Avi,

This is an excellent question, which I've been mulling over the past few
weeks... after taking a few days, here are my thoughts and concerns with Web
2.0... 

-------------------------------------
Web 2.0 vs. Privacy & Security
Permalink:
http://www.secureconsulting.net/2007/01/web_20_vs_privacy_security_1.html

I've been thinking a lot lately about the impact of Web 2.0 on information
security. I've read Tim O'Reilly's seminal "What Is Web 2.0" article that
defines this new trend. I've attended Dion Hinchcliffe's Web 2.0 training.
I've read (most of) The Long Tail and The World Is Flat. I get it. I
understand this new surge in the Internet economy. I see myriad
opportunities for monetization for anything that can be sold effectively
online, for ad revenue, for social networking, and for further redefining
the customer relationship experience.

In the end, I do not see how any of this changes the fundamental issues
within Privacy and Security. It does, however, potentially make things
worse. Here's my take on some of these fundamental issues:

* The Web 2.0 Paradox: Consumers are encouraged to push all their data to
the intarweb, blindly trusting that corporations will handle that PII, etc.,
properly. Yet, the corporations do not have a fully vested interest in
actually spending much money to protect that data. Corporations encourage
this behavior because the more consumers push their data out, the more
reason they have to visit the recipient sites, resulting in more uniqs and
increased ad revenue. However, at the same time, these same corporations are
declaring caveat emptor. They expect consumers to read and understand all
shrinkwrap licenses/agreements (written by corps, for corps), and they also
expect consumers to back up their own data. As technologists we think "yeah,
so, I know how to deal with this, and kids growing up with this should,
too." Ok, I agree, but to a certain point. We still have an intermediary
generation that has not grown up with this technology, but likes to avail
itself of new technology. There are limits to what education, training, and
awareness can do for them.

* Dumbing Down the Consumer: I'll be the first to admit that kids these days
understand and use technology in ways that I find amazing. However, I also
do not believe that these kids understand the security concerns inherent in
these advances. Studies are starting to show that kids understand privacy
issues (see here). But what about security? It's unclear that there is a
commensurate expectation that corporations will properly protect and handle
PII. At any rate, one of the goals of Web 2.0 seems to be lowering the bar
for technical savvy in order to participate in this ever-expanding world.
For corporations, this is a Good Thing (tm). The less savvy a user has to be
to leverage a site, the broader the audience that can be reached, meaning
the easier it becomes (in theory) to monetize the offering. But, in
providing these easier interfaces (albeit with potentially greater end-user
control), we are effectively decreasing the technical competency of the user
pool, increasing the likelihood that people won't fully understand what
they're up against, they won't appreciate the inherent security and privacy
concerns, and they will blindly trust that corporations will behave
properly, even if they have no fiscal motivation to do so. In essence, the
average IQ of the Internet population decreases with the ubiquity of access
and increasing simplicity of site navigation.

* Dumbing Down the Developer: In addition to making the interface easier for
the consumer, we're also seeing tools developed that make coding and
creation a much easier prospect. Which is all good and fine, if people know
what they're doing. But there is an inherent danger in having a decreasing
number of corporatized people creating tools for the mass development world.
Do we really trust these tools? Do we know what they really do? Salon.com
had an article about this in September titled Why Johnny can't code. Also,
what happens if the tool everyone is using has introduced a flaw in all the
apps/sites that it was used to create? Now we see the platform extended
beyond the OS to the development tool, and face potentially the same types
of problems that malcode has represented for decades.

* Legislative/Regulatory Catch-up (or About Face?): Especially in the U.S.,
legislation and regulations are still behind the curve in protecting
consumers from data mishandling. The EU is definitely tracking on this
better. For example, Germany has a law that states that all PII is owned by
the consumer, not the corporation. This includes billing records. As such,
if a consumer cancels service and requests that their data be deleted, the
corporation is legally obligated to remove all that information, including
from archives/backups. This law exemplifies the Web 2.0 mantra that the
consumer owns the experience. We need more laws like this.

* Data Security: The full gamut of traditional concerns apply, but are of
even greater importance. While corporations may not have a legal or
regulatory driver to protect consumer data, their reputations are
increasingly at stake based on what they do with the data entrusted to them.
As such, access management, data privacy protection, backups, business
continuity, and application security (including secure coding) should be top
concerns. The sooner companies realize, understand, and accept that security
threats are a direct influence on the bottom line, the sooner the Web 2.0
giant can be aligned with sound security practices. The sooner we can make a
coherent financial argument to executives on this correlation between the
bottom line and corporate success, the more successful we will be in getting
security best practices integrated into development and operational
environments. This issue perhaps sounds remarkably familiar (it is). The
twist, however, is that Web 2.0 puts an increased focus on the
consumer-driven experience. Betray the consumer and you may lose your
business altogether. This reality is closer today than it was 7 years ago
when the bubble burst.

* The Externality Game: Bruce Schneier has spoken numerous times about
security as an externality. If the corporation doesn't feel pain in
mismanaging data or trust placed with them, then what's their motivation in
conforming to good practices? Ultimately, the solution is a combination of
consumers taking control of the fate of corporations and government placing
legislation with significant financial penalties in place to protect those
consumers. Fortunately, Web 2.0 provides a new, unique method for consumers
to flex their might in influencing other consumers to boycott or avoid badly
behaving corporations. However, corporations still aren't fully motivated or
required to disclose their bad behavior, meaning consumers can't always be
well-informed. Tools like seller rating systems go part of the way toward
remedying some of this concern, and now it's just a matter of new mashups
being developed to extend this further.

* Chasing the Data: One of the key tenets of Web 2.0 is the concept of
mashups - a 3rd party site that pulls together information and/or services
from 2 or more sites into one dynamic interface. I think we'll continue to
see the growth of this approach in the coming years. It opens up one big
headache for consumers: where's the data actually being stored? If I visit a
mashup site, the potential exists that data I share through that site may
not actually be saved on that site, but could in fact be saved at a
combination of the 2+ sites that are being mashed up. Just because I have an
agreement that I understand with the mashed site does not necessarily mean
the same thing for the original sites that are being pulled into the mashup
(or vice versa - liking agreements on source sites does not equate to liking
the mashup site's agreement). This may also introduce issues of downstream
liability. And then there are the potential issues with aggregation. What if
mash-up siteA is leveraging siteB and siteC that are actually owned by the
same mega-corp? The consumer may not want mega-corp to have their aggregate
data, yet will be unwittingly sending it over.

* Who Owns the Layers: Just a brief point here, without getting into
corporate politicking. Have you noticed the return of the telecom monopoly?
AT&T and Verizon come to mind, as does the whole Net Neutrality battle. One
company may own your experience at Layers 1-3. Corporations providing these
great "free" Web 2.0 services own Layers 6-7. P2P and file sharing protocols
are being attacked by the ever-popular targets RIAA, MPAA, and their crutch
the DMCA. To quote a friend, "The only thing we're free to do is establish
sessions and close them, everything else has somebody's paws on it." This is
perhaps the great irony of Web 2.0. It looks and feels like FOSS, until you
start looking closely and realize that the whole thing is owned end-to-end
by corporations. Unless a law comes along that stipulates that the consumer
owns their data at all times and in all places, then corporations are going
to assume otherwise.

* Universal IDs: One of the hot new things is OpenID and how the consumer
now can have a universal ID which they control. All good and fine, but this
OpenID also lowers the bar for consumer profiling. And, with the beauty of
the information age, this also means that we can profile in an extremely
granular way. But where do we stop? For example, what's to stop Law
Enforcement from creating their own mashup (for their use only, of course),
using an OpenID to track individuals, perhaps to the point of seeking
so-called "terrorists"? Maybe this sounds ok on the surface, until we
imagine the abuses, such as China has pursued for decades in suppressing
free speech. If a consumer speaks out on their blog against the current
government, what threshold will need to be crossed before the government
identifies them as an agitator? This is not to say that there aren't
potential benefits, particularly in terms of unlocking the long tail to
market better to consumers. It just provides the start of the slippery slope
argument. We need to keep in mind the need to balance civil liberties against
universal trackability. Why does privacy need to be an illusion?

(*Note: A special thanks to my friend Bob Alberti of Sanction, Inc., for
proof-reading and providing input on this posting.)

---
Benjamin Tomhave, CISSP, NSA-IAM, NSA-IEM
[EMAIL PROTECTED]
Web: http://falcon.secureconsulting.net/
LI: http://www.linkedin.com/pub/0/622/964
Blog: http://www.secureconsulting.net/
Photos: http://photos.secureconsulting.net/

"We must scrupulously guard the civil rights and civil liberties of all
citizens, whatever their background. We must remember that any oppression,
any injustice, any hatred is a wedge designed to attack our civilization."
-President Franklin Delano Roosevelt

________________________________

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Avi Shvartz
Sent: Thursday, January 25, 2007 2:06 AM
To: sc-l@securecoding.org
Subject: [SC-L] WEB2.0 Security Issues

Hello list,

Lately I read some articles that cover WEB2.0 from various aspects
(social, technical etc.).

What I am missing is a reference to security & privacy issues
related to WEB2.0.

I would like to hear opinions on what the new security & privacy
concerns are that WEB2.0 creates and, if possible, links to relevant
resources.

Thanks,

Avi


_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
_______________________________________________
