Kadin2048's Weblog


Fri, 12 Jun 2009

I discovered earlier today, while trying to load my personal X.509/SSL certificates onto my trusty Nokia E61i, that its personal-certificate support is for all intents and purposes intentionally broken.

When the user certificate is imported to Nokia Eseries devices, e.g. to be used for authentication with WLAN connections, the certificate contents are checked and if there are any issues with the certificate fields, the importing of the certificate will fail and the error message “Private key corrupted” is shown.

One common situation where this problem may occur is if the KeyUsage field in the certificate has the nonRepudiation bit enabled. A certificate with the nonRepudiation bit is rejected by E60, E61, E61i, E65 and E70 devices because of security reasons.

The workaround is to create a new user certificate where the nonRepudiation bit is removed. The nonRepudiation bit is not necessary when doing certificate-based authentication, e.g. in WLAN environments.

Yes, broken. I don’t care what the Nokia engineers were thinking when they put that “feature” in, it sucks. It basically stops you from using 99.9% of all certificates in the world — ones produced using the default settings from most issuers, and forces you to generate a brand new certificate for the device. That is totally unacceptable. Certificates cost money in many cases, and even if they don’t, they take time to create. Plus, managing multiple per-device (rather than per-user) certificates is a royal pain in the ass.

Nokia’s “solution” to the problem would force me to generate a brand-new certificate for my mobile, and then I’d need to replace the certificates stored on every other device with the new one, in order to make sure I can decrypt S/MIME email. If I didn’t do this — if I used one certificate on the E61 and another on my desktop and laptop, the E61 wouldn’t be able to open encrypted email sent in response to messages originating from the other machines.

(This is all assuming the E61i can even do S/MIME, which I’m not 100% sure of; but since it can’t load my certificate, it’s a bit of a moot point.)

Hardcore failure on Nokia’s part. Security, no matter how well-meaning, is worse than useless if it breaks functionality or makes the user’s life this difficult. All it does is raise the ‘cost’ of security, and make it more tempting to forgo things like certificate-based authentication at all.

Up until recently I’ve been pretty happy with the E61i, but I’m feeling more and more that they just didn’t take core functionality seriously enough. The software is flaky and unreliable, as is the Bluetooth stack (I get lockups about once a week when I’m using it with a BT headset or tethered to a laptop), and I question whether anyone who worked on the built-in email client actually used it. (When you have an entire QWERTY keyboard to work with, why does every action require at least 3 clicks on a miniature D-pad?) It does have its charms — JoikuSpot is amazingly useful, and I love not being locked into an iPhone-style “App Store” — but the warm fuzzies are really wearing off.

It’s starting to become clear to me why BlackBerry, and not Nokia, is so dominant among users who actually care about communication over everything else. (BlackBerry offers both S/MIME and PGP, although it seems like it may need to be deployed to an Enterprise Server rather than to individual handhelds.) It’s just unfortunate that the BlackBerry offloads so much intelligence to the BES/BIS backend; I’m not really comfortable being that tied-in to somebody else’s infrastructure, and I don’t really feel like running my own BES.

Maybe it’s time to take a look at Palm.
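
A pre-import check for the KeyUsage condition described in this post, as an added example (not code from the original post or from Nokia): it decodes the KeyUsage extension from a certificate's DER bytes and reports whether nonRepudiation is asserted. The function names and the two sample byte strings are constructed for illustration.

```python
import base64

KEY_USAGE_OID = bytes.fromhex("0603551d0f")  # DER encoding of OID 2.5.29.15
# RFC 5280 bit order; bit 0 is the most significant bit of the first byte.
# Newer X.509 editions call nonRepudiation "contentCommitment".
BIT_NAMES = ["digitalSignature", "nonRepudiation", "keyEncipherment",
             "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
             "encipherOnly", "decipherOnly"]

# Constructed KeyUsage extensions for illustration (not from a real certificate).
SAMPLE_WITH_NR = bytes.fromhex("300e0603551d0f0101ff0404030205e0")
SAMPLE_WITHOUT_NR = bytes.fromhex("300e0603551d0f0101ff0404030205a0")


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armor lines and base64-decode the body."""
    body = [ln.strip() for ln in pem.splitlines()
            if ln.strip() and not ln.startswith("-----")]
    return base64.b64decode("".join(body))


def key_usage(der: bytes):
    """Return the asserted KeyUsage bit names, or None if the extension is absent.

    Heuristic: finds the extension by its OID bytes instead of walking the whole
    ASN.1 tree, and relies on its lengths always being short-form (< 128).
    """
    i = der.find(KEY_USAGE_OID)
    if i < 0:
        return None
    i += len(KEY_USAGE_OID)
    if der[i:i + 2] == b"\x01\x01":          # optional BOOLEAN "critical" flag
        i += 3
    if der[i:i + 1] != b"\x04" or der[i + 2:i + 3] != b"\x03":
        raise ValueError("unexpected KeyUsage encoding")  # want OCTET STRING{BIT STRING}
    length, unused = der[i + 3], der[i + 4]
    data = der[i + 5:i + 4 + length]         # length includes the unused-bits byte
    nbits = len(data) * 8 - unused
    return [BIT_NAMES[b] for b in range(min(nbits, len(BIT_NAMES)))
            if data[b // 8] & (0x80 >> (b % 8))]


def has_non_repudiation(der: bytes) -> bool:
    """True if the certificate asserts the bit the quoted note says is rejected."""
    return "nonRepudiation" in (key_usage(der) or [])


if __name__ == "__main__":
    for label, der in (("with", SAMPLE_WITH_NR), ("without", SAMPLE_WITHOUT_NR)):
        print(label, key_usage(der), "flagged:", has_non_repudiation(der))
```

For a real certificate, pass `pem_to_der(open("cert.pem").read())` to `has_non_repudiation`; `cert.pem` is a placeholder path.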


[/technology/mobile] permalink

Mon, 08 Jun 2009

Calculated Risk, one of my favorite finance and economics blogs, has a great article written by the late Tanta on The Psychology of Short Sales. The piece really hit home for me, because during my recent search for new quarters, I ended up drooling over a lot of short sale listings, only to be warned by my agent that they often take a very long time to execute and frequently fall through. I quickly cooled to the concept.

On paper, short sales are the ultimate win/win for an upside-down homeowner who wants to “walk away,” and a lender who wants to minimize their loss. It lets both parties avoid foreclosure, prevents a house from sitting empty and potentially becoming a target for vandalism, squatters, and generally a source of neighborhood blight, and lets the homeowner remain on the property and leave gracefully when it sells. Plus, potential buyers get a house that hasn’t been trashed by a bitter ex-owner, or had its pipes freeze and burst due to over-winter neglect. Triple win, right?

That’s on paper. In practice, things often don’t work out so well. Because of the way short sales work, there’s often a disconnect between what the various parties involved in the deal think the property is worth. If they can’t reconcile their views, there’s no sale and the property goes back on the market, and eventually to foreclosure.

The biggest difference between a short sale and a traditional bank-owned post-foreclosure property (a “REO”, or “real estate owned”) is that in the latter case, the bank has already taken possession of the property, probably had it assessed, and accepted that they’re going to take a non-negligible loss. It’s just a non-performing asset sitting on their books at this point, one that they’d presumably like to unload at the earliest possible opportunity at an acceptable price. Contrast this to a short sale: the bank has just learned that the current homeowner can’t make their payments and wants out, and has responded by telling them to get a listing agent and put it on the market. They haven’t really written anything down yet. The big loss is still to come.

To a buyer, a short sale property ought to be more attractive than a REO, because it hasn’t been sitting vacant or gotten trashed during an ugly eviction. However, buyers quickly learn to beware these six words in any listing: “offers subject to third-party approval.”

When a buyer makes an offer on a REO, the offer goes to the bank and they get a pretty straightforward thumbs-up or thumbs-down. Either the offer is acceptable and it sells, or it isn’t and the bank is content to let it stay on the market a bit longer. Since the bank already owns the house, they just want to get the most for it they can.

When an offer is made on a short-sale property, it gets forwarded by the listing agent to the bank, who has the choice of whether to accept it or not. If they accept it, they’re almost certainly taking a loss and accepting a writedown on the original mortgage. There is a big psychological difference between this and the REO case, it seems to me: in a REO situation, the bank is trying to recoup as much as it can of an already-realized loss; in a short-sale, the bank is actually taking the loss as part of accepting the offer.

This psychological difference seems to manifest itself in the relative speed with which banks process the two different types of offers. REO offers get decisions rendered quickly; short sale offers can take months to process, during which both the buyer and seller live in uncertainty. This uncertainty causes buyers to make fewer offers on short sales than on REOs, and to offer less for short sales than they might otherwise. In theory there’s no reason why short sales should sell for much below what a regular owner/buyer sale would, but in practice they go for something closer to REO prices. This difference is, to my eyes anyway, almost completely due to the perceived arduousness of the short sale process.

In addition, there’s often a failure on the part of buyers and lenders to understand how the short sale benefits the other party, and how this affects the price they’re willing to accept. This is what Tanta explores in the Calculated Risk article. Lenders are only interested in a short sale if it results in a price that’s significantly (more than 40%) greater than what the property would fetch as a REO, post-foreclosure. Buyers, on the other hand, often try to bid less than what the property would fetch as a REO, on the assumption that the lender ought to be willing to take a little less on a short sale than they would as a REO, since they’re avoiding going through foreclosure. Hence, no deal.

In order to make short sales a more viable option for distressed homeowners who find themselves upside-down on their mortgages and unable to pay for them (or who simply want out and can’t sell normally and cover the mortgage), I can think of several things that need to happen:

  • Banks and other lenders need to assign more staff to “special assets” and other pre-foreclosure divisions, and realize that they can avoid needless trouble and expense by going the short-sale route versus foreclosure. They need to gear these divisions to providing fast up-or-down decisions on short sale offers, and empower employees to write down assets significantly (at least as much as the delta between the REO price and the loan face value) in order to make deals happen quickly.

  • Prospective buyers need to be better-educated about how short sales work, not only from their own perspective, but also from the owner’s and lender’s. They need to understand why a lowball, sub-REO offer isn’t going to fly with the lender. For a short sale to work, three parties — the owner, the buyer, and the lender — need to feel like they’re making out better than they would have via foreclosure. Offering substantially less than a property would fetch as a REO doesn’t allow that to happen.

  • Homeowners considering a short-sale, whether in financial distress or not, need to be better about selling their properties. They need to work hard to make it clear to buyers that they’re not selling a REO, and that the property is inhabited and well-maintained. If a house looks like a foreclosure property, it’s going to get offers that reflect that, and it will almost certainly end up as a foreclosure property eventually. I saw several short-sale properties during my recent search that were frankly worse than the average REO, and that just isn’t going to work.

As it turned out, I didn’t make any offers on the short sale properties that I looked at. Given the time available before I have to be out of my current rental, it just doesn’t make sense. And I definitely wasn’t alone: many short sale properties had been on the market for hundreds of days, while REOs are being snapped up almost daily by hungry buyers armed with low rate pre-approval letters.

Making the reality of short sales better match the concept would provide affordable homeownership to many buyers, a dignified ‘out’ for distressed owners, and smaller losses to lenders and their investors. But a lot has to happen before that will be the case.


[/finance] permalink

According to a post on the Full Disclosure mailing list, history has repeated itself: T-Mobile’s systems have apparently suffered a serious breach, and a lot of customer data has been compromised. Oops.

The last time something like this happened to T-Mobile, it was due to a known vulnerability in BEA’s WebLogic application server that T-Mobile had failed to patch correctly. Although the ‘hacker’ in question ended up in the Federal pen for his trouble (one hopes the celebrity email-reading was worth it), and a lot of attention seems to have been paid to the Secret Service’s identification and capture of him, the real culpability was T-Mobile’s. By failing to patch their servers, they left them wide open to infiltration.

It’s a bit too soon to tell whether the latest break-in was similarly due to technical incompetence at T-Mobile, or if they fell victim to some other method. However, it doesn’t sound like the ‘cybercriminals’ behind it all are the sharpest pieces of cutlery in the drawer. Unless they’re playing an amazingly deep game, I think it’s safe to say they didn’t think their cunning plan all the way through.

From the FD post:

We already contacted with [T-Mobile’s] competitors and they didn’t show interest in buying their data -probably because the mails got to the wrong people- so now we are offering them for the highest bidder.

Sounds almost petulant, doesn’t it? “Probably because the mails got to the wrong people” — really? They seriously think that’s the problem? If only they’d had the contact information for the Espionage Division of AT&T, the whole thing would have gone so smoothly!

They would have done better to read up on the Coke / Pepsi trade-secrets bust from back in 2006. A disgruntled Coke employee stole the secret Coke formula and tried to sell it to Pepsi, but Pepsi — much to her surprise, I’m sure — pretty much fell over itself notifying Coke of the offer, and then worked with the Feds during the ensuing investigation. Although the press coverage tried to make a heart-warming after school special out of the whole thing, Pepsi’s behavior should have been predictable and obvious: the risk of getting caught with stolen trade secrets from their fiercest competitor so greatly outweighed the value of those secrets, there was no way they would ever take the thief up on her offer.

The very same situation now exists for the morons who stole the data from T-Mobile. What competitor would even think of touching it? What could any competitor possibly gain from the data that would be greater than the huge downside risk, and could not be obtained more easily some other way? I can’t think of anything. Even if the files were totally complete, and represented dossiers on every one of T-Mobile’s customers completely documenting their behavior and preferences with regards to cellular telephony, it still wouldn’t be worth the near-certain chance of getting busted down the road, when T-Mobile notices a startlingly high number of their subscribers getting poached.

The smartest thing for AT&T, Verizon, Sprint, et al to do, on receiving an offer to purchase obviously stolen records, would have been to immediately report it to the Feds. That they didn’t makes me guess that they probably didn’t even take the offer seriously. How humiliating!

After failing to sell the goods (which I suspect are database dumps) to T-Mobile’s competitors, the thief or thieves then decided to just post a for-sale ad to the Full Disclosure mailing list — well known in IT security circles, but not known as a clearinghouse for stolen identities. It’s not as though there aren’t venues on the ‘net where trading and selling identity information is common — supposedly there are whole online communities for this purpose — but the FD list certainly isn’t one of them. The only way they could have been more bush league is if they’d used Craigslist. Or maybe Ebay.

So that brings me to two possible conclusions about the whole breach:

  1. It was conducted by someone of questionable technical competence (at this point it’s too early to tell), but dreadful business skills, who couldn’t resist undermining the commercial value of the information they stole in order to claim credit in a high-profile way. They chose the FD list rather than some more appropriate sales channel because the FD list gets read by a fair number of security experts, and this means more geek cred. Of course, what ‘geek cred’ gets you in prison is beyond me. (Maybe Hans Reiser knows.)

  2. It was conducted by someone who knows exactly what they’re doing, and what we’re seeing is a carefully-constructed ruse of some sort. There might not be any information to sell, or else selling the information at a maximum profit might not be the real goal. Instead, the purpose would be to embarrass and tarnish T-Mobile’s reputation as badly as possible.

Admittedly, option #2 does get a little tinfoil-hatty. To profit from it, someone would need to build up a huge short position in DT stock (or certain futures contracts), and hope that the news of the breach would cause the value to slide. However, I don’t even know if this would be realistic: DT is a huge company, and T-Mobile USA is only a part of it. Even a cataclysmic security breach might not do more than wiggle the needle of DT’s share price, requiring a huge position or lots of leverage to take advantage of it.

Neither theory bodes well for the people behind it; according to option #1 they’re clearly incompetent and far beyond their depth as far as professional criminality is concerned. Not exactly a hard target for law enforcement. According to option #2 they’re less stupid, but still at a huge disadvantage: the position they’d need to have built up to profit from the security breach would be visible in retrospect, possibly even obvious. Even spread between lots of accounts, I suspect it wouldn’t take long for the forensic accountants to catch on.

It will be interesting to see how everything pans out in the next few weeks. There is no scenario where it looks good for T-Mobile; those who, like me, are T-Mobile customers can only hope that this time they’ll learn the lesson a bit better, and put some more effort into security.


[/technology/mobile] permalink