Posts Tagged ‘Spyshakers’

A Captcha Code For Spyware

Wednesday, April 2nd, 2008

[Image: Captcha example]

Can you build a website that defuses spyware by itself? Yes! I will explain how we did this with a little JavaScript, a little HTML, and a lot of logic. We call our solution a Shaker List™. Think of it as a special captcha code.

Captcha codes are web filters. They filter out automated submissions, and with them most spam. A Shaker List is a web filter too. It filters out spyware, pharming, and phishing. How does it work? After you have supplied the first part of your credentials, your favorite websites are displayed on screen. At that point you select a handful of them: the ones you reserved in advance as your Shaker List. Choosing exactly the right items grants full access. With careful logic, this process can defuse spyware (if you need a briefing on how spyware attacks a web page, see our Internet Security Monster post).

Why build a website that can defuse spyware?

  • To strengthen an online identity.
  • To assist anti-spyware.
  • To prove that it can be done.

Any or all of these reasons will do. Consider the following.

1.) Phishing relies on a common authentication experience. If you stagger the authentication to show a personalized item in between credentials, your website becomes phishing resistant.

On the topic of phishing, identity expert Ben Laurie says “any mechanism that can be imitated by a web page is dead in the water”. The keyword is imitation. Does our Shaker List eliminate the ability to imitate? Conveniently, everyone’s list of favorite websites is custom. That makes a Shaker List hard to imitate, which is to say phishing resistant. Correct me if I am wrong, but doesn’t that make it pharming resistant as well? A pharming site will not know the correct list of favorites to display to the end user.

2.) If you build in authentication that does not require typing then you avoid all keyloggers.

A Shaker List is filled out by hovering over the checkboxes that appear right beside your favorite websites. No typing.

3.) If your authentication is not somewhat innate, it will be unintentionally forgotten.

Anytime you are talking about favorite things, you are talking about an innate topic. Favorite websites are part of your personality. That makes a list of favorite websites a good identifier.

4.) If your authentication is too simple, it can be guessed.

A Shaker List has scalable complexity. Build a large list of favorites if you don’t want the challenge to be simple. Choose several favorites in your Shaker List to make the challenge even harder.

A Long List of Favorites + A Handful of Shaker List Favorites = Not Easy To Guess

5.) If your authentication experience runs off the screen then it is difficult to hijack the credentials in a screen shot.

A Shaker List challenge displays all favorites in a list straight down the screen. My Shaker List runs five screens deep when scrolled from top to bottom in the browser. That's hard to capture in one screen shot ;-)

6.) If your authentication does not require clicking, then it is hard to take a screen shot on a click.

A Shaker List is filled out by hovering over the checkboxes beside your favorite websites. No clicking.

7.) If your authentication requires additional personal knowledge after several failed attempts, you have significantly increased the complexity of an attack.

If a Shaker List is being guessed at, it locks down and requires additional information. The additional information required is called a Secret Agent. If you are ever being attacked, you will need your Shaker List and your Secret Agent to bail you out!

8.) If additional personal knowledge required to unlock an attacked account is too public, it can be found out by the attacker.

The Secret Agent is extremely innate. It's not a maiden name, middle name, or zip code. Those things can be researched.

9.) If additional personal knowledge required to unlock an attacked account is too arbitrary, it will be forgotten.

My Secret Agent is rather comical. I want it that way. That makes it easy to remember. It is not a diluted request like memorizing yet another password. How many other identity systems ask you to remember a Secret Agent? Not many. Good.

You can practice the Shaker List if you want to. We have a page for that here. Just a note. The Shaker List practice page does not lock down if you guess too many times incorrectly. Our implementation at Spyshakers.com does lock down though.


A Gorilla Riding A Bull In A China Shop

Friday, March 28th, 2008

Last post I described several hazards to an internet identity on the user end. Spyware was talked about a lot. It is the 800 pound gorilla in the room that no one ever wants to talk about. I explained why anti-spyware isn’t always good enough to save you. That amplifies the problem. It’s just not popular enough yet to fear. But spyware products are innovating. They are scarily stealthy and sophisticated. With every revision, they get simpler to use. You can’t ignore that. That’s a gorilla riding a bull in a china shop.

You could approach the solution in several ways. You could cross your fingers and rely on anti-spyware. You could rely on an identity management system that authenticates directly between the local operating system and the websites themselves (I think this is what Cardspace does, but I am not sure of all of its spyware resistant features). Maybe other identity systems try to resist spyware as well. In our case, we are going to try to build a web-based, spyware resistant solution.

Now, if this spyware resistance I speak of cannot be done with a simple user experience in mind, then I say take the losses and scrap it. But follow me. What would it take? What would it take to build a website that is spyware resistant? Can we get phishing resistant too? I know we can. Consider the following bullets (with some of the points taken from my previous post The Internet Security Monster). I will describe how we implemented these bullets in an upcoming post.

  • Phishing relies on a common authentication experience. If you stagger the authentication to show personalization before all credentials are supplied, your website becomes phishing resistant.
  • If you build in authentication that does not require typing then you avoid all keyloggers.
  • If your authentication is not somewhat innate, it will be unintentionally forgotten.
  • If your authentication is too simple, it can be guessed.
  • If your authentication experience runs off the screen then it is difficult to hijack the credentials in a screen shot.
  • If your authentication does not require clicking, then it is hard to take a screen shot on a click.
  • If your authentication requires additional personal knowledge after several failed attempts, you have significantly increased the complexity of an attack.
  • If additional personal knowledge required to unlock an attacked account is too public, it can be found out by the attacker.
  • If additional personal knowledge required to unlock an attacked account is too arbitrary, it will be forgotten.

The Internet Security Monster

Wednesday, March 26th, 2008

I have been talking a lot about philosophy and identity. I wanted to mix it up with this post. Let’s talk security. Let’s talk about internet security. Ohhh man. Here we go. I am going to call this post The Internet Security Monster. What is the Internet Security Monster? He is a mysterious creature.

I’ve heard that the Internet Security Monster does whatever he wants. And no one can do anything about it. That is what I have heard. I have encountered this monster more than most. I will try to define for you the skills of the Internet Security Monster. Please note. These are end user hazards. I am not including security breaches that occur on the back end of websites. That’s a different monster. That’s the Network Security Monster.

1. Deceptive.

The monster will show you websites pretending to be other websites. We call that phishing.  Monster phishes all day long.

2. Intelligent.

Monster uses spyware as his weapon of choice. Typed credentials are captured by spyware. The target web page is captured by spyware. Monster wins.

3. Stealth.

The monster tricks you into believing that anti-spyware will destroy him. Anti-spyware weakens the monster but it does not kill him. Anti-spyware definitely eliminates many threats. But it does nothing against hardware keyloggers or stronger keyloggers that run at the kernel level. It is also difficult for anti-spyware to detect spyware that it is not familiar with. Sometimes the monster is there but you can not see him.

4. All knowing.

Monster knows all. He knows you think that auto-completing all of your passwords saves you from spyware because you are not typing passwords. Spyware can capture your auto-completes. Monster 1. You 0.

5. If he doesn’t know he will guess.

Not all threats come from spyware. Your passwords must have some degree of complexity and length to save you from a brute force hack. Some say eight characters is safe. Some say ten. Monster says three digits. Don’t listen to the monster.

6. X-ray vision.

The monster can see through your house right to your computer screen, so it seems. Sophisticated spyware has screen capturing built in to the program. Pictures can be taken of your computer screen at a short interval if this kind of spyware is running (technically down to the second, but more practically once every 30 seconds or so). Some spyware can take screenshots when the mouse is clicked. Pictures are then sent off to a remote location. Scary.

7. Advantageous.

It is innocent, but it happens. You have a few friends over for poker night. You take out the trash. When you come back you are greeted by a screen full of those pictures of your girlfriend that no one was supposed to see. What a shame. Don’t auto-complete the credentials to your email. Bad move. Damn you monster!

8. Mobile.

We know. Your home computer is authenticated by a biometric face scan. Your firewall issues third degree burns, and you run anti-virus, anti-spyware and anti-aircraft weapons. But when you use your friend’s computer, you may be high and dry. The monster can set traps on other people’s computers. Beware.

9. Sticky Fingers.

Damaged, lost, or stolen flash drives mean that your collection of passwords could fall into the wrong hands. Monster hands. Hopefully you backed up the flash drive so that you can recover most of the passwords. It gets worse if the password that was protecting the flash drive is weak. In that case, the flash drive can be brute-forced by the monster. Now your identity is stolen. Here is a box of tissues. You will need them.

10. Copycat.

Copy and paste can be monitored by spyware with clipboard monitoring built in. Monster knows you don’t care, but it’s still true.

In an upcoming blog post I will show you how to stop this menace.


Building Spyshakers - Can I Get A Witness!

Wednesday, March 12th, 2008

This is the first in a series of posts explaining the challenges behind building Spyshakers. The first thing I want to say is that I spent eight months in the dark thinking this thing through. Eight months in the dark is a long time to think about anything. Some days I would come home infuriated. Infuriated because I couldn’t prove things. How can you prove that you really don’t know what your customer’s credentials are? How can you prove it, Grant? On the first day I couldn’t. On the last day I couldn’t. Somewhere in there I started to believe that proof doesn’t exist in the real world. I can find reasonable doubt. I can find burden of proof. Isn’t that interesting. I did not know the opposite of reasonable doubt until I did a search for “not reasonable doubt”. Up came a legal term called “burden of proof”. Attaching the word “burden” seems to indicate proving things in the real world is very hard. Clearly someone has thought this through before. Maybe proof is impossible?

So we move on to the next best thing. If we can’t establish as fact, we can try to convince. Can I get a witness! That is when I found out about the Truste organization. You can see the Truste Mission Statement. Because we can’t prove, we use Truste as our primary witness. Compliance with their program is not easy. They are like a super witness! I hope that our compliance in their program helps to establish trust. I am always pursuing more witnesses. The Better Business Bureau is probably next. It never hurts to have several super witnesses haha.

So establishing witnesses is important for trust. What exactly are we establishing trust for? Well, Spyshakers acts as a password manager. The process needs trust to interact. Trust is dependent on the secrecy of your passwords. How is this done? We do not store your master password. We store a one-way hash of it (like a footprint). Your master password lives on your computer (technically in the parameter string). Computers only see it. Administrators do not. It decodes and encodes all secrets.

This makes Spyshakers garbage in garbage out. You send garbage to Spyshakers. We store garbage. You request garbage from Spyshakers. You get garbage. The master password turns the garbage into gold along the way. We love storing garbage in our database. That means it is not as appealing to hackers. Now you know!


Welcome to the Espionage

Saturday, March 8th, 2008

Welcome to the Espionage. My name is Grant Alan Friedline. I am the President of Grant City Ventures Inc and the founder of the Spyshakers project. This is my first post on our re-designed blog. I admit, I didn’t really know what I was doing with the first blog. I think I can do better this time around. Where to start? Let’s start at the beginning!

I am an alumnus of Saint Vincent College (2002) and University of Pittsburgh (2003). I studied Computer Science at Saint Vincent College. After graduation I had a very hard time getting a job. Job opportunities were few and far between in 2002 (right after nine eleven). My internships at Saint Vincent College were nothing impressive. I was in a world of hurt. In 2003 I went back for my Masters Degree at the University of Pittsburgh School of Information Science. I graduated from Pitt in one year. Pitt grad school gave me enough insight to consider starting my own company. I thought up a project for storing favorite websites online.

At the time my project was called Page Genius (I later found out that website was taken - not too bright in my young age haha). As I coded Page Genius I found similar websites popping up on the internet. This was disappointing and I put the project on the shelf for a while. I started working at Sony on the assembly line. It was the only (slightly) respectable job I could get.

Working on the assembly line was hard work. When I first got the job I would dance at my station. I finally had a job! But after time I got run down. This was trial by fire. I worked in what they call “the dark room”. It is just that. Picture a trailer-like shelter built over top of the assembly line. Quality control tests are done inside. Thousands of televisions pass by me. I worked by myself. In the dark. On the graveyard shift. With no air conditioning and no chairs! It was not pleasant, but it was a job.

You have a lot of time to kill when you work a job like this. I dusted off Page Genius. It was my ticket out of here. What to do? I started taking notes. Lots of notes. In the dark. I did have a flashlight. Haha.

This is my suggestion to anyone who wants to start their own business. Get a zombie job. You need a zombie job in the very beginning. What am I talking about? You need a job where you can literally think about something else for eight hours on end. Your body is working. It is automated. Very robotic. Your mind is drifting off. Solving problems. You are planning something else. You are building a business while you earn a paycheck. This doesn’t work at all jobs. Choose wisely.

Back to Page Genius. I focused on passwords instead of favorite websites. Nobody out there could do password management the way I wanted. How do you store someone else’s password without knowing what it is? And give it back to them whenever they want? And prevent it from being stolen by spyware? And get it from any computer? And nooo I am not carrying a flash drive everywhere. I can barely remember my car keys!

These were major problems that took me months and months to solve. Maybe not solve, but at least provide a working solution. The answers came to me. The answers came to me in the darkness at Sony on the graveyard shift. I picked up my investor somewhere in there. You will find that during the business building stage you lose track of time. Not just by days. By years. It’s 2008 already? Where have I been!
