I've been wasting time on groklaw again.
This is about weev's problem, which I blogged about several months ago.
It's not a little problem, and it's not just weev's problem.
AT&T put an open interface to their database of iPhone customers' e-mail addresses. The primary key was essentially the serial number of the phone's radio modem circuit. This was negligent, and, with the current privacy laws, it was criminally negligent. Comparing database interfaces to doors, this is like failing to put a door in the doorway. It must be expected that people will come and go at will.
They could have put a hash on the key in their interface. A simple one-to-one hash would be like a gate with a latch. In this case, the key in the database query (visible in the browser's URL bar) would not look like the modem's serial number, so they interested visitor would be required to think a bit to conclude that there might be a relationship between the key and the serial number.
A simple hash would still be subject to the problem with bumping the number and seeing someone else's e-mail address, but at least it would not be advertising the path in. Using the serial number directly was effectively advertising the path in. That's why it's like an entranceway without gate or door. (And no lock.)
A sparse hatch, where numbers before and after valid keys would be invalid keys, would be a latch with a cheap and easy combination lock. Simply incrementing the key would result in an invalid query instead of a customer's e-mail address. But a curious visitor might "check the doorknob" and even try a few combinations. In other words, might try a long enough sequence to determine that the key was sufficient to produce more valid addresses.
To avoid revealing addresses, AT&T would have to limit such tries from the same IP address.
A cryptologically strong hash, sufficiently sparse, would be like a stronger lock. It would take a lot more deliberate and sustained effort to find valid keys, and such a sustained effort would be a red flag in AT&T's logs. (If they bothered to look.)
AT&T failed to make any real technical measure to limit access.
weev's actions were discourteous. But the only criminal element to them is projected through a twisted interpretation of bad laws that were written without any reference to the technology involved.
AT&T is the criminal, and the prosecuting attorney are also culpable.
Now, in truth, what AT&T did with the database should not need to be considered a crime. Negligent, discourteous, inconsiderate, grounds for reconsidering whether we want to be their customer, yes. It should not be a crime.
Why is it a crime?
The "technology" behind e-mail is extremely simple. Simple, as in, without safety features. Simple, as in minimalistic controls. They were "best practices" in a context where most users were technically inclined and motivated to be courteous to fellow users. They are not even good practices in the current context, where users don't want to be bothered with technical details, where many want to depend on the computer like it's a substitute for God, and where some are all too willing to misuse the tech if they can make a profit thereby.
In some ways, it's simple like physical mail. It's easy to write any address you want on the envelope.
But it is not as good as physical mail because the envelope is basically see-through. Any admin on any server that the e-mail passes through can easily look inside.
And if you open the envelope and change the contents, there is no evidence of the change.
And, while there are words on the envelope and inside it, those words are not like handwritten words, or even like typewritten words. There is no evidence of who put those words there when.
If it says it's from your Aunt Sharon, it's hard to tell whether it really is unless you call her up and ask her.
You can recognize her voice on the phone. If you got a physical letter from her, you probably know what her handwriting looks like. You can sort of tell a little by the words and expressions used, but there are far fewer clues about identity in e-mail.
There is some external evidence in the form of records on servers, but that is pretty weak evidence, and not visible to the ordinary user.
If your mail service provider encrypts their storage, the envelope and the contents become opaque, but only as long as the message is stored. Once the message is transmitted, it is visible to anyone and everyone who bothers to look during transit.
There is also the problem of volume. e-mail is much easier and cheaper to generate in excessive volume than ordinary junk mail.
End user encryption can mitigate some of these disadvantages to a certain degree, but there are no current common ways to use encryption.
When Microsoft incorporated e-mail into MSWindows95's internet application suite, they were making technology for the technically inclined to people who are not interested in technical details. They put an easy user interface on it and allowed ordinary users to do themselves damage with the tech.
They have several times offered to half-fix the technology, but their offerings are woefully inadequate and invariably make critical use of technical measures that Microsoft can control through patents and other means. Their solutions are always going to cement their effective monopoly position, if we allow them to have their way.
AT&T is culpable for putting a bad database interface on the web for all their iPhone customers. Microsoft is culpable for selling us technology that is not really appropriate for ordinary users in ordinary use.
We are culpable for continuing to use it.
I have some ideas about ways to mitigate the problems with e-mail, but it's a lot easier for me to just dream about re-booting the computer industry with good basic technology. So I waste my time dreaming instead of contributing to the solution. Mea culpa.
Someday.
Someday.
Subscribe to:
Post Comments (Atom)
Posts
No comments:
Post a Comment
Courtesy is courteous.