
Good morning. I realized that I do not look anything like the picture in the program. As you know, being in security ages you; I've been at this for about eight months. Yeah, eight months, and look at me now. No, actually, I am very, very happy to be here in London again. I lived here 20 years ago; I was brought in to work on the security aspects of the merger between Swiss Bank Corporation and SG Warburg, if any of you remember that. You never really take full advantage, in hindsight, of being in a place like London until you've left, so I'm very happy to be back here again, having everyone ask me "you're not from here, are you?" and having all the wonderful food. The people are very uniformly nice, especially in the security community here; everybody is really some of the nicest people that I've ever met, and don't tell the people in... wait, this is being recorded by Tripwire, isn't it? Oh, crap. Okay.

So I'm going to talk about how Google turned me into my mother. I'm going to talk about a problem. How many of you in the audience are caring for older parents or relatives, or is everybody too young for that? Okay, you'll have to take my word for it then. People who have children, minor children that they're having to do things online for, and everything: there's a large problem that I don't think is being adequately addressed yet, and it has to do with proxying and delegation. A lot of you who have worked in identity and access management know that this is a pretty common issue, but the thing is, it's different for the enterprise, and I think this is going to have larger societal implications as we go along.

So, sort of a definition of proxying. As you know, generally a proxy will say, "treat me as if I were the thing that you were talking to, and I will do all the conversation on their behalf and I will pass it back to them," and so on. It has legal implications, which we'll talk about. Any of you who have had to do a health care proxy for somebody else: I don't know what the legal ramifications are here in the UK, but in the United States, again, under certain circumstances, if someone's in the hospital and can't speak for themselves, you would help make the decisions for them, and obviously those sorts of decisions that you make for them have life-changing ramifications. And durable power of attorney; again, forgive me, I don't know what the legal terms are here in the UK, but generally you can administer the assets of a person on their behalf, whether it's real estate transactions or managing their bank accounts, signing legal documents on their behalf, and so on. Now, in the United States in general there are two ways that this document can take effect: either immediately, as soon as the person signs it, or upon incapacitation. Now, the legal definition of incapacitation is very difficult to establish, and incapacitation isn't always just being unconscious in hospital or whatever. Especially as they're aging, seniors in particular tend to have waxing and waning cognitive abilities. Some days they will be very on top of things; other days, especially if they get a fever or any sort of thing, they enter a state that the medical profession calls delirium, where they may have trouble communicating, have trouble putting a sentence together, they're not sure where they are, they're disoriented. It's not dementia, which is a much more long-term, gradual thing, but it can look just like dementia. In fact, one of the classic signs that EMTs look for, if they're called to a house and there's a senior citizen, especially a woman, who is not communicative, is very out of it, is that they suspect a urinary tract infection, because those are very asymptomatic for older people but immediately result in them just being completely out of it. My mother, for example, when she had one, drove home, pulled her car into the garage and immediately fell asleep at the wheel. So that sort of thing.

So there are some very difficult problems with getting someone declared incapacitated. For this reason, if you try to go to an elderly relative and say, "I want to take over everything for you because you can't do it anymore," you're going to have words with that person. It's a very long, difficult psychological struggle for them to start losing the agency in their life and the ability to do things, and many of them will not accept it or acknowledge it, all the way to the end. So it's a very difficult conversation to have.

Sort of talking about the difference between proxy and delegation: it's the difference between root and sudo. But the problem is that in real life none of this is logged. When you take this over on behalf of somebody else, it's on you to be financially responsible, to be very clear, to document everything that you're doing on their behalf: withdrawals you're making from their bank account, bills that you're paying, especially if you're reimbursing yourself; you have to have a very clear documentation trail as to why you're doing it. There are a lot of problems, especially with seniors being taken advantage of by relatives. My half sister's half sister-in-law's father had all of his assets taken by one of her half siblings when he became, to some extent, incapacitated, and the bank accounts were emptied, and those funds will never be recovered. So you have to care a lot about that too, when people are at that very vulnerable stage of their lives. This is a depressing talk, isn't it? I'm sorry.

So I've talked about this before in the past, that role-based access control doesn't deal with this, or with anything else well, really. No, RBAC has its time and place, but generally they're dealing with bundles of entitlements, and if you are delegating access to somebody else, it's usually for a very specific reason. It might be time-limited; you don't want them to have all the same bundle of entitlements that come with your role. But if it's too confusing to sort out, if your system is not granular enough to give just those accesses that you want them to have, you end up just giving them the whole bundle, because you can't be bothered. And again, I'm out for the next week; Dan Raywood is going to take my place, but I don't want him getting into the silver. I want him to be able to do some other things on my behalf, and RBAC doesn't deal with that too well.

So the old-style RBAC is that you have a group of entitlements and they map to your position in the organization. So if you are a research director, here is the role that you were given, and it comes with a static bundle of entitlements, and this is what you should be doing. You add more roles, and administrators get all the roles because it's easier that way, and that's it; that's the way it works. Now, first of all, even in an enterprise this assumes that you're either a customer or you're an employee, and as you know there are many, many different roles in there. For example, QA testers: QA testers have to have all the roles when they're testing something in an application. An administrator of an application should not be an administrator of the operating system, just of the application. It doesn't reflect different axes of governance: you're doing this on behalf of this department, you're doing this on behalf of an external customer or another agency. This is particularly difficult and complicated in the public sector, for government, because your citizens are not your customers; they usually don't want to do business with you, they have to. And they may be using roles themselves in dealing with you. For example: "It's time for the monthly reporting. I don't really feel like logging in and doing this; can you do this? Here's the password." Which is another reason why two-factor authentication doesn't necessarily work that well, because they'll just hand over the token and say, "can you log in and do the reporting to the state? Thank you." And it doesn't support context switching, and I'll show you what I mean. First of all, if you're working for more than one organization or department: when I worked for the state of Texas, for the Education Agency, we had many teachers, for example, who moonlighted for more than one school district. There might be legal requirements for separation of duties, so you cannot give out a union set of entitlements; you may be working on behalf of one insurance broker and then you have to log back out and log back in on behalf of the other insurance broker to do that work. So these sorts of things are, in general, just not handled very well.

I had to replace a 10-year-old custom single sign-on system that fronted for about 60 applications that were used by a statewide external base of about 50,000 users in higher education, school districts, campuses, nonprofits, any agency that had to do something with education. I had to try to migrate that to Tivoli, and I can tell you I made the IBM engineers cry, because there was just so much complexity in the business rules that had to be built in, and it was a multi-year-long project.

So let's talk about context plus governance. There's usually an identity authority who says, "yes, I've looked at your picture ID and I can vouch for you that you are who you say you are," but you also need an access authority, somebody who is responsible for the data that you're going to access and has to give their permission for you to access it, which is not the identity authority. This is where you end up with long forms with multiple signatures on them, because everyone has a particular area of governance that they are responsible for administering, and they have to sign off on your access. So they have to say both who you are and why you need access to this. So again, at the state, you might have a superintendent who says, "yes, this staff member at the district works for me; they are in a role of reporting on the free lunch program for poor students, and therefore they should have access to this system only," and then all that ends up in a bundle of what your entitlements would be. So again, somebody validates you as an individual, somebody says here is who you are in the context of whatever it is you're doing. I don't know what this gentleman here is... he's kind of dodgy, but he's waving an ID card, so he must be all right. Or you're a medical professional; in the internet of cows, somebody will validate that you are a cow. So it's not just about who you are, it's about what you can do.

So you will have a function to do, you will have a scope within which you will do it, on behalf of an organization, or only until midnight, or only on these days, or only with these systems, and all that will turn into your authorization. So it's very much like a game of Clue: it will be Professor Plum in the kitchen with a lead pipe, or maybe with a candlestick, or in the library. And this is more what your enterprise roles and entitlements look like. In fact, it can get even more complicated, because you're really adding different sorts of functions: you're either killing or you're being killed in the kitchen with a lead pipe, or whatever. So it's that combination, especially in a dynamic environment, that is going to make identity and access management very complex. So here we go: all the combinations that are possible out here. This is what people have to deal with in real life; I don't have to tell you this. With an [inaudible] in the library, in the shared library. So again, this is really how it should be working, and it should be working this way in the... I want to say consumer world, but it's like in the real world, the non-enterprise world: somebody vouches for
you, and if you own the data, you approve the access to it by this organization and by those authorized individuals. By the way, this is another reason why full federation doesn't always take on: a lot of organizations won't just accept somebody else's word that they have an employee who needs access to the data. For legal reasons they still have to have the final step of approval, and again, this can lead to a lot of creative solutions, especially in applications. I once found out that, because my organization required so many signatures for legal reasons on forms for every access that somebody had externally, and these things had to be processed on paper and it was very slow, developers were just creating these nice little backdoor URLs that they were handing out to users to say, "just click on here and you'll go straight into the application and see what you want to see." So that happens a lot.

You are a bunch of these roles: a parent, an administrator, a customer, a subscriber, and you could be all of these things at different times, and the functions and the scope are different. Another really big problem that we have in the enterprise today: it used to be, in the past, that enterprises used a completely different set of software from what you would use personally. I mean, nobody uses an ERP system for fun, right? If you do, raise your hand and we'll stage an intervention. But nowadays you may be using Google Docs, you may be using Dropbox; there are so many different types of software that you can be using at any given time, either on your own behalf or on behalf of the organization, from the same device during the day. The implication of this for the enterprise is that they cannot tell what data is business data anymore. They can't tell by which application created it, which device it was created on, where it's being stored, in which format, where the user was when it was created, what time of day; none of that matters anymore. What matters is the actual content of the data, and you have to look at it very closely to say, does this belong to us? Is this part of the e-discovery? Do we have to go look at everything that this user has ever touched, because they may have something that's responsive to this request? This is why things have gotten to the state that they are in now.

So let's talk about consumers, or normal people, as we may call them. One example is minor children. I don't know what sort of arrangements you have here in the UK, but my prescription insurance provider informed me that as soon as my oldest child turned 13 he would need to have his own login into the online system, and he would need to give me permission to manage his prescriptions for him. I'm not sure why it was 13; I don't know if that was some sort of... anyway, something very strange. Then there are incapacitated adults. Now, you may be hit by a bus, or it may be a periodic illness; you could be on really good pain pills. I know that that has happened to me; I've actually written reports under the influence. If you read some of them, you may be able to tell which ones those were. But assuming this role takes a lot of time and bureaucracy. I know someone gave a talk at, I think it was BSides Atlanta, about how a spouse suddenly passed away and they just could not get access to their accounts, even though it was an emergency. So think about this for a minute: if you walked out of here and you were hit by a bus, who would pay your bills for you, and how would they do it? How would they have access to it?

Going up to the official route, you have to be able to prove that this person is incapacitated. Just saying that they're in hospital: "Well, how long will they be in hospital?" "Oh, I don't know, two weeks, four weeks." "Well, you don't need to take it over." "Well, yes, there are bills that are due tomorrow." It's a lot of bureaucracy, and then, as I mentioned, convincing somebody else that they're incapacitated, especially as they get older, can destroy your relationship. It's just horrible; nobody wants to do this.

So, as I mentioned, they said your 13-year-old has to have his own account and he has to give you permission to administer his prescriptions for him. And I said, okay. So I created a second account for my 13-year-old with one of my other email addresses, because I knew they would check to see if they were unique, so I used a second email address, gave myself permission, went back to work. Obviously this was not in the spirit that they had set this up in, but they really did not have a good answer. The only authentication that was done is demographic data, and I'm the mother; of course I know when he was born and all these other things. I forget what they were asking for, but just that level of knowledge: I could do everything online and nobody was the wiser.

Another example was when I had to take over one of my parents' accounts, and I could set up the [inaudible] or another medical online thing, and I could set it up online and nobody was the wiser. I set it up as my mother, and they said, "if you want to revoke this you have to do it in writing." I'm like, what? Who thought of that business rule? Who actually walked through this and figured out that this made any sort of sense?

So, the authentication mechanisms for online registration and delegation and so on. First of all, you need to know what the name of your father's first pet was, which you may want to go home and ask if you don't know. You have to be able to navigate online, which again is not necessarily a given; there are still many non-technical people out there. Or even if they could at some point, maybe they can't navigate anymore now, so they can't set up the delegation for you anymore. If they could, they wouldn't need it. This is something that people are not talking about. They assume that you have standard IDs. As people age, in the United States especially, if they can't drive anymore they won't have a driver's license; it's too difficult for them to get someplace to renew that driver's license. Sometimes they give you a state ID card instead so that you can go vote, but again, going through that, if you're mentally not really competent enough, it seems like an insurmountable challenge to find out what you need to do, what you need to sign, who you need to go see. They always assume that if you have a different email address you're a different person, which is pretty silly. They assume that a phone number, especially for two-factor authentication, belongs only to one person, which again, if you have children who want to borrow your devices all the time, you know that's not the case. And there's no cleverness in the security challenge questions: they assume that you are not trying to be tricky. Like, "British Airways" is ridiculous as the answer to "what's your pet's name." They're assuming that when you are setting up those challenge questions you're not trying to be very, very clever. The problem is, if somebody else is trying to be clever, and you have to figure out the way in which they were clever because you're trying to reconstruct their account later, you're going to be in trouble.

So this is another thing that really bugs me about security challenge questions. There are many, many systems out there where they make you change your password regularly because of regulations, but they don't make you change the answers to your security questions. So as a result, there are some systems where I don't bother remembering my password; I just reset it, because I will always answer the same security challenge questions, and if I only have to do this once a quarter, that's what I'm going to do. So you will always fall back to the one factor that you can rely on, that is static, that you can easily remember. This is another gap that we are not dealing with too well.

So this is my dad. This was his first email address; you can see this is an old UUCP format. He was the one who was responsible for getting me into this whole computery thing. At the age of 12 I made the mistake of telling him that I was bored. Never do that; never tell your parents that you're bored. He threw a BASIC manual at me and said, "go make the bell ring on the teletype over there." Anybody know what a teletype is? Yes? Okay, I'm not alone. So he did that. He wrote one of the first Fortran compilers, so he started very, very early in this business, so nobody can say he wasn't technical. He was a nuclear physicist without a license; he was an astronomer. He did a lot of hacking on his own, and in fact he wrote a story about the elegance of programming back in the days when you had to fit it into very, very tiny spaces, so you may want to read "The Story of Mel"; it's also in the back of the hacker dictionary out there. So he was the one who really got me started on this, but the problem is, as time went on... he was a total command-line guy. He hated Windows with a purple passion; he would not use it at all. He only agreed to use Linux because he could go back to the command line. So there got to be a point, especially as online things got more complicated, that he just did not want to deal with them anymore. He was kind of mentally stuck in the '80s, maybe the early '90s. So even for somebody like him, who had been in on the ground floor, things have moved to the point where he could not really keep up anymore.

So it's a really good thing he didn't believe in security, because when he had his stroke, he was the one who was paying the bills, and I had to break into his banking accounts, and by that time he was too out of it to be able to help me. Luckily he had cached his Gmail password, and if you know, you know that if you want to break into any account all you have to do is get into their email and then you can reset everything from there. So that's what I did. And there's another thing: we have a lot of stock photos, really horrible ones, of evil hackers that are male. Why don't we have any good ones that are female? This is the only one I could come up with, that and Mrs. Roberts. I guess probably I'm closer to Mrs. Roberts now.

So I had to break into all of his accounts, and if I had tried to do this... can you imagine me going to Google and saying, "well, my father has had a stroke. Yes, he can speak; no, he really can't tell me how to log in anymore. He certainly can't go to his bank and explain everything to them. He can't walk, and in fact he sleeps a lot of the day." Trying to go to the bank and saying "I really need to take over his accounts for him": it was easier just to do this all online and just not tell anybody.

Now, this is a problem. If you have to take over somebody's accounts and work on their behalf, do you, for example, go to the bank and log in to their bank account, or do you try to convince them to set up a delegation account with your own login and just delegate all the functions to it? Do you change their passwords to something you can remember, so that as a result they don't know what it is and they can't get in, or do you try to remember their passwords? Yeah, I know there were things like LastPass and 1Password and that sort of thing, but when it's an emergency and you're trying to figure out what you should do, these are questions you ask yourself. Do you reset the challenge questions? Is it "what was the name of his first pet" or "what was the name of my first pet"? Wait a minute, which one did I set? And again, you're in a crisis, you're very distressed because your parent is very ill, you're trying to make these decisions. Do you use your phone and email for two-factor auth? If they didn't have it set up, it's pretty easy, but if they had been using it, do you want to make them feel better and feel like they're still in control by letting them keep the email and phone and so on? If they ask for a phone number, you have to try to figure out what that institution is going to use it for. If they're going to call my mother and say "you've got a problem with your bank balance," you may want to leave it with them. If it is for password resets, and you live 5 miles away or a thousand miles away and you're trying to do this for them, then maybe it should be your phone number. Sometimes they won't let you set two. So there are these sorts of logistical things that have to get sorted.

Now, the arguments for using their accounts and just logging in as them are that a lot of institutions still aren't ready to deal with this, and doing it in a formal way requires their cooperation. It requires that they are emotionally ready to say, "yeah, okay, I'll give you the passwords, I'll let you do this," even assuming they can remember where they have accounts, because a lot of people don't. Again, it requires mental capacity, mobility; it requires a lot of paperwork for every account; most of this has to be done out of band, notaries public, and it requires a lot of time. Now, the other advantage of doing it is that you have an ostensible separation of duties, in some cases.

Now, against using their accounts: if they catch you, they may block you. I was administering my mother's accounts and I actually had a login of my own, but there was one bank account that for some reason the bank would not let me see in my own account, so I just used my mother's account. Depending on where I was at any point in the day, some caregiver needed a check, and I didn't have my mother's set of checks because I didn't want to take them from her house, because then she would get upset and want to know where they were. So I would write a check and then I would transfer the money from her account to mine, and I guess the first or second time I did that from my mother's account, they said, "oh, fraud," and they blocked it. I called them, and they said, "well, your mother has to go into a bank branch and show ID and explain to them that no, it really was okay." And again, my mother has very, very limited mobility; this would be taking the better part of a day to get her into a bank branch, and she would be exhausted afterwards. This is not going to work. So I just went, okay, and I logged into my account and finished the transactions. So again, this is not a great solution. And again, especially if they're sort of wavering, if your parents are wavering, there have been maybe some days where they're perfectly fine with you helping out and other days when they're not, and all of a sudden they will say, "what are you doing? You're messing around with my things," and they're right; they're absolutely right.

So now we're getting to the good part of the story: this is how Google turned me into my mother. So I have four Gmail accounts on my laptop. I have a work one, I have my personal Gmail, and now I have my father's and my mother's.
So what happened was, when I was going through and setting these up and turning on two-factor auth (because again, my father did not believe in security) and doing all this, I happened to put in my personal address and added it to my mother's Gmail account as an alternate email address, and then I forgot about it, because I was doing a lot of different things. What happened was I started getting email addressed to me, wendy@[inaudible].com, except they had my mother's real name attached to it, and that was really creepy. I joined the board of a nonprofit organization; they added me to their mailing list, and suddenly it was coming to me under my mother's name but to my personal address. And I thought, what is this? What's going on here? It was anybody who used Gmail at all, and I found out what actually happens is that Gmail will very happily, very helpfully, add the primary account holder's name to whatever alternate address you're emailing. Now, why is this a problem? Let's say you're Superman and you're setting up a gmail.com account, and you're setting up an alt email. Anybody now who uses Gmail who emails Clark Kent's address, even as they're composing it, Gmail will say, "oh, you mean Superman." So this is kind of a problem. So I reported this to Google, and they said, "no, this is functioning as intended." So I was like, okay, all right, you don't mind if I talk about this then? "Oh no, that's fine." Okay, that's good.

So how do we deal with this? The problem is that, especially if you add a delegation account to anything that's very important (finances, or school logins, or everything), if you imagine everything that you are doing in your digital life and having to delegate somebody else to help out with this: first of all, adding another set of credentials doubles the attack surface right there. It's bad enough that your mother's account could get hacked, especially if she doesn't choose a great password, or he doesn't believe in security, as my dad didn't. How do you monitor for fraud properly? How do you tell the difference between me reimbursing myself into my bank account because I was writing checks for my mother, as opposed to me draining her account dry? And again, a lot of banks have not sorted this out yet. They are still thinking only about external attackers, and they're looking for those patterns of fraud; they're not looking at, "oh, Wendy Nather has the same last name, has a delegation account; if we set up the delegation account, maybe this is okay for what she's doing." How does revocation work if they're no longer in a state where they are able to manage their own affairs? How can they revoke this? We don't have a good mechanism for that. If it's out of band, it's too onerous for somebody who's disabled, especially if they're cognitively impaired, so they really don't have any protections themselves if they want to do that. So these are societal problems, and this is going to get worse as the baby boomer generation ages, because right now everybody assumes that, oh, these older people, they don't have accounts anyway, they don't know what they're doing. But everybody in the boomer generation is living the digital high life. You are all living the digital high life. We need to talk about this.

So I hate presenting problems without recommendations, so I'm just going to throw a few out here, but I think it would be worth having a great discussion, if you guys run out of things to talk about out there over the Club-Mate. First of all, wherever possible in your life right now, go get those pieces of paper. When I had the discussion with my attorney, I went out after this and I gave a durable power of attorney to my husband, and I said I wanted it with immediate effect. My attorney said, "are you sure you want to do that?" And I said, "well, if I'm going to trust him when I'm incapacitated, I'm going to trust him now." So I recommend you do that, because it was much easier, once I got this for my father, to say, "do you want me to just take care of this one thing for you today?" and he'd say yes, and I would go do that. It wasn't a binary thing; it wasn't "you can't do this anymore, I'm going to do this for you," because that's what they will resist. "Do you want me to just help you out?" "Sure, that's great." That's the conversation you can be having, and then, put it this way: "if you needed me to pay the bill for you, how would I go about doing that? Should we just set this up now, just in case?" This is a much better conversation than saying, "here's a legal document saying you're incapacitated." You really don't want to do that. So do this in your own life.

But what we really need is standardization in online systems around these sorts of roles: these dynamic roles, temporary roles, personal proxies and delegates, both for minors and for people in their majority who are temporarily incapacitated, who are periodically incapacitated, or who are suddenly and irrevocably incapacitated. We need better integration of digital and legal and physical-world authentication. We need ones that acknowledge better the very complex issues around people who are disabled, people who are economically disadvantaged and have no transport, especially in the United States, to go to these offices, or can't afford to take time off work to get these sorts of legal documents executed; they also cost money in a lot of cases. And we really need identity authorities that operate in the rest of the normal world that can help vouch for these sorts of roles, the same sort of thing that you would have inside of an enterprise, except it has to be something that says, "yeah, I know Bob. I know where he lives. I know that he has these roles in the community, and I know that this is his son; his son has the authority to do these things on behalf of his father. The son also has two minor children and has the right to do these things online on their account." But it needs to be better coordinated. And then in general we need better adaptation for all sorts of disabilities, not just visual impairment, for example, but cognitive disabilities, and we really need to find a way to solve this in the digital world, because otherwise you're disenfranchising people for no reason other than they have a high fever, or they've been used to running their lives but now suddenly they can't.

And then ultimately, if I had all the free time in the world, I would be setting up some sort of service that would help mediate these things, help choose the right digital and online solutions for people at different stages of life, different stages of technical knowledge, ability, awareness, circumstances, relationships, and so on, because somebody needs to help sort this out. At assisted living centers now, sometimes they will have a consultant who comes in and shows these older folks how to use a computer, which is very nice, but again, it doesn't deal with a lot of the complicated logistical things in their life, especially financial and legal transactions. Whenever I would have to check my parents into a rehab center, for example, if they had a fall, there would be a stack of papers this high to admit them, and I would end up signing them all, because again, whichever parent it was was in no shape to sit there in a chair and sign. So I would sign these things over and over and over and over again, and it was the same if they had a fall every month, or every three months; it'd be going through that again at the hospital, in the emergency room, for the insurance, all these sorts of things. Being able to streamline this and put this online in a way that can be much more easily executed over and over and over again is something that we desperately need. If I had all the time in the world, I would set that up; maybe somebody else would be inspired to do that, but I can tell you that having this sort of digital concierge would be a really great thing. So that's my speech, and I'd like to know if anybody has any comments that they'd like to share with me.
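The delegation model the talk argues for, as opposed to an RBAC bundle: a grant names a function, a scope of systems, on whose behalf it is exercised and a time window, every decision is logged, and the owner can revoke it. This Python sketch is an added example, not code from the talk or from any bank; every class, field, the "daughter/mother" sample grant and the per-transaction cap (which is what lets a bank tell "reimbursing myself" from "draining the account") are constructed assumptions.

```python
"""Scoped, time-limited delegation with logged revocation. Added example for
this talk, not the speaker's code or any bank's: every class, field and the
sample grant is a constructed assumption mirroring the talk's model."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

@dataclass(frozen=True)
class AccessRequest:
    delegate: str        # person acting, e.g. the adult child
    on_behalf_of: str    # account owner, e.g. the parent
    function: str        # "pay_bill", "transfer_out", "view_balance", ...
    system: str          # "bank", "pharmacy", ...
    when: datetime
    amount: float = 0.0  # monetary value; 0 for non-financial functions

@dataclass
class DelegationGrant:
    grant_id: str
    delegate: str
    principal: str
    functions: frozenset                    # functions delegated
    systems: frozenset                      # systems they may be used on
    valid_from: datetime
    valid_until: datetime                   # exclusive end of the window
    per_txn_limit: Optional[float] = None   # None means no monetary cap
    revoked_at: Optional[datetime] = None

class DelegationPolicy:
    def __init__(self):
        self.grants = {}
        self.audit_log = []  # append-only: every decision and every revocation

    def revoke(self, grant_id, when, revoked_by):
        # Revocation is a first-class, logged action the owner can take.
        self.grants[grant_id].revoked_at = when
        self.audit_log.append({"event": "revoke", "grant": grant_id,
                               "by": revoked_by, "at": when.isoformat()})

    @staticmethod
    def _why_not(grant, req):
        if grant.revoked_at is not None and req.when >= grant.revoked_at:
            return "grant revoked"
        if not (grant.valid_from <= req.when < grant.valid_until):
            return "outside validity window"
        if req.system not in grant.systems:
            return "system not delegated"
        if req.function not in grant.functions:
            return "function not delegated"
        if grant.per_txn_limit is not None and req.amount > grant.per_txn_limit:
            return "exceeds per-transaction limit, needs owner review"
        return None

    def check(self, req):
        # Decide a request and record the outcome whether or not it is allowed.
        reasons = []
        for grant in self.grants.values():
            if (grant.delegate, grant.principal) != (req.delegate, req.on_behalf_of):
                continue  # a grant between other people says nothing about req
            reason = self._why_not(grant, req)
            if reason is None:
                self._log(req, True, grant.grant_id, "allowed")
                return True, "allowed"
            reasons.append(f"{grant.grant_id}: {reason}")
        why = "; ".join(reasons) or "no delegation on file"
        self._log(req, False, None, why)
        return False, why

    def _log(self, req, allowed, grant_id, why):
        self.audit_log.append({"event": "decision", "allowed": allowed,
                               "grant": grant_id, "why": why, "request": req})

def build_sample_policy():
    # Constructed sample: daughter may view, pay bills and make capped transfers
    # on her mother's bank account for 90 days from 1 Jan 2024.
    start = datetime(2024, 1, 1, tzinfo=timezone.utc)
    policy = DelegationPolicy()
    policy.grants["g1"] = DelegationGrant(
        grant_id="g1", delegate="daughter", principal="mother",
        functions=frozenset({"view_balance", "pay_bill", "transfer_out"}),
        systems=frozenset({"bank"}),
        valid_from=start, valid_until=start + timedelta(days=90),
        per_txn_limit=500.0)
    return policy

def demo():
    # Five requests against the sample policy; returns the decisions and the log.
    p = build_sample_policy()
    t = datetime(2024, 2, 1, tzinfo=timezone.utc)
    decisions = [
        p.check(AccessRequest("daughter", "mother", "pay_bill", "bank", t, 120.0)),
        p.check(AccessRequest("daughter", "mother", "transfer_out", "bank", t, 2500.0)),
        p.check(AccessRequest("daughter", "mother", "view_balance", "pharmacy", t)),
        p.check(AccessRequest("nephew", "mother", "pay_bill", "bank", t, 10.0)),
    ]
    p.revoke("g1", when=datetime(2024, 2, 15, tzinfo=timezone.utc), revoked_by="mother")
    decisions.append(p.check(AccessRequest("daughter", "mother", "pay_bill", "bank",
                                           datetime(2024, 2, 20, tzinfo=timezone.utc), 80.0)))
    return {"decisions": decisions, "audit_log": p.audit_log}
```

The 2500 transfer is refused for owner review rather than silently allowed or treated as fraud, and the denial after revocation is in the same log as the revocation itself, which is the trail the talk says real life never keeps.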