your smartphone works: you buy an expensive piece of electronics and give your phone company your credit card information, and your identity is worth at least the pain factor of establishing a new identity (and buying a new phone!) if your phone is lost or compromised.

look it’s a matrioshka coder-bro!

That’s as tenuous as it gets, really: financial resources as a proxy for identity, which (tell me if you’re shocked by this) tends to favor those who have more resources. In our modern cyber-civilization, there are vast numbers of systems that are built on the flimsiest of credentials and those credentials are often proxies for “it’d be an expensive pain in the ass to transfer this credential.”

Let’s look at a case-study of the problem: Facebook. [vice]

One of Facebook’s major efforts to add transparency to political advertisements is a required “Paid for by” disclosure at the top of each ad supposedly telling users who is paying for political ads that show up in their news feeds.

But on the eve of the 2018 midterm elections, a VICE News investigation found the “Paid for by” feature is easily manipulated and appears to allow anyone to lie about who is paying for a political ad, or to pose as someone paying for the ad.

It appears that Facebook is using “the credit card charge was accepted” as a proxy for identity, and has no kind of detailed authorization behind it.

To test it, VICE News applied to buy fake ads on behalf of all 100 sitting U.S. senators, including ads “Paid for by” by Mitch McConnell and Chuck Schumer. Facebook’s approvals were bipartisan: All 100 sailed through the system, indicating that just about anyone can buy an ad identified as “Paid for by” by a major U.S. politician.

Facebook and Twitter were created as advertisement platforms to amplify marketing. That’s a nice way of saying “their purpose it to carry lies” and they do it pretty well. Identity was not an initial requirement of the system, and it’s only been grafted on, too late, because it turns out that the origin of lies matters. I suppose we can excuse the developers of the systems on the basis that “they didn’t expect to succeed as well as they did.” But there’s a simple but powerful failure-mode in the very foundations of the systems. It’s an example of how ‘code it now, fix it later’ is not how to build a significant and dependable system.

Another report describes a flaw in the business interface in Facebook, that allowed a researcher to add themselves to the permissions for any business account: [soph]

Security researcher Philippe Harewood says on his blog that he discovered a way to import administrators to a business account via a call to the social network’s website that didn’t have any access control set on it. This made it possible to add anyone as an administrator to any business account, he claimed.

The attack could be executed by making a simple HTTP post to Facebook’s site that included the ID of the targeted business, the ID of the attacker’s account, and a session ID. In a demo video on the blog, he shows himself making an HTTP post to Facebook and then showing the new admin added in the Facebook Business Manager.

That’s just ordinary sloppy coding, not a systemic flaw in how social media works. It’ll be fixed. But, the problem is that people trust sketchily authenticated stuff on social media, and believe that it’s true.

What if someone created a fake account that was allegedly Northrop-Grumman and “announced” a major program flaw in the F-35, to cover a short position in the stock? We saw that Elon Musk’s comments on Twitter were enough to move Tesla stock, and the “Paid for by” warning Facebook puts on promoted content could be mistaken for an imprimatur not a disclaimer. There’s so much room for shenanigans, quick, better run blame the Russians before it’s too late.

-- divider --

Back in 2009 or so, when Howard Schmidt was Obama’s cybersecurity advisor, he invited me down to the White House for a briefing and opportunity to comment about the government’s online identity plan. I agreed to it on condition that I got a chance to offer some prepared remarks – this sort of invitation is a double-edged sword because what the government does is tells you something and then embargoes it under a non-disclosure so you can’t trash the idea if you think it’s bad. They also do this with secrets, sometimes – “read you in” to a particular piece of sensitive compartmented information classified under a code-word – so that you can no longer speak publicly about that topic. Anyhow, I was interested in what Howard had to say (we’d been casual acquaintances for a decade or so) and I got up at 3AM and drove down, suffering a potentially fatal 70mph transmission failure in the process, made it to the meeting on time and eventually found my way home in a rental car. The government’s plan was to extend some of its authentication/certification hierarchy to civilian agencies – basically, WALMART could leverage a form of the DoD’s Common Access Card (CAC) if they needed a high quality identity service. It was an interesting idea and we discussed it for a while; the main open question was how the cards were going to be authenticated – you needed a trustworthy card-issuer. That’s the same problem which you have with drivers licenses, passports, etc. I told Howard he was walking into a world of pain, and wished him luck.

Then I got to my prepared comments, which were in the form of a short two page paper arguing for “government-issued fake ID.” When I handed it around the table, people made choking and gasping noises. My view was (and is!) that ‘nom de plume’ identities such as “Voltaire” have value and the government is uniquely positioned to authenticate fictitious identities. The idea would be that you go to the post office with your actual credential, apply for a fake ID, and the government countersigns a fake ID that it (presumably) guards against everything short of a subpoena or court order. I also argued that fake ID would need a mechanism for sharing the fake identity and transferring it; there would need to be a succession-map created as part of the identity (“If I die, the new Dread Pirate Roberts is, in order: cabin-boy Fred, One-eyed Jane the barmaid, or Apprentice Jim”) with provisions for how an ID is officially discontinued (“‘Snake’ Plissken is dead.”) Not surprisingly, Howard said something to the effect of “this is all interesting stuff and it’ll get disseminated to the appropriate people, but you know it’s not going to happen.”

------ divider ------

There is another proxy for identity, which is longevity. Although longevity could be faked (hey! finally a use for blockchain!) it is a lower-cost way of maintaining value in an identity. Imagine if Facebook were ruthless and swift about closing accounts that violated the terms of service. After 10 years an account that was still open would have a history of 10 years of behavior within the TOS, it would be worth more than an account that was 24hr old. I believe that idea could be combined with financial penalty to produce a good value-basis to some online identities: you put $2,000 in the pot and you get it back with interest if your account survives 5 years. After that, your account gets a “gold star for good behavior” or some other mark of seniority. Unfortunately such a system still favors those with the money to cram in a bunch of fake identities for later use, or to farm and sell identities.

Back in the 90s a friend of mine and I came up with a scheme to create and establish hacker identities, build them industry reputation anonymously, and then sell them discreetly. Want a hacker identity with a history of associating with the Russian mafia, who has developed some attack tools and is responsible for hacking the Brazilian election? $15,000. $20,000 if you want a few other hacker identities that’ll vouch for it.

On the way out of the building, Howard mentioned that they were trying to find candidates to replace him eventually, and my name had been brought up early in the process. I started laughing when he said that, but then he told me how, at that meeting, someone had pulled up my website on their laptop and announced, “he has an anarchist ‘A’ on the top page of his website” and everyone crossed me off the list. I have to say I’d be approximately the worst possible fit for a position like that. I’m good at the big picture strategy stuff, but bureaucracy gives me hives.


  1. Some Old Programmer says

    It’s an example of how ‘code it now, fix it later’ is not how to build a significant and dependable system.

    But it was a great way for me to make a living. I marketed myself around Silicon Valley in the early ’90s as a “Software Consultant”, but privately I would describe my work title as “Code Janitor”. Companies, large and small, would have developers spit out large chunks of code that mostly did what they wanted, then needed someone with good coding skills and a lot of patience to go in, understand what the code was doing, plug the holes and otherwise clean up the inevitable mess.

    Of course this tends to lead to zero warm fuzzy feelings about the safety and security of computer systems …

  2. Curt Sampson says

    “Safety and security of computer systems.” Hahahahaha!

    An engineer is someone who, when he’s finished consing up a system, thinks, “Are there any circumstances in which this could break?” Then he does a cost-benefit analysis on mitigation for those circumstances.

    A “software engineer” is someone who thinks, “Are there any possible circumstances in which this could work? Oh, I thought of one! Great! Release it!”

  3. komarov says

    use your finger to authenticate to the phone, the phone is authorized to do certain transactions on your behalf

    … the phone is authorised. It pains me to confess I’ve never thought of it this way. While it doesn’t render me any less helpless with regards to my dependency on technology to do virtually anything (pun not intended), it’s a useful thought to keep in mind. As if I wasn’t already uncomfortable enough making online payments…

    you put $2,000 in the pot and you get it back with interest if your account survives 5 years.

    Sounds like “facebank.” The worst part is, I’m not entirely sure if facebook wouldn’t be a “safer” investment than regular banks, having demonstrated that it can do all sort of awful things and, at worst, wobble a little bit on the stock market before becoming even richer. Okay, as we’ve seen banks can do all sorts of awful things, too, but afterwards only the execs get richer and everyone else .. does not.

    Maybe a facebook account in good standing (i.e.: gathering digital dust) could make a good nest egg. Assuming the account isn’t stolen by trolls and subsequently annihilated. In this scenario it might be worth re-evaluating facebook’s incentives regarding account security.

    P.S.: WordPress has authenticated my browser’s password manager and is now authorised to post this comment.

  4. says

    … the phone is authorised. It pains me to confess I’ve never thought of it this way. While it doesn’t render me any less helpless with regards to my dependency on technology to do virtually anything (pun not intended), it’s a useful thought to keep in mind. As if I wasn’t already uncomfortable enough making online payments…

    It’s a very important point. What’s going on is a delegation of trust: you prove to the phone who you are (to the phone’s satisfaction) and then the phone has its own way of proving to the system who it is. And by “proving” I mean “waving its hands and hoping it works.”

    The President authenticates to The Football, which authenticates to the nuclear arsenal. Under Clinton the passcode was ‘00000000’ – honest, no kidding.

  5. Curt Sampson says

    As if I wasn’t already uncomfortable enough making online payments…

    Just use a credit card. This is perhaps counter-intuitive, but because credit cards are relatively easily and constantly fraudulently used, they’re probably the safest way to pay for something on the Internet because they (mostly, see below) have excellent protection for you against getting charged for something you didn’t buy, didn’t receive, or wasn’t what it was claimed to be. If you’d use your card to buy something at a random shop that said they’d send the product to your home, that’s really no different from using it online.

    One thing to note, though, check the conditions and fraud protection of your card carefully. Debit cards, which look and are used like credit cards but are not, have almost no protection: once the money’s gone, it’s gone, regardless of what happens after. And in some cases, especially with the introduction of Chip and PIN, credit card companies have been able to relax their fraud protection (much of which is enforced on them—or not—by regulators) signifiantly in the hope of making consumers pick up more of the tab for fraud so they can spend less effort on anti-fraud systems.

  6. Curt Sampson says

    Oh, and just in case it wasn’t obvious, review all the charges on your statement every month and raise any issue with your card provider for any transactions you didn’t initiate.

Leave a Reply