The Espionage

Can you build a website that diffuses spyware by itself? Yes! I will explain how we did this with a little javascript, a little html, and a lot of logic. We call our solution a Shaker List™. Think of it as a special captcha code.

Captcha codes are web filters. They filter out spam. A Shaker List is a web filter too. It filters out spyware, pharming, and phishing. How does it work? Your favorite websites are displayed on screen after you have authenticated partially. At that time, you select a handful of your reserved favorites.  Choosing the correct items grants full access.  With careful logic, this process can diffuse spyware (if you need briefed on how spyware attacks a web page, see our Internet Security Monster post).

Why build a website that can diffuse spyware?

• To strengthen an online identity.
• To assist anti-spyware.
• To prove that it can be done.

Any or all of these reasons will do. Consider the following.

1.) Phishing relies on a common authentication experience. If you stagger the authentication to show a personalized item in between credentials, your website becomes phishing resistant.

On the topic of phishing, identity expert Ben Laurie says “any mechanism that can be imitated by a web page is dead in the water“. The keyword is imitation. Does our Shaker List eliminate the ability to imitate? Conveniently, everyone’s list of favorite websites is custom. That makes a Shaker List hard to imitate aka phishing resistant. Correct me if I am wrong, but doesn’t that make it pharming resistant as well? Any pharming site will not know the correct list of favorites to display to the end user.

2.) If you build in authentication that does not require typing then you avoid all keyloggers.

A Shaker List is filled out by hovering over the checkboxes that appear right beside your favorite websites. No typing.

3.) If your authentication is not somewhat innate, it will be unintentionally forgotten.

Anytime you are talking about favorite things, you are talking about an innate topic. Favorite websites are part of your personality. That makes a list of favorite websites a good identifier.

4.) If your authentication is too simple, it can be guessed.

A Shaker List has scalable complexity. Build a large list of favorites if you don’t want the challenge to be simple. Choose several favorites in your Shaker List to make the challenge even harder.

A Long List of Favorites + A Handful of Shaker List Favorites = Not Easy To Guess

5.) If your authentication experience runs off the screen then it is difficult to hijack the credentials in a screen shot.

A Shaker List challenge displays all favorites in a list straight down the screen. My Shaker List runs five screens deep if scrolling from top to bottom in the browser. Thats hard to capture in one screen shot

6.) If your authentication does not require clicking, then it is hard to take a screen shot on a click.

A Shaker List is filled out by hovering over the checkboxes that appear in front of your favorite websites. No clicking.

7.) If your authentication requires additional personal knowledge after several failed attempts, you have significantly increased the complexity of an attack.

If a Shaker List is being guessed at, it locks down and requires additional information. The additional information required is called a Secret Agent. If you are ever being attacked, you will need your Shaker List and your Secret Agent to bail you out!

8.) If additional personal knowledge required to unlock an attacked account is too public, it can be found out by the attacker.

The Secret Agent is extremely innate. Its not a maiden name, middle name, or zip code. Those things can be researched.

9.) If additional personal knowledge required to unlock an attacked account is too arbitrary, it will be forgotten.

My Secret Agent is rather comical. I want it that way. That makes it easy to remember. It is not a diluted request like memorizing yet another password. How many other identity systems ask you to remember a Secret Agent? Not many. Good.

You can practice the Shaker List if you want to. We have a page for that here. Just a note. The Shaker List practice page does not lock down if you guess too many times incorrectly. Our implementation at Spyshakers.com does lock down though.

Share It!

This is the first in a series of posts explaining the challenges behind building Spyshakers. The first thing I want to say is that I spent eight months in the dark thinking this thing through. Eight months in the dark is a long time to think about anything. Some days I would come home infuriated. Infuriated because I couldn’t prove things. How can you prove that you really don’t know what your customer’s credentials are? How can you prove it, Grant? On the first day I couldn’t. On the last day I couldn’t. Somewhere in there I started to believe that proof doesn’t exist in the real world. I can find reasonable doubt. I can find burden of proof. Isn’t that interesting. I did not know the opposite of reasonable doubt until I did a search for “not reasonable doubt”. Up came a legal term called “burden of proof“. Attaching the word “burden” seems to indicate proving things in the real world is very hard. Clearly someone has thought this through before. Maybe proof is impossible?

So we move on to the next best thing. If we can’t establish as fact, we can try to convince. Can I get a witness! That is when I found out about the Truste organization. You can see the Truste Mission Statement. Because we can’t prove, we use Truste as our primary witness. Compliance with their program is not easy. They are like a super witness! I hope that our compliance in their program helps to establish trust. I am always pursuing more witnesses. The Better Business Bureau is probably next. It never hurts to have several super witnesses haha.

So establishing witnesses is important for trust. What exactly are we establishing trust for? Well, Spyshakers acts as a password manager. The process needs trust to interact. Trust is dependent on the secrecy of your passwords. How is this done? We do not store your master password. We store a one way hash of it (like a footprint). Your master password lives on your computer (technically in the parameter string). Computers only see it. Administrators do not. It decodes and encodes all secrets.

This makes Spyshakers garbage in garbage out. You send garbage to Spyshakers. We store garbage. You request garbage from Spyshakers. You get garbage. The master password turns the garbage into gold along the way. We love storing garbage in our database. That means it is not as appealing to hackers. Now you know!

Share It!

I was driving home the other day on the Hutchinson Bypass. It is a toll road that runs between Delmont and New Stanton (southeast of Pittsburgh, PA). It was late evening, but the the Hutchinson is a new road with many street lights.

So I am driving home. Well up ahead I can see red tail lights on the side of the road. Sometimes police cars sit on this road to catch speeders. My initial perception is to define the entity ahead as a police car. It has red tail lights just like a police car. It was on the side of the road like a police car. I have no choice but to assume it to be. I slow down just in case. As I approach, it becomes clear that the entity is not a police car. It is a semi truck! This is really fascinating to me. Somewhere on the Hutchinson Bypass, a witness (me) saw a police car (first perception of entity) morph (change perception) into a semi truck (second perception of same entity). An entity’s identity changed right in front of me. I got to thinking that this probably happens all the time, but we never think of it in this way!

Share It!

I started dreaming up Spyshakers back in 2003. Back then I was fresh off my philosophical courses at Saint Vincent College. I had an outstanding professor at Saint Vincent. His name was Dr. Guess. He doesn’t teach philosophy anymore (I believe he went into High School Chemistry?). I like to say that he had to quit teaching philosophy because I answered all his questions. Haha. We had good discussions though. I had a lot of fun in Metaphysics. I came to peace with many philosophical questions that I had. Those answers influence everything. They establish beliefs. It is funny how close belief and fact are related. If 2 + 2 = 4 is a fact, don’t I first have to believe in the 2, believe in the +, believe in the = and believe in the 4 for the equation to even make sense?

Mind you before I go further my major was not philosophy (it was Computer Science). I have not been in college for a while! Nevertheless I tried to build Spyshakers around philosophy when possible. I will explain over time.

Enter the concept of an identity. If you want to build the world’s premier identity website, it would help to construct the definition of identity. Merriam-Webster defines identity as “sameness in all that constitutes the objective reality of a thing”. At the time of writing Merriam-Webster has four definitions for identity. Lets break down the aforementioned. If an identity is sameness in all that constitutes the objective reality of a thing, is my sameness as a baby equal to my sameness as an adult? Hardly. What is the difference between the two identities? Many things. When did the sameness change? Vaguely and through time. By who’s testimonial did anything change? By the perception of someone who witnessed. No wonder everyone has such a hard time coming up with good identity solutions. The definition is wrong! Haha.

A better definition of identity would be “the perception of an entity assigned by a witness in the context of time and space”. If perceptions are being assigned within time and space, that means the identity of an entity is subject to change. In English that means identities for real world things can change!

Share It!