Security by Obscurity

A lot of people are afraid of identity theft or fraud. Others are afraid of having their true identity known when they engage in behavior that some may find objectionable, embarrassing, or shameful. For a plethora of reasons, people choose to hide their identity online; either by anonymity or using pseudonymous names. This is security by obscurity. Unfortunately, it doesn't work.

The entire concept of security by obscurity is that people can't break through your security if they don't know where to look, or it's not worth their time to look for something. That's a false sense of security because there is always someone with the time, desire, and means to locate something you value – including your identity.

I found three articles online today dealing with this concept.

First, Pamela Dingle wrote this article on her blog about how modern Internet tools make it not only easy, but likely, to correlate disparate data about a person's online habits.

As if to prove her point, Wired News posted this article today about pulling articles from an author who faked sources. The source existed, but told fact checkers he never spoke to the author. Upon investigation, Wired News learned that the author faked identities for use as a source and as a supporter on a Usenet group. Unfortunately, he wasn't smart enough to use different IP addresses. A senior editor at Wired correlated all these disparate sources to the same IP used by the author and came to the obvious conclusion.

If that wasn't enough of a coincidence, I found this on ZD's Digital Identity blog:

[box]Anonymity and identity by ZDNet's Eric Norlin — In the very near wake of a foiled terrorist plot, I find myself waking up, planning to write about the topic of anonymity and identity.[/box]

Eric Norlin makes the point that our identity exists in multiple states. You have a choice with regard to the way you present yourself, either online or in person. If we cross paths on a sidewalk, what is the state of our identity? It's no longer anonymous. Now I know you exist and I can identity certain attributes about you (approximate height, weight, age, hair color, gender, etc.). Perhaps I don't know your name, but you are no longer anonymous to me. Unless I have some interest in you based upon these attributes, I may not give you another thought.

However, what if I do have an interest? Suppose I meet an attractive girl at a social situation. What's the first thing I'm going to do? Say hello and ask for her name. Depending upon her interest (or lack thereof), she may respond with her name, a pseudonym, or decline the conversation entirely. Now I have more information about this person and her identity.

People online leave a trail of attributes all over the place; some willingly and some without even knowing it. The person who collects and correlates your attributes may discover your identity without even knowing he's looking for you. Call it data mining or data sifting, the intention is to take massive amounts of attributes and correlate common elements – like an IP address – until you find enough information to identify an individual.

Hiding your identity is a fool's option. Personally, I believe the best way to protect your identity is to assert it. Think of your identity like a car. Some of the most stolen vehicles are also the most common. They look alike and don't stand out. Fitting in with the crowd is a type of security by obscurity, or hiding in plain site. On the other hand, exotic cars are much more difficult for thieves. These high profile machines are instantly recognized and there's a limited market. Asserting your identity serves the same purpose. If people know who you are, then your identity is more difficult for an impostor to use.

This is why we need an identity infrastructure in common use. Digital certificates for signature and encryption are a reality, but few people use them to assert their identity. Few business web sites recognize and accept an individual's certificate to authenticate and authorize their access, despite the fact that it's in best interest of both sides. It's time for that to change.

Know someone with road rage?


I would love to take this thing out on the road. Sure, it's slow. Let someone honk their horn. Go ahead, make my day.
The Land Walker, made by Masaaki Nagumo, measures 11 feet tall, weighs one ton, and sprays bullets from air guns mounted outside the cockpit. Ok, the bullets are foam. It's the thought that counts. I could imagine replacing them with paintballs.
It's really for sale in Japan. Only $315,000 (plus tax, tag, and title). If I put this on my wish list, will you buy me one?

Be a Barenaked Lady

I think this is incredibly cool, even though it's a simple idea. Barenaked Ladies spent the last couple of months recording a new album. They have about 29 songs mixed up and ready to go for a release in September. That's nice, but here's the cool part.

One of the tracks – Easy – is available in a multi-track downloadable format on their web site for $2.95. It gives fans a chance to take the component sound tracks and make their own remix, mash-ups, whatever. After that, you can upload your new mix and listen to other people's remix versions of the song.

If you have something like GarageBand, Acid, Fruity Loops, etc. It's pretty simple and fun to do. Check it out.

Auditors Lose Credit Card Data

I just read a news article warning that thousands of Hotels.com customers from 2004 may be subject to identity fraud because their information was on a laptop stolen from an auditor's car. Ernst & Young is the outside auditor. The laptop contained names, addresses, and credit card numbers for 243,000 customers.

The auditor didn't take the simple security precaution of encrypting the data or his hard drive.

Even if you only have one transaction with a vendor, they keep your name, address, and credit card number for years. Is that ethical? What use does a vendor have to keep my credit card information if I don't authorize another transaction?

The sad truth is that you do not own your identity. The attributes that identify you are there for other people to use. What's the value of your own name? Most people don't speak in the third person, they refer to “myself” or some other personal pronoun. Your name belongs to everyone but you. It seems that your credit card number belongs to everyone else, too.