Facebook, Hacking and the Voldemort Horcrux Gambit

Not at all surprised to read about Facebook getting its code hacked over into the public domain (see this report in New Scientist) - as we have argued before, sites like these are hackers' paradises and there are way more mathematicians outside than in. NewSci makes the same points well and also quotes our favourite cryptoguru Bruce Schneier, so even if you don't believe us....

Anyway, to quote NewSci:

The reason the leak is concerning is that, by studying the leaked code, a canny computer hacker might be able to figure out some critical security vulnerabilities and thus gain access to tonnes of personal information.

Having the source code is not the same as finding a vulnerability, however, so I don't think there's much cause for alarm right now. On the other hand, the story raises two important and worrying issues.

The first is that social networks place an awful lot of personal information in one location, raising the risk of identity theft - as several security experts have already warned.

The second point, which is connected to the first, is that social networking services are becoming an ever more enticing target for computer hackers. Only last week we ran a story about a computer expert cracking into MySpace accounts.

Eggs, Basket and all that......

Increasingly when we think about Identity (being the paranoid people we are) we like to think about it being dispersed, hidden, and hardened against attack. I was asked to talk at Mobile Monday last week on the issue of mobile Identity, and noted we could call our approach the "Voldemort Horcrux Gambit" - anyway, that seems to have gone down quite well judging by the comments I got afterwards, so we offer it as an analogy here for you, gentle readers.

From Wikipedia:

A Horcrux is a "receptacle in which a Dark wizard has hidden a part of his soul for the purposes of attaining immortality." With part of a wizard's soul thus stored, the wizard becomes immortal so long as the Horcrux remains intact, typically hidden away in a safe location. If the wizard's body is destroyed, part of the soul remains preserved within the Horcrux.

Words like Intact, Safe and Hidden are to the point here. Furthermore...

There is no apparent restriction on the nature of the items that can be made into a Horcrux. Inanimate objects are usually used, but a living organism can also be made into a Horcrux. There also seems to be no limit on the number of Horcruxes a wizard can create. However, as the person's soul is divided into progressively smaller portions, he loses more of his natural humanity and his soul becomes increasingly unstable

In that respect they behave much like federating identities - more is safer but is harder to maintain. Voldemort believed 7 was the magic number but inadvertently made 8 (and look where that got him). And finally. a salutary lesson:

In his arrogance, Voldemort dropped subtle hints about having created Horcruxes to his followers. Having overheard one such boast, Regulus Black guessed correctly that Salazar Slytherin's locket was a Horcrux and sacrificed his life to retrieve it

Now, one may think that this is only relevant to Evil Wizards, Corporates and other mobsters with a need for high security, but people would do well to think about the rise in (i) ordinary consumer identity fraud and (ii) the number of "lapses" like the Facebook one that have already occurred

So, can we offer probably the best bit of free consulting advice you will ever get this side of 2010 - if you are ever tempted to "let it all hang out" on Facebook or whatever - don't. Build your own Horcruxii instead.