Thursday, September 27, 2007

Humanity versus Security - Part 2: MFA

This is the second installment in a multi-part string of articles discussing how security affects the 'human' aspect of computing. Security is a very important issue in computing in this day and age. This is especially true on systems in which personal data about customers will be stored or handled.

As such, we try hard to increase the security of our systems, making it more difficult for hackers or other unsavory people to acquire information they don't have a right to read. Sometimes, however, making systems more secure and less simple for users makes them less secure in the long run.

Multi Factor Authentication

Most everyone is used to the standard form of authentication in the digital world, a password. It turns out though, that there are multiple ways to authenticate someone. There are three very clear types of authentication:
Something you know - Such as a password or PIN (often referred to as Out of Wallet)
Something you have - A physical object (such as your ATM card or RFID badge)
Something you are - Something about the actual user (such as fingerprint, retinal scan)

Simply put, Multi Factor Authentication is using more than one of these to ensure that someone is really who they say they are. In order to be MFA, they must be authenticated by at least two categories of authentication. Authenticating twice from the same category is NOT MFA.

In 2005 the USA Federal Government mandated that all financial institutions must use MFA to reduce identity theft and increase the safety of members/customers while on the internet. This was in place outside the internet without anyone really noticing (such as your ATM card and PIN). They also require all financial institutions to use encryption.

The problem

There is the issue that it is not easy to implement MFA. It is a regulation that is not possible at this point in time. The government has mandated a form of security that is not practical to implement. And more importantly, it is not something that most people want to deal with.

The simplest form of "something you know" is a password. This can be in the form of a PIN, password, mother's maiden name, or complicated pass phrase. This is supposed to be something that is secure, and something other people would not guess. It should be "Out of Wallet", meaning that it is not something that could be guessed if someone were to compromise your wallet. But identity thieves are a tricky group. They can likely figure out what your mother's maiden name is easily using the internet, or perhaps observe you typing your PIN while at the ATM. Not only that, but the system is depending on the user picking a good secure password.

"Something you have" is harder to implement. In the physical world these can be security badges, IDs, RFID tags, and cards with magnetic stripes (such as credit cards). On the internet it is not so easy; in fact it is downright hard. Currently for high security systems (such as VPNs for large corporations or government) the users are given devices. Sometimes these devices are USB dongles, or smart cards. My personal favorite is the device that generates pseudo-random numbers. It generates a number (as does the server, using the same time-synced algorithm), which the user then enters. Mostly I just like that one because it feels very James Bond. Of course, it's not practical to give every customer/member one of these devices. This form of authentication is not useful for the mainstream audience over the internet.

"Something you are" is indeed even harder. Usually this is implemented using biometrics, the most common of which is the fingerprint. It turns out however that fingerprint readers are easy to fool (and the methods to fool them well publicized by Mythbusters). Voice recognition is not effective since a voice is a simple matter to record. Retina scanners are bulky and expensive. It is almost impossible to use this authentication over the internet. Not only that, but if biometrics are compromised, they are compromised forever (you can't simply change your fingerprint as you can with a password). The best option is to give users a device that scans their fingerprint. This of course can't be given out to all the members of a financial institution.

So what do the banks and credit unions do? They require a password, your mother's maiden name, ask you what your first dog's name was, and a bunch of other questions. Is that MFA? No, it is not. Have I ever seen a true large scale MFA solution? No, I have not. MFA is effective in small scales only.


The biggest part of the problem though is that it is flat out annoying to have to jump through hoops to authenticate yourself. We all don't want the big bad wolf stealing our stuff, but we also don't want to be living in fear, or have to spend twice as much time just getting to our financial records. Why don't you frisk us when we walk into the nearest branch of our bank/CU while you are at it?

The Solution

Give up. No seriously, I mean it. MFA is not possible with our current technology. There are too many combinations of proprietary hardware out there to come out with a standard option (does that USB dongle work on mac/linux/windows/iPhone/Blackberry/Wii?). We do not have the technology out there for everyone to be scanning, encrypting, and transmitting their fingerprints to the servers for authentication. Devices get lost, fingerprints lifted.

When possible we should encourage small scale groups to use MFA, especially if they have access to other people's info. However it is not practical to use MFA for every single user. Not only is it impractical, it's impossible. We should not be pushing regulations that are impossible to enforce. We should of course try to research how to implement MFA in the future, but we also need to recognize that what we use in most cases now is not MFA.

Most importantly, users should be encouraged to choose good passwords that are truly secure. Don't write your PIN on your ATM card. Don't tell everyone your password. Protect it.

Thursday, September 13, 2007

Genius Plan (aka: fun with links)

So here's the plan. I need to steal a robot, and I need to kidnap a rocket scientist.

Using these two tools, we shall send a robot to the moon. And it shall move around 500 meters, and it shall take pictures of things. Maybe it will even snap some pictures of some old NASA junk that was left behind. We will collect our $30 million prize from Google for being the first privately funded operation to get to the moon with a robot.

Of course we'll give some money to OLC (who is likely who we would steal the robot from). And likely give a bit to Ted thanking him for his assistance (we will also release him from captivity if he wants, but only after he explains that equation to me again, because the last time he explained it to me I so didn't get it). Obviously some of the money will also have to go to posting bail after the kidnapping and theft.

But there should be plenty of money left over to take on our next step in the plan. We will work with Virtual Reality. We will combine full body sensor arrays, goggles, and a bit of wire-fu to create a full body 3D interactive VR experience. This will make us even more money of course.

This is just the start of the plan though! Oh it gets better! We shall reinvest that money into creating Holodecks! Of course we will license the name from Star Trek, and this corporation cooperation will be as big as iPod and Starbucks. Obviously this will completely crush the entertainment industry, which we will buy out completely. This will obviously bring in MASSIVE amounts of money.

But of course, we all know money can buy anything, even private plane landing strips on government airports. So that will let us push through new technology that will let people plug their brains directly into computers. We'll of course hook their brains up to our world wide entertainment system, along with lots of other software. We'll need a catchy name for it, something like Matrix or Web, but maybe not something that's taken yet (I kinda like the sound of Grid).

Ah, but here is where it gets REALLY tasty. These humans that we jack into the Grid, they have all this unused brain, all that useless computational power! So we will use their brains to run our distributed computing system (much like SETI@home). With that computational power we will find extraterrestrial life. And we will lure them here with tentacle porn. Once they are here, we will beat them up with Cheetos. We will then steal their space ship, and fly around the universe having a fun time.

Ah yes. It's a perfect plan.

Tuesday, September 11, 2007

Am I the demise or the future of humanity?

In the not so distant future we will all have RFID chips implanted in us. They will be used in place of credit cards and ID. They will let hospitals know all about our previous medical history when we walk in the door. They will be an electronic key for all sorts of things.

In the past we have replaced joints and various other body parts with synthetic materials, but only if they are defective. In the future we will be able to have elective surgery to replace our parts and pieces with more reliable, lower maintenance, higher performance synthetic parts.

Our brains will be plugged into the internet, with little video screens behind our eyes. We will have data storage in our brains so that we can record things and remember them better.

We will become synthetic, bionic, electronic. And I'm all for it!

Hook me up. Let me listen to my mp3 collection without having to carry an iPod and headphones. I would love to check the internet to see what movies are playing, and please give me directions of how to get there using my built in GPS device, because I'm lost again. What was that person's name again? Oh I see in my digital Rolodex in my brain who they are. You want me to rearrange the furniture again dear? No problem, with these new joints and muscles I can move our couch with ease.

No, I'm serious. I do want that. Yes, I want to put circuits in my brain. Yes, I'm okay with having an RFID chip in my hand that I can use to buy stuff. I would love a built in GPS device.

But they tell me companies could track my spending habits. So, you mean Best Buy could track what sort of purchases I make, so that they can more accurately offer me the goods and services that I am likely to want? They already do that with my Best Buy club card, and my Safeway card, and my Fred Meyers card, and my Borders card, and my Hollywood Video card, and my Mr. Movies card, and my Lovers card, and my AAA card, and my... well you get the idea. And of course on the internet every site has its own login and tracking (Amazon, Newegg, etc). And honestly, is it such a bad thing if they can track what I buy? I'm not ashamed of anything I buy. Sure, I don't want a lot of the things I buy to be known publicly, but why would they be?

This is the future we are going towards. Do I embrace it? Yes. Does it diminish humanity? Yes, no, maybe. So are people like me the sort that are going to be the future of humanity or the demise of humanity? I dunno. Hook me up and let's find out.

Wednesday, September 5, 2007

Humanity versus Security - Part 1: Passwords

This is the first installment in a multi-part string of articles discussing how security affects the ‘human’ aspect of computing. Security is a very important issue in computing in this day and age. This is especially true on systems in which personal data about customers will be stored or handled.

As such, we try hard to increase the security of our systems, making it more difficult for hackers or other unsavory people to acquire information they don't have a right to read. Sometimes, however, making systems more secure and less simple for users makes them less secure in the long run.

Password Complexity

One of the primary methods of securing systems is by using passwords. In a typical work day, I use four different passwords; however I have at least fifteen login/password keys associated with work. This of course isn't taking into consideration all of the personal login/passwords I have (personal e-mail, MMO logins, websites, forums, etc).

Many systems have different password requirements, such as: all lowercase, all uppercase, mixed case required, no digits allowed, digits required, must be under 8 characters, must be over 9 characters, and many other weird requirements. Some of them track the last few passwords you used and don't allow you to reuse them. Some systems are even so complicated that they require multiple passwords to get to successively deeper parts of the system, and the passwords are not allowed to be the same (there are even rumors of some systems that use heuristics to ensure they aren't similar).

We are told that it is wise not to reuse your passwords too much: if one password is compromised, then all of them are. For example, if you used the same password for your online banking as a forum, and the forum is compromised, now your bank account is at risk.

Of course, forgetting a password makes the user feel stupid. Some systems are quite nasty if you forget your password. Some IT help desks are polite and understanding, but those are a rare thing.

The Problem

The problem with this entire password idea is that humans simply can't remember 15 passwords. So what do users do? They write them down. We carry around little black books filled with passwords, have post-it notes all over our cubicles, and text files on our desktops. If any of these are compromised, then all of the systems we are associated with are compromised, and the entire security breach is blamed on the human’s inability to manage passwords properly.

Well, that's simply not fair. Humans can’t be expected to remember that many passwords. By requiring complex passwords for absolutely everything, we in truth are reducing the security of these systems because we force the users to write their passwords down.

This problem has four distinct parts. The first part of the problem is the blame game. We blame the programmers, the IT, and the software if there is a security breach. This is what forces the programmers to come up with convoluted systems to shift the blame onto the users.

The second part of the problem is the policy creators. Legislators, compliance officers, and managers demand systems to be secure. They demand these things without realizing what goes into actually making a system secure.

The third part of the problem is the programmers and IT themselves. They are required to make a system secure, and do so without consideration of the humans that are using the system.

The fourth part is the users themselves. They refuse to learn to manage their passwords appropriately and securely.

The Solution

There is no one single solution to the problem of password complexity; if there were, every system would use it. However, communication between all involved parties will allow a solution to form that is beneficial to the system, without being a problem for the users. We need to realize that making the password systems more complex in truth makes our systems less secure.

First off, we need to stop pointing fingers about whose fault it is, and instead try and figure out how to make systems secure without making it difficult for the humans that need to use them.

This would help reduce the making of pointless rules about security, and instead hunt for solutions. We need to trust our users a little bit more and give them a little bit of slack. It would also be helpful to explore new technologies such as RFID tags and biometric scanners.

There are also devices that can store our passwords for us and use fingerprints or a password to unlock. These devices should be encouraged instead of discouraged. They enable users to write down their passwords but still keep them secure, and allow a user to only need to remember one. However, it should be researched which

Most importantly though, everyone involved needs to realize it’s a problem. If fingers continue to be pointed and blame shifted, no one will want to take responsibility and try and repair the situation for fear of being reprimanded when the system breaks. Users and policy makers need to educate themselves about security. First and foremost the programmers and IT need to help educate everyone, and study methods to increase security without removing the human feel.

Tuesday, September 4, 2007

Cold Water

Why is water cold?

No, seriously, why is it cold? When you get water out of a water fountain, or a water cooler, or at the tap, or at a restaurant, what temperature is it? Cold.

Do people actually PREFER cold water to drink? I asked around. Some people said they do, and that it is more refreshing that way. But has anyone actually done a study on the drinking of cold/hot/room temp water? Or is it just that we all think "Oooh, ice, yeah gimme some of that."

And that's another thing. Ice. Why do we use ice? Sometimes the ice kinda gets stuck, and makes a mini-dam that prevents the flow of the water, and then all of a sudden the dam gives way and it splashes water. Well it's not a big deal for most people. Sure, their upper lip got a little wet, but most of the water just goes right back into the glass.

But you know what? I have a mustache. It gets my mustache all wet. I hate it. And if I try and curl my lip out of the way so my mustache doesn't get all wet, then the ice clanks against my teeth. And I don't even like the water being cold in the first place! I prefer it to be around room temperature. So I have to put up with my water being cold, plus the ice abusing my mustache and teeth!

Have you ever seen a sober man drink out of a glass with ice happily? No! He'll ask for a straw if he can!

All of this because the water that came out of the office water cooler is too cold for my personal tastes. I think by the time I post this it will have sat in my sippy cup long enough to warm up.