Saturday, May 13, 2006

The End of the SSN

It seems that Congress is getting a little antsy about identity theft. They know that things have gone too far when people are selling SSNs for fun and profit. They know that the use of the SSN has gone too far when people can discriminate against you because you refuse to reveal your number. But when a treasure trove of identity information is found on a server on the internet, you know that Congress wants to cover their behind.

So they're writing legislation. It appears they now want to limit the sale and use of the SSN. How nice. Oh, wait. They also want to make it illegal for people to refuse to do business with you if you refuse to reveal your SSN. But only in certain cases. Still, it's a start.

Everyone has a number. And even though that number is required as a matter of survival in this country, it's required to be disclosed in so many places that often, it lands on public documents. On the Internet.

Now it looks like they are so bold as to stash huge stores of identity information on FTP sites. You may be familiiar with websites, but long before there was the web protocol, http (Hyper Text Transport Protocol), there was FTP (File Transfer Protocol). It appears that Webroot has found a hoard of stolen identities ready for sale. Where did all this come from?

It came from an army of zombie computers compromised to the point of being useless. And it came from careless users and programmers. First the programmers. It is well documented that Windows is running on 90% of the world's PCs. It is also well documented that Microsoft has long preferred to program for convenience over security. And now they're paying for it. And so are we.

The other half is users. Most users, without really being properly informed, are running as administrators on their machines. "Administrators?" There are essentially two classes of users in Windows (and linux): admins and users. Admins run the show. They can make any changes they desire to the computer. Users can't do squat. They can only create, manage, and modify documents. But they can only dream about installing software on your computer.

When you run as an admin and surf the web, malware (viruses, trojans, adware, spyware, etc.) can install itself on your computer without telling you. You may be prompted to click okay to install software, but it is unlikely you will get any warning. Then once it's installed, it's difficult if not impossible to remove the buggers.

Now if you run as regular user, and you run into something trying to install itself on your computer, you will be prompted to do so with administrators privileges. If you don't have this power, the virus, trojan, whatever, can't install itself on your computer and you get a warning that something is happening. In order to do so, privilege escalation has to occur. That means that the virus has to elevate its privileges from user to administrator. On most systems, remote privilege escalation is difficult if not impossible.

The point of this article is that sure, identity theft is a real threat to your well being, and yes, programmers need to do a better job of protecting your computer. Like Microsoft programmers. But what really needs to be done is better education of the people who use the computers in the first place. And if people do not actively seek out this information, in the end, they have to take responsibility for their own brains. Siimply legislating the problem away is not enough.

Scott Dunn
Post a Comment