Archive for the ‘Identity’ Category

Biometric Spyware

Wednesday, February 11th, 2009

I know what you're thinking. You're thinking "you know, soon we won't need passwords. We will just scan a fingerprint or something." I am here to tell you that this is most likely naive. I don't want to rain on anyone's parade, but there are some big problems with combining biometrics and the internet. Big problems. I'm not talking about the current finger scanner solution found on your state-of-the-art laptop. That is a locally stored biometric secret used to manage your identity on your laptop. That is not so bad. I am talking about large, centralized databases of biometric secrets. I am talking about a system where I can use your finger scanner to access my files over the internet.

If a biometric identifier is a value computed strictly from physical trait(s) then THAT VALUE IS STATIC. Fingerprint, palm, footprint, retina, DNA. It doesn't matter. Any one of them. Any two of them. All of them combined. They all add up to one large string of characters that never changes. All you need to know is this. If your biometric value is obtained by some stranger AND that stranger can feed your value into the authorization channel, then guess what… your identity is compromised for the life of the system. It is not my intention to slight biometric efforts. But think about what the current solution would be. The internet is currently susceptible to spyware. Slap a biometric device on the front. The internet is still susceptible to spyware. Only now it's worse. The internet becomes susceptible to biometric spyware.

I know there is research being done on something called irrevocable biometrics. This is the study of biometric secrets that can change value. IBM is currently conducting research on irrevocable biometrics. The IBM paper is a complicated read. Good luck to those gentlemen. I am unable to follow the math. But I do follow the logic in their charts. I still see a spyware vulnerability immediately after the biometric feature has been scanned.

Which brings us back full circle to the password. Biometrics are derivations of the body. Passwords are derivations of the mind.  One of them can be changed easily. I suggest using both to best emulate identity.

A Captcha Code For Spyware

Wednesday, April 2nd, 2008


Can you build a website that defuses spyware by itself? Yes! I will explain how we did this with a little javascript, a little html, and a lot of logic. We call our solution a Shaker List™. Think of it as a special captcha code.

Captcha codes are web filters. They filter out spam. A Shaker List is a web filter too. It filters out spyware, pharming, and phishing. How does it work? Your favorite websites are displayed on screen after you have authenticated partially. At that time, you select a handful of your reserved favorites. Choosing the correct items grants full access. With careful logic, this process can defuse spyware (if you need a briefing on how spyware attacks a web page, see our Internet Security Monster post).

Why build a website that can defuse spyware?

  • To strengthen an online identity.
  • To assist anti-spyware.
  • To prove that it can be done.

Any or all of these reasons will do. Consider the following.

1.) Phishing relies on a common authentication experience. If you stagger the authentication to show a personalized item in between credentials, your website becomes phishing resistant.

On the topic of phishing, identity expert Ben Laurie says "any mechanism that can be imitated by a web page is dead in the water". The keyword is imitation. Does our Shaker List eliminate the ability to imitate? Conveniently, everyone's list of favorite websites is custom. That makes a Shaker List hard to imitate, aka phishing resistant. Correct me if I am wrong, but doesn't that make it pharming resistant as well? A pharming site will not know the correct list of favorites to display to the end user.

2.) If you build in authentication that does not require typing then you avoid all keyloggers.

A Shaker List is filled out by hovering over the checkboxes that appear right beside your favorite websites. No typing.

3.) If your authentication is not somewhat innate, it will be unintentionally forgotten.

Anytime you are talking about favorite things, you are talking about an innate topic. Favorite websites are part of your personality. That makes a list of favorite websites a good identifier.

4.) If your authentication is too simple, it can be guessed.

A Shaker List has scalable complexity. Build a large list of favorites if you don’t want the challenge to be simple. Choose several favorites in your Shaker List to make the challenge even harder.

A Long List of Favorites + A Handful of Shaker List Favorites = Not Easy To Guess

5.) If your authentication experience runs off the screen then it is difficult to hijack the credentials in a screen shot.

A Shaker List challenge displays all favorites in a list straight down the screen. My Shaker List runs five screens deep if scrolling from top to bottom in the browser. That's hard to capture in one screen shot ;-)

6.) If your authentication does not require clicking, then it is hard to take a screen shot on a click.

A Shaker List is filled out by hovering over the checkboxes that appear in front of your favorite websites. No clicking.

7.) If your authentication requires additional personal knowledge after several failed attempts, you have significantly increased the complexity of an attack.

If a Shaker List is being guessed at, it locks down and requires additional information. The additional information required is called a Secret Agent. If you are ever being attacked, you will need your Shaker List and your Secret Agent to bail you out!

8.) If additional personal knowledge required to unlock an attacked account is too public, it can be found out by the attacker.

The Secret Agent is extremely innate. It's not a maiden name, middle name, or zip code. Those things can be researched.

9.) If additional personal knowledge required to unlock an attacked account is too arbitrary, it will be forgotten.

My Secret Agent is rather comical. I want it that way. That makes it easy to remember. It is not a diluted request like memorizing yet another password. How many other identity systems ask you to remember a Secret Agent? Not many. Good.

You can practice the Shaker List if you want to. We have a page for that here. Just a note. The Shaker List practice page does not lock down if you guess too many times incorrectly. Our implementation at Spyshakers.com does lock down though.

You Dropped The Football On That One, OpenID

Tuesday, March 25th, 2008

Michael Arrington of Techcrunch posted an article yesterday about the big four (Microsoft, Yahoo, Google, and AOL) becoming issuing parties of OpenIDs but not relying parties of OpenIDs. In English that means that you can get an OpenID at Yahoo, but you can't use your Yahoo OpenID at AOL, for example. Even though AOL is an OpenID provider, they are not a consumer, and therefore you can't use your Yahoo OpenID to log in to AOL. There is an interview posted on the Yahoo Developer Network between Yahoo Rep Christian Heilmann and OpenID advocate Chris Messina concerning Yahoo's implementation of OpenID. In that interview, this exact topic comes up.

Christian (Yahoo Rep):  In December you published a wishlist on OpenID and support by Yahoo! was one of the wishes. Have you taken a look at what was done, how do you think we are doing so far and what would you want to see next?

Chris: Well, I think it's excellent to see Yahoo! become a provider. That's huge and really gives OpenID a needed push in both its long-term viability and in validating the investment people will make in becoming OpenID consumers. But providing OpenIDs is the easy part; for Yahoo to really earn full credit, it needs to consume OpenIDs, and so I'm hopeful that that will happen in time as well.

Translation: "You half-assed it". To be honest, the blame should fall on OpenID. I wouldn't have built the libraries to let providers decline consumer support. All or nothing. But alas, they did not do that. The shame of it all is that OpenID is a good idea. Unfortunately, the message being sent is "don't be a consumer". That's the wrong message. You should not have given the choice.

Our Infatuation With Mistaken Identities

Thursday, March 20th, 2008

My name is Maximus Decimus Meridius. Commander of the Armies of the North. General of the Felix Legions. Loyal servant to the true emperor, Marcus Aurelius. Father to a murdered son. Husband to a murdered wife. And I will have my vengeance, in this life or the next.

If he were by himself, he would have cried. Instead Commodus trembles. There in the dry dust of the Coliseum a man from the grave stands before him. To Commodus he must appear as a ghost in armor. Maximus stares down the emperor who would have him dead. His helmet had shielded his identity. Not anymore. Gladiator. Spaniard. Maximus. All are one and the same.

If you have never seen the movie Gladiator, I highly suggest picking it up. For those who have seen it, you know of the moment that I speak of. Gladiator is a classic example of our infatuation with mistaken identity. Commodus ordered Maximus dead long ago. He had no reason to believe he was still alive. This perception was supported by the fact that Maximus had disappeared. Now, a Gladiator emerges with exceptional fighting skill. Gladiators are slaves. They are not the leaders of the Roman Army. Many at the event knew Maximus in a different time. None of them recognized him with his mask on (though it would not be out of the realm of possibility to recognize him from his body and fighting style). The mask shielded his identity from witnesses who knew him as a different man. When the mask was removed, it was clear that the Gladiator was no peasant. The exhilarating moment of truth IS a moment of truth because a mistaken identity has been corrected.

Enter The Matrix

Wednesday, March 12th, 2008


Trinity: Morpheus believes he is the one.
Cypher: Do you?
Trinity: It doesn’t matter what I believe.
Cypher: You don’t, do you?
Trinity: Did you hear that?
Cypher: Hear what?
Trinity: Are you sure this line is clean?
Cypher: Yeah, of course I’m sure.
Trinity: I better go.

Are you sure this line is clean? What line? What does that even mean? Let’s use The Matrix to further define identity systems.

Remember our definition of identity? An identity is the perception of an entity by a witness within the context of space time. When Trinity asks Cypher if the line is clean in the beginning of The Matrix, she is really asking Cypher if there are any unwanted witnesses. Have you ever excused yourself from the room because of a cell phone conversation? Why did you do that? You did that because the secrets exchanged in the conversation were to be shielded from unwanted witnesses. This is privacy. Security is the shield for doing so. In this case, what shield is used? Simply space time. Relocating puts unwanted witnesses out of earshot. The shield is not always that simple.

Internet transactions generally rely on the Secure Sockets Layer (or SSL) to exchange secrets. SSL depends on encryption for its shield. Data is encrypted on the origin computer by a key. The encrypted message is then sent over the channel. The destination decrypts the message by the same key. This is how the internet shields its private messages.

That Police Car Morphed Into A Semi Truck!

Tuesday, March 11th, 2008

I was driving home the other day on the Hutchinson Bypass. It is a toll road that runs between Delmont and New Stanton (southeast of Pittsburgh, PA). It was late evening, but the Hutchinson is a new road with many street lights.

So I am driving home. Well up ahead I can see red tail lights on the side of the road. Sometimes police cars sit on this road to catch speeders. My initial perception is to define the entity ahead as a police car. It has red tail lights just like a police car. It was on the side of the road like a police car. I have no choice but to assume it is one. I slow down just in case. As I approach, it becomes clear that the entity is not a police car. It is a semi truck! This is really fascinating to me. Somewhere on the Hutchinson Bypass, a witness (me) saw a police car (first perception of entity) morph (change perception) into a semi truck (second perception of same entity). An entity's identity changed right in front of me. I got to thinking that this probably happens all the time, but we never think of it in this way!

On Identity

Saturday, March 8th, 2008

I started dreaming up Spyshakers back in 2003. Back then I was fresh off my philosophical courses at Saint Vincent College. I had an outstanding professor at Saint Vincent. His name was Dr. Guess. He doesn’t teach philosophy anymore (I believe he went into High School Chemistry?). I like to say that he had to quit teaching philosophy because I answered all his questions. Haha. We had good discussions though. I had a lot of fun in Metaphysics. I came to peace with many philosophical questions that I had. Those answers influence everything. They establish beliefs. It is funny how close belief and fact are related. If 2 + 2 = 4 is a fact, don’t I first have to believe in the 2, believe in the +, believe in the = and believe in the 4 for the equation to even make sense?

Mind you before I go further my major was not philosophy (it was Computer Science). I have not been in college for a while! Nevertheless I tried to build Spyshakers around philosophy when possible. I will explain over time.

Enter the concept of an identity. If you want to build the world's premier identity website, it would help to construct the definition of identity. Merriam-Webster defines identity as "sameness in all that constitutes the objective reality of a thing". At the time of writing Merriam-Webster has four definitions for identity. Let's break down the aforementioned. If an identity is sameness in all that constitutes the objective reality of a thing, is my sameness as a baby equal to my sameness as an adult? Hardly. What is the difference between the two identities? Many things. When did the sameness change? Vaguely and through time. By whose testimony did anything change? By the perception of someone who witnessed. No wonder everyone has such a hard time coming up with good identity solutions. The definition is wrong! Haha.

A better definition of identity would be “the perception of an entity assigned by a witness in the context of time and space”. If perceptions are being assigned within time and space, that means the identity of an entity is subject to change. In English that means identities for real world things can change!
