The Security Frustrations of Apple’s “Personal” Personal Computer: Device Access, Two Factor ID, and 386BSD Role-Based Security

Recently, a FaceBook friend lamented that he could not access his icloud mail from a device bound to his wife’s icloud access. He also expressed frustration with the security mechanism Apple uses to control access to devices – in particular, two-factor authentication. His annoyance was honest and palpable, but the path to redemption unclear.

Tech people are often blind to the blockers that non-technical people face because we’re used to getting around the problem. Some of these blockers are poorly architected solutions. Others are poorly communicated solutions. All in all, the security frustrations of Apple’s “personal” personal computer are compelling, real and significant. And do merit discussion.

One way tech folks get around Apple restrictions on email, for example, is to use multiple accounts. On an iOS device one can use multiple services and set up accounts for these services. For example, most don’t know that “Notes” is actually a hidden email client via an IMAP fetch. Apple does use the appropriate protocols behind the curtain.

In my case, I don’t even use icloud mail. I use dedicated email accounts. I have access mediated by a mail server in our datacenter cloud which we personally administrate.  So all this frustration doesn’t impact me. I don’t see it in my daily life. I’m blind to the impact on others.

But what if I, like most people using Apple devices, want to access iCloud mail from any Apple device? iCloud isn’t an ordinary heterogeneous service. It is actually bonded to a set of devices. This is the philosophy behind Apple’s “personal” personal computer. The assumption is the customer has many devices tightly held and only used by that single customer. If that’s so, it naturally follows that those devices will not easily permit access to a different iCloud mail, because there is no need. The security won’t allow it. They expect you to set up another IMAP account, like Gmail, directly. They expect you to be a “techie”.

As an experiment in trying to understand this issue, I went to a Mac that is not bound to an iPhone I had in hand. By using “Find My iPhone”, I logged in as the Apple ID and password. It then showed the location of that iPhone sitting next to me. I then changed to the mail app within the browser, and it showed me the iCloud mail. All this on a Mac bonded to a different user. So I did get around the problem.

But it was non-intuitive. It was somewhat absurd. And it did reveal a security issue. Security by obscurity is a bug, not a feature.

I was unable to test this on other devices, such as an iPad, as I was pressed for time. But I’m pretty sure there are ways to get around this even on small devices. But really, seriously, is this sensible?

This entire conversation then segued into a discussion of two-factor identification. In theory, two-factor identification is quite straightforward: Since everybody has a phone and some other device, if someone tries to access your account because they cracked your password and it’s not on one of your bonded devices, they send an email or a text to another device known as yours to confirm it’s OK. Simple, right?

Well, theory and practice are called that because thinking and living are really two different things. People live messy lives. Their phone may have been lost or forgotten or not charged up. They don’t know what device is the “mother may I” device.

The fundamental problem is that the nature of the security constraints of the Apple iPhone concept requires it to be hermetically sealed. (In contrast, Android is a leaky sieve, and it is quite vulnerable.) This is why the battles between Apple and the government on access to personal iPhones are so fraught, because it really is all or nothing.

This is not the only use of two-factor identification. Two-factor identification is required for a lot of services, such as FaceBook, and is not bound to a particular device walled garden. But the issue of making sure you have access to the primary device and “mother may I” device is still there. You must have all your devices, old and new, standing ready for the occasional incursion. And you must check and update all two-factor identification access points when you update devices. And this, my friends, is absurd.

I actually did a little work on security way back in the 1990s, where William and I came up with the concept of role-based security as an adjunct to the usual password mechanisms. We even wrote up an article in Dr. Dobb’s Journal about it, plus implemented it in 386BSD Release 1.0.

What were the gotchas? Security people didn’t like it because they were obsessed with crypto as a savior – which of course it wasn’t. The IT guys weren’t enamored because they liked administrating passwords and didn’t think it was a problem to change the password all the time, even though people don’t do that because they forget it, or they put it on a post-it on their monitor or write it in their wallet, and use “password” and “12345” as their password.

Two-factor authentication is just doing a “mother may I” to a separate device because we have lots more devices, but fails if the device being asked might not be available, hence blocking the user from work. It may not be great, but at this point, it’s really all we have.
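The “mother may I” flow described in this post, and the way it fails when the bonded device is unreachable, can be made concrete in a few lines. The following is an added illustration, not code from the post and not Apple’s actual mechanism: it assumes a constructed table of registered devices that each hold a shared secret, derives the one-time code from an HMAC over a per-login nonce, and uses a made-up 120-second challenge lifetime. The scenarios at the end show the owner with phone in hand, an attacker who has the password but no registered device, the owner on a borrowed unregistered device, and the owner whose phone is dead until the challenge expires.

```python
import hashlib
import hmac
import secrets
import time

# Constructed example data: the user's registered ("bonded") devices and the
# secret each one shares with the server. A real deployment would keep these
# in a secure element or keychain, not a module-level dict.
REGISTERED_DEVICES = {
    "phone": secrets.token_bytes(32),
    "laptop": secrets.token_bytes(32),
}
CHALLENGE_TTL = 120  # assumed lifetime of a challenge, in seconds


class SecondFactorChallenge:
    """The server's 'mother may I': a fresh nonce plus the time it was issued."""

    def __init__(self, now=None):
        self.nonce = secrets.token_bytes(16)
        self.issued = time.time() if now is None else now


def derive_code(device_secret, nonce):
    """Six-digit code bound to this nonce; only a holder of the secret can compute it."""
    tag = hmac.new(device_secret, nonce, hashlib.sha256).digest()
    return "%06d" % (int.from_bytes(tag[:4], "big") % 1_000_000)


def device_answer(device_name, challenge):
    """What a reachable registered device sends back. An unregistered or
    unreachable device has no secret and therefore no answer."""
    secret = REGISTERED_DEVICES.get(device_name)
    if secret is None:
        return None
    return derive_code(secret, challenge.nonce)


def verify_login(password_ok, challenge, submitted_code, now=None):
    """Server-side decision. The password alone is never enough; the answer
    must come from some registered device and arrive before the TTL expires."""
    now = time.time() if now is None else now
    if not password_ok:
        return "denied: bad password"
    if now - challenge.issued > CHALLENGE_TTL:
        return "denied: challenge expired"
    if submitted_code is None:
        return "denied: no second factor"
    for secret in REGISTERED_DEVICES.values():
        if hmac.compare_digest(derive_code(secret, challenge.nonce), submitted_code):
            return "ok"
    return "denied: second factor mismatch"


def scenarios():
    """Four constructed situations, all with the correct password supplied."""
    results = {}
    # The owner, phone in hand, answers within the window.
    ch = SecondFactorChallenge(now=1000.0)
    results["owner_with_phone"] = verify_login(True, ch, device_answer("phone", ch), now=1010.0)
    # Someone who cracked the password but holds none of the bonded devices.
    ch = SecondFactorChallenge(now=1000.0)
    results["cracked_password_no_device"] = verify_login(True, ch, None, now=1010.0)
    # The owner on a borrowed, unregistered device: same outcome as the attacker.
    ch = SecondFactorChallenge(now=1000.0)
    results["owner_on_unregistered_device"] = verify_login(
        True, ch, device_answer("borrowed", ch), now=1010.0)
    # The owner's phone is lost or dead; nothing answers and the challenge times out.
    ch = SecondFactorChallenge(now=1000.0)
    results["owner_phone_dead"] = verify_login(True, ch, None, now=1200.0)
    return results


if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(f"{name}: {outcome}")
```

The second and third scenarios are the point of the post: from the server’s side, the legitimate owner without a bonded device is indistinguishable from the attacker without one, which is exactly why the lost or uncharged phone locks the user out.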

Google Cloud OnBoard San Francisco: Buried Alive by PR

There are times when a seminar or conference or training session induces trepidation because the expectations are high. One questions whether it was worth the time to travel to the destination, wait to park in the wreck-a-lot, find the coffee urn empty, and then find a chair in the back where you can barely hear the speaker. All the while, slack messages are building up at home base. Is it worth it?

I’ve always found a reason to make the trip worthwhile – a small tidbit of knowledge, an off-the-cuff experience, an interesting speaker. Sometimes I run into an old colleague and we chat over lunch. Maybe even something *new*.

Then there was Google Cloud OnBoard San Francisco. This conference did not meet expectations. And given the stakes in the battle for the cloud between Amazon, IBM and Google, Google must excel. It did not.

Google advertised this conference as an all-day in-depth technical “training” session on the Google Cloud Platform (GCP). Anyone who has been to AWS conferences knows what that entails: a keynote on where the cloud is heading by an executive including *numbers* on pricing and trends, a set of overview talks on the technology, and then breakout sessions on specifics from hardware to apps so the attendee can focus on their specific expertise.

Google offered none of this.

Instead of an informative keynote by someone who matters on the trends and reasons for using Google Cloud, Google offered weak PR. Instead of analysis, Google offered bluster. Instead of technical expertise, Google offered mean jokes with a smattering of contempt for their audience.

And instead of “training”, Google offered a bait and switch “try and save” set of random slides presented by an obnoxious Henny Youngman wanna-be who would cut off the few good technical speakers with “Hey morons, even my wife can do this” remarks which were so annoying in their constant and disruptive repetition that the audience became more and more irritated and combative during the few times they were allowed to ask questions.

Of course, beyond insulting the men and women who just happen to be programmers, engineers and managers with the “my wife” spiel, the icing on the cake were the snarky responses to genuine audience questions comparing AWS issues to Google cloud, something any attendee would be hard-pressed to answer at the weekly engineering team meeting. “Yes, boss, I spent the entire day at the Hilton in SF, and all I got was this lousy t-shirt” is not a satisfactory answer for any company engaged in serious work in the cloud.

The irony of all this hand-waving by Google’s inept training staff is, if you can actually glimpse behind the curtain, there is some damned fine technology and thought put into Google Cloud.

You wouldn’t know that to hear the folks pitching it. Except for two competent people, a younger man and an older woman, who squeezed in a few technical discussions before they got shut down by the “host” of the event, it resembled nothing more than a mandatory cheer assembly for the losing high school football team at “More Science High”.

Two pluses. One: Since the training conference was a bust, we worked through the Qwiklabs “free” training kit (in record time I might add) of six hands-on “labs” on “GCP Fundamentals: Core Infrastructure” (Getting Started, GAE and Datastore, GCS, GKE, GCE, BigQuery). These were clearly ripped from a Spring bootcamp on Google Cloud and were rather haphazard, but far more informative than the actual training session. Two: If we passed Go (all the labs), they promised us $200 Google Cloud dollars.

We shall see if the GCP bucks are worthwhile or as useful as monopoly money.

Amazon is a company that decided to monetize their own product for other enterprise customers. In Microsoft parlance, they “eat their own dog food”. This means if their customer suffers, they suffer. It also means as an early adopter, their technology is arcane and hybridized. But they understand their customer, are willing to “buy in” to hold the customer, and constantly advance their reach.

Google can afford to learn from Amazon’s mistakes and make a *clean* Cloud – efficient, effective and reliable – at a cost-competitive advantage. But their attitude towards the very people they need to woo away from Amazon, to put it mildly, stinks. They’re arrogant, abusive and vulgar – even to their own technology staff.

And that is worrisome to any engineer or manager betting the company on a system that works all the time, every time. If you can’t trust Google to be serious about where you store and access your critical data, why invest the time and money in moving to their platform?

My compliments to the chef on the roast beef sandwich at the Hilton. It was definitely the high point of the day. The hotel staff were also quite pleasant. A hospitality business understands that the experience matters to a customer. A bad experience, and they may leave a bad review and never return.

Get your act together, Google.

Delusional mom or out-of-control government agency?

A toddler is snatched by TSA officials from a weeping helpless mom in the middle of a busy airport and whisked away. Nobody helps. Nobody cares. A horror for any parent. But is this story true? Is our civilization so depraved and cowed that government can violate every aspect of decency and not be challenged or even noticed? I suspect many good citizens might agree with this – after all, isn’t government bad?

But of course “who watches the watchers”? There’s nothing like evidence to mess up a good story, and evidence we have. TSA released nine different camera shots of this distraught mom demonstrating *nothing* happened to her or her child. Nothing at all. Sorry folks – nothing to see here. Please remember to pick up your shoes and water bottles on the way out.

The fact that TSA had to release this video footage (long, detailed and from multiple camera angles to mitigate claims of “doctoring”) demonstrates how paranoia dominates, and also why the appearance of airport security for the masses is consequently just as ridiculous as the culture.

When I reviewed one of Schneier’s books on security and culture, I was struck by his observation that security is handled in an “overt” fashion… public searches, obvious cameras, announcements, shoe and lotion inspections, and so forth, to provide the appearance of serious involvement. But many of these “glamurity” measures, while juicing up the public, are not the ones that are likely to uncover the real bad guys – remember that a group of determined terrorists took over planes with box cutters – those little blades to cut open boxes – not AK47’s or switchblades or cologne. It was organization, intimidation and the element of surprise that allowed them to succeed.

So the greatest concern regarding security in airports isn’t necessarily inspecting baby bottles (although on the basis that a bomb could be slipped into an unsuspecting child’s backpack or grandma’s purse, *everyone* must be searched – see, there’s that “organization” and “planning” stuff by determined bad guys again). Nope, the smart investment is in areas of automated photo recognition (do I know you?), examination of flight records (frequent flier? holiday to Tuva?), purchasing habits (cash or credit card? one-way or round-trip?) and ID (are you who you say you are and why are you traveling anyway?). This means real-time database analysis (a form of “business intelligence” pioneered by guys like Tandem to track your phone calls and credit cards – we *are* a consumer society after all) and lots of digital cameras. Oh, it also helps to have smart police who use their “instinct” to check out things – even though 9 times out of 10 there’s nothing there, there’s always that “tenth” time…

So what’s the moral of this little story? That bloggers lie to get hits? Well, I think that we already knew that. That some women are crazy? Given the road rage I see daily it’s not just women here, but there’s a thick percentage of “crazies” everywhere. Nope, the moral is pretty simple: You are being recorded, and not just from the cameras you see or the cameras the staff knows about, but also from cameras the staff and you *don’t* know about. This data is *collected* and *analyzed* and can persist and be pulled for review long after you’ve had that “claimed” incident with TSA or the janitor. To be fair, it’s unlikely to be reviewed – after all, millions of people pass through crowded airports and this means petabytes of uncompressed data that has to be stored somewhere so the persistence time is likely short. But since claims must be made quickly in a 24/7 Internet world, anyone who blogs that “TSA stole my lunch” yesterday on my business trip may actually face video surveillance footage that either shows the staff scarfing down fajitas or shows…nothing at all.

But why, you may ask, are there so many cameras? Aren’t one or two enough? Isn’t that a “waste” of taxpayers’ money? Not necessarily, because subverting security is something that insiders like staff are prone to, hence like banks the vast amount of data collection revolves around monitoring the workers with access – did she just go around the gate? did he just feel up the customers? did they steal from the luggage? and so forth.

But as a personal observation, I’d like to point out a common sense analysis that doesn’t rely on technology nor expertise, but only relies on an understanding of human nature. I felt the most unbelievable aspect of this woman’s blogged claim of TSA child abuse was that nobody in line at the airport inspection station noticed or said anything during this “incident”. Now seriously, I know this is a paranoid “fear culture” where “nobody helps nobody but himself” (to paraphrase a con man), but do people really think that the woman waiting behind this distressed mother or the businessman just ahead of her waiting on a laptop inspection or the grandparents three feet away are *not* going to notice something as unusual as an agent taking a toddler away from his weeping mom? That during an unfolding drama people waiting impatiently to get to a plane will not notice the delay, press in closer and begin to demand explanations?

This is why this woman’s posting was complete nonsense – it completely ignores that we are social creatures who always want to know what’s happening with others. We comment. We rant. We watch. We get upset. Just as a couple of chimps arguing over a banana will cause the rest of the troop to press in closer, people will get involved – especially if there is a child. Grandma will crowd in closer to learn what is going on, the businesswoman four feet away will express concern for the toddler, a twenty-something will ask to speak to another agent. It is human nature to meddle in the affairs of others – that’s what being social animals is all about.

America is full of problems we need to solve to avoid a dystopian future, and misconduct by those with badges does occur and must be dealt with appropriately. But there are also lots of scammers, liars and jerks who feed off of the paranoia of our society and make it look a hell of a lot worse than it is. These bottom feeders destroy trust, blacken reputations and encourage cynicism. Instead of focusing our energy on solving real problems, we are instead distracted by idiots enamored with celebrity. We waste time. We waste energy. We lose as a society.

So while some might wish to dismiss this incident, I’d like to expand upon it as an object lesson in how going too far to aggrandize oneself can result in serious blowback. And I’d rather see a fame-obsessed woman trying to get a blog audience to raise her google adwords paycheck exposed as a liar and use this lesson to engage in a discussion of real security needs than see the converse – that in a crowded airport nobody would come to the aid or even question essentially the official kidnapping of a toddler. That so many people are still willing to believe the worst here despite evidence to the contrary says everything about trust in our democracy.

Taking a Byte out of Cookies

When I wrote Memories and Cookies for Byte several years ago after the dot-com boom went bust, I got pushback from the editor. Why would anyone care about persistence, monitoring and cookies structures? As a Director at one of those Internet datacenter companies at the height (and fall) of the bubble, I knew that cookies were very important to bizdev and sales as an indicator to tracking unique visitors. Of course, the underlying assumption was that cookies were persistent even though browsers allowed one to selectively delete them. On my modern Firefox browser there is even a special “remove all cookies” button that makes non-flash cookie removal a snap (flash cookies, aka local shared objects in flash-speak, are persistent objects embedded in the flash plug-in, and not removed by the browser’s cookie mechanism; this is one reason lots of sites are going to flash). And remove them we do — up to 1/3 of computer users remove cookies at least once per month, according to comScore, and 7% of computers account for 35% of all cookies served.

While not surprising, this has serious implications for ad monetization.

FilmLoop and Alexa – When Fake Rankings Kill Companies

There’s much sturm und drang about the nasty setup and selloff of a little company called FilmLoop in the business community this week. While there can be much debated about liquidation preferences, drag-along rights and sharp practices, there is one issue relevant to the datacenter operator – the claim by some VCs that Alexa rankings are a good validator of an Internet company’s audience and future traffic. And now, since we’ve stepped out of money-land and into datacenter-land, let’s examine this assumption a bit more carefully. Is Alexa a good validator of a business, or not?

Fun Friday: Google Test Positive, Laser Bits, Gender Blues

While we were working on getting all those Jolix 386BSD fans their Porting Unix to the 386 articles (we have been swamped BTW – and yes, there’s more coming), a few other items of interest this week…

If you made money on Google (or if you wished you had made money on Google), you might try using The Google Test to evaluate your next investment. According to Matt Marshall of VentureBeat, “Entrepreneur William Jolitz posits a contrarian view on YouTube, praising its expensive use of bandwidth as a key to its success. Read on about how YouTube meets the ‘Google Test.’”

Bandwidth-driven business models may seem counter-intuitive to a technologist – after all, we like to make products that make money, and when we fail we tend to face a firing squad. So I can understand it when a techie gets all worked up about those $1M/mo bandwidth bills without getting anything in the way of dollars back. It’s always bothered me that companies like Google, YouTube, and MySpace seem to violate laws of nature. But guess what, kids – making these big Internet moves doesn’t seem to have as much to do with moving $$ product (after all, any techie can upload a movie or make a GenY webpage with a plethora of packages) and more to do with getting eyeballs and mindspace. Yes, this was true when I was at IGN Networks way back in the dotcom bubble, and it’s still true today.

So I heartily recommend that tech guys and gals read this little piece, not to depress you, but to allow you to learn how those top-flight venture firms like Sequoia make their decisions. After all, if they want to spend the money, aren’t we up to the challenge of making it work out?

On another exciting topic, looks like Intel and UC Santa Barbara have made a promising breakthrough in using laser light to make a much faster interchip switch. According to the article “The breakthrough was achieved by bonding a layer of light-emitting indium phosphide onto the surface of a standard silicon chip etched with special channels that act as light-wave guides. The resulting sandwich has the potential to create on a computer chip hundreds and possibly thousands of tiny, bright lasers that can be switched on and off billions of times a second.” As one of my engineering friends said when we chatted, this makes low-power SiliconTCP all the more valuable (see InterProphet for more information).

Finally, an interesting essay from up-and-coming Renkoo CTO Joyce Park on women role models in business and her dismay over the HP Dunn affair. Since I’ve written on this topic often, I couldn’t help putting in my own two-cents. 🙂

Happy weekend reading – there will be a “Google test” on Monday.

Exploitation of Child Labor in Tech? I Can’t Hear You Over My iPod…

This spring I interviewed a number of “The Tech” museum award laureates who have used technology to improve the human condition (usually extremely frugally). One of the most exciting innovators is Saeed Awan, director of the Centre for the Improvement of Working Conditions & Environment based in Pakistan. They tackled the problem of child labor in the rug weaving industry. Instead of simply outlawing the practice (which would be futile because these child laborers are the major breadwinners for their poor families), they “engineered out” child labor by developing an “improved, ergonomic and, most important, adult-friendly loom”. Coupled with economic practices (loom ownership allows bidding on lots by adults), this innovation moves the breadwinner status back to adults (primarily women) and moves children back to schools. A perfect use of technology and worthy of a “tech” award.

But where technology providers giveth, technology providers also taketh away…

When Your Bandwidth Runs Out

Tom Foremski of SiliconValleyWatcher had an amusing item about how awful it is to be successful enough to “run out of bandwidth”. “SiliconValleyWatcher was off line for about 6 hours as traffic surged above our monthly quota. And I couldn’t open up the pipes because there was no way to buy more bandwidth online. I found that I would have to wait until the next morning and email the sales department!!!”

This little problem is why you negotiate with a managed service provider for overage bandwidth. A good ISP should be calling Tom about his burst, not waiting for Tom to call them after his blog has been knocked offline as punishment for the sin of being successful. But negotiating bandwidth overages when you are a small business isn’t usually done – everything is so “on the cheap” that even simple contract items (which could be automated) don’t exist. Is it any wonder I run my own datacenter?

I wrote about this in one of my essays on datacenter management and monitoring. I’ve been told that no one needs to know this stuff anymore, because everything works perfectly. Think that’s the case?

D-Day – Apple-IBM Axis Collapses

Well, I figured it was happening finally. The hint was there *if* you knew where to look. Looks like nobody else twigged to the firing of those Linux developers at Intel for timing – even though I had a thoughtful discussion with an analyst just last week over that very issue and asked whether that meant Jobs was going to Intel. He said “No way” but this time I wasn’t sure he was right – he went back to check things out one more time, was guaranteed it wouldn’t happen, and then “Voila”, it did. But his mistake was talking to Apple contacts. I didn’t bother. I looked at what Intel was doing. Since I’ve dealt with Intel on the silicon side over the years with SiliconTCP, it didn’t take a lot of digging to put the pieces together.

Markoff and Lohr (NYTimes) have one of the best articles on the topic today – less hand wringing and more substance than most. But they could add one more line that would tie it up, something like:
“The real story is Apple vs. Dell. High cost factor for Dell is Windows. Mac still sells at a premium above Wintel, and the OS & developer base is open source, so Jobs is out of the Mac developer debacle and cost leveraged. And he still has Microsoft Apps like Office in the stable … for now.”

Apple may be having the hissy fit, but IBM doesn’t care. IBM doesn’t even need Apple anymore to showcase their chips given all the game console manufacturers who are using them. Apple has always been high maintenance and low volume – the worst of all sins to a processor vendor – but IBM tolerated them because of their “Hollywood” artist image. But now it turns out gaming is even more “mogul” than Macs. Who wins? Intel for one, who’s been desperate to get some Hollywood patina for years, enterprise systems and desktops being so boring.

Customers and vendors will also win – in the short run. Prices will drop and applications development should broaden, especially in leveraging open source development for the X86 more effectively. But the long run remains bleak for Apple’s desktop and laptop division. It was the only decision possible for Apple if IBM wouldn’t give them the price breaks they needed for margin. But it probably wasn’t the best decision.

Do You Smell Smoke — Oops, there goes a Server!

It takes time, but it’s lovely when you get borne out in an article, as Martin LaMonica discusses how Google manages to handle all those search queries. And it’s really simple – get cheap X86 machines, use an open source stripped-down kernel, fiddle with the filesystem to do simple block transfers with a simple triad mirror (master – dual slave) configuration. So low-cost, easy, and direct.

Of course, I recall the enterprise guys at the time laughing at using commodity cheap servers for “real enterprise applications”. So I guess Google isn’t a real enterprise application company, hmmm?

But there is a little nit in the ointment, so to speak. Power! Having lots of cheap servers and simple management reduces people overhead, but at the cost of much greater power consumption. As Urs Hoelzle, VP Operations and Engineering at Google says, “The physical cost of operations, excluding people, is directly proportional to power costs,” he said. “(Power) becomes a factor in running cheaper operations in a data center. It’s not just buying cheaper components but you also have to have an operating expense that makes sense.”