Sunday, May 25, 2008

The Women of Bletchley Park

Last Friday, I visited Bletchley Park, home of the WWII code-cracking team, now a somewhat tattered, yet still inspiring remnant of the glory days of Churchill's England.

On this visit, I was fortunate to encounter several excellent guides, including Tony Sale, former MI5 engineer, and the man behind the reconstruction of Colossus - the computer built to break Lorenz, the code used by Hitler and his generals.

Between witnessing a live demonstration of the world's first computer (which, unbelievably, still uses some of the original valves from the WWII period), touring the huts where Turing and his peers worked, and viewing a simply incredible array of artifacts, including several Enigma machines and replicas of the famous Turing Bombes, I enjoyed a terrific few hours.

However, during the course of the visit, I came across one fact that had somehow eluded me while reading several of the books that have Bletchley Park at their core: the pivotal role of women at Bletchley Park during the war.

According to the displayed HR logs, photographs, and anecdotal stories, more than 75% of personnel at Bletchley were female, including virtually all of the radio station operators, Bombe operators, motorcycle dispatch riders, analysts, and many of the code-breakers.

In the hut made famous by Alan Turing - Hut 8 - an excellent video is on display featuring Mavis Batey (nee Lever), one of Dilly Knox's "girls". Ms. Batey, who is now in her eighties, came up with one of the critical breakthroughs of the war - an inspired analysis that resulted in victory over elite Italian naval forces during the Battle of Matapan.

In the room next to it are several stories involving female leaders of resistance groups that Hollywood producers need to immediately check out. I had not heard of several of these women but was awed by their toughness - and sacrifice.

The one down point of the day occurred as my guide showed me the remains of the hut that housed the world's first computer - hut F. The only thing remaining is a concrete slab - the hut itself was knocked down by a housing developer in the early '80s. The rebuilt Colossus II is now housed in a hut a hundred yards from where the original stood.

It is estimated by some experts that the code-breaking carried out at Bletchley shortened the war by two years, and spared Berlin from an atom bomb. Whether or not that is true, what is clear upon visiting Bletchley Park is that this group of scientists, like those at Los Alamos, moved computing forward at an unprecedented pace in the years from 1938 to 1945.

Thursday, May 15, 2008

Protecting The (Brand New) User

Over the past few weeks, I've had the opportunity to meet with literally dozens of leading banks and financial service providers, as part of the Authentium SafeCentral rollout.

Authentium SafeCentral, for those unfamiliar with the service, provides consumers with a simple, highly-effective way of securing online banking and transaction sessions, by combining a locked-down virtual desktop with a secure browser and dedicated secure DNS network.

For the most part, banks are doing a good job of deploying and employing additional security layers and user authentication methods.

I witnessed a number of very practical and well-designed technologies, including several practical and well-designed out-of-band text-based transaction confirmation systems, and some terrific automated fraud and AML (anti-money laundering) controls.

However, one glaring gap in security that almost everyone agreed needs improvement is the issue of how to protect the personal data supplied by a "brand new user." Nobody I've spoken to has yet gotten this right.

Visit the web page of virtually any bank (except those that only allow branch-based processing of new accounts) and you'll see what I'm talking about. Most banks host multiple online application forms for credit cards, home equity loans, insurance, and numerous other products.

All require massive amounts of personal data to be entered at the time of application.

Which leads to a problem. At the time of the application, the only security is "implied" security - which is to say, the user assumes that the bank is somehow protecting them while they go through the process.

In actuality, both parties are "flapping in the wind" when it comes to this data transfer. Banks don't yet know their (new) customer, and cannot verify if the data is legit or stolen, and cannot protect the user using anything more sophisticated than an SSL session.

In the event of a breach, users, unfamiliar with the site, don't know they are being redirected to a phishing site, a spoofed sign-up page, or a page designed to serve up malware.

During this critical application process, the user is, for possibly the only time in the banking relationship, laying out every single personal detail, including the details most critical to their identity - for the world (and any installed keylogger or screen-scraper) to see.

Here's an example of how this can affect behavior - and the pace of account sign-ups.

While having a very pleasant lunch recently with the CTO of a billion dollar financial services firm, we got to discussing Mint (a service that we're both fans of, in concept), and discovered that neither of us had gone "all the way" through the sign-up process. We'd stopped short of plugging in our accounts.

Why? Security. The part in the sign-up process where you need to share all your passwords to all your bank accounts "in the clear" - without any prior relationship being in place with the company, and any knowledge of security processes - was just too scary for either of us.

Which is a shame, because the service Mint offers looks tantalizingly good.

Obviously, our service - SafeCentral - offers a possible solution here. And it wouldn't be an expensive solution. Offering it as part of a new account sign-up wouldn't cost Mint (or anyone else in the business of signing up new users online) anything - there's a 30 day free trial version.

And it would help those users (like me) that are deeply uncomfortable sharing personal data online - and help plug a hole that I am certain, based on my recent conversations, that online criminals are bent on further exploiting.

Whatever solutions are eventually utilized, these gaps for me loom larger every time I visit a financial services site. I feel for the (brand new) user, who has no way of knowing whether or not their personal data is going to be protected, or stolen, as a result of applying for a new service.

Lori Drew Indicted in MySpace Hoax

Several months ago in this blog, I predicted that US Federal authorities would find a way to prosecute Lori Drew, the alleged perpetrator of the Dardenne Prairie MySpace cyberbullying effort that resulted in the death of Megan Meier, her teenage neighbor.

My prediction was based on the fact that Drew's alleged messages undoubtedly traveled through the MySpace Los Angeles data center - a detail that I thought would enable Feds to take an interest in the case.

The good news out of Los Angeles today is that the Feds there have come to the same conclusion, and indicted Drew. I doubt this action would have been taken without some serious reflection on behalf of prosecutors, and careful examination of the evidence.

Regardless of whether or not Drew goes free at the end of this (I'm sure First Amendment free speech rights will form at least part of the argument for the Defense), Megan's mother Tina and the rest of the Meier family - and other families affected by cyber-bullying - can at least be comforted that some level of justice may be in sight.

Undoubtedly the case, when it comes to trial, will get massive media attention - and spur some attempts at legislation. Watch this (My) Space!

Note: On the subject of parental controls, I've been recently playing with a new version of Authentium's SafeCentral that enables parents to lock their kid's surfing choices to a manifest.

This service, which will hopefully launch this year, adds some new options to parents seeking to protect kids from some of the more extreme users (see above) of the more anonymous social networks, like MySpace.