Posted by Rob Slade on February 24, 2015.
I got a message the other day from an old friend. He left the country over four decades ago, and I’ve only seen him once, since, fairly shortly after he left.
I’m unfollowing a celebrity on Twitter today.
(Yes, of course I am going to relate these two events to each other. And to security. Compose your soul in patience.)
The celebrity account on Twitter has some amusing quotes, and sounds like the character that the actor fairly consistently portrays. But it has become obvious that the account sends out spam on a regular basis. I didn’t know if this was just a fake account set up using the actor’s name, or if the actor had fallen victim to some arrangement which will “assist” a celebrity with social media by padding out a posting stream–and using spam to do it (though I’ve since confirmed that the celebrity actually has nothing to do with the account).
(One of the first indications of spam was that the account had frequent images in the feed. However, while most images in Twitter postings are hosted at pic.twitter.com, these all came from pic.twitter.com.gl. Easy enough to ignore those last three characters before the slash. Ah, the little tricks spammers use on us. But I digress.)
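An added example, not part of the original post: a host check that reads the name from the right, so that pic.twitter.com.gl is not mistaken for pic.twitter.com. The function names and the sample URL paths are constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption for this example: the one image host we expect to see.
TRUSTED_HOST = "pic.twitter.com"


def _host(url):
    """Extract the lower-cased hostname; accepts URLs with or without a scheme."""
    if "://" not in url:
        url = "//" + url
    return (urlsplit(url).hostname or "").rstrip(".")


def naive_is_trusted(url, trusted=TRUSTED_HOST):
    """Flawed check: reads the host left to right, the way the eye does."""
    return _host(url).startswith(trusted)


def is_trusted(url, trusted=TRUSTED_HOST):
    """Right-anchored check: the host must be the trusted name or a subdomain of it."""
    host = _host(url)
    return host == trusted or host.endswith("." + trusted)


def lookalike_suffix(url, trusted=TRUSTED_HOST):
    """If the trusted name appears as leading labels of some other domain,
    return the trailing labels that were appended; otherwise return None."""
    if is_trusted(url, trusted):
        return None
    labels, want = _host(url).split("."), trusted.split(".")
    for i in range(len(labels) - len(want)):
        if labels[i:i + len(want)] == want:
            return ".".join(labels[i + len(want):])
    return None


if __name__ == "__main__":
    # Constructed sample links; only the hostnames come from the post.
    for link in ("https://pic.twitter.com/abc123",
                 "http://pic.twitter.com.gl/abc123"):
        print(link, naive_is_trusted(link), is_trusted(link),
              lookalike_suffix(link))
```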
Anyway, while I was waffling back and forth between whether the amusement value of the account was worth the price of ignoring the spammish posts, along came a post that resonated with something I’ve been noting recently:
In about 20 years, the hardest thing kids will have to do is find a username that isn’t taken.
I’ve seen that problem already. In going to check out a hot social media site, sometimes my preferred account name, and most of the usual variations, are taken. Forget about trying to remember your passwords, I’m having a hard enough time trying to recall all my accounts!
(And, no, I’m not going to “log on with Facebook,” thank you very much. It’s already a privacy trap as it is, and you want me to have it control all the social media I might use? Surely you jest …)
Which brings me back to my old friend. He’d found one of the dozen or so email addresses that I do use on a regular basis. It happened to be one of the ones where I review the spam filter, more or less daily, tweaking the filter and grabbing the latest samples of malware, spam, and phishing.
So I’m going through the spam list, and there’s this generic subject line, and a ridiculous email address, but the personal name caught my attention, because I’d known someone with that name back in the days before microcomputers were invented. (I have no idea why I remembered: anybody who knows me knows that I can’t recall anybody’s name. So why I remembered this is just one of the quirks of the neuronal wetware platform.)
Anyway, I pulled it up, out of idle curiosity, and lo and behold, if it isn’t actually him. I have been more surprised, on occasion, but not often.
Naturally I told the spam filter that this message and sender were real, and OK, and to please pass along any further messages.
So I was annoyed when his second message to me also appeared in the spam trap.
I really don’t know what the spam filter has against him. Yes, his message had some HTML in it, but that is hardly surprising these days, and the code content was minimal compared to most spam.
(Note to alumni groups, and others who want to keep in touch with me via email: tone down the HTML. For one thing, I use a MUA set not to render HTML [I am a security and malware specialist], and, for another, while I know you want your message to stand out from the crowd, if it stands too far out it just goes to the bit-bucket.)
So, I think it’s the email address. He’s recently got an account on one of the Web-based mail systems, and it obviously took some doing to find an address that wasn’t already taken. It’s got his name in it, but also a random reference, plus non-alpha characters, and a couple of numbers. It’d make a great password: I doubt any dictionary attack would be able to find it. It looks like the kind of random address that spammers generate.
So, yeah, I can see that we are exhausting the email and account name address space. And I can see that this is going to create problems. How do we find our own accounts? How do we tell who is behind other accounts (such as that of the celebrity described above)? I lucked out on noticing my friend’s message, but what if I hadn’t remembered his name (and the variant spelling his family used)? What if he’d used one of the accounts that is more aggressive about turfing spam? Maybe we need something that gives us a little more info, and a little more flexibility in finding the people we know. Maybe the X.400 people had a point.
(No. I’m kidding. I remember the old days when some people did have them. I remember trading business cards with people at conferences. When you got home, if you both had Internet email addresses, either one could start the conversation. If one had an Internet email address, and the other had X.400, then the person with the X.400 address would send the person with the Internet address a message, and then the conversation could start. If both had X.400 addresses they called each other on the phone.)
Authentication has always been a problem. Now, with the huge rise in social media, the problem is getting worse. (At the same time, social media users are spilling huge amounts of information about themselves, and are less anonymous than they think.) We’ve been profligate with the name space, without any protocols, and we’ve made the problem worse. Maybe it’s time to give some thought to the matter.
(The title of this post comes from a book by C. S. Lewis. I recommend it.)