Michael Barrett on Web 2.0: This stuff scares the hell out of me


Summary: When Michael Barrett (CISO, PayPal) heard that Eric Nolin was putting on Defrag, he called up and said "I'd like to come and talk because this stuff scares the hell out of me." His key messages: (a) we're doomed to repeat history if we ignore it and (b) security is hard.


Michael Barrett at Defrag

When Michael Barrett (CISO, PayPal) heard that Eric Nolin was putting on Defrag, he called up and said "I'd like to come and talk because this stuff scares the hell out of me." His key messages: (a) we're doomed to repeat history if we ignore it and (b) security is hard. Not exactly earth-shattering news, but news we're inclined to ignore in our giddy rush to find new uses for the Web.

Michael puts up a rogue's gallery of protocols that got security wrong: telnet, SNMP community strings, Kerberos, and WEP. He says of WEP: "What were they thinking?" WEP cost TJ Maxx somewhere in the $200 million range. He adds OpenID to the list: used outside a few specific use cases, OpenID is open to phishing attacks (a malicious relying party can send the user to a look-alike provider login page and collect the password).

The Web 1.0 standards are broken: you can't write a safe Unicode web app. Most Web sites are vulnerable to cross-site scripting. It's impossible to write software that fully validates its inputs and screens its outputs. DNS poisoning is a threat on any network, especially open ones. How can you build secure e-commerce when 30% of the endpoint PCs on the Internet are compromised?

What's worse, nothing in Web 2.0 has done anything to fix the Web 1.0 issues; it has simply given us more poorly executed protocols and standards to worry about. He offered a couple of examples.

The problem is exacerbated by the fact that even well-designed protocols get implemented poorly by programmers who don't fully understand them.

Of course, there's no silver bullet. A very reliable source recently told Michael that the worldwide take from electronic crime is now higher than that from illegal drugs. The bad guys are extremely well funded and the take is huge. As a result, the problem is likely to get worse, especially if we ignore it.

Topics: Wi-Fi, Browser, Networking, Security



  • Phishing scares me


    Just to inform every one of a possible solution at Tsert.com,

    We call our protocol the SALT protocol. It simply uses
    the crypting algorithm in combination with the SALT
    value as a certificate.

    Pierre Inocent
  • Wow...

    an exec that gets it. There may be hope for Paypal. Too many execs forget about the risks when the dollars start rolling in. With the high turnover rate in corporate America, you see the same mistakes repeated time and time again. Paypal needs to make sure this guy stays put.
  • RE: Michael Barrett on Web 2.0: This stuff scares the hell out of me

    Paypal needs better protection than what they have now. There is no FDIC coverage from Paypal if your bank accounts are compromised through security breaches.
  • Perhaps if...

    Perhaps if PayPal didn't require sellers to expose their e-mail address to spam harvesters in order to use the PayPal shopping cart, I could believe they were dedicated to improving security.

    How hard would it be to give sellers an identity code to use for this instead of their PayPal e-mail address?
  • Journalists should know grammar

    "It???s impossible to write software that fully validates it???s inputs and screens it???s outputs."

    It???s ill-advised to write a column without fully validating your grammar.


    it's inputs ---> its inputs

    it's outputs ---> its outputs
    • Here's a usage hint

      Simply: if its use is possessive, no apostrophe; if it's a contraction, then put in an apostrophe.

      Unfortunately, Verbila's post contained spurious characters ("It???s", probably from the Mac's variant of ASCII for smart quote characters.)
    • Why do we appear to have

      a "grammar fairy" every time someone misspells a word or uses incorrect syntax? It is extremely annoying, not responsive to the main theme of the article, and I defy anyone to proclaim that they have never, ever, found typos in a text they have typed, especially when typing in a hurry. I believe I speak and write English fairly well (although it is my fourth language), but I make syntax errors and misspell words occasionally. Please give others a break!

      With regard to the subject matter of the article, one of the reasons I refuse to use Paypal is their "validation" requirement, where you have to provide them access to checking account information. Apparently, a credit card is not enough. There is no way I would ever let Paypal or anyone else obtain and keep on file my checking account information, especially since we all know there is no such thing as perfect security.
  • Clean up your own backyard

    Given I've recently been scammed through Paypal for US$300 and given the run-around by Paypal's poorly trained and blocking customer service staff, I'd like to see them expend efforts on cleaning up their own backyard before they begin criticising others.

    I've totally stopped using the service as if it doesn't offer buyer protection, it offers nothing.

    At least Web 2.0 apps don't offer a promise they don't keep.
    • Customer Service?

      PAYPAL does not even know what the definition of CUSTOMER SERVICE is!! In my past dealings with those idiots, it's blatantly obvious they don't give a damn about anyone but themselves!!

      They intentionally make it difficult to contact them and go through any kind of resolution process, hoping that you will just go away before they have to refund your money.

      Having had a previous account (before EBAY bought them) hacked, I refuse to give them any kind of "access" to a live checking account since banks don't offer the same "protection" that a Credit Card does. ONLY link them through a Credit Card; preferably one of those TEMPORARY ones that your actual card issuer will generate for you online.

      That way, even if the hacker gets the card number, it will be useless to them since it is locked to the single merchant it is first used with; plus the credit limit is set by you. Also, without a "confirmed account" they won't be able to 'SEND' themselves money, only pay for an EBAY purchase.
      • Lost 1000.00 through Paypal

        A few years ago I had 1k stolen from me through my Pay Pal account. They were actually the ones that notified me about it and refunded the money within a few days with no problems or hassles for me. I still to this day haven't figured out how it was done (I hadn't used it in months or even thought about it) but the reason they figured it out was because the person that did it tried to add a stolen credit card to my account.
        I don't know what Pay Pal was like before Ebay bought them but I haven't had any complaints since I started using it.
  • Simplify

    If (ALL) programmers would make things more simple instead of more complicated then there would be some hope.

    Also, keep in mind that a digital ID is nothing more than a DRM on the user.