Knock Knock

Posted by javakiddy on May 30, 2008 at 2:13 AM PDT

Allegedly invented by accident, the humble Post-it Note has likely been responsible for more potential breaches in computer security than any single virus, rootkit or keylogger. This handy little aide-mémoire is home to 'to do' lists, phone numbers, doodles, and (inevitably) passwords.

Most people wouldn't tape their front door key to their front door, yet they'll happily stick their computer password to the front of their computer monitor.

One time, in a book shop, I had to endure a customer loudly direct her workmate (via cell phone) to riffle through her desk drawer for the letter containing her bank PIN number. To this day I still cannot decide what was more brain-dead, the fact that she stuffed the letter into an unlocked drawer, the fact that said unlocked drawer was in a semi-public place, the fact that she revealed its existence to someone else, or the fact that she repeated the number loudly for all the shop to hear as it was read to her!

Incidents like this might be amusing, if not for the fact that we're moving towards an age when all our data may be held remotely (on 'the cloud') and accessed via Rich Internet Applications. But solving this problem could open up another one: as focus shifts from physically protecting locally stored data, to asserting access permissions on remotely held data, will we need to lose our anonymity to protect our privacy?

Safe hex

The reason people don't get computer security is because it's largely intangible. They can touch their front door key, picture in their mind's eye the menacing stranger trespassing in their home, see the empty space where their beloved widescreen TV used to be — yet none of this really seems to apply to something as ethereal as a password, or the data on a hard disk.

In the eight-bit days 'safe-sex' computing used to be so easy — the worst most malware could do was trash a floppy, so we simply avoided dubious software and kept valuable disks write-protected by default. Later, viruses meant malware could infect and trash other disks, but opportunities for infection were rare, plus backups and virus checking reduced the risk almost to nothing. For the most part security was a minor concern; something to be aware of, but not paranoid about.

Then the World Wide Web got itself invented. Suddenly software from the four corners of the World was passing through the average browser cache on a minute-by-minute basis, and malware was no longer content just trashing your data, now it wanted to steal it!

Yet users still have to be urged to install and maintain good network security software. If left to their own devices many don't bother — try scanning for wireless access points from your home and see how many of your neighbours didn't even spend the extra few moments to secure their router. Even dropping a friendly hint over the garden fence won't work — you're just that craaaaazy techie guy from next door, babbling about sniffing someone's packets!

The problem here is still a physical one though — the data still physically lives on devices you own, the thief is trying to duplicate it elsewhere. But once the data moves to 'the cloud' the problem shifts to one of identity. Your data is already elsewhere, the issue is do you have permission to access it?

On the internet, everyone knows you have blue eyes

Recently I just managed to stop a friend from logging into his webmail account via a public computer in a hostel's common room... with the "remember me" box ticked! Sheepishly he agreed it might be a little safer if he didn't give everyone using the PC after him free access to his mailbox. Last week I helped another friend FTP files to her new web site. Proudly she explained to me how she devises unique passwords for every internet account — first name plus an incrementing number (Jane36... Jane37... Jane38...)

These people aren't stupid (indeed they represent the norm) but can they be trusted in an age when all their private data may be protected by merely a password?

It got me wondering whether biometrics might be the way forward. We've already seen some laptops issued with fingerprint recognition instead of passwords to secure them, and face recognition using a built-in webcam is also possible. But how about using this technology to restrict access to the applications and data itself?

On the surface, it makes sense twice over. For the software industry it means customers can't get free applications by trading passwords. For the users it means their data is now protected (to potentially quite a high level) with zero effort on their part.

It could even provide an effective replacement for Digital Rights Management. If iTunes used face/fingerprint scans to digitally tie my downloads to my identity, I should be able to freely play my music on every device I'll ever own, so long as it's configured to 'me'.

But here's the problem: if permission to run my applications and access my data is tied to something so certain, unique and unchangeable, doesn't it pretty much blow any hope of anonymity out the water?

Listening to a recent edition of the Leo Laporte podcast The Tech Guy I was amused to hear Leo explain how his teenage daughter had set her public profile on Facebook to that of a 38 year old guy from New Jersey. Smart kid — it presumably avoids a lot of unwanted attention. But if biometrics became the norm for accessing Facebook this might become impossible, or at least tricky. If Facebook gained access to a second independent data source it could compare the biometric reading and discover the inconsistency. The issue would then boil down to whether Facebook would enforce its terms and conditions. Even if an individual RIA host had a policy of permitting bogus details, the biometric 'password' might still expose the real account owner to the Police or FBI, should they come knocking...

So, as our digital lives move steadily with each passing month onto 'the cloud', it seems like we have a straight choice: carry on with user-unfriendly passwords and expose hundreds of millions of regular users to high risk of having their data stolen, or move towards a (supposedly) idiot-proof biometric system and surrender any hope of anonymity.

Unless anyone has a better idea...?

Comments

could you do this in C#? Or perhaps classic ASP?

first line: head -1 my_humungus_file.txt

last line: tail -1 my_humungus_file.txt Note:- that switch is a one, not an "ell". You could also get just the first/last 2 lines with -2 for instance.

If you don't have the tail command (stuck in windows), install cygwin: it's part of the minimal set.

Hi Simon,

Back in 2004 when I wrote Privately Famous I posed a similar conundrum... Without biometrics if someone does steal your identity how can you really prove that "you" are "you".

I think that privacy is a myth that we need to get over. I just don't see any way of protecting my stuff unless I can prove that "I" am "me".

Good post... as always.

-JohnR

As soon as you hand your data to a third party for storage you lose your anonymity if that data is linked to your identity. The means by which that identity is ascertained doesn't really matter. Most people already use identical or very similar usernames wherever they visit (which is natural, that username after all is the online equivalent of your real name, and that's no different whether you're in Seattle or Boston unless you are travelling incognito which most people have no need to do). It's easy enough to scour sites for users with a certain username, so comparing biometrics isn't going to do much. As an aside, why would using biometrics to secure a Facebook account make it possible for Facebook to compare those biometrics to those used to secure an account at an unrelated site? Those biometrics wouldn't be publicly accessible by outside forces from either Facebook or that other site, and if a third party were used to store and validate them (a smart idea, maybe, possibly, depending on privacy considerations concerning that 3rd party) they would not be allowed (by law, privacy laws...) to hand over account names of other sites using the same biometrics profile (of course such a third party for that very reason is a massive security risk, as they themselves would of necessity be able to access any of your accounts unless the account names were not linked to the biometrics data, possible but potentially cumbersome).

While I fully agree therefore that placing too much private information online is not a good thing and destroys your privacy, I don't agree with your doomsday scenario (at least not for the reasons you use). Far more dangerous IMO is the risk of the biometrics data getting intercepted (can you trust that 3rd party? As I already pointed out they're in a powerful position, and I fear that 3rd party might turn out to be Google, Internet Big Brother #1 already, just imagine what they would (be able to) do if they had access to your account profiles on every forum, social network site, the tax authorities, banks, etc. etc.).

So the problem isn't so much the fact that that information is out there but the fact that access to it is getting ever more centrally controlled, with the keystores being consolidated into a single entity that's outside of the control of either end of the transaction (either the user of the information or the entity storing it) and may well be (effectively or legally) above the law of any country (as Google is now).

Such an entity would effectively be able to hold not just any person but any community or company hostage by threatening to either cut off its access to information stored under its keystore, destroy that information, or divulge it to parties potentially hostile to the target. They'd in fact if not in name own you, be able to not just control but direct your actions like a medieval slavemaster was in total control over his slaves.

Hi Simon, I want to know how to get the last line from a text file which has 1000's of lines

A company may inherit another source of biometric data if it bought or merged with someone else -- if Microsoft ever did acquire Yahoo they'd have access to both MSN and Yahoo account databases. And what about those people who (for legitimate reasons) register two or more accounts with the same service? A 'biometric password' would expose them as the same person.

Safe sex computing, haha good one. Haha pocket sniffing, good one. Also, further to vasanthreddy's question; how do you get the first line of text? So far, I've been cat'ing the whole file to the console, then scrolling up to the first line then copying and pasting. BTW - this also works for getting the last line if javakitty has been unable to provide an answer.