Archive for March, 2008

A Gorilla Riding A Bull In A China Shop

Friday, March 28th, 2008

Last post I described several hazards to an internet identity on the user end. Spyware got a lot of attention. It is the 800-pound gorilla in the room that no one wants to talk about. I explained why anti-spyware isn’t always good enough to save you, which only amplifies the problem. Spyware just isn’t feared enough yet. But spyware products keep innovating. They are scarily stealthy and sophisticated, and with every revision they get simpler to use. You can’t ignore that. That’s a gorilla riding a bull in a china shop.

You could approach the solution in several ways. You could cross your fingers and rely on anti-spyware. You could rely on an identity management system that authenticates directly between the local operating system and the websites themselves (I think this is what CardSpace does, but I am not sure of all of its spyware-resistant features). Maybe other identity systems try to resist spyware as well. In our case, we are going to try to build a web-based, spyware-resistant solution.

Now, if this spyware resistance I speak of cannot be done with a simple user experience in mind, then I say take the losses and scrap it. But follow me. What would it take to build a website that is spyware resistant? Can we get phishing resistance too? I know we can. Consider the following bullets (some of the points are taken from my previous post, The Internet Security Monster). I will describe how we implemented them in an upcoming post.

  • Phishing relies on a common authentication experience. If you stagger the authentication so that the site shows the user something personalized before all credentials are supplied, a look-alike site that cannot produce that personalization gives itself away. The caveat: a phishing site that relays the first step to the real site can fetch the personalization, so this raises the bar rather than removing it.
  • If you build in authentication that does not require typing, you sidestep keystroke loggers, hardware and software alike (though not screen capture, which the later points address).
  • If your authentication is not somewhat innate, it will be unintentionally forgotten.
  • If your authentication is too simple, it can be guessed.
  • If your authentication experience runs off the screen, it is difficult to hijack the credentials in a screenshot.
  • If your authentication does not require clicking, then spyware that captures the screen on each click has nothing to trigger on.
  • If your authentication requires additional personal knowledge after several failed attempts, you have significantly increased the cost of a guessing attack.
  • If the additional personal knowledge required to unlock an attacked account is too public, the attacker can look it up.
  • If the additional personal knowledge required to unlock an attacked account is too arbitrary, it will be forgotten.
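Two of those bullets (personalization before the password, and an extra question after repeated failures) are concrete enough to model. What follows is an added example, not Spyshakers code and not the implementation promised above; every class, function and name in it is hypothetical, and it uses the credentials from the Partial Passwords post purely as sample data.

```python
"""Staggered login with a step-up question after repeated failures.

Added example, not Spyshakers code: an in-memory model of two of the
bullets above. step1_identify takes only the username and returns that
user's enrolled personalization so the real site can show it before any
secret is entered; step2_authenticate takes the password, and once an
account has seen MAX_FAILURES bad guesses it also demands the enrolled
personal-knowledge answer. Class and function names are hypothetical.
"""
import hashlib
import hmac
import os

MAX_FAILURES = 3         # bad guesses before the extra question is required
PBKDF2_ROUNDS = 100_000  # assumption: cost chosen for the demo, raise in production


def _derive(label: str, secret: str, salt: bytes) -> bytes:
    # the label keeps the password and the answer in separate hash domains
    return hashlib.pbkdf2_hmac("sha256", (label + secret).encode(), salt, PBKDF2_ROUNDS)


class Account:
    def __init__(self, password: str, phrase: str, answer: str) -> None:
        self.phrase = phrase                 # shown in step 1; not a secret
        self.salt = os.urandom(16)
        self.password_hash = _derive("pw:", password, self.salt)
        # normalize so "Camry", " camry " and "CAMRY" all verify
        self.answer_hash = _derive("kb:", answer.strip().lower(), self.salt)
        self.failures = 0


class LoginService:
    def __init__(self) -> None:
        self.accounts = {}

    def enroll(self, username: str, password: str, phrase: str, answer: str) -> None:
        self.accounts[username] = Account(password, phrase, answer)

    def step1_identify(self, username: str) -> dict:
        """Personalization for the named user, plus whether step 2 will need
        the extra answer. Unknown names get a fixed placeholder rather than
        an error, so this step cannot be used to enumerate accounts."""
        acct = self.accounts.get(username)
        if acct is None:
            return {"phrase": "(no personalization on file)", "needs_answer": False}
        return {"phrase": acct.phrase, "needs_answer": acct.failures >= MAX_FAILURES}

    def step2_authenticate(self, username: str, password: str, answer: str = "") -> bool:
        acct = self.accounts.get(username)
        if acct is None:
            return False
        ok = hmac.compare_digest(_derive("pw:", password, acct.salt), acct.password_hash)
        if acct.failures >= MAX_FAILURES:
            # step-up: the password alone is no longer enough
            given = _derive("kb:", answer.strip().lower(), acct.salt)
            ok = hmac.compare_digest(given, acct.answer_hash) and ok
        if ok:
            acct.failures = 0
            return True
        acct.failures += 1
        return False


if __name__ == "__main__":
    svc = LoginService()
    svc.enroll("Stockinator", "m@dddMONEY", "blue camry", "1997")
    print(svc.step1_identify("Stockinator"))
    print(svc.step2_authenticate("Stockinator", "m@dddMONEY"))
```

Two design points worth noticing. The failure counter is per account, not per client, so an attacker cannot reset it by reconnecting; the flip side is that anyone can push a victim's account into step-up mode with three junk guesses, which is exactly why the extra question has to be something the real owner can always answer (the last two bullets). And the step-1 placeholder for unknown names matters: if the first step answered "no such user", the personalization screen would double as a username oracle.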

The Internet Security Monster

Wednesday, March 26th, 2008

I have been talking a lot about philosophy and identity. I wanted to mix it up with this post. Let’s talk security. Let’s talk about internet security. Ohhh man. Here we go. I am going to call this post The Internet Security Monster. What is the Internet Security Monster? He is a mysterious creature.

I’ve heard that the Internet Security Monster does whatever he wants. And no one can do anything about it. That is what I have heard. I have encountered this monster more than most. I will try to define for you the skills of the Internet Security Monster. Please note: these are end-user hazards. I am not including security breaches that occur on the back end of websites. That’s a different monster. That’s the Network Security Monster.

1. Deceptive.

The monster will show you websites pretending to be other websites. We call that phishing. Monster phishes all day long.

2. Intelligent.

Monster uses spyware as his weapon of choice. Typed credentials are captured by spyware. The target web page is captured by spyware. Monster wins.

3. Stealth.

The monster tricks you into believing that anti-spyware will destroy him. Anti-spyware weakens the monster but it does not kill him. Anti-spyware definitely eliminates many threats. But it does nothing against hardware keyloggers, and keyloggers that run at the kernel level, with the same privileges as the anti-spyware itself, are much harder for it to catch. It is also difficult for anti-spyware to detect spyware it has no signature for yet. Sometimes the monster is there but you cannot see him.

4. All knowing.

Monster knows all. He knows you think that auto-completing all of your passwords saves you from spyware because you are not typing passwords. Spyware can capture your auto-completes. Monster 1. You 0.

5. If he doesn’t know he will guess.

Not all threats come from spyware. Your passwords must have some degree of complexity and length to save you from a brute-force attack. Some say eight characters is safe. Some say ten. Monster says three digits. Don’t listen to the monster.

6. X-ray vision.

The monster can see through your house right to your computer screen, or so it seems. Sophisticated spyware has screen capturing built in. Pictures can be taken of your computer screen at a high frequency if this kind of spyware is running (technically down to the second, but more practically once every 30 seconds or so). Some spyware takes a screenshot whenever the mouse is clicked. The pictures are then sent off to a remote location. Scary.

7. Advantageous.

It is innocent, but it happens. You have a few friends over for poker night. You take out the trash. When you come back you are greeted to a screen full of those pictures of your girlfriend that no one was supposed to see. What a shame. Don’t auto-complete the credentials to your email. Bad move. Damn you monster!

8. Mobile.

We know. Your home computer is authenticated by a biometric face scan. Your firewall issues third degree burns, and you run anti-virus, anti-spyware and anti-aircraft weapons. But when you use your friend’s computer, you may be high and dry. The monster can set traps on other people’s computers. Beware.

9. Sticky Fingers.

Damaged, lost, or stolen flash drives mean that your collection of passwords could fall into the wrong hands. Monster hands. Hopefully you backed up the flash drive so that you can recover most of the passwords. It gets worse if the password protecting the flash drive is weak. In that case, the monster can brute-force the flash drive. Now your identity is stolen. Here is a box of tissues. You will need them.

10. Copycat.

Copy and paste can be monitored by spyware with clipboard monitoring built in. Monster knows you don’t care, but it’s still true.

In an upcoming blog I will show you how to stop this menace.


You Dropped The Football On That One, OpenID

Tuesday, March 25th, 2008

Michael Arrington of TechCrunch posted an article yesterday about the big four (Microsoft, Yahoo, Google, and AOL) becoming OpenID providers (issuing parties) but not relying parties (consumers) of OpenIDs. In English that means that you can get an OpenID at Yahoo, but you can’t use your Yahoo OpenID at AOL, for example. Even though AOL is an OpenID provider, it is not a consumer, and therefore you can’t use your Yahoo OpenID to log in to AOL. There is an interview posted on the Yahoo Developer Network between Yahoo rep Christian Heilmann and OpenID advocate Chris Messina concerning Yahoo’s implementation of OpenID. In that interview, this exact topic comes up.

Christian (Yahoo Rep): In December you published a wishlist on OpenID and support by Yahoo! was one of the wishes. Have you taken a look at what was done, how do you think we are doing so far and what would you want to see next?

Chris: Well, I think it’s excellent to see Yahoo! become a provider. That’s huge and really gives OpenID a needed push in both its long-term viability and in validating the investment people will make in becoming OpenID consumers. But providing OpenIDs is the easy part; for Yahoo to really earn full credit, it needs to consume OpenIDs, and so I’m hopeful that that will happen in time as well.

Translation: “You half-assed it”. To be honest, the blame should fall on OpenID. I wouldn’t have built the libraries to allow providers to deny consumer support. All or nothing. But alas they did not do that. The shame of it all is that OpenID is a good idea. Unfortunately, the message being sent is “don’t be a consumer”. That’s the wrong message. You should not have given the choice.


Our Infatuation With Mistaken Identities

Thursday, March 20th, 2008

My name is Maximus Decimus Meridius. Commander of the Armies of the North. General of the Felix Legions. Loyal servant to the true emperor, Marcus Aurelius. Father to a murdered son. Husband to a murdered wife. And I will have my vengeance, in this life or the next.

If he were by himself, he would have cried. Instead Commodus trembles. There in the dry dust of the Coliseum a man from the grave stands before him. To Commodus he must appear as a ghost in armor. Maximus stares down the emperor who would have him dead. His helmet had shielded his identity. Not anymore. Gladiator. Spaniard. Maximus. All are one and the same.

If you have never seen the movie Gladiator, I highly suggest picking it up. For those who have seen it, you know of the moment that I speak of. Gladiator is a classic example of our infatuation with mistaken identity. Commodus ordered Maximus dead long ago. He had no reason to believe he was still alive. This perception was supported by the fact that Maximus had disappeared. Now, a gladiator emerges with exceptional fighting skill. Gladiators are slaves. They are not the leaders of the Roman army. Many at the event knew Maximus in a different time. None of them recognized him with the mask on (though it would not be out of the realm of possibility to recognize him from his body and fighting style). The mask shielded his identity from witnesses who knew him as a different man. When the mask was removed, it was clear that the gladiator was no peasant. The exhilarating moment of truth IS a moment of truth because a mistaken identity has been corrected.


Inspiration

Wednesday, March 19th, 2008

Win the crowd and you will win your freedom. - Proximo (Gladiator)


Partial Passwords Are The Power Supreme

Friday, March 14th, 2008

Many people are too scared to use a password manager because they do not trust the service. I will show you a trick to get all the privacy you will ever need. We will use partial passwords. Partial passwords are the power supreme!

Step 1 - Edit Passwords at the Real Websites:

Let’s say I have an E-trade account. Say my E-trade username is Stockinator and my password is m@dddMONEY. Those are decent credentials. Now I establish my partial password. Use the partial password as a suffix that goes on the end of the normal password. I used to have a 1997 Camry (not really). 1997camcam sounds pretty good. I log in to E-trade. I change my password from m@dddMONEY to m@dddMONEY1997camcam. Now we are talking password, baby! Repeat this process at other websites of importance. Remember, we haven’t touched the password manager yet.

Step 2 - Edit Passwords On The Password Manager:

I clicked on a Google ad that said “Store Your Passwords Online With The Devil”. Sure, why not. So I signed up and put all of my credentials in my online account at satan-stores-passwords.com. When I added E-trade to my favorites, I entered my username as Stockinator and my password as m@dddMONEY. Months later a scandal breaks. Turns out satan-stores-passwords.com was running a shady operation. Who knew? All of my accounts are compromised. Not quite, broseph. My real password over at E-trade is m@dddMONEY1997camcam. My E-trade account is safe. I was storing a partial password. I could get even lazier and store the suffix itself as a fake password in a fake favorite, so that I don’t have to remember it. Well, sort of. I still have to remember which favorite is the fake, and whoever breaches the manager now holds both halves and only has to work out which entry gets appended to which. The suffix is only worth something while it lives in your head. You get the point.

Advantages of Partial Passwords:

  • Eliminate the need to trust the password manager: what it stores is useless on its own.
  • Critical passwords become longer, and every appended character multiplies the search space a brute-force attack has to cover.

Disadvantages:

  • One more thing to remember, and if you reuse the same suffix everywhere, one site that leaks it in the clear leaks it for all.
  • Problems with any kind of automated authentication, since the manager can no longer fill in the whole password for you.
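The trick above can be made a little stronger without adding anything to remember. The block below is an added example, not the post’s own code: the manager still holds only the stored half, but instead of the same 1997camcam on every site the suffix is HMAC(secret, site name), so one site leaking your full password in the clear does not hand over the suffix you use everywhere else. The secret, site names and credentials are the post’s sample values or hypothetical.

```python
"""Partial passwords with a per-site suffix.

Added example, not the post's own code. The manager holds only
stored_part; the suffix comes from a secret that is never stored
anywhere. It goes one step past the post: rather than the same
"1997camcam" on every site, the suffix is HMAC(secret, site), so a
site that leaks your full password in the clear does not hand the
attacker the suffix you use everywhere else. Names are hypothetical.
"""
import hashlib
import hmac
import math
import string

ALPHABET = string.ascii_letters + string.digits   # accepted by nearly every site
SUFFIX_LEN = 10


def site_suffix(secret: str, site: str, length: int = SUFFIX_LEN) -> str:
    """Deterministic suffix for one site. The site name is canonicalized so
    ' ETrade ' and 'etrade' agree; the 256-bit MAC is written in base 62."""
    canon = site.strip().lower().encode()
    n = int.from_bytes(hmac.new(secret.encode(), canon, hashlib.sha256).digest(), "big")
    out = []
    for _ in range(length):
        n, idx = divmod(n, len(ALPHABET))
        out.append(ALPHABET[idx])
    return "".join(out)


def full_password(stored_part: str, secret: str, site: str) -> str:
    """What you type at the site: the manager's half plus the derived half."""
    return stored_part + site_suffix(secret, site)


def guess_space_bits(password: str) -> float:
    """Rough brute-force cost in bits, assuming the attacker knows which
    character classes are present (what a mask attack would try)."""
    classes = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)
    size = sum(len(c) for c in classes if any(ch in c for ch in password)) or 1
    return len(password) * math.log2(size)


if __name__ == "__main__":
    half, secret = "m@dddMONEY", "1997camcam"
    for site in ("etrade", "webmail"):
        pw = full_password(half, secret, site)
        print(f"{site}: {pw}  (~{guess_space_bits(half):.0f} -> ~{guess_space_bits(pw):.0f} bits)")
```

Because the suffix is derived rather than remembered, the two disadvantages above stay exactly as stated: you still carry one secret in your head, and changing that secret changes every site’s password at once, so nothing automated can fill these in for you.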

Building Spyshakers - Can I Get A Witness!

Wednesday, March 12th, 2008

This is the first in a series of posts explaining the challenges behind building Spyshakers. The first thing I want to say is that I spent eight months in the dark thinking this thing through. Eight months in the dark is a long time to think about anything. Some days I would come home infuriated. Infuriated because I couldn’t prove things. How can you prove that you really don’t know what your customer’s credentials are? How can you prove it, Grant? On the first day I couldn’t. On the last day I couldn’t. Somewhere in there I started to believe that proof doesn’t exist in the real world. I can find reasonable doubt. I can find burden of proof. Isn’t that interesting? I did not know the opposite of reasonable doubt until I did a search for “not reasonable doubt”. Up came a legal term called “burden of proof”. Attaching the word “burden” seems to indicate that proving things in the real world is very hard. Clearly someone has thought this through before. Maybe proof is impossible?

So we move on to the next best thing. If we can’t establish fact, we can try to convince. Can I get a witness! That is when I found out about the TRUSTe organization. You can see the TRUSTe Mission Statement. Because we can’t prove, we use TRUSTe as our primary witness. Compliance with their program is not easy. They are like a super witness! I hope that our compliance with their program helps to establish trust. I am always pursuing more witnesses. The Better Business Bureau is probably next. It never hurts to have several super witnesses haha.

So establishing witnesses is important for trust. What exactly are we establishing trust for? Well, Spyshakers acts as a password manager, and nobody hands a password manager their passwords without trusting it. That trust depends on the secrecy of your passwords. How is this done? We do not store your master password. We store a one-way hash of it (like a footprint). Your master password lives on your computer (technically in the parameter string). Computers are the only ones that ever see it. Administrators do not. It encrypts and decrypts all of your secrets.

This makes Spyshakers garbage in, garbage out. You send garbage to Spyshakers. We store garbage. You request garbage from Spyshakers. You get garbage. The master password turns the garbage into gold along the way. We love storing garbage in our database. Garbage is not as appealing to hackers. Now you know!
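Here is what that split looks like in working code. This is an added example, not Spyshakers code, and it does not claim to match how Spyshakers does it; it models the description above with two details a practitioner would insist on that the description leaves implicit. First, the login verifier the server stores and the key that decrypts the vault are derived from the master password through different labels, so the stored “footprint” cannot unlock anything. Second, each stored record carries an authentication tag, so a tampered blob is refused rather than decrypted into nonsense. The cipher is HMAC-SHA256 in counter mode with an encrypt-then-MAC tag, chosen only so the example runs with the standard library; a product would use AES-GCM or ChaCha20-Poly1305 from a vetted library. All names, the PBKDF2 cost and the sample records are hypothetical.

```python
"""Garbage in, garbage out: a client-side encrypted vault.

Added example, not Spyshakers code. The server keeps a one-way
verifier of the master password plus opaque blobs; the vault key is
derived on the client and never sent. Verifier and vault key are
derived separately, and every record is authenticated (encrypt-then-MAC).
The HMAC-counter-mode cipher is a stdlib stand-in for a real AEAD.
"""
import hashlib
import hmac
import json
import os
from typing import List, Tuple

ROUNDS = 100_000  # assumption: PBKDF2 cost picked for the demo; raise in production


def derive_keys(master_password: str, salt: bytes) -> Tuple[bytes, bytes]:
    """Return (login_verifier, vault_key); the labels keep them independent,
    so the verifier the server stores cannot decrypt the vault."""
    root = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, ROUNDS, dklen=32)
    verifier = hmac.new(root, b"login-verifier", hashlib.sha256).digest()
    vault_key = hmac.new(root, b"vault-key", hashlib.sha256).digest()
    return verifier, vault_key


def _subkeys(vault_key: bytes) -> Tuple[bytes, bytes]:
    enc = hmac.new(vault_key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(vault_key, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; stand-in for a real stream cipher."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(vault_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag (the 'garbage')."""
    enc_key, mac_key = _subkeys(vault_key)
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(vault_key: bytes, blob: bytes) -> bytes:
    """Check the tag before decrypting; wrong key or modified blob is refused."""
    enc_key, mac_key = _subkeys(vault_key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("vault record tampered with or wrong key")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class Server:
    """The back end: sees salts, verifiers and opaque blobs, never a key."""

    def __init__(self) -> None:
        self.users = {}

    def register(self, username: str, salt: bytes, verifier: bytes) -> None:
        self.users[username] = {"salt": salt, "verifier": verifier, "records": []}

    def salt_for(self, username: str) -> bytes:
        return self.users[username]["salt"]

    def login(self, username: str, verifier: bytes) -> bool:
        return hmac.compare_digest(self.users[username]["verifier"], verifier)

    def store(self, username: str, blob: bytes) -> None:
        self.users[username]["records"].append(blob)

    def fetch(self, username: str) -> List[bytes]:
        return list(self.users[username]["records"])


def client_signup(server: Server, username: str, master_password: str) -> None:
    salt = os.urandom(16)
    verifier, _ = derive_keys(master_password, salt)
    server.register(username, salt, verifier)      # the vault key never leaves the client


def client_save(server: Server, username: str, master_password: str,
                site: str, site_user: str, site_pass: str) -> None:
    verifier, vault_key = derive_keys(master_password, server.salt_for(username))
    if not server.login(username, verifier):
        raise PermissionError("bad master password")
    record = json.dumps({"site": site, "user": site_user, "pass": site_pass}).encode()
    server.store(username, seal(vault_key, record))   # garbage in


def client_load(server: Server, username: str, master_password: str) -> list:
    verifier, vault_key = derive_keys(master_password, server.salt_for(username))
    if not server.login(username, verifier):
        raise PermissionError("bad master password")
    return [json.loads(unseal(vault_key, blob)) for blob in server.fetch(username)]  # gold out
```

Note what the server can and cannot do here. It can confirm a login, because it holds the verifier. It cannot read a record, because the verifier is not the vault key and the vault key was never sent. And it cannot quietly alter a record, because the tag will fail on the client. That is the property the post is reaching for when it says the database holds garbage; the separate derivation of verifier and key is what makes the claim hold rather than merely sound good.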


Enter The Matrix

Wednesday, March 12th, 2008


Trinity: Morpheus believes he is the one.
Cypher: Do you?
Trinity: It doesn’t matter what I believe.
Cypher: You don’t, do you?
Trinity: Did you hear that?
Cypher: Hear what?
Trinity: Are you sure this line is clean?
Cypher: Yeah, of course I’m sure.
Trinity: I better go.

Are you sure this line is clean? What line? What does that even mean? Let’s use The Matrix to further define identity systems.

Remember our definition of identity? An identity is the perception of an entity by a witness within the context of space time. When Trinity asks Cypher if the line is clean in the beginning of The Matrix, she is really asking Cypher if there are any unwanted witnesses. Have you ever excused yourself from the room because of a cell phone conversation? Why did you do that? You did that because the secrets exchanged in the conversation were to be shielded from unwanted witnesses. This is privacy. Security is the shield for doing so. In this case, what shield is used? Simply space time. Relocating puts unwanted witnesses out of earshot. The shield is not always that simple.

Internet transactions generally rely on the Secure Sockets Layer (SSL, now standardized as TLS) to exchange secrets. SSL depends on encryption for its shield. During the handshake the two computers use public-key cryptography, and the server’s certificate, to agree on a session key that an eavesdropper on the line cannot learn. From then on, data is encrypted on the origin computer with that session key, the encrypted message is sent over the channel, and the destination decrypts it with the same shared key. This is how the internet shields its private messages.


That Police Car Morphed Into A Semi Truck!

Tuesday, March 11th, 2008

I was driving home the other day on the Hutchinson Bypass. It is a toll road that runs between Delmont and New Stanton (southeast of Pittsburgh, PA). It was late evening, but the Hutchinson is a new road with many street lights.

So I am driving home. Well, up ahead I can see red tail lights on the side of the road. Sometimes police cars sit on this road to catch speeders. My initial perception is to define the entity ahead as a police car. It has red tail lights just like a police car. It was on the side of the road like a police car. I have no choice but to assume it is one. I slow down just in case. As I approach, it becomes clear that the entity is not a police car. It is a semi truck! This is really fascinating to me. Somewhere on the Hutchinson Bypass, a witness (me) saw a police car (first perception of entity) morph (change perception) into a semi truck (second perception of same entity). An entity’s identity changed right in front of me. I got to thinking that this probably happens all the time, but we never think of it in this way!


Genius

Sunday, March 9th, 2008

Genius is someone that turns the extremely complex into something simple. - Grant Alan Friedline
