PayPal takes security seriously

February 14th, 2007

I have to admit I wasn’t expecting PayPal to be the first company that realised phishing was a real problem but having just read a BBC News article reporting that PayPal is introducing a security token, I am very pleased to see this happen.

How do they work?

These Verisign tokens are devices that generate one-time passwords every 30 seconds using a cryptographic key known only to the token and the server. PayPal will be selling these for $5 (USD), which is frankly a ridiculously cheap price for such tokens. The suggestion on the BBC’s site that PayPal should be providing them for free is interesting, but I would pay a lot more if I managed to persuade my banks to provide these. Keeping the secret off the computer, so that the user has to type the current tokencode into the system, will vastly improve security: a keylogger or phishing site only ever captures a code that is useless within seconds, rather than a password that works indefinitely. This doesn’t solve the problem outright, however.

The article does acknowledge that man-in-the-middle attacks are still possible, as long as the malicious party is ready to use the tokencode as soon as it becomes available to them. This means that someone engaged in phishing would need to run a site which persuaded you to give them the tokencode, which they then used to log in to PayPal straight away, before the code expires and before the server has seen it used. This does decrease the window of opportunity significantly, however: a stolen static password can be used at leisure, whereas a tokencode is worthless after the current 30-second window (plus whatever clock drift the server tolerates) and, on a properly built server, after its first use. One-time passwords in general have always suffered from this kind of race condition, and this relay attack is not too different.

The keyring problem

These tokens have already been used in the corporate market for many years, with RSA SecurID being one of the leaders. Similarly, banks have used them for specific applications like corporate banking, stock brokerage, etc. When they wake up, realise the benefits of cutting fraud and introduce them for all customers, we are all going to have fun carrying around one of these tokens for each of our bank accounts, workplace login systems, etc. They may be getting smaller, but they aren’t that small.

Sooner or later, some kind of hybrid solution needs to be found. Sharing the token’s ‘secret key’ (the symmetric key held by both the token and the server) between organisations is clearly not an option, since anyone holding the key can generate your codes and you don’t want your employer having the keys to your bank account. That leaves a full public/private key infrastructure, and with codes as short as six digits (or, in RSA SecurID special applications, I believe they can be up to eight), I’m not sure how feasible that would be whilst maintaining security.

Another option is a trusted third-party verification system, something that is already being tried on the Internet in general for unified logins. However, it then comes down to the question of whether you trust the third party. Is it wise to put all your eggs in one basket?

What I suspect will happen, certainly for devices which show digits on the front, is that hybrid devices will appear which can securely store multiple secret keys, each used for a different service. In the long run, it’s also quite possible that smart cards will take over, in which case a full PKI will manage the problem with a single key pair. The reason these ‘tokencode’ devices are so useful is that they require no hardware interface to a PC (although some have USB interfaces), which means they can be rolled out at minimal cost. To an extent this already happens, with RSA having soft tokens for PDAs and mobile phones.

Open standards & low quantities

The one change I would like to see this industry make is for the standards to become open and for individual tokens to be sold without the need to buy a huge infrastructure to go with them, as this would encourage even smaller companies to adopt these, which are currently priced for the corporate market. RSA has launched a SecurID appliance, but the cost per user is still very large and the licensing overly complex. Charge £10-20 per token and £10 per order to deliver the keys, and allow open development of the server applications. Of course, I doubt RSA will go that way as they would fear for their corporate business, but sooner or later this cash cow will mature into a competitive industry. It is worth adding that some platforms are more open than others; some of these are linked below.

I have also just seen the Initiative for Open Authentication which is trying to unify authentication architectures and looks promising.

Links

Verisign
RSA SecurID
Aladdin eToken
ActivIdentity

Modernising the post office

February 9th, 2007

Apologies for not updating my blog for the last few weeks but it has been very hectic to say the least. I have quite a few issues I intend to write about when I get more time. In the meantime however, I have been persistently annoyed by the following issue.

The Post Office (or at least the one I frequent) doesn’t take credit cards as payment for items such as postage for Special Deliveries, etc. They accept debit cards, but not credit cards. That is to say, they say they don’t accept credit cards, but a friend has had no problem using one when he put it in the PIN-pad machine. I am nonetheless assured they don’t.

It seems quite backward that an organisation such as the Post Office cannot accept a modern means of payment for its services. If it were a question of costing too much, I would be quite prepared to pay for it, just like at Ikea, where a surcharge applies to credit (and I think debit) card transactions to cover the extra cost they incur in processing.

Microsoft Windows Vista – The hidden cost?

December 30th, 2006

I spent the best part of an hour reading an interesting document entitled A Cost Analysis of Windows Vista Content Protection by Peter Gutmann, which discusses the problems Microsoft Windows Vista introduces into the general PC market through its implementation of copy protection measures, which will both increase the cost of hardware as a whole (not just for Vista users) and artificially degrade the output of high quality devices.

Microsoft’s new system of handling device drivers (the pieces of software that interface between hardware and the operating system), and the standards it requires all such drivers to adhere to, will require hardware manufacturers to change the way they design hardware. Specifically, they need to do so in such a way as to make it very difficult for someone to intercept signals carrying ‘protected content’ (e.g. movies, music, etc.).

To achieve this, hardware designs need to be less modular. Traditionally, modularity has been used by manufacturers to develop multiple products using the same core framework or circuit board, a bit like a range of car models sharing the same chassis with different extras. This reduces development and production costs, as these can be shared across a larger number of units. By removing this flexibility, the cost of hardware (sound cards, graphics cards and motherboards at least) will rise, and since Microsoft is in such a dominant position in the market, the cost increases will affect everyone, including non-Vista users. With requirements to encrypt communications between devices, the cost in processing terms, and therefore power consumption, will also rise. In a world which is increasingly aware of the environmental impact of technology, this is counter-productive.

Not only are Linux and other users faced with potentially increasing hardware costs; the author of this document suggests that hardware specifications will need to be closed for the hardware to be certified to work with Vista, reducing the likelihood that open source drivers can be developed and thus making such hardware incompatible with Linux and other open source operating systems.

Essentially, Vista’s new copy protection system means you can’t play legally purchased content (e.g. movies) with a legally purchased high quality monitor if it doesn’t support the copy protection standards.

If this wasn’t enough, Microsoft is employing a driver revocation system which allows it to disable any devices which ‘leak’ protected content (allow you to copy a movie for example) rendering parts of your PC as useless as a brick.

These are just some of the issues raised by this paper. There’s a summary of the issues on TheRegister for those too busy to read the full document:
http://www.theregister.co.uk/2006/12/27/windows_drm_monstered/

It may not be obvious from the above, but I am a Microsoft fan. I like Linux shells but I prefer Microsoft as a workstation OS. I like the way Microsoft software works and how predictable the features are (I’m not quite sure of the new IE7/Vista ideas but I won’t judge that yet). I have dabbled with OS X but I like Windows too much to switch. Will this be the catalyst for change in my position?

“Free” and “Unlimited”

December 28th, 2006

These two words are the most abused terms in broadband advertising. The Advertising Standards Authority (ASA) did publish a critical adjudication against Carphone Warehouse for using “free forever” in its TalkTalk advertising, but there is still a lot of marketing material which is open to misunderstanding, by naive consumers in particular, as to the nature of the costs and limits of a particular product or service.

Let me be clear about this: there is no such thing as “free” or “unlimited” anything which doesn’t at the very least rely on the law of averages. Any company using these terms is relying on income from something else which helps make particular options or features available at no additional cost. Usually they are suffixed by an asterisk or other reference to a footnote detailing the terms, or worse, text such as “Terms and conditions apply. See website for details”.

So why am I so wound up about this? I view using these terms as being dishonest. Let’s look at the word “unlimited” for a second. It means “without limit”. Therefore, by definition, “unlimited internet” means “internet without limits”. Now I can understand that it is not possible to run a service which is not contended (and thus limited in some way), but my issue is where the small print includes concepts such as a ‘Fair Usage Policy’ (which comes under various names including Acceptable Use Policy, Sustainable Usage Policy, etc.).

These policies effectively place limits on what is and is not acceptable, thereby rendering the product no longer unlimited. The honest service providers call these services ‘unmetered’. I am not suggesting that all products should employ charging by usage, but if they have limits in the form of FUPs/SUPs, they should be clearly labelled as such. ‘Unmetered’ is understood to mean you won’t get a meter reading each month on how much you’ve used.

Recently, several broadband service providers have started offering ‘free broadband’. This is another term I take issue with. It’s not really free: you have to subscribe to some other service to qualify, so in reality there is a cost. This is slightly less of an issue, as it can be argued the broadband is free whether you take it or not; however, I am quite concerned that many users do not see past the headline when choosing a provider.

Initial City-Link’s delivery policies

December 25th, 2006

I recently ordered some Christmas presents from an online retailer who was using Initial City-Link to deliver them. This made me quite happy as I see them on average once a week at least for all sorts of deliveries so they usually don’t get the address wrong.

The package was scheduled to arrive on a morning delivery (pre 12:00) one day and I had to go out that afternoon. I was “carded” (they couldn’t deliver it and left a card saying “We called whilst you were away”) at around 13:50 that afternoon, so I called the supplier, who confirmed it was supposed to come that morning. They arranged for it to be re-delivered the next day, although they didn’t promise it would be done that morning, but they said they would try.

The following day the morning and afternoon passed, so I called the supplier after I could not reach City-Link myself other than via an automated line which said they had tried to deliver it twice. Their website still said it was in the van. They had similar problems getting through to City-Link, but I was lucky as they had one person on the phone with them, and the rep who was helping me sent her colleague an Instant Message (IM) with my delivery reference. They confirmed it would be going back to the depot and I could collect it that evening.

So I went to the depot to collect it and sure enough they found the package. I mentioned they had never called that day and they first said it wasn’t on the van, then they checked their computer and said it had been on the van and they did try to deliver it. I asked what time this was, considering I was home all day and never heard a knock or had a card through the letterbox, at which point she duly informed me “Well maybe they never got around to you..”

I wasn’t aware City-Link’s definition of a “delivery” is “trying to get around to you” but there we go.

Did you pack your bags yourself?

December 25th, 2006

Here’s a story I heard today:

A man walks up to check-in for a flight, and the clerk asks him some questions:

Check-in Clerk: “Do you have any bags to check in?”
Traveller: “No”

Check-in Clerk: “Any hand luggage?”
Traveller: “No”

She then proceeds with the usual security questions:

Check-in Clerk: “Did anyone give you anything to carry on board with you?”
Traveller: “No”

Check-in Clerk: “Did you pack your bags yourself?”
Traveller: “No”

The check-in clerk looks up as it wasn’t the answer she was expecting.. After thinking for a few seconds, she smiled and proceeded to hand him his boarding card and wish him a pleasant flight.

Internet: A social right?

December 24th, 2006

Following my discussion on social exclusion if Internet sites have to resort to micropayment charging for visitors, a comment asked if I believe that Internet access is a social right, like housing and food.

The modern economy is making increasing use of the Internet to lower transaction costs, which shows up as ‘Internet discounts’ for everything from insurance services to banking benefits, and in access to government services online. Even HM Revenue & Customs is giving financial incentives to companies who file annual employer returns electronically (with a view to making it compulsory for the remaining businesses; it already is for larger ones). The capability of the Internet to lower barriers to entry in markets, increase competition and increase access to information (a key requirement for a ‘perfect competition’ economy) is phenomenal, and it is something that every part of society needs to be able to access.

I guess by that I am indeed arguing basic Internet access is a social right just like housing and food. In the modern economy, exclusion from this can restrict your career prospects, access to online learning material, etc. If on the other hand you’re asking me if playing online games, and downloading movies online is a social right, clearly the answer is no. I am therefore not arguing the government should be running a national UK Broadband Service, but that we should be conscious that the ability to access the Internet can have significant social benefits. Premium Internet access is still a luxury.

The question I was posing in my micropayments article was whether a trend towards usage charging might lead to exclusion of those who can only just afford the cost of accessing the Internet.

Micropayments: Social exclusion?

December 2nd, 2006

Running a web site that relies on advertising as its only source of income has presented some interesting challenges. Over time, various users have suggested that we should be offering subscriptions or taking donations as a way to fund the site, and maybe use this as an option to allow individuals to opt out of advertising.

Whilst there are no widely used micro-payment solutions around, so the feasibility of such a system would still be questionable, the suggestion raised some concerns about the impact on society if the net moves towards this system to replace advertising.

Let’s assume that when visiting an information website, you pay 5 pence (say 10 cents for the Americans) per month to access that site. Now this may be regarded by many as a wholly reasonable price, and everyone can afford 5p, can’t they? Well yes, maybe, but what if they visit lots of websites? If the fee was based on usage of a site, then it would need to be higher. Maybe frequent users pay £1/month ($1.90), but with a dozen sites that’s a significant loss of income to those on very low incomes who could most benefit from the Internet.

Now some will argue that this would be a choice for users, who can decide they will pay to not watch adverts, but my question would be: would advertisers be interested in targeting those who can’t afford to buy an opt-out from advertising anyway, since their disposable income would be lower? I don’t know the answer to that, but I think it poses an interesting social exclusion question for any changes in how web sites are funded, and we might find separate search engines for developing countries as they could not afford to pay the same rates as those in developed countries.

Understanding Service Levels, or not!

November 19th, 2006

On Friday, a press release landed in my mailbox which made me ask exactly what people expect from low cost services. It contains a quote from an individual describing himself as a “business owner” who had a problem with his broadband service provider, which was in dispute with its supplier. Apparently he operates an “Internet retail business” and says that his business would have gone under if his broadband service had been down for six weeks.

This is where I have a problem.. How can a business have no contingency plans in place to cope with a fairly sizeable risk that a single broadband connection could be down for an extended time period? Are they hosting their website on the end of their £10.99 DSL line? If you run a business which is so dependent on your connection, then get a leased line, or at least multiple broadband connections with different providers, and ideally different technologies.

Internet Governance – Stakeholder vs. Democracy

October 31st, 2006

The UN Internet Governance Forum is currently taking place in Athens, with not far from 1,500 attendees registered for a room that can’t hold more than 800, to discuss four key topical issues: Openness (freedom of expression, flow of information, etc.), Security (trust), Diversity (multilingualism, local content) and Access (connectivity, policy and cost). Having attended the Nominet-organised “The Road To Athens” meeting a few weeks ago, I was quite surprised at the openness of the organisers, Mr Nitin Desai in particular, to encouraging wide participation in the process.

Karl Auerbach, in his blog, makes reference to a paper he wrote which argues that stakeholderism is a ‘regressive idea’ in conflict with the principle of democracy, adding that stakeholderism is about organisations rather than individual people having influence in the process. I think he has a point, in that anything you put in the way has the potential to distort the interests of the stakeholders, but on the other hand, is our political system any better?

Democracy is an imperfect system, along with all others in politics, but it’s the best of a bad bunch, trying to achieve a result in which everyone is represented fairly. With national governments, the population feels it is ‘important’ enough to get involved and vote, but looking at the elections run by Nominet for the Board of Directors and the Policy Advisory Board, the turnout is such that most members who can vote don’t. Many put this down to Nominet not doing enough, and whilst I’m no stranger to criticising Nominet where necessary, I think they have made, and continue to make, an effort to engage the membership. Many stakeholders are busy, and thus it is sometimes left to those who are not to elect individuals to represent them, so I’m not quite certain that a democratic solution is perfect. Democracy also encourages ‘politics’ in getting elected in the first place, which is not about representing the electorate but about persuading them you will represent them. I think in Nominet’s case the election of half of the members of the PAB has resulted in a group of people who overall bring a wide range of views on board. There are very few groups which are as diverse in their views and interests as the PAB. I believe this makes it a very strong forum compared to other systems which restrict choices to nominating committees, etc.

I think the way in which a stakeholder model (and I mean from an ‘organisational’ point of view) works depends heavily on the values the individuals involved share and to what extent they can distance their own personal beliefs, agendas and ulterior motives from trying to consider the bigger picture.

The concept of a ‘stakeholder’ is not, in my view, exclusive of the concept of democracy; it is the implementation of the mechanism that takes stakeholders into consideration which may at times fall short. A ‘stakeholder’ is someone who holds a stake in the outcome of a decision or policy, someone who is affected by it. This may, but need not, be financial. I suspect the mistake often made is to appoint an organisation to ‘represent’ a particular stakeholder group when it is not in a position to do so. I suspect, for example, that ‘intellectual property’ interests can be represented by a single representative more easily than ‘the consumer’, which is a wider-ranging group with disparate beliefs.

Taking the democracy principle further, it could be argued that all democratic governments would be suitable to represent their entire nation within a forum such as the IGF. With due respect to politicians and their hard work on our behalf, I would prefer to have wider input into such an important process. It is also not possible to exercise micro-democracy on every decision. If the population of a particular country is growing at a phenomenal rate, does that mean it should dictate how the Internet works because it has many individuals? I think the answer is no, in the same way that the Internet should not be run by the U.S. Government either. What is needed is a middle ground which takes all viewpoints into consideration, and that is what a stakeholder approach attempts to do.

We also need to recognise that particular stakeholders may have more of a stake than others depending on the policy in question. If we are examining Internationalised Domain Names (domains with accents, or characters from Japanese, Chinese or Arabic languages, for example), then the IDN users are a very significant stakeholder group, whilst their significance to the location of root servers is far less (although the same people, as a regional group, may well have a strong stake in that debate). We need to accept the concept of dynamic stakeholder groups which may vary across time and on different issues. This concept is something I think the IGF has understood, judging from Nitin Desai’s remark reported on BBC News, where he refers to dialogue and the formation of “coalitions of the willing” rather than a decision-making meeting.

As with democracy, stakeholder theory is imperfect both in principle and in implementation, but it is not ready to be dropped quite yet. What we need to recognise, which I believe is Karl’s fundamental concern, is that this should be an inclusive rather than an exclusive approach, and on a level playing field rather than giving exclusivity or premium status to particular organisations, especially at a general level.

We have already seen with the IGF a wide range of views on the igf2006.info site, recognising that interests are not limited to the people at the event in Athens in person. This is the beginning of something very interesting. It would be very refreshing to see the United Nations adopt the IGF model of encouraging wider participation in every type of forum it hosts. The Internet is not a technical development but a social one, and it will change the world of representation at every level of politics and governance.