The problem is self-signed certificates.

A CA is not a great solution:

Using a Certification Authority (CA) could solve the attack but at the same time introduces a new set of attack vectors:

1. The CA becomes a single point of failure. It becomes the juicy/high-value target for the attacker. Single point of failures are not good. Attractive targets are not good.

   Any person with access to the CA key can undetectably fake passports. Direct attacks, virus, misplacing the key by accident (the UK government is good at this!) or bribery are just a few ways of getting the CA key.

2. The single CA would need to be trusted by all governments. This is not practical as this means that passports would no longer be a national matter.

3. Multiple CA's would not work either. Any country could use its own CA to create a valid passport of any other country. Read this sentence again: Country A can create a passport data set of Country B and sign it with Country A's CA key. The terminal will validate and display the information as data from Country B.This option also multiplies the number of 'juicy' targets. It makes it also more likely for a CA key to leak.

   Revocation lists for certificates only work when a leak/loss is detected. In most cases it will not be detected.

So what's the solution? We know that humans are good at Border Control. In the end they protected us well for the last 120 years. We also know that humans are good at pattern matching and image recognition. Humans also do an excellent job 'assessing' the person and not just the passport. Take the human part away and passport security falls apart.

Eye-Fi divided its Wi-Fi SD card line-up into three parts earlier in the year: Home, which transfers to a computer ($80); Share, which uploads to a computer and to Eye-Fi's servers, which relay them to gallery, print, and social services ($100); and Explore, which ties in Wi-Fi positioning and one year of a Wayport hotspot subscription for uploads ($130). I wrote a long review of the Eye-Fi Explore on 12-Aug-2008.

If you bought a Home, you can upgrade to the Share service for $10 per year, and if you bought either a Home or Share, you can add geotagging for $15 per year and hotspot access for $15 per year. It's a smart move, since original Eye-Fi card buyers already had a firmware upgrade that converted their card into a Share model; they'll now be able upgrade to the full featureset. This is something I thought the company was offering at launch months ago, and I speculated it would be easy to add.

Eye-Fi also added two new photo sharing services: Apple's MobileMe and AdoramaPix. I cannot think of any other firm that Apple has partnered with to allow direct MobileMe uploads, although this may be technically less a big deal than it sounds. But I believe it's unique--only the iPhone and iPhoto software can transfers images into MobileMe's galleries; I'll need to investigate further. It's a good feather in Eye-Fi's cap.

Finally, Eye-Fi says they'll release tweaked firmware on 5-Oct as well that will double the speed of photo transfers from their cards to a computer on the local network.

So, what are we hoping to gain by creating a network of security consulting and training experts to work with customers who want to implement the SDL?  Generally speaking, this question has a two-part answer:  First, Microsoft is, and always will be a partner-driven company - we rely on the skills and capabilities of our partners to provide specialized services and broad geographic coverage for Microsoft products and services.  Second, even though there are talented folks in the Microsoft Services organization, it's clear that we will need help from our partners to scale to meet the demand.  I can't tell you how many times the folks on the SDL team have been approached by people - after an executive briefing, or a session at TechEd - asking for guidance in implementing SDL in their own organizations.  When we look at the demand and pair it with the geographic diversity of our customer base, it's clear that a partner approach is the right answer.

Now a few words about the partners who will be participating in the pilot phase...

After the decision was made to work with partners on SDL delivery, we had two primary criteria that we had to address; partner quality, and manageability of the SDL Pro Network pilot. We have all seen instances where individuals or consulting organizations have represented themselves to the IT community as having security expertise when in reality the "experts for hire" were simply reading a page or two ahead of the customer in whatever security tome was "in vogue" at the time. 

Based on those observations, it was clear that partner "quality" was a critical criterion.  Fortunately for us, we didn't have to look far to satisfy our quality bar - many of the companies in the SDL Pro Network pilot have direct experience with executing portions of the SDL on our products, or have delivered services to Microsoft in a security context. Design reviews, code reviews, penetration testing, training and other tasks critical to SDL implementation were (and are) common fare for these folks.

Despite the customer demand for SDL that I alluded to above, starting with a small pilot was the right thing to do; a small group of trusted consultancies supports our imperative for quality and it allows us to pragmatically grow the SDL Pro Network as the market matures.  As we continue to evolve and innovate with the SDL, we'll have a strong core of partners to help drive the software security message.

Will we grow the SDL Pro Network?  The qualified answer is: "When the market demands it..." - there are a number of talented potential partners who meet the quality bar - and clearly, the need for security in software development will grow to demand additional talented specialists. However, it's our plan to begin with a small set of partners of known expertise, and then respond to growing demand as it materializes.

So there you have it - the nuanced beginning and bright future of the SDL Pro Network...  I invite your comments, and encourage you to check in at the SDL Portal as we continue to build out the program

When an alternate email account or cell phone number is not tied to an account, online services often use personal information, supposedly only known by the account holder, to verify identity and reset a password. The risk here is the personal information is often known to other individuals and if the account holder is a public figure then the information may be easily researched. Birthdays, names of pets, locations of homes, schools, and events can often be discovered online or guessed.

Paris Hilton’s T-Mobile account, and thus all her Sidekick cell phone contents which were mirrored online, was compromised when someone “guessed” the answer to her secret question. The secret questions was, “What is your pet’s name.” The answer of course was, “Tinkerbell”. Something easily researched. Many people would not have their pet’s name online but friends, family members, or perhaps an ex would know the answer. Using a pet’s name is a very bad security practice.

Now we have Sarah Palin, another public figure, having her online account compromised because someone used the password reset functionality and guessed the answer to Sarah Palin’s secret question. This is how the attacker says he found out her personal information and guessed the answer to her secret question. He details this on 4chan.org:

rubico 09/17/08(Wed)12:57:22 No.85782652

Hello, /b/ as many of you might already know, last night sarah palin’s yahoo was “hacked” and caps were posted on /b/, i am the lurker who did it, and i would like to tell the story.

In the past couple days news had come to light about palin using a yahoo mail account, it was in news stories and such, a thread was started full of newfags trying to do something that would not get this off the ground, for the next 2 hours the acct was locked from password recovery presumably from all this bullshit spamming.

after the password recovery was reenabled, it took seriously 45 mins on wikipedia and google to find the info, Birthday? 15 seconds on wikipedia, zip code? well she had always been from wasilla, and it only has 2 zip codes (thanks online postal service!)

the second was somewhat harder, the question was “where did you meet your spouse?” did some research, and apparently she had eloped with mister palin after college, if youll look on some of the screenshits that I took and other fellow anon have so graciously put on photobucket you will see the google search for “palin eloped” or some such in one of the tabs.

I found out later though more research that they met at high school, so I did variations of that, high, high school, eventually hit on “Wasilla high” I promptly changed the password to popcorn and took a cold shower…

Best practices for setting up the password reset functionality of any online service:

1. Tie an account to another email account or cell phone number if that is an option. This will cause the service to send an out of band message and in essence make the password reset a 2-factor authentication.
2. Do not use any personal information that can be guessed as the answers to secret questions. Treat these answers like passwords. Don’t use dictionary words. Add some numbers or symbols to the answer. For example is Sarah Palin had used “Wasilla high 1964″ or “!Wasilla high!” it is far less likely it would be guessed. Pick a scheme to modify your secret answers so they aren’t guessable.
3. Try resetting your password. See if there are downgrade attacks which make it easier to reset the password. Yahoo for instance will allow you to specify that you don’t have access to the email address tied to your account and thus not send a password reset email. Since an attacker can do this the safety of using another account is eliminated thus making the answers to the secret question all that more important.

Apple added access for iPhone and iPod touch users to a subset of its iTunes Store over Wi-Fi--the awkwardly named iTunes Wi-Fi Music Store--more than a year ago, along with the ability to access that store at no cost from handhelds and laptops via Starbucks outlets in New York, Seattle, and throughout the San Francisco Bay Area. (Chicago and Los Angeles have been "coming soon" for a year, but the new AT&T/Starbucks deal may have delayed opening up those markets.)

Terrestrial AM/FM radio stations would like to figure out how to remain meaningful in a world of streaming Internet radio. Their latest strategy is to embed information that allows a listener to mark a song they want, potentially getting a piece of music sold in this fashion. With FM tagging, Zune players tap into an existing very low-data-rate encoding protocols that allow stations to push out their call letters and current song information. By adding a very short code, broadcasters can allow Zunes to look up the appropriate song.

At launch, 450 stations from major networks, including Clear Channel, Entercom, and others, will broadcast tagging details. Note that Microsoft includes KEXP, a Seattle independent and alternative radio station, in its sample image, for the new models. KEXP, given a boost a few years ago through significant short-term funding by Paul Allen--funding that involved changing its call letters to his Experience Music Project museum initials--has an enormous listenership over the Internet ironically enough. KEXP will be a programming partner creating channels of music for the subscription-based Zune Pass service. (Zune Pass is $15 per month, all you can eat.)

This option could allow Microsoft to ink partnerships with hotspot networks to brand them with Zune compatibility, lets radio stations promote something other than iPods that they would have a direct relationship with (and, potentially, some kind of revenue stream from?), and may be part of breaking Apple's digital music hegemony. May be. Nobody's gotten rich betting against Apple for the last several years. (Details of revenue sharing with radio stations hasn't been discussed.)

Apple opted for a partnership with HD Radio broadcasters and equipment makers that has a relatively elaborate process of tagging songs. HD Radio is digital AM/FM, a patented and licensed method that has provoked a lot of controversy, and has lagged enormously in the marketplace, despite well over 1,000 stations (including many public radio stations) broadcasting in this digital format, some for over three years.

HD Radio tagging requires an HD radio receiver with a Tag button; pressing that button stores the song's tag information. The radio must also have an iPod dock. Docking an iPod syncs the tag information, and the next time the iPod is sync with iTunes, you can see which songs were tagged. Kind of tedious compared to "press a button while listening to an FM station and buy the song over Wi-Fi." (I've been writing about HD Radio for years, and even launched a blog that's gone moribund; the technology is interesting, but Internet radio on mobile devices coupled with on-demand music purchasing over cell and Wi-Fi may simply make HD Radio unnecessary for listeners.)

Microsoft has a more compelling "marketing story" for this feature than Apple, that's for sure. On the other hand, do you really need to tag songs from stations that play only the most popular music in a given format?