Paper-Thin Security

Foolish paper-based security solutions have been seriously annoying me over the past couple of days. Two recent examples come to mind: my recent trip to the DMV and my ongoing application for Irish citizenship.

The DMV lived up to its reputation this weekend – a purgatory whose screaming children and close quarters seem to be specifically designed to concentrate psychological distress. Welcome to the DMV, we’re here to serve you. After a mere three hours, we arrived at the counter only to have the DMV employee point out that my middle name did not appear on my newly-issued US Social Security Number card. This was unacceptable, given that my middle name appeared on my other identity document, my passport. “Ever since 9/11…” the DMV employee offered in half-hearted explanation.

Only when the employee’s supervisor came over and signed off on the condition that the information be matched against the computer did my application get the go-ahead. Funny, and here I thought the Orwellian concentration of personal data in government computers was going to be a bad thing. Apparently I shouldn’t have worried, as it doesn’t appear the government is actually using any of the data it’s collecting in any significant way during the normal course of business. Had I not even provided my passport (it wasn’t required, I brought it just in case), the integrity of the DMV process would have hinged entirely on a 3″ by 2.5″ piece of cardboard.

Has anyone considered how ludicrous it is to still be relying on paper for our security? With high-resolution printers and sophisticated imaging technology in the hands of every web designer on the planet, one would hope for something more sophisticated than heavy paper and pretty patterns. But what’s worse than pointless paper-based security? How about badly-designed security solutions that are supposed to address the deficiencies of pointless paper-based security systems? Like those of the Irish government.

To be clear, the Irish government and Irish institutions have a weird love-hate relationship when it comes to paper. For Irish institutions, a utility bill is often enough to provide proof of identity. But for Irish immigration, this apparently isn’t enough – no, no, no, they want notarized documents. Sounds appropriate, right? But they also want the original documents to be sent to them as part of the application – if they need the original documents, what’s the point of sending notarized copies of these documents as well?

The devil is in the details – it’s not enough that the documents be notarized by a notary public. No, the notary public has to be personally known to you – meaning that you must have known the notary for a minimum of six months prior. Oh, and you can’t identify yourself to the notary using either a driver’s license or passport – no, they just have to know you, by telepathy or some other unspecified means. According to the Irish government, if you were to introduce yourself to a notary, wait six months, and then present documents for notarization, this would provide a much better proof of identity than just asking a notary (or the consulate) to do their job and verify the authenticity of the documents using one of the many computer systems available.

In the end, it probably doesn’t matter – I doubt they even bother to check the identity of the notary public! After all, they probably just rely on another paper-based security mechanism: the notary’s seal. No one could possibly duplicate embossed paper technology!

Software Wars

Last week Hewlett-Packard attempted to use the Digital Millennium Copyright Act (DMCA) to crush security research company SNOsoft for revealing a particularly nasty exploit allowing a remote attacker to access machines running HP’s Tru64 Unix operating system. While this is not the first attempt to disrupt legitimate security research using the DMCA (see earlier attempts by the RIAA against Dr. Ed Felten), this represents a true departure from previous attempts: to a casual observer, SNOsoft didn’t even violate the DMCA!

The DMCA, as its name suggests, is about protecting copyright in the age of technology that enables perfect digital copies of copyrighted materials. Part of the act outlines terms that make it a crime to circumvent copyright controls or distribute tools for that purpose. What’s interesting is that the “technology” distributed by SNOsoft had nothing to do with copyright protection technology, it only really enabled a malicious user to access a system running Tru64 without proper authorization. Is that wrong? Undoubtedly a person using the exploit against a third-party’s system would be breaking the law, but they, not SNOsoft, would be prosecutable under US federal computer fraud statutes, not the DMCA.

Did HP honestly expect it would be able to sue SNOsoft for damages resulting from the release of the exploit, despite the fact that the problem was a direct result of HP’s own faulty software? Most software today is distributed under an End User License Agreement (such as this example Microsoft EULA) that stipulates the software is provided “as is”, under no warranty, and not even guaranteed to be suitable for any purpose! If HP is not liable to its own customers for faults in its Tru64 Unix, how can it contend that SNOsoft should be liable for any damages that result from an exploit that someone other than SNOsoft used to breach a Tru64 system?

Perhaps recognizing the possibility of setting a software-liability precedent, HP hastily recanted its legal threats.

Software companies want to be able to sell a product, but they don’t want to be liable for any damage their product might inflict. They want to sell something, but a person who purchases their product doesn’t actually own it, they only own a “license” which can be revoked by the manufacturer at any time. They want to be able to access a user’s machine without their knowledge. They want. They want. They want.

How about what we, the users, want?

It’s time that software development companies realized that they’re just regular companies and, like every other company (recent examples notwithstanding), they have to follow the rules. Play time is over. Grow up or go home.