Friday, July 20, 2012
Feral Communists...
Another excellent Afterburner from Bill Whittle. It contains the phrase in the title, which tickled my fancy :-)
Crypto vs. Rubber Hose...
Hristo Bojinov of Stanford has come up with a way to thwart a “rubber hose” attack that tries to force an individual to give up a password. No, it's not training in pain tolerance – it's a different way to authenticate.
The basic idea is that you can learn subconciously (in fact, this is the way we learn most things), without even realizing that you've learned something. Passwords are not like this; those we very conciously learn (memorize).
The new technique involves learning how to play a special game. In the process of doing this, you learn – subconciously – a 30 character password made up of just six characters. This is a very secure password. If someone asked you to recite it, you wouldn't be able to do it – not even if they gave you the rubber hose treatment, and not even if you wanted to give them the password. You are not concious of it at all. To actually authenticate yourself to a computer, you have to play a round of their game. In doing so, you demonstrate to the computer that subconciously you really do know the password.
You might ask yourself (I certainly did) “But how does this help with the rubber hose attack? The trained authenticator could still be forced to play the little game!” The authors of the paper assert that there must be a “liveness test” – in other words, you can't use their method for remote authentication, but rather only for authentication when physically present at the system you're trying to authenticate to. Presumably someone would then notice if you were being beaten with the rubber hose. There are some problems with that, as there are ways to coerce people that don't require the coercer to be physically present with the coerced (for example, your spouse or child could be held hostage until you authenticate). Worse, I think, is that if you subject a password authentication system to a liveness test, then its security is enhanced in the same way. In other words, it seems to me that a large part of the benefit of this new system is derived from the liveness test, rather than the method itself.
But all that carping aside, there are some genuinely interesting security ideas in here. How practical they are is another matter altogether, but the general notion of using subconcious memory strikes me as worth exploring.
Authentication to a computer system is a really tough problem, far harder than most people realize. It's the basis for many of the kinds of computer security that average people run into every day (like, say, access to your bank account) – and yet we are still lacking good, secure, reliable solutions. Passwords are by far the most common approach, and they are demonstrably feeble. Biometric authentication (fingerprints, iris patterns, etc.) are stronger, but are defeatable and less reliable than most people consider acceptable. So I'm always interested in anything that might improve the situation...
The basic idea is that you can learn subconciously (in fact, this is the way we learn most things), without even realizing that you've learned something. Passwords are not like this; those we very conciously learn (memorize).
The new technique involves learning how to play a special game. In the process of doing this, you learn – subconciously – a 30 character password made up of just six characters. This is a very secure password. If someone asked you to recite it, you wouldn't be able to do it – not even if they gave you the rubber hose treatment, and not even if you wanted to give them the password. You are not concious of it at all. To actually authenticate yourself to a computer, you have to play a round of their game. In doing so, you demonstrate to the computer that subconciously you really do know the password.
You might ask yourself (I certainly did) “But how does this help with the rubber hose attack? The trained authenticator could still be forced to play the little game!” The authors of the paper assert that there must be a “liveness test” – in other words, you can't use their method for remote authentication, but rather only for authentication when physically present at the system you're trying to authenticate to. Presumably someone would then notice if you were being beaten with the rubber hose. There are some problems with that, as there are ways to coerce people that don't require the coercer to be physically present with the coerced (for example, your spouse or child could be held hostage until you authenticate). Worse, I think, is that if you subject a password authentication system to a liveness test, then its security is enhanced in the same way. In other words, it seems to me that a large part of the benefit of this new system is derived from the liveness test, rather than the method itself.
But all that carping aside, there are some genuinely interesting security ideas in here. How practical they are is another matter altogether, but the general notion of using subconcious memory strikes me as worth exploring.
Authentication to a computer system is a really tough problem, far harder than most people realize. It's the basis for many of the kinds of computer security that average people run into every day (like, say, access to your bank account) – and yet we are still lacking good, secure, reliable solutions. Passwords are by far the most common approach, and they are demonstrably feeble. Biometric authentication (fingerprints, iris patterns, etc.) are stronger, but are defeatable and less reliable than most people consider acceptable. So I'm always interested in anything that might improve the situation...
This Is Just Wrong...
The U.S. Olympic Committee (USOC) zealously protects its use of the word “Olympic” – if it finds another business trying to associate itself with the Olympic Games without having paid a license fee, it goes after them for trademark infringement. That's fine, as stated. The problem here is this: the word “Olympic” has multiple meanings. It's the name of several mountains or mountain ranges around the world, and it's closely associated with many things Greek.
Now the USOC has successfully forced the owner of the Olympic Gyros to change the name of his business – 30 years after the business was founded, and despite the rather obvious fact that the “Olympic” in “Olympic Gryos” refers to things Greek, and not the Olympic Games.
For shame, USOC, for shame – for even trying to do this. And what the hell has happened to our legal system that the USOC could prevail in this travesty?
Now the USOC has successfully forced the owner of the Olympic Gyros to change the name of his business – 30 years after the business was founded, and despite the rather obvious fact that the “Olympic” in “Olympic Gryos” refers to things Greek, and not the Olympic Games.
For shame, USOC, for shame – for even trying to do this. And what the hell has happened to our legal system that the USOC could prevail in this travesty?