Monday, May 19, 2008

Historic perspective to mobility security problems

While reading an excellent performance audit report about Finland’s failed PKI project (more about that later), I remembered an old project I once worked on. In the late 90s web applications were an extremely hot new thing, and the project’s target was to create a browser solution that citizens could use to change their contact details. Somebody had decided earlier that the web solution must be very secure and that all transactions must be strongly authenticated to ensure that no false data could ever be entered into the system. Because of this security requirement, the project had to use a PKI solution with Finland’s brand new certificates, identity cards and card readers. Obviously that ensured that the browser solution was very well secured.

However, browser access wasn’t the only channel for changing a person’s contact data. Instead of using the highly secure browser solution, a citizen could pick up the phone, call the customer care center and ask them to change the data. No passwords asked, no certificates needed; just give them the new address and the change was done.

The thing that I didn’t understand at that time (and I still don’t) was that browser access was ranked very insecure and potentially dangerous, while the old channel completely lacked user authentication and still there were no problems because of false data or similar. What made the browser so dangerous in the late 90s?

I have a strong feeling that the browser was once dangerous because it was a new thing and all the risks related to it were overrated. What could potentially happen was interpreted as something that must happen. Now ten years have passed and the situation is much better regarding the browser’s risk assessment; of course the risks still exist, but the browser itself is not seen as so dangerous anymore.

What has taken the browser’s place as the very-dangerous-new-thing? Mobility of course! So many times I have been in a situation where a possible mobile solution has been ranked very dangerous to the organization - but at the same time the data is already available on the internet from a password protected browser page. What mobility would mean in this case is that the data would be rendered in a different way to ensure usability on a small device. The risk of losing the mobile device is real, but properly encrypting local data and/or using a mobile browser is a good real life solution.

Now mobile solutions are suffering from the same “new solution’s handicap” that the browser faced in the late 90s - if you don’t have time to wait until mobility becomes mainstream, you’d better work on your arguments and tell customers honestly what the real risks with mobility are. Perhaps the risk is that a competitor integrates mobility smartly into their processes and performs better than you?

//Harri

Wednesday, May 14, 2008

Phone as a security token?

It is a good thing to notice that other people have had the same ideas and, even more, implemented them. When that happens, the idea probably isn't totally useless.

This came to my mind today when I started to think about the mobile phone as a security token that could add a "something you have" dimension to the login process of a desktop terminal. In short, my idea was that the desktop computer could be constantly "pinging" a certain Bluetooth hardware address, and when that device is no longer available the desktop will automatically lock itself. Think about the following use case and you will get the idea: you are sitting at your office working at your desktop. Your colleague arrives and reminds you that the meeting is about to begin and you must rush. You grab your mobile phone and run to the meeting. Probably you forgot to lock your desktop and now anybody can use your user account.

An easy solution to this would be that if the desktop were pinging your terminal, the desktop would lock itself when the connection is lost. With Google I found some applications that are able to do this: LockItNow and BTWatcher.

Because the simple use case (locking the terminal when the Bluetooth connection is lost) is already implemented, I began to think about the reverse: unlocking the desktop when the mobile phone becomes available. Obviously that shouldn't be done just by discovering some device (about Bluetooth security issues, check this document).

What do you think about this idea: the desktop is unlocked after an identification over Bluetooth in which the desktop sends a challenge to the terminal, and the terminal signs that challenge with a PIN-locked client certificate and sends the response back to the desktop. This way it would be possible to implement a "poor man's secure id" system that adds additional security to the desktop environment. In addition to the username and password, the user must also carry a Bluetooth device with a known hardware address, that Bluetooth device must be able to accept and sign the desktop's challenge, and the user's client certificate must be correct.
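
The challenge-response step proposed above, sketched as an added example (not code from the original post or from any existing product). It assumes an Ed25519 key pair standing in for the PIN-locked client certificate, leaves out certificate chain validation and the Bluetooth transport, and uses a constructed hardware address; all type and function names are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"time"
)

type Desktop struct {
	addr    string            // enrolled Bluetooth hardware address
	pub     ed25519.PublicKey // assumption: stands in for the client certificate's key
	nonce   []byte            // outstanding challenge, nil when there is none
	expires time.Time         // the challenge is refused after this moment
}

// message binds a signature to this protocol, device address and nonce.
func message(addr string, nonce []byte) []byte {
	return append([]byte("desktop-unlock-v1|"+addr+"|"), nonce...)
}

// Challenge issues a fresh random nonce that is valid for ten seconds.
func (d *Desktop) Challenge(now time.Time) []byte {
	d.nonce, d.expires = make([]byte, 32), now.Add(10*time.Second)
	if _, err := rand.Read(d.nonce); err != nil {
		panic(err)
	}
	return d.nonce
}

// PhoneSign is the phone's side; the PIN prompt guarding priv is not modelled.
func PhoneSign(priv ed25519.PrivateKey, addr string, nonce []byte) []byte {
	return ed25519.Sign(priv, message(addr, nonce))
}

// Unlock consumes the challenge, then checks freshness, address and signature.
func (d *Desktop) Unlock(now time.Time, addr string, sig []byte) bool {
	nonce := d.nonce
	d.nonce = nil // single use: a captured response cannot be replayed
	fresh := nonce != nil && !now.After(d.expires)
	return fresh && addr == d.addr && ed25519.Verify(d.pub, message(addr, nonce), sig)
}

func main() {
	const addr = "00:11:22:33:44:55" // constructed sample address
	pub, priv, _ := ed25519.GenerateKey(nil)
	d, now := &Desktop{addr: addr, pub: pub}, time.Now()
	sig := PhoneSign(priv, addr, d.Challenge(now))
	fmt.Println("fresh:", d.Unlock(now, addr, sig), "replay:", d.Unlock(now, addr, sig))
}
```

A device that only presents the known hardware address fails the signature check, and a response recorded from an earlier unlock fails because each nonce is accepted once and only for a short time.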

Did I just reinvent the wheel - has this already been done?

//Harri

Tuesday, May 13, 2008

Mac OS X, parental controls and disabled network

This is kind of an off-topic posting as it doesn't have anything to do with the "standard" mobile issues. Nevertheless, I still feel this must be documented somewhere because I guess my kids are not the only ones who can't go online because of this bug/feature.

If you don't use Macs and/or you don't use parental controls you can ignore these notes.

Setup
A Mac computer running Mac OS 10.5.2 with user accounts that have parental controls enabled.

Problem
Suddenly the network connection ceased to work for accounts that have parental controls enabled. The network works OK for other user accounts.

What changed when the problem occurred
I got a new xDSL modem box from my network operator.

What has happened? 
Warning, nerdy stuff will follow!

When I investigated this issue I understood that web content filtering is done by an Apache proxy server that gets started if the user account has parental controls enabled, regardless of the web content filtering setting. In this case the Apache proxy failed to start, effectively disabling all network connections for users under parental control. In the console listing I found entries like "com.apple.familycontrols: httpd not running". In the apache2 log I found entries like "nodename nor servname provided, or not known: mod_unique_id: unable to find IPv4 address of "Macintosh"", which indicates a problem that prevents Apache from starting. My guess is that mod_unique_id tries to do a reverse DNS request to my new xDSL modem and that fails to give a valid response; hence Apache doesn't get a unique identity and quits. Discussion about the same issue can be found on Apple's support site. More info about mod_unique_id is here.

How to fix this?

Warning: messing around with root identity is potentially dangerous and you can do bad things if you are not careful!

Open a terminal window and gain root identity by giving the command
sudo su -
and give your password when prompted to do so.

Then change to another directory by giving the command (the quotes are needed because the path contains a space)
cd "/Library/Application Support/Apple/ParentalControls/ContentFiltering/"

In that directory, edit the file httpd.conf with the vi editor.
If you are not familiar with vi, you should perhaps Google for a vi tutorial first.
Locate this line:
LoadModule unique_id_module libexec/apache2/mod_unique_id.so
and comment it out by adding # at the beginning.

In vi that goes like this:
  • position cursor at the beginning of the line
  • press i
  • type #
  • press esc
  • type :wq
Now try to log in to the system as a user that has parental controls enabled. The network should work now - at least this helped for our two MacBooks.

Final words
I have very mixed feelings about this workaround/fix. I'm happy that I can open terminal and play around with configuration files. However, I have bought these Macs because I don't want to do that!

//Harri

Wednesday, May 7, 2008

Finland, strange(?) market for mobile solutions

There is a nice study available that draws an interesting picture of Finland's mobile environment. The study is highly interesting because of the quantity of data and the method used: the data has been gathered directly from an operator's systems for over 4.000.000 subscribers.

Here are some highlights from data:
  • Nokia's market share is >86%, first non-Nokia terminal ranked 57th
  • Nokia's market share in smartphones is >99%
  • Symbian penetration is 18%
  • Most popular terminal is Nokia 3310, N70 most popular smartphone
  • 1000 different terminal models used in mobile networks
  • 54% of S60 terminals are 3rd edition
  • 70% of terminals support Java
  • 17-19% terminals generate data traffic weekly
  • 92% of mobile data traffic comes from computers that use mobile phones as modems
  • When browsing with mobile terminal, content is mostly local
If you are planning to do mobile business in Finland, this report might give you something to think about.

//Harri

Compiled iPhonesque packages

Quick update: after several requests from readers I have compiled some versions of the iPhonesque application and uploaded them to my website.

The most important use case for this application seems to be avoiding operators' terminal type checks.

//Harri

Friday, May 2, 2008

Mobile audio guides

I like to visit museums, exhibitions and other attractions, and I have noticed that audio guide systems have nothing in common with each other. If a guide system exists at all, it is typically as close to chaotic as it could be: staff are too busy to help visitors, devices are not fully charged and the visitor runs out of power, one wrong key press and the language changes to something far too exotic, the volume level goes up and down without any reason, and so on. In short: the systems are unstable and they require way too much support from staff.

Why not use mobile phones instead?

Replacing museum audio guides with mobile phones is something that could make sense. There are many possible ways to implement this technically: people could call the museum’s audio guide number and then “press 1 if you are at the first floor” and so on. Another possibility is that people could download audio files to their phones and listen to them with the built-in audio player. As you might guess, there are lots of obstacles to this scenario (but none of them impossible to overcome), not least that people are uncertain about the costs of such a system and hence might not want to use it. Well, this will change over time.

Where could people then find the downloadable audio guides, as there is no default start page for museum visitors? This is a job that some talented web 2.0 guru could solve by creating a site where the museum community could post data and promote their offerings. Consider also that today museums try to get more revenue by selling small souvenirs and memorabilia to visitors; this site could be a new sales channel for museums and hence turn the old money-consuming audio guide system into a new source of income.

I saved the best part for last: this new portal & audio guide solution would open up the possibility of community-created museum-related content. No matter which museum you are about to visit, you can be sure that there is a very devoted group of people that knows everything about some special topic presented in the museum, whether it is pots, pans, sticks, dresses, paintings or whatever. Their voice can be made heard by a solution that would allow “community created museum audio guides accessible from global museum portal”. That would give museums a Long Tail (if you are fed up with long tail talk, I apologize. I couldn’t resist mentioning it here, because long tail this is).

//Harri