
September 2002

 




Warm Fuzzies

def. Warm Fuzzies
The feeling you get when you are happy with the way things are going - akin to how you felt as a child with a warm fuzzy blanket on a cool Fall evening.

Last month's article was about pet peeves - things that bug me, and maybe even bug you. This month I want to talk about something that can no longer be categorized as a "pet" peeve - it has grown somewhat, into more of a monster peeve.

Some History

My work with technologies goes back almost 30 years. During that time I've been both an early adopter of many technologies and an evaluator of them; not only for myself, but for companies that either deploy such technologies or use them. 

I had one of the first cash-cards available in Canada, from Canadian Imperial Bank of Commerce. In 1976 I took a trip from Vancouver to Toronto, and took along my cash card instead of the traveler's checks I would normally have carried. Big mistake, as it turned out. Cards from the West coast would not (at that time) work on machines in Eastern Canada; a fact I found out on a Saturday, when I was sick, and when I was down to my last $5. I was also unfortunately staying in a hotel with no restaurant, so I couldn't sign my food onto my room bill. I had made the assumption that the bank had done its homework, tied all its bank machines together, and kept my needs in mind when putting its system together. The closest machine ate my card. Fortunately I had a second one, having told a white lie to a teller that I had had trouble with my current card and wanted a new one (a habit I continue to this day, by the way).

I grabbed a cab, offered him my last $5 to drive me (I was really too sick to walk) to the next nearest machine, about 3 blocks away, on the theory that the problem was unique to the first one. That machine ate my second card. I did survive the weekend as you might well guess by the fact I'm writing this, but only through the kindness of a local restaurant's weekend staff.

The point of the story is that there are examples of two completely different and mutually exclusive methods of evaluating potential for fraud in this tale:

- The bank used technology to evaluate whether or not I (the holder of their card) was trying to get money fraudulently - and they failed.
- The restaurant staff used no technology to determine whether I was good for the food and drink they loaned me over the weekend. They used familiarity with my face from earlier in the week, coupled with the fact that I had paid with cash and tipped them and dealt with them in a kind and caring way. They had warm fuzzies towards me.

Well, to be honest, I don't really know that. But on the other hand, they had to have some feeling that I was not going to stiff them. They certainly had the potential for others to come in and do it since the hotel and restaurant were not in the best part of town.

Extension to Today

Today we are in the midst of the Internet revolution, and we have extended the concept of technology as a means (as the means?) of authenticating the guy/girl/company/... (entity) at the other end of an Internet conversation, be it web, chat, e-commerce, file transfer session or whatever. We (or at least many/most of us) who use the Internet or electronic banking system, credit card system, telephone system, door entry systems, alarm systems and all manner of daily activities which involve authentication and authorization by electronic means have put our undying faith in the infallibility of these systems to the point where we are turning into easy marks for the bad guys. We seem to have lost our "BS" filter when it comes to many of the transactions that affect our lives now that computers are involved. We have in fact simply abrogated our responsibility for our own physical and financial well being to firms who have no personal interest in being correct, and who don't take the individual's interests to heart the way an individual would in different circumstances.

Of course this abrogation of responsibility (or loss of BS filter) is not limited to just online transactions as shown by the recent spate of major corporate fraud cases such as WorldCom and others. These show that some of us may have unadvisedly abrogated our decision process to the legislators and regulators in the case of corporate health, and in the case of the US 401K employee plans in Enron, abrogated the responsibility to look after retirement investment too.

In the case of the Internet and security, the major Certificate Authorities (CAs) such as VeriSign have taken on the responsibility of determining whether or not a particular user of a domain or user name is who they say they are. This is done by requiring the company/individual to submit some proof that they are the registered owner of a company or the legitimate holder of the name. Once this proof has been vetted, the CA issues a digital certificate that carries several pieces of information and is signed cryptographically with the CA's private key. The software that users rely on to verify such a certificate uses the CA's public key, which is now included with most browsers and operating systems as a matter of course, to determine whether the certificate is correct. The software should also check with the CA's system to see if the certificate has been revoked or invalidated for some reason.

In theory this should all work as advertised and everybody would get warm fuzzies except when their software kicked up a stink at a particular certificate proffered by a site we wanted to do some transaction with. In practice there are a number of reasons why individuals (and companies) still must take it upon themselves to decide whether or not things are as they should be. Some of them are technical, some of them are human failure, some of them are poor implementation, and some of them are outright subversion of the system.

One of the most basic problems is a failure on the CA's part to actually do their job to the degree necessary. The advisory from CERT regarding two bogus Microsoft certificates issued in error by VeriSign is the best known example of this problem, but it is highly unlikely that it is the only one. There is in fact a way for such an error (once detected) to be fixed, provided the software that uses certificates implements it properly and the CA's methods and the software writers' methods coincide. The facility is called a "certificate revocation list" (CRL), and it is used to list any invalidly issued certificate, or any certificate that the CA no longer considers valid even if it was correctly issued to start with (company violates rules, goes bankrupt, undergoes major problems, etc.)

The problem is that software creators must correctly implement a system that does the actual validation and checks the CRL as well. In Microsoft's case in particular, this was not done; and the whole thing is the subject of a number of articles for those of you interested in the gory details:

- Gregory L. Guerin's excellent article
- Bruce Schneier's take on the problem
- Microsoft's security bulletin
- Certificates: An excellent summation article by Martin Ramshaw, one of our local Brunixians

But even this is only one aspect of the potential problems associated with the "trust" system that surrounds the "traditional" Internet infrastructure that gives many people a false sense of well being and inveigles them into forgoing their own "sniff testing" (comes from the concept of sniffing a piece of meat or a vegetable prior to purchasing it to determine whether it is good or bad) when it comes to technological interactions. 

The point of this is that despite the best intentions of the participants, it is still possible for the electronic "warm fuzzies" to turn out to be a skeleton key into your deepest, darkest secrets or to your bank account. 

Even when there is no CA involved, we tend to give credibility where it is not necessarily due, and have no easy mechanism to either keep track of whether we have decided someone is a good/bad guy or what level of trust we should give them. We almost daily hear of children who have struck up a net conversation with what turns out to be an adult with bad intentions. We get bogus e-mail with nasty attachments from what appear to be friends and/or relatives but are actually neither. We go to web sites looking for one thing, and end up with endless windows of unwanted and invasive advertising and/or nastyware injected into our computers.

Part of the problem is that the Internet and PC revolution has come upon us at such a pace that many people are simply overwhelmed. Many don't know where their computer leaves off and the rest of the world begins (actual words from caller: "the internet isn't working..." ) Another part is that the typical PC simply was never intended to be put into a hostile network environment (and still isn't in my opinion.) Add these two things together and you have what we have now, an environment ripe for abuse by those in the know and with less than civil intentions.

I've come to the conclusion that the only way to deal with this problem is to start putting the onus back onto the system user to determine whether a particular entity at the other end of the connection is one they want to deal with, and/or what level of credibility to give them. 

The problem is that this will take some changes to software and habits. Some of the software changes are minor, some are major and will be subject to resistance from vendors and other affected parties (the CAs for example).

Focus on the Problem

Every now and then I get called to attend a focus group session on some product or service or other. A recent one put on by a financial institution was on the concept of trust in the light of the Enron and WorldCom (and other) scandals and the meltdown of much of the large corporate infrastructure in recent times. There were six of us plus the moderator at this session, and the two hours we spent kicking around the topic resulted in some interesting observations on the topic of personal trust today.

Two of us admitted (bragged?) to consciously working at testing trust in our relationships with newly met people and corporate entities. The others didn't consciously do it, but found that they did it none the less, at least in some instances.

In my case, I related the case of the local garage where our family gets most of its car repairs done now. The location has had at least 3 owners since we moved into the area, and I had tested the previous 2 and found them wanting, so had not gone back. I didn't cause them to fail, but I didn't help them either.

The new owner got an opportunity to do some work on our son's 1978 Firebird. The work was well done, priced reasonably, and the comments made were appropriate to the vehicle's age and use; the running gear is all in great shape, but the body needs work. There was no hint of trying to oversell anything, and there was a recognition that, while safety and reliability were high on my list of needs, we were working to a limited budget with the vehicle.

In light of my first experience, I got an estimate on getting new shocks and struts for my work vehicle, first from a major chain store, then from another garage about 3 miles away, and finally from the new, local garage. The local garage was within a few dollars of the chain store, and about a hundred dollars less than the other garage. When shown the chain's competing quote, Ken (the owner) matched the chain with the same parts and price with no hesitation. The job was done and I drove away, only to come back within a couple of hours because the steering was very loose. It turned out the left front shock had a manufacturer's defect. Ken got the vehicle up on the hoist, ordered a replacement and got it fixed as soon as the replacement came in.

Over the next several months we've had all our vehicles in their shop for various things (being a parent with two late teenage sons, and being in the suburbs, we have a vehicle each plus an old spare inherited from an uncle - this is the year of the car in our lives it seems :) 

It turned out that the right front strut on my work vehicle was also bad - both must have been made on a Monday - but the problem was not as obvious as it was with the left one. Ken has just replaced the right too, no questions asked, reaffirming my trust in his shop.

The trust goes both ways. When one of my sons had a problem with his car, he took it in himself and Ken and the boys fixed the problem and sent him on his way, knowing I would come in and settle up when I heard what had been done.

The garage is busy all the time - looks like they will make it.

Another aspect of the group's discussion centered around icons of trust, both those we thought were real icons today, and those we wished were icons but that we thought had fallen from favour. The current icons, those we would trust with essentially no hesitation, were exemplified by the Firefighter - especially in the light of the happenings of 9/11. In a similar vein but with fewer votes were the physicians, paramedics, teachers, police and other (at least in North America) government regulated/funded aid workers. Interestingly enough, the government itself was pointed out as an icon that nobody really trusted but all wanted to. The lower votes on the others mentioned were mostly due to negative stories heard about problem individuals.

I found it interesting that there were so few generic "icons" identified as trustworthy without thought or "testing".

On the other hand, all of us had companies and individuals we have dealt with for many years, with no thought that such a relationship might end. Once we made up our minds, it seemed that it took a lot to change them. It was summed up by one of the group: we don't like to take time to make decisions, so having made them, we don't want to have to revisit them.

In essence what we were saying was that people create their own list of entities/people they trust, complete with the level of trust (from "trusting they will try to screw me" all the way to what was essentially blind trust that the person/entity would "do the right thing") and kept this list for long periods of time. The list of entities entitled to blind trust has lessened recently, dropping things like publicly traded companies.

The point is that many of the group recognized that they had put trust in entities that they probably should not have, and they have revised their trust relationships because of their learning of problems. On the other hand, there has been no action from the likes of VeriSign on revoking the certificate of WorldCom - maybe this tells us something.

It may be (and I make the case that it is) only ourselves who can and must establish and maintain the trust relationship with an entity - maintaining our own Certificate Authority for our electronic conversations with them, and demanding that the software we are sold allow and in fact encourage this expression of our concern over trust. We are entitled to decide when we should have that warm fuzzy feeling, because we are pretty much the only ones who can decide with only our own best interests in mind.

richard 
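
A sketch of the user-maintained trust list argued for above, added here as an illustration and not taken from the article or from any existing software. The names `PersonalTrustStore`, `Trust` and `garage.example` are hypothetical, and `ca_ok` stands for whatever verdict the usual CA signature and CRL checks produced.

```python
import hashlib
from enum import IntEnum

class Trust(IntEnum):
    DISTRUSTED = 0   # user has withdrawn trust, whatever the CA says
    UNKNOWN = 1      # seen before, not yet tested
    TESTED = 2       # trust earned through past dealings

class PersonalTrustStore:
    """User-kept list: entity -> pinned certificate fingerprint + trust level."""

    def __init__(self):
        self.entries = {}

    @staticmethod
    def fingerprint(cert_der: bytes) -> str:
        return hashlib.sha256(cert_der).hexdigest()

    def set_trust(self, entity: str, level: Trust) -> None:
        self.entries[entity]["trust"] = level

    def evaluate(self, entity: str, cert_der: bytes, ca_ok: bool):
        """Return (decision, reason). The store only adds checks on top of
        the CA verdict; it never overrides a CA rejection."""
        if not ca_ok:
            return ("refuse", "CA validation or revocation check failed")
        fp = self.fingerprint(cert_der)
        entry = self.entries.get(entity)
        if entry is None:
            self.entries[entity] = {"pin": fp, "trust": Trust.UNKNOWN}
            return ("ask-user", "first contact: CA vouches, user has not")
        if entry["trust"] == Trust.DISTRUSTED:
            return ("refuse", "user withdrew trust locally")
        if entry["pin"] != fp:
            return ("ask-user", "certificate differs from the pinned one")
        if entry["trust"] >= Trust.TESTED:
            return ("proceed", "pinned certificate, trust earned")
        return ("ask-user", "known entity, trust not yet earned")

def demo():
    # Constructed stand-ins for DER certificate bytes; not real certificates.
    cert_a, cert_b = b"constructed-cert-A", b"constructed-cert-B"
    store = PersonalTrustStore()
    results = [store.evaluate("garage.example", cert_a, True)[0]]
    store.set_trust("garage.example", Trust.TESTED)
    results.append(store.evaluate("garage.example", cert_a, True)[0])
    results.append(store.evaluate("garage.example", cert_b, True)[0])
    store.set_trust("garage.example", Trust.DISTRUSTED)
    results.append(store.evaluate("garage.example", cert_a, True)[0])
    return results
```

The third call in `demo()` is the mis-issued-certificate case: the CA verdict is still "valid", but the certificate is not the one the user pinned, so the decision goes back to the user. The fourth is the WorldCom case: the user withdraws trust even though no CA revocation has happened.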

 

 


Copyright © 1993-2007 Richard C. Pitt - all rights reserved
Updated June 17, 2005