Privacy: A house of cards?
We all know the feeling of being locked out of something--and of having a vision of a savior, somebody who gets us out of the bind. The person who bails us out might be a building manager with a master key, a locksmith lugging a toolkit a safecracker would envy, or a tow truck driver wielding a slim jim to pop a locked car door. Helpful folks for sure, but all of these life savers have one thing in common--and it worries me. They all have a tool that they use to do good things, but put that tool in the wrong hands, and the result could be significant losses for a lot of innocent people.
Take that notion, and then make believe that same key works in every keyhole of every door in your house, the ignitions of your family's cars, and all your bicycle locks. Hard to imagine? This is what a single sign-on technology like Passport is.
While there's no such thing as a risk-free security scheme when it comes to securing your privacy or that of your customers, the degree of risk you assume does, indeed, vary depending on the scheme you choose. Risk is directly proportional to convenience. At one end of the spectrum, you could have 20 keys, one for each thing you need to secure. If one key is lost or stolen, 19 of the 20 things still remain relatively secure. Carrying around 20 keys is pretty inconvenient, not too different from having to remember 20 passwords. And you know how inconvenient that is.
So, for the sake of convenience, we often make master keys to use in place of our myriad passwords. We use the same password for everything we need to access: our ATM cards, our network login, and various other devices and services that require PINs, IDs, passwords, and so forth. This security scheme, while convenient, is a house of cards. The security of everything behind that PIN--or master key--hinges on a single point of potential failure.
So, when we opt for convenience--which most of us do--we often take extra measures to keep our master keys out of the hands of the bad guys. We don't leave that PIN lying around on a sticky note or even give it to family members. We know that if it gets out, our assets could be at risk.
Even if someone got hold of our master keys, it might take a while before any serious damage could be done. Assuming the bad guy also had your ATM card, he'd have to go to an ATM machine to clean you out. Then, provided he had also scarfed your social security number, he could use a phone to dial several institutions, navigate some menus, and wreak havoc with your accounts. But all that would take a while.
But when most of the damage can be done from an Internet-connected computer, enormous damage can be done in a matter of minutes. That's the main point of Rash's column. Your single sign-on data is kept encrypted in the Passport Data Center, a series of distributed servers run by Microsoft. But when the bad guys realize just how much there is to be gained in so little time, they're going to be a lot more interested in compromising someone's security scheme.
With Passport being such a critical part of Microsoft's .NET strategy--a strategy that the company is betting its future on--the company has made it clear to us that it believes Passport is secure. But as Rash points out, Microsoft also admits that the Windows operating system can be exploited in a number of ways that could result in the master key falling into the wrong hands. Microsoft also said that the problems would be corrected in forthcoming versions of Windows. It sounds to me like the company is willing to sacrifice a few foot soldiers to protect its core strategy.
Hal Howard, Microsoft's general manager for Passport, feels that Rash is unfairly vilifying the company. Howard says, "Rash's column starts from the premise that if I can install software on your machine, I can compromise your security. This is true of any operating system: the Mac, Unix, or Windows. It doesn't matter. Once I install software on your system, I can do bad things."
True. But the reason Microsoft's feet are being held to the fire is because--for the first time in the history of our industry--a company is planning to mass deploy a single sign-on technology that unlocks significant transactional capabilities.
My question is, why should I care which of the Microsoft technologies on my computer is vulnerable to this kind of attack? If Microsoft can fix the vulnerabilities in forthcoming versions of Windows, then it should fix them now for existing versions of Windows, too.
According to Howard, there are changes coming, and they can be expected to be retroactive to some versions of Windows (most likely those based on the NT codebase: NT, 2000, and XP). These improvements, Howard says, "include a secondary PIN that cannot be stored on the client device that Passport-based services could require of its users. Also," adds Howard, "we said a number of times that we are going to add a certificate infrastructure that can be hardware or software-based." Once deployed, users who elect to use it won't be able to log in to Passport without the presence of a unique hardware-based (such as a PC card) or software-based certificate. Howard also said that Microsoft is looking into biometrics (fingerprint and retinal scanners) as well.
But while we wait for these measures, I have to agree with TechUpdate reader Dan Juroff. In his letter to us, Dan argues that in cases like this, software products need the equivalent of a surgeon general's warning. If it can't be fixed, then Microsoft is responsible for clearly communicating in no uncertain terms where the vulnerabilities are, exactly what could be compromised, and what users should do about it. Neither Windows nor Passport has adequate warnings, disclosures, or disclaimers.
Howard agreed that there's a need for better communication. "We need to step up and educate users more on what the basic things they can do to protect their own security. But users rarely install those things. We are trying hard [to get the word out] when a new vulnerability happens. But more can be done."
Howard's right. Despite well-publicized recommendations on how to bulletproof desktop systems, not enough end users actually follow through. So, while we wait for more to be done, you have a couple of action items. If your company is considering Passport-enabling your service as a convenience to your customers, go to whatever lengths are necessary to disclose the potential risks of using a single sign-on technology. Then, be sure to implement the optional secondary Passport PIN for all transactions. Microsoft calls this SecureKey.
If you're an end user, carefully weigh the risk of using a single sign-on technology against the convenience. Windows 95, 98, and ME are more vulnerable than versions of Windows based on the NT codebase. If you're not already using Windows 2000 (or XP), this may be as good a reason as any to upgrade. Remember that no security scheme is infallible. Practice safe computing. Keep your operating system and applications (especially e-mail) up to date with all the latest security patches and install that personal firewall now.
What do you think? Share your thoughts with your fellow readers at ZDNet TechUpdate's Talkback, or write directly to david.berlind@cnet.com.