Tim O’Reilly has distilled the lessons of the Kathy Sierra affair, and Tim Bray further distills them into a single dictum: “You’re accountable for what appears on your Web site.” He elaborates:
“if a Web site is yours, you are ethically and perhaps legally responsible for what’s there, whoever wrote it. This is reality; deal with it.”
Agreed. I’ve always believed that, which is why for over a decade I’ve advocated cryptographically strong ways to assert online identity. So long as we depend on authentication by name and password, we are frighteningly vulnerable to impersonators who could irreparably damage our online reputations.
Let’s not lose sight of the message that Doc Searls received from Alan Herrell, who says in part:
“Just about every online account that I have has been compromised. Most importantly my digital identity and user/password for typepad and wordpress.
“The Kathy Sierra mess is horrific. I am not whoever used my identity and my picture!!”
I’ve never read Alan Herrell’s now-discontinued blog, and know nothing about his involvement in this whole affair, but the fact is that we’re all vulnerable to the kind of impersonation that Alan Herrell describes.
There’s no perfect defense. But if I had to use cryptographically strong multi-factor authentication to log into my blog publishing system, and if I also had to digitally sign every one of my entries, I’d be far less vulnerable to malicious impersonation.
As we project more of our personal and professional identities into the Net, we create new demands for supporting infrastructure, and thus new opportunities for commercial services. To the extent that you are your website, you will need — and will pay for — a website that’s as secure, as reliable, and as persistent as you can afford to make it.
Update: I’ve just learned that the anonymous sploggers who run biginternetmall convinced someone that this anonymous ripoff of this item of mine was a legitimate posting. Yet another facet of the same issue.
April 2, 2007 at 3:15 pm
Finnish “application of freedom of speech in mass media” law states that every website must have a named editor who is ultimately responsible for all content published there.
Usually this means that if they get a report of illegal material published on the site they must take it down.
More info here:
http://bergie.iki.fi/blog/2004-03-25-000.html
April 2, 2007 at 6:12 pm
[...] that I disagree with Jon Udell, but I’m not sure that I can quite convince myself of his latest argument that implies dramatic and potentially long term consequences for the compromise of weak [...]
April 3, 2007 at 11:48 pm
I’m probably as big a fan of cryptographic strong authentication as anyone — 14 years in and around the Lotus Notes world does that to you, I guess. But bear in mind that with all the hassles that it brings, cryptographic authentication is still only as strong as the two weakest links in the chain. The first weak link is the operator of the certificate authority, who may not always properly verify identity before issuing a certificate — or perhaps more to the point, may not be able to verify identity properly because the user community as a whole doesn’t really trust them enough to be willing to provide sufficient identifying information. And the second weak link is of course the users themselves, who may compromise their own digital credentials in the name of convenience — and those years in the Lotus world tell me that this happens far too often, no matter how much you try to educate your users about not sharing their id files and passwords.
April 3, 2007 at 11:50 pm
Oops. I somehow managed to paste garbage into the web link on the above reply.
April 4, 2007 at 10:45 am
[...] — Jon Udell @ 10:44 am Kim Cameron had the same reaction to the Sierra affair as I did: Stronger authentication, while no panacea, would be extremely helpful. Kim writes: Maybe next [...]
April 4, 2007 at 10:58 am
“cryptographic authentication is still only as strong as the two weakest links in the chain.”
Agreed, and you’re right to note that people are the weaker of those two. To those of us who’ve watched all this evolve, it seems like it’s taken a long time, and it has, but we’re still in the early innings.
April 14, 2007 at 10:12 am
But only if your key is known and trusted by the person trying to determine if what they’re reading is really by you.
January 23, 2008 at 6:06 pm
[...] issue of online identities and how easy it is for someone to hijack someone else’s name and pose as that person when, for example, posting messages online. How do you know the person is who he says he [...]