The Problem With Crypto?

I am not a cryptographer or even remotely capable of assessing the validity of what I’m about to say, but I’ll say it anyway.

The current set of cryptography techniques all seem to be increasingly clever and obfuscated iterations on the pattern of ROT13. They represent security through obscurity in that they always seem to be compromised over time, after enough knowing sets of eyeballs have looked at them. They are initially “secure” because they are so complex that no one (usually including the inventor(s)) can understand the end-to-end implications of every part of them. For example: Why do some elliptic curves allow creation of secure cryptographic rotors?

Thinking About Time

I sometimes ask myself how it came about that I was the one to develop the theory of Relativity. The reason, I think, is that a normal adult stops to think about problems of space and time. These are things which he has thought about as a child. But my intellectual development was retarded, as a result of which I began to wonder about space and time only when I had already grown up.

-Albert Einstein

My friend Jonathan recently sent me a blog post from sci-fi writer and mathematician Rudy Rucker’s blog of his memories of Kurt Gödel, compiled from several talks they shared in the 70s.  I think it’s interesting that Rucker published this piece within only a week of my publishing my thoughts about my interactions with RL “Bob” Morgan.  This isn’t by way of comparison of Gödel and RL “Bob” (although “Bob” did win the California state math championship in high school.)  Nor is it intended to compare my writing with Rucker’s.  It’s just an interesting coincidence.  If you read Rucker’s writing about Gödel, you may even come to the conclusion that it’s an inevitable outcome given the givens.

One thing that struck me about Rucker’s piece is his description of Gödel’s thinking about time, specifically the idea that time is just one factor in spacetime, and that our perception of time is an artificial perception of an epiphenomenon of higher-dimensional reality.  When you combine this with Gödel’s unique way of thinking about thinking, putting himself in a position to think about very complex problems without the constraints of ordinary reality (cf. his idea that the human mind is capable of understanding the set of all real numbers even though Cantor’s Continuum Problem states that we aren’t capable of knowing the answer), I think you can begin to use the idea to think about time in some really interesting ways.


One aspect of time that is quite odd is déjà vu – the feeling that something that is happening to you or a place you are visiting for the first time has happened to you before, or that you’ve been there before, even though this doesn’t seem possible.  I can remember having regular, powerful feelings of déjà vu as a child.  In one instance, we travelled to Algonquin Provincial Park in Ontario, Canada.  There were several places there which I was sure I had visited before – they induced very powerful, almost exhilarating feelings of recognition in me.  Many people who I’ve talked to about these types of feelings report that they had much more frequent feelings of déjà vu as children.  I have not had any of these feelings since I was roughly eight years old.

I think that the Einstein quote at the top of this piece says something about the way we think as children that can be applied to Gödel’s thoughts about our artificial perception of “time.”  Perhaps, when we experience déjà vu as children, we are somehow accessing the  “unflattened” hyperdimensional reality of spacetime.  What is it that makes us lose this ability as adults?  Does everyone lose this ability?  When you start to explore some of the aboriginal cultures of the world, it seems that not all cultures lose this ability.  What is it about western civilization that causes us to fall out of touch with spacetime?

Bobs I Have Not Known

Copyright (c) 2012 by Nicholas Roy, all rights reserved.  No use or duplication of this material without written consent of the author.

There are two Bobs who have shaped my life, and I have not really known either of them.

I was born in the center of the Adirondack Park in northern New York.  It is, as far as I can tell, the largest state park in the United States.  It has mountains, but not like the Rockies.  These mountains have been smoothed away by the last baker’s dozen million years of geologic time, so that they are now soft and round and green.  They are not threatening or majestic.  They are human-scale mountains.  They welcome you home when you first see them peeking through the treeline on the way over from Tupper Lake on route 3.

I was born in these mountains on February 4th, 1978, one of the coldest recorded days in New York state history, three years after my grandfather, George Robert “Bob” Roy, died of stomach cancer in a hospital in the city.  When my family talks about it, they say he donated his body to science, a euphemism for “he was dissected by medical students.”  What’s tangibly left of him is a stone at the old family camp site on First Pond on the Saranac River, hidden a bit back from the shoreline.  It reads:

FOR BOB ROY
WHO LOVED THIS SPOT
FROM HIS FRIENDS


Suppose you were to stumble upon this stone (say you decided that this particular spot on the river looked particularly appealing to tie up your boat and have a swim, a reasonable thing to do) and you went back in the woods to discreetly relieve yourself.  You might stub your toe on something and clear away the pine needles accumulated over the last decade (since the last time my family went to see the stone).  You might wonder, “Who is this ‘Bob’?”  You would then feel a bit of the mystery I have felt my entire life.  Who is this “Bob”?

November, 2008

I am in New Orleans, Louisiana, and it’s three years after Hurricane Katrina really put the hurt on this town.  I’m here because of an Internet2 conference.  “What the hell is ‘Internet2’?”  You ask, “I thought we were doing okay with Internet 1.”

Well, yes and no.  The Internet, as it exists today, is a piece of 40-year-old technology built from a beautiful concoction of luck, human trust, extreme skill and forethought.  It mostly works today, even though the inherent trust that one network researcher had for all the others on the network at the time of its creation has been swept aside by the billions of people on the net, because the bad guys need it to work in order to do their jobs.  Internet2 is an organization funded by the big US research universities (mostly) in order to do advanced Internet research, to make the existing Internet gradually better.  A friend of mine who’s a CIO in higher ed characterizes this work as “replacing the engines on a 747, one by one, in flight over the Pacific.”  It seems an accurate metaphor.

So I’m in New Orleans, and I’m doing my career thing, which is that I work on the part of the Internet, at my day job at a big research university.  I do “identity” stuff, which is pretty much “who are you on the Internet, and how do you prove it?”  This is a new career path for me – I’ve always been interested in electronic identity, but never had a real reason to do much with it in my career until I took a job doing it six months ago.  So now I’m at the big conference, hoping to make connections and learn the trade.

I check in – the site of the conference is one of those semi-characterless megahotel conference centers in downtown NOLA (they try to make them have local flavor by naming all the conference rooms things like “Magnolia” and “Bordeaux”), right across the street from the French Quarter.  There are a lot of dudes in Hawaiian shirts with gray beards milling around in the lobby, talking to each other in hushed but spirited tones.  They clearly know each other.  I’m guessing these are the people who know what’s happening at this conference.  They have been here before, many times.  Apparently they are all named Ken, Steve, Bob or Keith – they blur together in my head, I can’t keep the names and faces straight.

The next morning – the first day of the conference, I go to a workshop on a particularly interesting piece of identity technology.  There’s a ton of these guys in the room – I must be in the right place.  The session gets started, and it’s extremely interesting.  I start furiously taking notes on my black Macbook.  I wouldn’t even know what questions to ask, or where to begin.  There’s one of these old guys in the back of the room on a ThinkPad, and he does not talk until the very end, when someone else asks a question.  This guy – his name tag says he is RL “Bob” – gets up and speaks about three sentences that are powerfully overloaded with extremely dry wit, powerful metaphor, and seem to magically answer the 20 or so embryonic questions I had about this technology.  Who is this RL “Bob”?  I need to try to meet this guy.

I stole my grandfather’s World War II pilot logbooks from my parents’ house.  I spent hours looking at every entry in them.

20 June, 1945 – 20 hours Midway to Tinian Hop

He was on the island where they launched the Enola Gay on its mission to destroy Hiroshima.

His logbooks had the numbers of the units he was assigned to in them – things like VPB-11.  I did Google searches for days, trying to find out who else was in VPB-11 – who might know him.  It looked like that unit has been disbanded for a long time, and they had stopped having reunions 10 years ago.  Who might know him or know about him?

My dad had good and bad stories about him, but they were mostly shaded with his apparently ill temper.

My dad, as a child, had lost a stuffed bunny rabbit out the car window.  My grandfather had refused to stop the car to pick it up – he would teach my dad a lesson about carelessness and consequences.

He got so mad at a chainsaw one day, cutting wood, that he did something stupid and terribly injured himself, while caught up in his anger.

But his family and friends had cared – deeply – about him, had put this stone in the mountains he loved.  His spirit was there, they knew it and wanted him to be at peace.

2010

Who is this “Bob”?

That’s what his personal web site opens with.  It is a collection of links to a whole series of different “Bobs” with interesting, short questions asked about their true identities.  One of the links is to his blog.  I click on it.  In the last two years I have learned an enormous amount from “Bob” and his fellow Kens, Keiths and Steves.  I am not part of the group – not yet experienced.  I am a sophomore in the true sense of the word.  I don’t know what I don’t know, but at least I don’t know it.  I have no shame.  That’s how you learn.

They are all guides in the wilderness of electronic identity.  Maybe they can tell I’m one of their kind, or at least I really care about it.  They get my boss to somehow agree to allow me to host conference calls and give feedback on policy documents that they’re working on for the community.  I love this – I am learning more than I ever thought I could.  I’m drinking from the fire hose.

“Bob”’s blog turns out to be about his ongoing struggle with cancer.  I learn that he was recovering from his first round of treatment the first time I saw him in NOLA.  His blog is also laced with his amazing skill at metaphor and his dry sense of humor, with common threads of baking bread, watching soccer matches on TV, his wife and daughters and their Dutch Kooikerhunde dog.  This is a guy with a life.  I try to reconcile this with his seemingly endless output of nearly prescient ideas in identity stuff and the fact that he seems to know, be friends with and constantly talk to everyone in the business, and constantly attend conferences in the US and abroad.  What is his secret?  How does he not burn out?  I go home at the end of the day, nearly every day, satisfied but mentally drained and physically exhausted (how?  I do IT stuff – this shouldn’t happen.)  I’m exhausted and I don’t have cancer.  How does he do it?  I want to be like him, some day.  If I can be a tenth of that, I’ll be amazed.

We got in a fight over Thanksgiving dinner – my grandmother was at my parents’ house and could not stop talking about how similar my dad was in voice and action to my grandfather.

I had heard almost nothing from this part of the family about him, over the years, except bad things.  He got angry very easily.  He slapped people, got into fights, got out the belt.

This was not my dad.  My dad is one of the kindest, gentlest people you could know.  He is a giant teddy bear.

This slandering of my father made me angry – terribly angry in a way I could not control.  I’m not terribly dumb, so I figured out that this rage must have skipped a generation, and now it was boiling up in me.  Who was really the just target of this comparison with my unknown grandfather?  Probably it was me.  This made me even angrier.  I pointed at my grandmother across the turkey – “You never say anything nice about him!  Well he’s not here to defend himself, so let’s just shut up about him!  Screw this, I’m out of here!”  I ran out the front door into the park across the street.  I sat down at a picnic table in the cold November air, the vomitous orange glow of a sodium vapor light despoiling the terrific darkness around me.

After five or so minutes, my mom sat down next to me.

“I never saw that side of him, you know.  He was always kind to me.”

“Thanks – I think I’m too much like him.”

“You’re not like him in the way you think.”

2011

I friend “Bob” on Facebook – it’s the kind of thing a teenage girl would do – friend a bunch of people she only kind of knows.

At the fall conference that year, “Bob” does an amazing talk for a packed room on the subject of social identity – the relevance of identity from places like Facebook and Google.  That morning, after several months of not accepting my friend request, he accepts it.  In the talk, he looks at me and says something like,

“Some of the people on Facebook we know, and some we only just met.”  He looks directly at me as he says this last part. I grin back, stupidly.

I’m getting married – I have become calmer, I might be starting to see the tip of the iceberg of the things I don’t know about life, poking through the surface of existence.  The parts of me that I rightly or wrongly attribute to my grandfather, I suppress.  Somehow I know that attributing them to him isn’t fair.  He’s a ghost and he can’t defend himself.  I got my pilot’s license some years back.  The FAA pilot examiner who tests me flew P38 Lightnings in the war – he signs my temporary airman’s certificate with a barely legible, shaky hand.

I’m getting married in three months, and “Bob”‘s cancer is back.  His blog says:

Just to clear this up, for all you computer people.

Last time was “re-install OS and restore from backup”.

This time is “install a different OS”.

Next time is “migrate to the cloud”.

Got it?

His wit has not been dulled by the cancer.

She helps me, my wife-to-be.  I know I love her because the parts of me that I don’t like, now I don’t blame them on my grandfather and try to fight them.  I don’t have to fight them – I really try not to do those things around her because I love her and they are ugly.  Sometimes I fail and she’s scared by the anger, I know.  I feel terrible when that happens, but I’m getting better all the time.

“Bob” is honored and celebrated by his friends and family at the spring Internet2 conference in 2012 – a month or so before my wedding.  I suspect I won’t see “Bob” again, it’s a terrible thought but it feels that way.  Family is important, I know that and he does too.  I decide not to attend the meeting to help prepare for the wedding.

Our wedding day comes and I think of nothing else but my wife and my family.  At the last minute, I look at “Bob”‘s blog – he’s been admitted to the hospital after a particularly evil round of treatment.  He says: “I’m still alive.”  It doesn’t sound fun.  I worry about him but the worry is short lived.  We have a great wedding and a fun party with friends and family.

There are no more blog entries from “Bob”.

A few weeks after our wedding, I find out that he’s died through one of the many identity groups he started.  They start a web page where you can leave memories of him.  I fumble for words to say what I think he meant to me, but they end up clumsy and kind of embarrassing.  Many others knew him so much better.  I wish I had known him, too.

My cousin is getting married, and my wife and I get in the car and head out to the Adirondack mountains to visit family and attend the wedding.  We will rent a boat and I will show her the stone that marks my grandfather’s existence.  As we drive over the bridge on the Saranac River, not more than a few thousand feet from his stone, I roll down the windows.  Balsam fir floods the car with its sweet tingle.  I pilot the car over the winding road, this scent filling my nose.  My heartbeat slows.  I let my foot off the gas a bit.  We’re in no hurry here.

A Shift

The world still looked the same, but it was different
He walked from the gym, back to where he parked his car
There were still cars here, and people, dirt and beauty
He could smell the bar-b-que cooking down the street

It was the same old world, but the underpinnings of it had been replaced in the night
Everyone was talking to themselves – no, they were talking to thin air
But the thin air was everyone else

The old rules faded into the background, burning away like ground fog at 6 o’clock on a sunny spring morning

The guts of the plane had been changed while the plane was in flight
The re-tooling of the world system had taken place before anything could have been done

At every point on the curve, it looks like the curve is going straight up from here
But things still seem pretty normal

Self Interest Doesn’t Scale

I’ve been thinking about the commonalities of a lot of patterns I’m seeing in the world lately:

  1. The “Arab Spring” and its coordination via social media
  2. The “Great Firewall of China”, China’s (failing) attempt to keep things like Twitter at bay
  3. Iran wants to create its own Internet (a contradiction in terms) to prevent stuff like Stuxnet and (more importantly) social media-based revolts from happening there
  4. Artificial borders and internecine conflicts everywhere are becoming permeable on all levels: from nation-state policy to transnational corporate hegemony all the way down to city council meetings and managerial turf wars.
  5. How long can places like the NSA keep employees from bringing cell phones into the work place?  How about when the “cell phones” are built in to our heads and we can’t really function without them?  Are we heading toward a world where there’s going to be a policy filter at the door of the NSA that shuts off or limits the capabilities of neural prostheses?
  6. The kids don’t care about privacy or policy – they use whatever works to communicate and share, the tools are getting better every day, and the tools and the kids don’t care about any of the above limits.  They definitely don’t care about your BYOD policy.

Let me say that I’m not an anarchist. I’m not even a libertarian. You could call me a social liberal and economic conservative, with some libertarian tendencies thrown in on stuff that’s about personal freedom, not infrastructure and the commons.

So what’s the unifying factor among all the items in my list?

I think it’s self interest and control. More accurately, it’s that the structures, frameworks and artifices of control, working on behalf of selfish individuals (everyone is selfish), are starting to crumble under the weight of the network effect inherent in social media. We are becoming less about the individual and more about the set of all humans.  This is just one more step in the long history of technology overcoming evolutionary forces.

Everyone sees and deplores the recent killings in Syria, and the governments of the world have no choice but to condemn them. The George Zimmerman/Trayvon Martin case probably never would have gone to trial if it weren’t for social media-reinforced pressure.

So what happens? Of course it looks like the control structures and the individuals they serve are pushing back. I think they are going to fail as humanity becomes increasingly interconnected.  Let’s face it: if evolution can’t win, how is power going to?

What does the singularity look like? Maybe it’s a bunch of angry kids flashmobbing a tyranny they can’t take any more. What’s the path of least resistance? Tear down the walls faster.

An Idea For Remote Proofing and InCommon Silver

The InCommon Silver assurance profile has a section that allows for remote proofing of identity subjects. Many people I’ve asked about this are saving this section for “later” and aren’t going to try to do remote proofing to begin with. Someone said something to me the other day about the availability of notaries that makes me think this is possible to do in a not too terribly difficult way. Here’s the relevant section of the assurance profile:

4.2.2.4.3 Remote proofing
1. The RA shall establish the Subject’s IdMS registration identity based on
possession of at least one valid government ID number (e.g., a driver’s license or
passport) and either a second government ID number or financial account
number (e.g., checking account, savings account, loan or credit card) with
confirmation via records of either number.
2. The RA verifies other information provided by the Subject using both of the ID
numbers above through record checks either with the applicable agency or
institution or through credit bureaus or similar databases, and confirms that:
name, date of birth, and other personal information in records are on balance
consistent with the application and sufficient to identify a unique individual. If
this appears to be the case, the RA authorizes issuance of Credentials.
3. If the record checks do not confirm the Address of Record, it must be confirmed
as described in §4.2.2.5 below.

Note that it says if you can’t confirm the information provided via record checks, you have to register the subject via the address of record. Everyone seems to be focusing on the technical problem of verifying the source document numbers via Equifax or other credit bureaus, and/or state motor vehicle registries. I think people are so shocked by this requirement that they’re misdirected away from the critical pieces here:

1) You only need to register the facts of the documents presented – you can do that via notaries public that are available free of charge for customers at all banks in the US.

2) You can confirm the identity of the individual by delivery of a registration secret to an address of record. What is an address of record?

Conveniently, section 4.2.2.5 (2)(b) says:

For an electronic Address of Record, the RA confirms the ability of the Subject to receive telephone communications at a telephone number or e-mail at an e-mail address.

So you can just e-mail them a short-lived registration bearer token after you receive their notarized paper form containing their identity documentation back. Can it really be that simple?  An idea for some legalese to include on the form (I am not a lawyer) might be:

I hereby declare that the e-mail address supplied on this form by me is a valid email address that is acceptable for use in official communications with me.  I am the only person who has access to this email address.
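To make the “short-lived registration bearer token” concrete, here is an added example of how the RA side of steps 1 through 3 could look. This is not code from the InCommon profile or from any real RA; it is an illustration of the properties a practitioner would want from that token. The registration ids, the e-mail addresses and the in-memory dictionaries standing in for the RA’s database are all constructed for the example, and the server key and 15-minute lifetime are assumptions. The token is bound with an HMAC to the registration record and to the address of record it was mailed to, it expires, and it is single-use, so an intercepted or forwarded copy cannot be redeemed a second time or against a registration whose address was later changed.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional

# Hypothetical server-side MAC key; a real RA would load it from a secret store.
SERVER_KEY = secrets.token_bytes(32)

# A registration token is only good for a short window after the notarized form arrives.
TOKEN_TTL_SECONDS = 15 * 60

# In-memory stand-ins for the RA's database (constructed for this example).
# registration id -> e-mail address of record supplied on the notarized form
_registrations: Dict[str, str] = {}
# token id -> registration id, for tokens issued but not yet redeemed (single-use)
_unredeemed: Dict[str, str] = {}


def record_notarized_form(registration_id: str, email_address_of_record: str) -> None:
    """Step 1: the notarized paper form has come back; record the address of record it names.
    Registration ids are assumed to contain no '.', since '.' separates token fields."""
    if "." in registration_id:
        raise ValueError("registration id must not contain '.'")
    _registrations[registration_id] = email_address_of_record


def _mac(token_id: str, registration_id: str, expires: int, email: str) -> str:
    # The MAC covers the address the token was mailed to, so a token cannot be replayed
    # against the same registration after its address of record has been changed.
    msg = f"{token_id}.{registration_id}.{expires}.{email}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_registration_token(registration_id: str, now: Optional[float] = None) -> str:
    """Step 2: mint the short-lived, single-use bearer token to e-mail to the address of record."""
    email = _registrations[registration_id]   # KeyError if no notarized form is on file
    now = time.time() if now is None else now
    token_id = secrets.token_urlsafe(16)      # random and unguessable; its alphabet has no '.'
    expires = int(now) + TOKEN_TTL_SECONDS
    _unredeemed[token_id] = registration_id
    return f"{token_id}.{registration_id}.{expires}.{_mac(token_id, registration_id, expires, email)}"


def redeem_registration_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Step 3: the subject follows the link. Return the registration id on success, None otherwise.
    Every failure path returns None without saying why, so a caller cannot probe the checks."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 4:
        return None
    token_id, registration_id, expires_str, presented_mac = parts
    try:
        expires = int(expires_str)
    except ValueError:
        return None
    email = _registrations.get(registration_id)
    if email is None:
        return None
    expected_mac = _mac(token_id, registration_id, expires, email)
    # Constant-time comparison: a plain == would leak how many leading characters matched.
    if not hmac.compare_digest(expected_mac, presented_mac):
        return None
    if now > expires:
        return None
    # Single use: pop the entry, so a second click (or an intercepted copy) does nothing.
    if _unredeemed.pop(token_id, None) != registration_id:
        return None
    return registration_id
```

The MAC is checked before the single-use entry is consumed, so a forged token cannot burn a legitimate one, and the token carries no secret of its own beyond the MAC: the RA only needs its key and its registration table to verify it.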

Update: 5/30/2012: Thanks to Mark B. Jones for this interesting international tidbit on consular services and the notary function: http://travel.state.gov/law/judicial/judicial_2086.html

Just Stop

My new pet peeve is cloud service providers who assume that they can and should use email address as a primary key for customer identities. This is a terrible idea for a large number of reasons. Here are some:

  1. email addresses are name-based.
  2. Names change (usually in the most personally sensitive situations, where they must change: marriage, divorce and witness protection or court ordered separation).
  3. Not everything that looks like an email address is a deliverable email address (e.g. userPrincipalName, eduPersonPrincipalName).
  4. If it looks like an email address you will be tempted to assume that it is an email address.
  5. You could be wrong – it might not really be an email address.
  6. Do you really need to know someone’s email address?
  7. Why do you need to know someone’s email address?
  8. Most people have multiple email addresses.
  9. Which one do you need to know?
  10. How are you going to make the person remember which one they used?
  11. What if they don’t know?
  12. What if they leave the {school, business, non-profit, government, etc} where they had their email account?  Most best practices require deprovisioning of email for people who don’t {attend, work at} that place any longer.

The worst case scenario is that you, as a cloud service provider, have not been clear with your customer about your use of primary keys for identity, and specifically your use of email address as a primary key.  The customer will then blindly deliver this to you and when customer identities’ email addresses change, someone else could end up with access to protected resources that should be owned by a different person.

Many small customers (likely the customers small enough to be looking for your cloud service in the first place) are not in a position to think about the security implications of this use.  You should do that thinking for them, and bring them up-to-speed with the problems and pitfalls associated with using email address as a key.  Sure, since most people have an email address, it’s a convenient piece of information that you can additionally use for delivery of things like password reset requests, confirmations and workflow messages.  On the other hand, you can use other things (that don’t change and aren’t re-assignable to other people) as a shared primary key, and still ask for email address for use in sending email.

I have seen a large number of cloud service providers ask for email address as an identity attribute and not disclose its use as a key.  This is the worst of all possible situations, because you are making assumptions about the nature of the customer’s email address that aren’t true, and you aren’t allowing them the opportunity to understand that because of lack of disclosure.  I’m not a lawyer, but lack of disclosure of this kind of thing, leading to an unintended release of information via change of email address (situations in which someone else gets a previously used email address do happen) seems to open the door to legal action.

An ideal solution on the part of a cloud service is to make the primary key for identity very flexible (very long max length, any format alpha, numeric, etc).  You should then develop an interview process that you use to find out what types of keys your customer can provide, and be able to map one or more of them into the key field in your service.  Use a surrogate key within the service that’s hidden from the customer, and expose an API that allows the customer to update their users’ identity keys if necessary.  Some suggestions for things that might make good keys:

  1. Employee ID (not SSN)
  2. Student ID (not SSN and not name-based)
  3. Identity Management System (IdMS – if they have one) surrogate key
  4. Unix UID (if the customer is using a centrally-managed UNIX-type system)
  5. Network ID (if it doesn’t change- ask the customer if they do.  If the customer wants to use this, allow them to rename via an API)
  6. Scoped Network ID (scoped to the customer’s DNS domain name- ask the customer if these change, don’t use if they do, or allow renames via an API)

Cloud service providers: please stop asking your customers for email address as a shared primary key, and work to educate your customers on the danger of using email address as a key for access control.
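The failure mode above, and the surrogate-key design suggested as the fix, as an added example (not code from any of the providers the post complains about). Both stores, the customer names, employee ids, e-mail addresses and the “payroll-report” resource are constructed for the illustration, and the customer-facing rename API is an assumption about how the suggested API might look. The scenario walks through exactly the case in the post: an address changes with a name change, the customer’s IdM later re-issues the old address to someone else, and the service is never told.

```python
import uuid
from typing import Dict, Set


class EmailKeyedStore:
    """The pattern the post objects to: the e-mail address is the primary key, so access
    rights stay attached to the string, not to the person."""

    def __init__(self) -> None:
        self._resources: Dict[str, Set[str]] = {}

    def grant(self, email: str, resource: str) -> None:
        self._resources.setdefault(email, set()).add(resource)

    def resources_for(self, email: str) -> Set[str]:
        # Whoever currently holds the address gets everything ever granted to it.
        return set(self._resources.get(email, set()))


class SurrogateKeyedStore:
    """The alternative: a hidden surrogate key per identity, the customer's own stable key
    (employee id, IdMS key, ...) mapped onto it and renameable through an API, and
    e-mail kept as a mutable contact attribute that is never used for authorization."""

    def __init__(self, customer: str) -> None:
        self.customer = customer
        self._surrogate_for: Dict[str, str] = {}   # customer key -> surrogate key
        self._email: Dict[str, str] = {}           # surrogate -> contact e-mail (mutable)
        self._resources: Dict[str, Set[str]] = {}  # surrogate -> granted resources

    def provision(self, customer_key: str, email: str) -> str:
        if customer_key in self._surrogate_for:
            raise ValueError(f"{customer_key!r} already provisioned")
        surrogate = str(uuid.uuid4())  # never shown to the customer, never reused
        self._surrogate_for[customer_key] = surrogate
        self._email[surrogate] = email
        self._resources[surrogate] = set()
        return surrogate

    def rekey(self, old_key: str, new_key: str) -> None:
        """Customer-facing rename (hypothetical API): the identity keeps its surrogate
        and therefore all of its grants."""
        if new_key in self._surrogate_for:
            raise ValueError(f"{new_key!r} already in use")
        self._surrogate_for[new_key] = self._surrogate_for.pop(old_key)

    def set_email(self, customer_key: str, email: str) -> None:
        self._email[self._surrogate_for[customer_key]] = email

    def email_for(self, customer_key: str) -> str:
        return self._email[self._surrogate_for[customer_key]]

    def grant(self, customer_key: str, resource: str) -> None:
        self._resources[self._surrogate_for[customer_key]].add(resource)

    def resources_for(self, customer_key: str) -> Set[str]:
        surrogate = self._surrogate_for.get(customer_key)
        return set(self._resources.get(surrogate, set())) if surrogate else set()


def email_reassignment_scenario() -> Dict[str, Set[str]]:
    """Constructed scenario: Alice Smith (employee 1001) is granted a report; her name
    changes and her old address is later re-issued to a new hire, Adam Smith (employee 2001).
    Returns what each party can reach under each design."""
    old_address, new_address = "asmith@example.edu", "ajones@example.edu"

    by_email = EmailKeyedStore()
    by_email.grant(old_address, "payroll-report")
    # The customer's IdM deprovisions and later re-issues the address; the service never hears.
    leaked = by_email.resources_for(old_address)

    by_key = SurrogateKeyedStore("example.edu")
    by_key.provision("1001", old_address)
    by_key.grant("1001", "payroll-report")
    by_key.set_email("1001", new_address)   # Alice's address changes; her grants follow 1001
    by_key.provision("2001", old_address)   # Adam inherits the string, not the identity
    not_leaked = by_key.resources_for("2001")

    return {
        "email_keyed_new_holder": leaked,
        "surrogate_keyed_new_holder": not_leaked,
        "surrogate_keyed_alice": by_key.resources_for("1001"),
    }
```

The e-mail address still exists in the surrogate-keyed store, but only as something to send mail to; nothing is authorized against it, which is the distinction the post is asking providers to make.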

Oxytocin and the Economic Benefit of Trust Fabrics

The global higher education IT community is doing something pretty amazing. They’re weaving together a trust fabric to allow shared services via robust federated authentication and attribute-based authorization (see: InCommon, UK Access Federation, GakuNin, EduGAIN, REFEDS, many others).

At any scale, it’s hard to extend trust from “my tribe” to “your tribe”, but once we’ve done it, the return on the trust is almost magical. With federation in higher education, suddenly services and projects a school would be hard pressed to support on its own become easy to leverage.

So how does this scale beyond higher education? Trust is the basis for lowering barriers to collaboration and lubricating the machinery for an effective economy (see Paul Zak’s fascinating TED talk on oxytocin). I think this suggests that higher education is once again leading the way in building a framework for increased global trust, global research collaboration and global wealth production.