Auth, break, search

So, I saw this headline.

Stupid People Alert: 81% Of UK Commuters Give Away Personal Information

Then, I read the referenced article.

Organisers of the annual information security event have been running a survey of this kind for a few years. Each time, the result is the same: whether the incentive is free theatre tickets or a free pen, people fall far too easily for these simple tricks of social engineering.

The type of information these people gathered is the same information we all give out all the time – it is not secret. Take someone like me – I can immediately think of two ways I commonly give out such personal information: when I order stuff online and when I meet new people that I want to keep in touch with. I am sure many others do the same, including the organizers of this event.

So, this article illustrates not that people are stupid, but that the information used to authenticate people is stupid. It shows that gathering the information necessary for identity theft is easy because the information used to authenticate our identities is so public. What needs to change is the way we authenticate our identities, not people giving out public information publicly. And, there are many tools out there for doing just that, such as public key crypto, identity-based crypto, shared secrets, physical tokens/smartcards, biometrics, reputation, etc., but the incentive to change might not yet exist.

Unfortunately, until the day we authenticate our identities in a less stupid manner, I guess people still need to follow that old advice – keep the information that the credit card company and government ask you for when verifying your identity as much of a secret as you can (e.g., mother’s maiden name, birth date, social security number, etc.). Yes, it is silly and stupid, but maybe it buys you a slight speedbump of identity security.
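As an added illustration (not code from the original post), here is a small Python sketch of the point above: a static fact about you (mother’s maiden name, date of birth) is a replayable password that is also public, whereas a challenge/response over a shared secret held in a token or smartcard – one of the options listed earlier – never sends the secret and binds each login to a fresh nonce. The names, answers and key below are constructed for the example.

```python
import hashlib
import hmac
import secrets


class KbaVerifier:
    """Knowledge-based authentication: the 'secret' is a static fact
    (mother's maiden name, date of birth) sent in the clear."""

    def __init__(self, records):
        self.records = records  # name -> {question: answer}, constructed data

    def verify(self, name, answers):
        expected = self.records.get(name)
        if expected is None or set(answers) != set(expected):
            return False
        return all(hmac.compare_digest(expected[q], a) for q, a in answers.items())


class ChallengeResponseVerifier:
    """Shared-secret challenge/response: the key never crosses the wire and
    each transcript is bound to a fresh random nonce."""

    def __init__(self, keys):
        self.keys = keys  # name -> bytes key held in the user's token/smartcard
        self.outstanding = {}

    def challenge(self, name):
        nonce = secrets.token_bytes(16)
        self.outstanding[name] = nonce
        return nonce

    def verify(self, name, nonce, response):
        key = self.keys.get(name)
        issued = self.outstanding.pop(name, None)
        if key is None or issued is None or not hmac.compare_digest(issued, nonce):
            return False
        expected = hmac.new(key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def respond(key, nonce):
    """Claimant side: prove possession of the key without revealing it."""
    return hmac.new(key, nonce, hashlib.sha256).digest()


def replay_demo():
    """Returns (kba_replay_ok, cr_legit_ok, cr_replay_ok) for an eavesdropper
    who captured one successful transcript of each scheme."""
    kba = KbaVerifier({"alice": {"maiden_name": "Smith", "dob": "1975-03-02"}})
    key = b"constructed-example-key-not-a-real-secret"
    cr = ChallengeResponseVerifier({"alice": key})

    # Legitimate KBA login, observed (or simply looked up) by the attacker.
    captured_answers = {"maiden_name": "Smith", "dob": "1975-03-02"}
    assert kba.verify("alice", captured_answers)
    kba_replay_ok = kba.verify("alice", dict(captured_answers))  # same data works again

    # Legitimate challenge/response login, also observed by the attacker.
    nonce = cr.challenge("alice")
    response = respond(key, nonce)
    cr_legit_ok = cr.verify("alice", nonce, response)

    # Attacker replays the captured (nonce, response) pair; the verifier has
    # issued a new nonce, so the old response no longer proves anything.
    cr.challenge("alice")
    cr_replay_ok = cr.verify("alice", nonce, response)

    return kba_replay_ok, cr_legit_ok, cr_replay_ok


if __name__ == "__main__":
    print(replay_demo())  # (True, True, False)
```

The interesting line is the last one: the captured transcript is worthless against a fresh challenge, which is exactly the property a birth date or maiden name can never have, no matter how carefully you hide it.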

A better article to read on that site is this one.

Workers were asked a series of questions which included, “What is your password?” – to which 37% immediately gave their password. If they initially refused, the researchers used social engineering tactics: “I bet it’s to do with your pet or child’s name” – at which a further 34% revealed their passwords.

One man said his office uses 10 different systems a day, so he and his colleagues share one password for each system so that they can remind each other if they forget.

Authentication information needs to hold the same importance to people as the keys to their homes or safety deposit boxes, and be just as easy to use – that can be hard to achieve. I posted on passwords a long while back.

Update: Catching up on my feeds, I see this post by Lindstrom. Essentially, he says keeping SSNs secret props up the authentication facade, so let’s just publish them all right now. That is one way to try and force a sensible change.

Oh, and I see this article, “The Laws of Identity”, via metafilter.

-

This reminds me of a comment I wrote a while back in response to this post.

How can one attempt to build things without first understanding how to break things? And, how can one fix something they do not know is broken in the first place?

[...]the crypto community is small, open, and homogeneous in a way that it generally uses cryptanalytic results to eliminate weaker crypto from the ballgame quite early on before its widespread adoption and use

[...]the publishing of security research leads to the ability to improve what is out there, whether by designing and building better primitives, protocols, and systems, or just fixing flaws in current deployments.

(One of the nice things about having a blog for a while is the ability to quote yourself rather than take the time to write new stuff.)

First you break em, then you build em. Whether boot camp, crypto, or security in general, that is the way of things.

(As for Flake, while I am not an academic, I do think people publish papers containing the partial results they have obtained thus far in a research effort. For example, a research project may take 10 years to complete, but each year a paper is published on the results obtained up to that point. I think you see this in the crypto community when the same people publish papers on similar topics over and over, each paper advancing the results of the previous one. This can serve many purposes, such as letting people know what you are doing, pulling in outside opinions, sparking others to get involved, discovering other research that is relevant, learning new ways to apply the research, covering academic requirements, etc.)

-

I saw the following referer search terms in our logs,

=lounges+in+nyc+that+don%27t+id&

Sorry kids, none of those are listed here. Rififi, Lit, Fontanas, Happy Ending, Marquee, Heathers, Lotus Cafe, Annex, Beauty, Cielo, Fat Baby, Orchard, and all the other places I end up a bit less regularly all require ID until they get to know you. (I would know this because I still get ID’d – maybe that will finally change when I cross the 30 year old threshold.)

Then, I saw the following referer search terms in our logs,

=secured+hidden+ip+address+panty+sites&

So, it seems we turn up when people search for anonymous panties. Great. (That does remind me though, this Wednesday night is the next In The Flesh Reading Series at Happy Ending.)

And, by blogging these search terms, we will now get more hits for them – that is something to look forward to in future posts. ;)
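As an added example (not part of the original post), here is the kind of script that pulls those search phrases out of a web server access log: it parses the Referer field of each combined-format line, picks the query parameter the search engine uses, and URL-decodes it, which is where `+` becomes a space and `%27` becomes the apostrophe in "don't". The `=...&` fragments quoted above are exactly one such parameter, before decoding. The log lines, addresses and timestamps are constructed for the example, and the engine-to-parameter table is an assumption, not something the post states.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample in Apache/nginx "combined" log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Jan/2006:22:14:03 +0000] "GET /archives/auth HTTP/1.1" 200 5120 "http://www.google.com/search?hl=en&q=lounges+in+nyc+that+don%27t+id&btnG=Search" "Mozilla/5.0"
198.51.100.9 - - [12/Jan/2006:22:15:44 +0000] "GET /archives/auth HTTP/1.1" 200 5120 "http://search.yahoo.com/search?p=secured+hidden+ip+address+panty+sites&ei=UTF-8" "Mozilla/4.0"
192.0.2.4 - - [12/Jan/2006:22:16:10 +0000] "GET /archives/auth HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# Fields of a combined-format line; the two quoted fields at the end are
# Referer and User-Agent, both supplied by the client.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Assumed mapping from search engine host to the parameter carrying the query.
SEARCH_PARAMS = {
    "www.google.com": "q",
    "search.yahoo.com": "p",
    "search.msn.com": "q",
}


def search_terms(log_text):
    """Return (client_ip, engine_host, decoded_query) for every hit whose
    Referer is a known search engine results page."""
    found = []
    for line in log_text.splitlines():
        m = COMBINED_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        referer = m.group("referer")
        if referer in ("", "-"):
            continue  # direct hit, no referer sent
        parts = urlsplit(referer)
        param = SEARCH_PARAMS.get(parts.hostname)
        if param is None:
            continue  # referer is not one of the engines we know
        # parse_qs turns '+' into spaces and decodes %XX escapes (e.g. %27 -> ').
        for term in parse_qs(parts.query).get(param, []):
            found.append((m.group("ip"), parts.hostname, term))
    return found


if __name__ == "__main__":
    for ip, host, term in search_terms(SAMPLE_LOG):
        print(f"{ip} via {host}: {term!r}")
```

One caveat before doing what this post does and blogging the results: the Referer header is whatever the visiting client chose to send, so treat the decoded phrase as untrusted input and HTML-escape it before it lands on a page, or the next referer in your logs may be a script tag rather than a search for lounges.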

2 Responses to “Auth, break, search”

  1. paul says:

    Been a while since I visited. Very nice post. Although I am a little paranoid now that I know you’re probably logging everything I have done since visiting here.

  2. [...] and all, I might as well throw in a weekend post. So, speaking of searches, you may remember this – well, fun times taking a quick peek at recent log [...]