The US Military makes its fair share of mistakes when it comes to technology—but over the weekend, the New York Times revealed that even upgrading a single software system can go horribly wrong for it.
The New York Times describes the situation:
Last month, [the Air Force] canceled a six-year-old modernization effort that had eaten up more than $1 billion. When the Air Force realized that it would cost another $1 billion just to achieve one-quarter of the capabilities originally planned – and that even then the system would not be fully ready before 2020 – it decided to decamp.
You might expect the project to be exotic and experimental. If that were the case, the expense and failure might be understandable, if not desirable. But in fact the project was the implementation of commercial off-the-shelf software. Known as the Expeditionary Combat Support System, the plan was to improve the management of logistics using software from Oracle. Six years of development and more than $1 billion later, neither Oracle nor the Air Force has anything to show for their labors.
So what went wrong? According to the New York Times, the plan was scuppered by constant redesigns, poor time management and lack of accountability:
[The System] was restructured many times, including three separate times in the last three years, Ms. McGrath says. “Each time, we chunked it down, breaking it into smaller pieces, focusing on specific capabilities.” But this was not enough to save the system, she says, because program managers did not succeed in imposing the short deadlines of 18 to 24 months that the department now requires for similar projects…
[A] report cited many concerns, but the main one was a failure to meet a basic requirement for successful implementation: having “a single accountable leader” who “has the authority and willingness to exercise the authority to enforce all necessary changes to the business required for successful fielding of the software.”
If anything, we should be grateful that the Air Force decided to kill the project before it haemorrhaged more cash. If you want more detail, you should definitely read the Times piece. [New York Times]
Image by expertinfantry under Creative Commons license
I have a Sony laptop computer. It is less than a year old. It was not cheap. I bought the best components, memory and hardware components options available including 3-year in home support.
A couple of months ago the monitor developed a problem (a line of dead pixels down the entire length of the screen). I knew it was a hardware failure because I run a dual monitor setup and the line did not appear on the second screen.
I ignored that problem because it was relatively minor. However a hard drive failure cannot be ignored.
Unfortunately I experienced a hard drive failure at the beginning of January and was dead in the water. I could not boot.
Please follow this chain of events (Mac users, please try not to laugh too loudly).
My Sony Support Experience
- I called Sony support and told them of my problems. They told me my computer was out of warranty even though it was less than a year old and under standard warranty. I told them I had a 3-year warranty. They told me they had no record of it but gave me another Sony phone number to call to verify my warranty.
- I suggested that rather than me hang up and dial Sony, that Sony should dial Sony and verify my service contract. The technical rep said that was not possible.
- I called the service number at Sony the tech rep gave me and that service rep verified my date of purchase as less than a year old. The service rep also gave me my 3-year in-home service contract number.
- I called back Sony technical support and gave them my service contract number. The technical rep said they could not find that service contract and would not help me. The tech rep told me to call back the service rep and get the right number.
- I called back up the service rep, and I did indeed have the right number. The service rep agreed to call the tech rep and stay on the line to verify the number. Apparently service can call technicians but not vice-versa. Some of these calls took 20 minutes.
- The service rep informed the technical rep of my purchase date of the service contract (less than a year old), and that it was for 3-years. At that point the tech rep agreed to help me. The service rep hung up.
- The tech rep then took my serial number and other information but said before he could schedule a service call he needed a copy of my receipt. I did not have a copy of my receipt. Given that the Sony service rep had verified my purchase date and 3-year service contract, I failed to understand why I needed a written receipt. As you might expect I was quite upset and talking rather loudly at this point.
- The service rep said he needed to know whether the computer was to be repaired under the service contract or the 1-year standard warranty. As you might imagine I did not see why any of this mattered as my date of purchase was confirmed by Sony as was my 3-year warranty.
- Well this mattered to the technician who demanded a receipt. The technician gave me a Sony website in which I could look up my order and get a receipt. I said “If I can go to a website on Sony and look up my order, why can’t you?”
- As you can probably guess from what has transpired so far, the tech rep could not do that. It was now late in the day and I had company over and a backup PC was working but without a lot of programs I frequently use and need. I waited overnight to get the receipt.
- The next day I attempted to get a receipt but the website URL the tech rep gave me was invalid.
- Once again I called the service contract rep and that person gave me the right address. I said why don’t you look up my purchase date and get it to the tech, but this time the service rep was uncooperative.
- I go to the Sony website and find my order. I print out my order and fax it to the tech rep. I call the tech rep number and the tech informs me he has scheduled a service call and someone would call me shortly to arrange a time within three days.
- I was suspicious of that claim, so the next day I called up the service rep who indeed verified the tech rep did not schedule a service call.
- The service rep put in the order noting they had received my fax and that everything was in order.
- I was told I would get a call within 3 days. I was actually shocked to get a call the next day, but the pleasant surprise quickly ended on news they had to order parts and I would get another call within 3 days when the parts would be ready.
- Two days later the parts arrive and I get a call and schedule a time.
- The rep brings out another monitor and another hard drive.
- The monitor is bad. It has a line of dead pixels in a different spot.
- The tech rep installs the hard drive and leaves me with a set of install disks.
- One might think that the on-site technician might actually load the disks they delivered but one would be wrong. These guys are 100% without a doubt strictly hardware only. They do not load disks. Even ones they hand deliver.
- It is late in the evening and once again I had company. The next day I run the setup disks and get an I/O error. I cannot tell what is wrong.
- I call Sony and they suspect another hard drive problem and tell me someone will call me within three days to schedule an appointment.
- I am screaming at the top of my lungs at this point as I have had it. The rep agrees to do nothing but schedule another call. I ask for his supervisor and am transferred to a “national customer relations specialist” (NCRS).
- I ask the NCRS to send me a new computer. He tells me that the computer I have is no longer available. That was a direct lie because in advance (in expectation of lies) I had gone on the Sony website and could order the exact computer I already had.
- I informed the NCRS that the computer was still orderable and he said he did not have the authority to do what I asked. If a national customer relations person does not have that authority, one has to wonder “Do they have ANY authority?”
- I asked to be transferred to his superior and was put on hold. His superior (and the NCRS refused to tell me the title of that person) would not take my call but whoever that person was did tell the NCRS that if the next delivery did not work they would pro-rate a refund.
- I demanded to talk to the NCRS superior but the NCRS would not comply.
- At that point I had had enough. I had been without my computer for 11 days and had loaded trial versions of software I use on another computer to get by, but I was still running in limited mode in a number of ways.
- I do an online search for computer repair for my city at 4:30 PM. The first two places did not answer the phone or had messages saying they were closed. The owner of a third local repair shop in Barrington, Illinois did answer the phone. He was open until 7:00 PM and Barrington is only a half hour away.
- He agreed to look at my computer. I brought in my computer, the install DVDs Sony gave me, and an external hard drive backup I had of my computer. He took one look at the install disks and said “this one is bad” (it had a discolored spot on the DVD). He changed the BIOS on my machine to boot from an external DVD drive and fortunately the external drive was able to read the install disks. It was now going on 8:00 PM and the owner had stayed an hour past closing to help me, but the configuration was only 70% done.
- The owner had to go but the next day when I called in, he had reset my drive to the original Sony state, removed all the Sony bloatware including Norton. He loaded all my personal files from an external hard drive I brought in. Above and beyond the call of duty, he found every ICON on my computer and went out and loaded trial versions of every software program I had.
- Now that is service. I had my Microsoft Office Key as well as keys to the other programs I use. I had no idea how to configure my POP account at SBC on to my Microsoft Exchange account but he did that off the top of his head. By accident, I found someone (a business owner) who not only understands computers but someone who also understands the value of a customer.
- Five days later (two over the weekend) Sony did come by and replace my monitor. It might have been done sooner but I was out of town on Friday.
Moral of the Story
- Have file backups. I did.
- Don’t count on Sony
- I have had bad experiences with Dell as well so don’t count on Dell or any other mass producer either.
- Instead find a local computer shop that understands computers and the value of a customer.
By the way, I left out one interesting detail.
Barrington Computer has the ability to access a computer remotely. Zatek gave me a way to see what was happening remotely to my computer. When I checked on it at midnight (from my backup machine at home), Zatek was also dialed into my computer and we exchanged messages right on my computer remotely using notepad, at midnight. We could see what each other was typing. That is pretty cool as well as exceptional service.
One good thing came out of this. I am pleased to have found someone who knows computers and also understands the value of a customer. Sony sure doesn’t.
I received many emails regarding this post. Here is one from attorney “BR” who says …
I’m a big fan of your site and it is pretty much required reading for me most days. I read your account of your travails with “Big Corporate Customer service” with great empathy. I encountered a very similar experience two years ago getting a burner part replaced on my natural gas hot water heater. It took six weeks, 7 separate “house calls,” at least 15 different phone calls, and nearly being divorced before the problem was rectified. And it was a parts problem for which the company had issued a “recall,” so it wasn’t a unique or unexpected problem.
I’ve become convinced that this type of customer “service” is viewed as being a “feature” and not a “bug.” And it crosses all lines of products and services, but especially those covered by “warranties.” They are actively discouraging you from insisting on your right to the free repairs and other services for which you have already paid when you purchased your warranty. In my judgment it represents a calculated effort by corporate types to maximize the profits they obtain under extended warranty agreements. It really is a form of fraud.
Lesson learned is that while P.C. stands for piece of crap, warranties are worth even less.
Very truly yours,
I received many comments about the poor quality of consumer products. I failed to mention a possible remedy.
I asked the store owner if he custom built computers and he said it would not be cost-effective. After all, he still would be using components straight from China.
Instead he said, never buy a computer from a normal retail store or through the “consumer division” of a PC maker. Sony only has a consumer division. HP and Dell have business divisions.
Unfortunately, that may not mean support will be much better, but rather the components will likely be of a higher quality. Large businesses might buy hundreds of computers or more at once. To get repeat business, the computers need to be more durable and have no built-in bloatware (trial software and other garbage).
I received many emails like this from Mac users, but here is one from a person at VMC Consulting Corporation with an email address at Microsoft.
Reading your recent “Horrific Experiences” post, I just want to make a friendly suggestion.
Next time you want the best Windows machine money can buy, get a Mac.
The Mac is the best Windows machine you can buy, and the support is fantastic. I don’t know where you live, but if it’s a major city, I bet there’s an Apple store nearby.
You can either use “Boot Camp” and run entirely in Windows, or you can be booted into the Mac OSX, and run Windows inside of Parallels, which is a fantastic Virtualization program.
Anonymous has sure been quiet lately, but today’s federal bust of Megaupload riled ’em up good: a retaliatory strike against DoJ.gov (and plenty of other foes) leaving them completely dead.
DownForEveryoneOrJustMe.com is reporting the department’s site as universally nuked, and an Anonymous-affiliated Twitter account is boasting success. This is almost certainly the result of a quickly-assembled DDoS attack—and easily the widest in scope and ferocity we’ve seen in some time. If you had any doubts Anonymous is still a hacker wrecking ball, doubt no more.
The combination of the hacking nebula’s SOPA animosity—they’ve been a vocal opponent of the bill since its inception—combined with today’s sudden Megaupload news has made the group bubble over: hundreds upon hundreds of Anon operatives are in a plotting frenzy, chatting about which site will go down next. In Anon’s eyes, the government and media interests are responsible for the undue destruction of Megaupload (and the arrest of four of its operators), so it’ll be exactly those entities that’re feeling the pain right now. Pretty much every company that makes movies, TV, or music, along with the entirety of the federal government, is in Anonymous’ crosshairs.
Update: Anonymous says they’ve also knocked off the RIAA’s site—looks down for us at the moment as well.
Update 2: Universal Music Group has also fallen off an e-cliff.
Update 3: Goodbye for now, MPAA.org.
Update 4: Affected sites are bouncing in and out of life, and are at the very least super slow to load. Anon agents are currently trying to coordinate their DDoS attacks in the same direction via IRC.
Update 5: The US Copyright Office joins the list.
Update 6: This Anon sums up the mood in their “official” chat room at the moment:
Danzu: STOP EVERYTHING, who are we DoSing right now?
Update 7: Russian news service RT claims this is the largest coordinated attack in Anonymous’ history—over 5,600 DDoS zealots blasting at once.
Update 8: the Anonymous DDoS planning committee is chittering so quickly, it’s making my laptop fan spin.
Update 9: Major record label EMI is down for the count.
Update 10: The resistance is international: French copyright authority HADOPI bites the dust under Anon pressure.
Update 11: The Federal Bureau of Investigation has fallen and can’t get up.
Update 12: Anonymous has released a statement about today’s attacks.
Yahoo Scientist Questions ROI of Kardashian’s Sponsored Tweets
Duncan Watts Explains His Model for Predicting Value of Influencers on Twitter
Ad Age Digital Conference
NEW YORK (AdAge.com) — Stop paying Kim Kardashian $10,000 per tweet. That’s the recommendation based on the work of Yahoo’s principal research scientist Duncan Watts, who presented his findings at Advertising Age’s Digital Conference.
“If you recruit enough people who, on average, influence just one other person, you could get a much better return on investment if you aggregated them and altogether paid them a tenth of what Kardashian gets.”
But in looking at influencers, Mr. Watts found that it’s incredibly hard to predict who will be a major factor on Twitter, a conclusion that runs counter to the prevailing wisdom of social epidemics popularized by the book “The Tipping Point.” While he acknowledges there are certain personalities such as Kim Kardashian who can potentially trigger a larger cascade of re-tweets given her large amount of “followers” (“Tipping Point” enthusiasts call her a connector), close studies of social platforms reveal that influence is spread more efficiently and more reliably when done through many-to-many connections, rather than through a few highly connected individuals.
“Most of them will send tweets, and no one else re-tweets,” Mr. Watts said. “A lot of times, not that many people are listening on Twitter.”
More supporting details here: http://www.marketingcharts.com/direct/celeb-twitter-followers-have-low-authority-13297
Celeb Twitter Followers Have Low Authority
Celebrity Followers Offer More Quantity than Quality
Celebrities seem to have large amounts of followers with low Twitter authority levels (see “About the Data” for more information on how authority levels are determined). Of five celebrities examined, the average follower of President Barack Obama had the highest authority rating on a scale of 0 to 10, 2.4. The most common authority score among Obama’s roughly 4.2 million followers is 1, held by 20%.
Interestingly, the celebrity whose fans had the second-highest authority score of 2.1, pop singer Lady Gaga, had the second-lowest following of about 4.5 million. The most common authority score of followers of all celebrities except Obama was 0.
Actor Ashton Kutcher had the highest number of followers (about 5.1 million), and the third-highest average authority score (1.8). Pop singer Britney Spears had the lowest average follower authority score (1.3) and second-highest number of followers (about 4.8 million).
Celebrities seem to have large amounts of followers with low Twitter authority levels. This could be because they attract everyone from all walks of life. Some people may only be on Twitter to see what their favorite stars have to tweet about. In addition, most celebrity followers tracked by Sysomos had few followers themselves, pushing down their authority scores.
Social Media Heavyweight Followers Have Most Authority
Social media heavyweights, private citizens who have made a name for themselves on Twitter, had the fewest followers but the highest average authority scores for their followers. Following the pattern seen with celebrity tweeters, the social media heavyweight with the fewest followers, Jason Falls (27,195), had the highest average follower authority score (4.8).
Conversely, the two social media heavyweights with the most followers, Chris Brogan (139,693) and Jeremiah Owyang (64,775), tied for the lowest average follower authority score of 4. The most common authority score for all social media heavyweight followers was either 4 or 5.
Online Media Beats Traditional Media
On the whole, the five news/media sources tracked by Sysomos show more variety among their scores than the celebrities or social media heavyweights. However, online media sources attracted fewer followers with higher average authority scores than traditional media sources.
Online media source Read Write Web, with about 1 million followers, had an average follower authority score of 3, which was also its most common follower authority score (19%). This tied online media source Mashable in average authority score, most common authority score and percentage of followers with the most common authority score. Mashable has more followers with about 2 million.
Online media source Tech Crunch ties traditional media source Time.com with an average follower authority of 2.4 and most common follower authority score of 2, at virtually the same percentage. However, Time.com has significantly more total followers (2.1 million) than Tech Crunch (1.4 million).
Traditional media source New York Times has the highest total number of followers (about 2.5 million) and lowest average authority score (2.2). It also has by far the lowest most common authority score of 0 (22%). Not surprisingly, sources that specialize in social media attract users that are more active on Twitter.
Facebook Fans More Valuable Customers
While there is variation in the value of different types of Twitter followers, on the whole Facebook fans of a brand provide more value as customers than non-fans, according to a new study from digital consulting firm Syncapse Corp.
The average value a Facebook fan provides a brand is $136.38, but it can swing to $270.77 in the best case or go down to $0 in the worst. This value is based on Syncapse analysis of five factors per fan: product spending, brand loyalty, propensity to recommend, brand affinity and earned media value.
On average, a Facebook fan participates with a brand 10 times a year and will make one recommendation. Value can differ significantly by individual brand. For example, in the case of Coca-Cola, the best case for fan value reaches $316.78 but is $137.84 for an average fan. In the worst-case scenario, a fan is worth $0.
About the Data: Using its social media monitoring and analytics platform, Sysomos looked at the authority rankings of five celebrities, five social media heavyweights and five media organizations. Rankings were based on the kind of Twitter users following these celebrities, social media heavyweights and media organizations. Each Twitter user is assigned an authority ranking between 0 to 10 – with 10 signifying someone with very high reach and influence. This authority ranking is based on the number of followers, following, updates, retweets and several similar measures used by Sysomos.
Normally when a user visits a secure website, such as Bank of America, Gmail, PayPal or eBay, the browser examines the website’s certificate to verify its authenticity.
At a recent wiretapping convention however, security researcher Chris Soghoian discovered that a small company was marketing internet spying boxes to the feds designed to intercept those communications, without breaking the encryption, by using forged security certificates, instead of the real ones that websites use to verify secure connections. To use the appliance, the government would need to acquire a forged certificate from any one of more than 100 trusted Certificate Authorities.
The attack is a classic man-in-the-middle attack, where Alice thinks she is talking directly to Bob, but instead Mallory found a way to get in the middle and pass the messages back and forth without Alice or Bob knowing she was there.
The existence of a marketed product indicates the vulnerability is likely being exploited by more than just information-hungry governments, according to leading encryption expert Matt Blaze, a computer science professor at the University of Pennsylvania.
“If [a] company is selling this to law enforcement and the intelligence community, it is not that large a leap to conclude that other, more malicious people have worked out the details of how to exploit this,” Blaze said.
The company in question is known as Packet Forensics, which advertised its new Man-In-The-Middle capabilities in a brochure handed out at the Intelligence Support Systems (ISS) conference, a Washington DC wiretapping convention that typically bans the press. Soghoian attended the convention, notoriously capturing a Sprint manager bragging about the huge volumes of surveillance requests it processes for the government.
According to the flyer: “Users have the ability to import a copy of any legitimate key they obtain (potentially by court order) or they can generate ‘look-alike’ keys designed to give the subject a false sense of confidence in its authenticity.” The product is recommended to government investigators, saying “IP communication dictates the need to examine encrypted traffic at will” and “Your investigative staff will collect its best evidence while users are lulled into a false sense of security afforded by web, e-mail or VOIP encryption.”
Packet Forensics doesn’t advertise the product on its website, and when contacted by Wired.com, asked how we found out about it. Company spokesman Ray Saulino initially denied the product performed as advertised, or that anyone used it. But in a follow-up call the next day, Saulino changed his stance.
“The technology we are using in our products has been generally discussed in internet forums and there is nothing special or unique about it,” Saulino said. “Our target community is the law enforcement community.”
Blaze described the vulnerability as an exploitation of the architecture of how SSL is used to encrypt web traffic, rather than an attack on the encryption itself. SSL, which is known to many as HTTPS://, enables browsers to talk to servers using high-grade encryption, so that no one between the browser and a company’s server can eavesdrop on the data. Normal HTTP traffic can be read by anyone in between – your ISP, a wiretap at your ISP, or in the case of an unencrypted WiFi connection, by anyone using a simple packet sniffing tool.
In addition to encrypting the traffic, SSL authenticates that your browser is talking to the website you think it is. To that end, browser makers trust a large number of Certificate Authorities – companies that promise to check a website operator’s credentials and ownership before issuing a certificate. A basic certificate costs less than $50 today, and it sits on a website’s server, guaranteeing that the BankofAmerica.com website is actually owned by Bank of America. Browser makers have accredited more than one hundred Certificate Authorities from around the world, so any certificate issued by any one of those companies is accepted as valid.
To use the Packet Forensics box, a law enforcement or intelligence agency would have to install it inside an ISP, and persuade one of the Certificate Authorities – using money, blackmail or legal process – to issue a fake certificate for the targeted website. Then they could capture your username and password, and be able to see whatever transactions you make online.
Technologists at the Electronic Frontier Foundation, who are working on a proposal to fix this whole problem, say hackers can use similar techniques to steal your money or your passwords. In that case, attackers are more likely to trick a Certificate Authority into issuing a certificate, a point driven home last year when two security researchers demonstrated how they could get certificates for any domain on the internet simply by embedding a special character (a null character) in a domain name.
“It is not hard to do these attacks,” said Seth Schoen, an EFF staff technologist. “There is software that is being published for free among security enthusiasts and underground that automate this.”
China, which is known for spying on dissidents and Tibetan activists, could use such an attack to go after users of supposedly secure services, including some Virtual Private Networks, which are commonly used to tunnel past China’s firewall censorship. All they’d need to do is convince a Certificate Authority to issue a fake certificate. When Mozilla added a Chinese company, China Internet Network Information Center, as a trusted Certificate Authority in Firefox this year, it set off a firestorm of debate, sparked by concerns that the Chinese government could convince the company to issue fake certificates to aid government surveillance.
In all, Mozilla’s Firefox has its own list of 144 root authorities. Other browsers rely on a list supplied by the operating system manufacturers, which comes to 264 for Microsoft and 166 for Apple. Those root authorities can also certify secondary authorities, who can certify still more – all of which are equally trusted by the browser.
The list of trusted root authorities includes the United Arab Emirates-based Etisalat, a company which was caught last summer secretly uploading spyware onto 100,000 customers’ Blackberrys.
Soghoian says fake certificates would be a perfect mechanism for countries hoping to steal intellectual property from visiting business travelers. The researcher published a paper (.pdf) on the risks Wednesday, and promises he will soon release a Firefox add-on to notify users when a site’s certificate is issued from an authority in a different country than the last certificate the user’s browser accepted from the site.
EFF’s Schoen, along with fellow staff technologist Peter Eckersley and security expert Chris Palmer, want to take the solution further, using information from around the net so that browsers can eventually tell a user with certainty when they are being attacked by someone using a fake certificate. Currently browsers warn users when they encounter a certificate that doesn’t belong to a site, but many people simply click through the multiple warnings.
“The basic point is that in the status quo there is no double check and no accountability,” Schoen said. “So if Certificate Authorities are doing things that they shouldn’t, no one would know, no one would observe it. We think at the very least there needs to be a double check.”
EFF suggests a regime that relies on a second level of independent notaries to certify each certificate, or an automated mechanism to use anonymous Tor exit nodes to make sure the same certificate is being served from various locations on the internet – in case a user’s local ISP has been compromised, either by a criminal, or a government agency using something like Packet Forensics’ appliance.
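The two defensive checks sketched above, Soghoian's "did the issuing CA's country change?" warning and EFF's multi-vantage-point consistency check, as an added example that is not code from the article, from EFF or from Soghoian's add-on. It works over constructed certificate observations (host, leaf fingerprint, issuer country) rather than live TLS connections, so the fingerprints and hosts are placeholders.

```python
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional

@dataclass(frozen=True)
class CertObservation:
    """One sighting of a site's certificate; all values below are constructed."""
    host: str
    fingerprint: str      # SHA-256 of the leaf certificate, hex
    issuer_country: str   # C= attribute of the issuing CA's distinguished name

@dataclass
class CertWatch:
    """Trust-on-first-use store of the last certificate accepted per host
    (the behaviour the article attributes to Soghoian's planned add-on)."""
    seen: Dict[str, CertObservation] = field(default_factory=dict)

    def check_issuer_country(self, obs: CertObservation) -> Optional[str]:
        """Warn when a new certificate for a known host comes from a CA in a
        different country than the one the browser last accepted."""
        previous = self.seen.get(obs.host)
        self.seen[obs.host] = obs
        if previous is None or previous.fingerprint == obs.fingerprint:
            return None  # first visit, or the same certificate as before
        if previous.issuer_country != obs.issuer_country:
            return (f"{obs.host}: certificate now issued by a CA in "
                    f"{obs.issuer_country}, previously {previous.issuer_country}")
        return None  # routine renewal within the same jurisdiction

def notary_check(local: CertObservation, remote: List[CertObservation],
                 quorum: float = 0.5) -> Optional[str]:
    """Compare the certificate delivered over the local network with what
    independent vantage points (notaries, Tor exit nodes) see for the same
    host.  A mismatch points at an interception box on the local path."""
    others = [o for o in remote if o.host == local.host]
    if not others:
        return None  # no independent view: nothing to corroborate against
    votes = Counter(o.fingerprint for o in others)
    consensus, count = votes.most_common(1)[0]
    if count / len(others) < quorum:
        return f"{local.host}: vantage points disagree, no consensus certificate"
    if consensus != local.fingerprint:
        return (f"{local.host}: local path presents {local.fingerprint[:12]}..., "
                f"but {count}/{len(others)} vantage points see {consensus[:12]}...")
    return None  # local view matches the wider internet
```

The notary check deliberately reports "no consensus" separately from "local path differs", since a site that legitimately serves different certificates from different data centres should not be mistaken for an interception.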
One of the most interesting questions raised by Packet Forensics’ product is how often governments use such technology and whether Certificate Authorities comply. Christine Jones, the general counsel for GoDaddy – one of the net’s largest issuers of SSL certificates – says her company has never gotten such a request from a government in her 8 years at the company. “I’ve read studies and heard speeches in academic circles that theorize that concept, but we never would issue a ‘fake’ SSL certificate,” Jones said, arguing that would violate the SSL auditing standards and put them at risk of losing their certification. “Theoretically it would work, but the thing is we get requests from law enforcement every day, and in the entire time we have been doing this, we have never had a single instance where law enforcement asked us to do something inappropriate.”
VeriSign, the largest Certificate Authority, declined to comment.
Matt Blaze notes that domestic law enforcement can get many records, such as a person’s Amazon purchases, with a simple subpoena, while getting a fake SSL certificate would certainly involve a much higher burden of proof and technical hassles for the same data.
Intelligence agencies would find fake certificates more useful, he adds. If the NSA got a fake certificate for Gmail – which now uses SSL as the default for e-mail sessions in their entirety (not just their logins) – they could install one of Packet Forensics’ boxes surreptitiously at an ISP in, for example, Afghanistan, in order to read all the customer’s Gmail messages. Such an attack, though, could be detected with a little digging, and the NSA would never know if they’d been found out.
Despite the vulnerabilities, experts are pushing more sites to join Gmail in wrapping their entire sessions in SSL.
“I still lock my doors even though I know how to pick the lock,” Blaze said.
Dr. Augustine Fou is Digital Consigliere to marketing executives, advising them on digital strategy and Unified Marketing(tm). Dr Fou has over 17 years of in-the-trenches, hands-on experience, which enables him to provide objective, in-depth assessments of their current marketing programs and recommendations for improving business impact and ROI using digital insights.