When technology changes faster than society can adapt

Thomas Malone inspired me with this bit:

If you want me to be a little bit grandiose about this, I’ll tell you what I wrote on my college application when I was a senior in high school.  I said I wanted to help solve the problems created by technology changing faster than society could adapt. — Thomas W. Malone http://edge.org/conversation/collective-intelligence

The current US solution to this problem is the modern “Intellectual Property” system. It operates by picking a “winner”– the IP owner– and giving that person exclusive control of the situation created by the changed technology. If something else new happens then another IP owner is chosen. Repeat until the changes stop. The IP owner is expected to demand payment for use of the IP or otherwise impose restraint and order on the use of the new technology.

The owner selection process favors incumbent IP owners of similar technology. The IP owner of an original work is given arbitrary powers over derivative works, so further technological change that builds on the IP owner's property is restrained for a time. An IP owner that does not or cannot exercise restraint on derivative works risks being replaced in the market by a derived IP with a different owner.


The Epic Hack– A new front in spear phishing

Mr. Malicious has opened a new front in online fraud. But of course you have read about Mat Honan already.

As with any social engineering attack, the hacker reconnoitered his target, collecting bits of information here and there to build a profile of his mark. The innovation here is to spear phish Apple's technical support staff instead of the mark or one of his friends. The way Mat Honan centralized control of other accounts to his Apple email allowed full cloud root.

TIME suggests doing away with usernames/passwords altogether, replacing them with some improved OpenID-like scheme. These simply move the phishing target to another authentication service provider, like Disqus here below.

Time Warner Cable's technical support handles password resets by deleting the user's profile. No information is disclosed and, if you are the legitimate account holder, you can reconstruct it in about half an hour. Many online services could use this approach. But Apple stores too much valuable data for that to work, as do Dropbox, Facebook et al.

Apple has a good possible fix: the Macintoshes and iDevices all have unique serial numbers obtainable by software, and Apple has complete control over them through the software update process. They could switch to two-factor authentication for AppleID, based on the iDevice plus a password, and supply a stronger OpenID to web applications approved by Apple. To reset a password, you must initiate it from your Apple product, then call support, then wait 72 hours (to give the owner a chance to report a stolen device). Something like this would give Apple an edge over pure software-based security solutions and avoid the cost of distributing one-time key fobs.
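To make the proposed reset flow concrete, here is an added illustration (not Apple's code and not from the original post) that models the three gates: the request must come from a serial bound to the account, support confirms the call, and the reset completes only after a 72-hour hold during which the owner can report the device stolen. The serial numbers and the `Account` structure are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

HOLD = timedelta(hours=72)  # the waiting period from the post's proposal


@dataclass
class Account:
    apple_id: str
    devices: set                      # serials bound to this AppleID (constructed)
    pending: dict = field(default_factory=dict)   # serial -> {"at": datetime, "support_ok": bool}
    revoked: set = field(default_factory=set)     # serials the owner reported stolen


def request_reset(acct: Account, serial: str, now: datetime) -> bool:
    """Gate 1: a reset can only be started from a device bound to the account.
    A caller who only knows the victim's name, address and card digits has no serial."""
    if serial not in acct.devices or serial in acct.revoked:
        return False
    acct.pending[serial] = {"at": now, "support_ok": False}
    return True


def support_confirm(acct: Account, serial: str) -> bool:
    """Gate 2: support staff confirm the call, but cannot shorten the hold."""
    if serial not in acct.pending:
        return False
    acct.pending[serial]["support_ok"] = True
    return True


def report_stolen(acct: Account, serial: str) -> None:
    """The owner reports the device during the hold: the reset is voided
    and the serial can no longer be used to start another one."""
    acct.revoked.add(serial)
    acct.devices.discard(serial)
    acct.pending.pop(serial, None)


def complete_reset(acct: Account, serial: str, now: datetime) -> bool:
    """Gate 3: succeeds only with support confirmation and after the full hold."""
    p = acct.pending.get(serial)
    if p is None or not p["support_ok"] or serial in acct.revoked:
        return False
    if now - p["at"] < HOLD:
        return False
    acct.pending.pop(serial)
    return True
```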

Identity Control and Management

This blog is about Online Identity Control and Management.

I created it because I need to get better control over how I appear on the internet in order to advance my search for employment. I expect you and a great many other people out there have a similar need.

The internet industry as currently organized has no centralized notion of identity. However, many organizations require disclosure of your true identity as a condition of delivering any services, even where such information is irrelevant to the actual service delivered.

In the early days of the internet, persons routinely made up handles like mine — ‘Magicianeer’ — to identify themselves on various forums and sites. The true identity was only disclosed for the purpose of completing an e-commerce transaction and was guarded like… money. Your true identity was worth at least the price of the goods you bought. Up until ~2000 that was OK.

From 2000, interests emerged on the internet that insist on real, verifiable identity outside of a financial transaction. Examples are yahoo.com, facebook.com and dice.com. Providing such information did not yield a benefit to the person providing it, but added much value to those collecting it. They could do demographic and geographic analyses to better target advertisements (among many other things I will cover in later posts).

Any single person in these databases is essentially worthless to the collector. Only the aggregate has value. Consequently, these data collectors have little incentive to ensure the accuracy of any single datum. For example, convincing email marketers (spam artists) to allow people to unsubscribe from their lists required several Acts of Congress and criminal prosecutions. Your email address is just about the least sensitive bit of identifying information collected.

Many of these services go out of their way to publish this data (Facebook! LinkedIn!). This wanton disclosure of identifying information fuels identity theft: impersonating another person for financial gain. Those collecting the data are not harmed. The individual data are left to pick up the pieces of their reputation.
