Sunday, March 29, 2009

LifeHacker collection of user password stories

LifeHacker has an entertaining post collecting reader password stories that is worth a read. A couple of suggestions for generating passwords are also thrown in.

Monday, March 23, 2009

What is identity on the web these days?

Identity is a funny thing. It seems intuitively obvious, but like many such concepts, it becomes really confused when you move it from the real world to the Internet.

In the "old days" of the Internet (last century), your identity was an email address. Back then email addresses were not handed out indiscriminately - you generally got them from your employer or your school, or you paid for them from a service provider (e.g. CompuServe). An email address was likely to be a reasonable representation of your legal name and unlikely to be reused, and the combination of your name and the institution it belonged to usually served to identify you fairly well.

This was the last time Identity on the Internet was simple.

Now email addresses are increasingly disposable. There are lots and lots of places that will give you an email address with any name that happens not to be taken, with no concern about who you are, plus many that provide anonymity as a feature.

And the organizations like schools and workplaces that hand out long-lived email addresses have had to resort to various schemes to "uniqify" them. The first John Smith may have gotten "jsmith", but a new John Smith showing up today is more likely to get "jas0009". Unique, yes, but not very representative of the person's real name.

Also, email is not the primary communication mechanism any more. The Web has opened a proliferation of social networking sites - Twitter, Facebook, MySpace, etc. Even Amazon has profiles for customers who choose to review things.

Each of these sites has its own concept of identity. Von Welch on Facebook might be vonwelch on Twitter, which might be Von Welch on MySpace, etc. It's easy for people to have multiple identities across these different sites. Or even on the same site.

In many ways this is a good thing. It's often useful to have different identities for different purposes - for example, one identity for work and one for personal life.

But this does cause some issues. For example, you could jump someone's claim and snag their identity on a social networking site they aren't using yet. Even if they are already on a site, you can grab an intentionally similar name and claim to be them. To help counter this, there are sites now to let you check for people impersonating you, but even if you discover someone acting as you, what you can do about it is not always obvious - how does Facebook know which you is you?

What's the upshot of all this? Identities are no longer intuitive. Like the Internet, they are becoming more complex, and the rules we apply in the real world without much thought just don't work any more.

How we are going to deal with all this is still emerging and I suspect will be for a long time. Being aware of the issue is the first step.

Sunday, March 15, 2009

My letter to the editor regarding Identity Theft

Whenever you consider a security problem, two questions to ask are: Who will suffer if security fails to provide protection? And who is responsible for providing security?

If the answers to those two questions aren't the same person, you have a sticky situation because that means the person in charge of security isn't the one that suffers. That leads to a variety of problems related to a lack of motivation in providing security, at least to the level that the person who suffers would like to see it provided.

Sometimes a lot of effort (and money) goes into shifting responsibility to avoid having to provide security.

The subject of "Identity Theft" is one that annoys me, because that is one such area where those who should be responsible (banks, credit card companies, etc.) have done a good marketing job to shift the responsibility to you and me.

After seeing an article on medical identity theft in my local paper, I wrote a letter to the editor hoping to raise awareness and understanding of this issue.