INSULATING IDENTITY


Today's Internet consists mostly of computers, web sites, and email systems. Tomorrow's Net will be crammed full of devices from cell phones to toasters, all of them with the ability to share information about you. The possibilities are both extremely cool and a little creepy.

UCLA computer scientist Len Kleinrock sees a future where Net-connected "smart spaces" can instantly identify you, using RFID chips in the walls, floors, and even under your skin.

"When you walk into a room, the room will know you walked into it," says Kleinrock, whose seminal research on computer networks provided the theoretical basis for the Internet. "It will call up your profile and know your privileges and preferences. You'll be able to ask the room questions, and it will display the answers on a screen or as a holograph."

That's the cool part. The creepy part is when the room tries to sell you a time-share, pulls up your outstanding warrants and calls the cops, or simply records everything you say and do there.

So researchers are working on schemes to minimize the flow of personal data across the Net. At the Internet2's Shibboleth Project, computer scientists have created Internet middleware that negotiates transactions between individuals and web sites using the bare minimum of data needed. So if you want to access a school's online library, its web site could use Shibboleth to verify that you're a student without needing to know your name or address. If you're applying for a loan, your bank could find out your identity and your credit score, but not what school you attended or the name of your employer.

"It's based on the usual way we exchange information with strangers," says Ken Klingenstein, director of Internet2's Middleware Initiative. "Say we're on the phone and you tell me that you're an albino hermaphrodite. I might say, 'hey, I'm an albino hermaphrodite too.' When you reveal some information, I'm inclined to reveal more. It's called 'progressive disclosure.' We're trying to find ways to do that electronically."

THE IDENTITY BLACK MARKET

Figure 7-5. Carder site Shadow-Crew.net (now closed) was a bustling marketplace for identity thieves, spammers, phishers, and other denizens of the dark side.


Quick, what's your identity worth? If it's stolen, it can cost you thousands of dollars to undo the damage. But to an ID thief, your identity is worth only $15 to $30, maybe $60 or $70 if you've got a platinum account. That's the going rate on the Net's thriving identity black market.

In chat rooms and underground web sites, cyber criminals barter stolen credit card accounts like baseball trading cards. On these "carder" sites you can download do-it-yourself phisher email kits, rent bot networks, hire spammers, buy and sell stolen card numbers, and locate networks of unwitting accomplices to transfer the money overseas. In October 2004, the U.S. Secret Service's Operation Firewall closed down three carder sites named CarderPlanet, Darkprofits, and Shadowcrew (see Figure 7-5), indicting 19 suspects in seven countries who are charged with stealing more than 1.7 million identities.

Operation Firewall was the first public bust of a carder network, but it hardly made a dent in the market. One of the sites started back up a few months later under a slightly different name (by press time it had been shut down again). And the real deals get done via private invitations to Internet Relay Chat rooms, which can form instantly and then disappear.

But while the Feds were watching the carders, the carders were watching back. One of them hacked into T-Mobile's cell phone servers, gaining access to the files of Secret Service agent Peter Cavicchia, one of the investigators involved in Operation Firewall, who used a T-Mobile Sidekick, a cell phone-cum-camera-cum-email device. (The hacker also broke into accounts for Paris Hilton, Demi Moore, and other celebrities, then posted their personal address books and photos on the Web.) Cavicchia's email account contained highly confidential documents including subpoenas, agency memos, and a mutual assistance agreement with Russian law enforcement. He has since resigned from the service. The hacker, 22-year-old Nicholas Jacobsen, pleaded guilty to a single charge of intentionally accessing a protected computer in February 2005; at press time he was awaiting sentencing.


So far, Shibboleth has been employed largely by universities. For example, students at Penn State use it to log onto the school-supplied Napster music service. The system verifies that users are enrolled and eligible to use the service, but doesn't identify them by name.

Klingenstein admits a huge amount of work still needs to be done before systems like Shibboleth become a standard way to negotiate online transactions. A big chunk of that work will be convincing corporations and government agencies that hoarding information can hurt them in the long run.

"The best way for companies to reduce their liability for privacy exposures is to avoid collecting the information in the first place," he says. "They don't necessarily need to know who you are, they just need to know that you have an attribute that's relevant to the service they're offering."

Peter Wayner, programmer and author of Translucent Databases (Flyzone Press), has proposed another way web sites could confirm your identity, but without storing information about you that could be sold to marketers, stolen by hackers, or confiscated by the FBI.

Wayner's solution is to build databases using a Secure Hash Algorithm, a one-way hashing scheme that turns information like your name or email address into a random-looking string of characters. Unlike some encryption schemes, with SHA there's no way to go back and figure out what information was hashed. When you log in to your Amazon account, SHA converts that information into the same character string each time; Amazon knows you're the same customer, but they can't unscramble the string to get at your name, and neither can anyone who hacks into Amazon's database. The site can then use your hashed identity to customize the web site to your liking, send you email offers, or unlock your credit card and shipping information when you purchase something.

Wayner claims the same technology can be used to secure databases for libraries, travel agencies, gambling sites, stock exchanges, virtually any place private transactions are at a premium. Today, however, translucent databases are largely used to secure password files, though Wayner says he knows of one company that uses it to protect its mailing lists from being stolen by clients.
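
An added example, not code from the book or from Wayner: a minimal translucent table in Python that keys each row by a hash of the customer's email address instead of the address itself. It goes one step past the passage by showing a caveat: an unkeyed hash of a guessable identifier can be confirmed by anyone who copies the table, so the second store uses HMAC-SHA-256 with a key kept outside the database. The key, email addresses, and field names are constructed for illustration.

```python
import hashlib
import hmac

# Constructed demo key: in practice it lives outside the database (assumption).
SITE_KEY = b"constructed-demo-key-not-stored-with-the-table"

def normalize(identifier: str) -> bytes:
    """Canonical form so the same person always maps to the same token."""
    return identifier.strip().lower().encode("utf-8")

def plain_token(identifier: str) -> str:
    """Unkeyed SHA-256, the scheme as the text describes it."""
    return hashlib.sha256(normalize(identifier)).hexdigest()

def keyed_token(identifier: str, key: bytes = SITE_KEY) -> str:
    """HMAC-SHA-256: still deterministic, but guesses cannot be checked without the key."""
    return hmac.new(key, normalize(identifier), hashlib.sha256).hexdigest()

class TranslucentStore:
    """Maps token -> preferences; the identifier itself is never stored."""
    def __init__(self, tokenizer):
        self._tokenizer = tokenizer
        self._rows = {}

    def save(self, identifier, prefs):
        self._rows[self._tokenizer(identifier)] = dict(prefs)

    def lookup(self, identifier):
        return self._rows.get(self._tokenizer(identifier))

    def dump(self):
        """The view of anyone who copies the table."""
        return dict(self._rows)

def matching_candidates(rows, candidates, tokenizer=plain_token):
    """Audit check: which guessable identifiers can be confirmed from a copied table?"""
    return sorted(c for c in candidates if tokenizer(c) in rows)

def demo():
    plain, keyed = TranslucentStore(plain_token), TranslucentStore(keyed_token)
    for store in (plain, keyed):
        store.save(" Alice@Example.com", {"genre": "mystery"})  # constructed record
    guesses = ["alice@example.com", "bob@example.com"]          # constructed list
    return {
        "returning_customer": keyed.lookup("alice@example.com"),
        "plain_confirmed": matching_candidates(plain.dump(), guesses),
        "keyed_confirmed": matching_candidates(keyed.dump(), guesses),
    }

if __name__ == "__main__":
    print(demo())
```

Both stores recognize the returning customer, but only the unkeyed table lets a holder of a copied dump confirm that a given address is in it.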

THE CLOCK IS TICKING ON NET ANONYMITY

Researchers at the University of California at San Diego have figured out how to identify specific computers on the Internet from thousands of miles away. In March 2005, computer scientists Tadayoshi Kohno, Andre Broido, and kc claffy published a paper in which they describe how specific machines can be identified by recording microscopic deviations in the device's internal clock. They discovered that every computer, from desktops to handhelds, generates a consistent digital fingerprint, no matter what operating system it uses, how it accesses the Net, or where it's located. This effect can be measured without the owner of the machine being aware of it.

Regardless of what steps you may take to anonymize your surfing, an ISP or web site could identify the exact machine that accessed a particular IP address at a specific time (though they wouldn't necessarily know whose fingers were on the keyboard). At press time the trio was slated to present its findings to a meeting of the Institute of Electrical and Electronics Engineers in May 2005. If their results prove to be genuine, digital fingerprints could become a standard part of electronic surveillance and provide evidence in legal disputes.




    Computer Privacy Annoyances
    ISBN: 596007752
    EAN: N/A
    Year: 2005
    Pages: 89
