- It's their own fault for having naked pictures of themselves on their phones.
- It's not their fault. They should be able to put whatever they want on their phones.
It is their fault for having naked pictures, or any other private data on their phones without adequately protecting them. That's like saying that it's not your fault that you left your front door open and thieves took off with your big screen TV. Technically, it's not your fault, but your stuff is still gone, and if you do it again, more of your stuff will get gone. Lament the downfall of modern civilization if you will, but lock up your shit.
The real problem is passwords. It is a model that was proven to be broken years and years ago. So here we are at, "it is and isn't the celebrities' fault." Unless you just got on the Internet yesterday (welcome!), you should know better than to use your aunt's birthday, the name of your pet, or "happy79" for your password. The mere fact that hackers got into their phones before they were old enough that no one wanted to see naked pictures of them means that they were using weak passwords. But, here's the thing, because you can use a weak password is a problem with passwords themselves. The password model is an impediment to using strong passwords. In the heat of the moment, when you absolutely have to show your latest naked selfie to your boyfriend, you aren't going to remember the 16 character string of random letters, numbers, and symbols you used to create your iCloud password. And if you are using the best practice of never using the same password twice, you will have to dredge up which password you used on which account. Definite mood-killer.
So, what is the answer, Steve? You're doing a lot of bitching about passwords, but you're woefully short on solutions.
Mea culpa on the bitching part, not so much on the solutions part.
The solution is a system that is a combination of known strong security measures combined in such a way that your average naked selfie taker (or online banker/shopper) is going to use because it is simple to use. It would have to be simpler to use than passwords, which sets the bar pretty low. The system is a combination of
- Zero knowledge proof authentication.
- Strong cryptographic signing.
- Public key cryptography.
Sally gets online and wants to check her bank balance. She has previously set up a couple of things with her bank. A public key, which is just a set of random numbers that identifies her. Instead of her username being "SallyMae1983," It will be something like
"But wait, Steve, you said this would be simple." It is, actually, because Sally will never have to remember it. It will get created and stored on her computer and the browser, or whatever else she's using, will know where to get it and hand it to the bank. And good luck Mr. Black Hat Hacker with trying to guess that one.lQO+BFPOiY0BCADyCJ1GtQ3oVeLFVOEwlqvNmvDGHc5SlBPWgA
The second thing she set up with her bank was a passphrase. I'm not being disingenuous here. A passphrase, unlike a password, can be anything you want it to be. It could be Hamlet's soliloquy, or the words to your favorite song. The longer the better, but since you don't have to remember it, it can be anything at all, even "happy79." The secret to all of this is that you never, ever send your passphrase to the bank after you set it up in the first place.
So, Sally gets on her browser and her browser knows how to present her key, and the bank uses that to know that it is Sally. Now, the bank sends some data, called salt, which is different every time Sally logs on, back to her browser and the bank and the browser go to work performing some complex cryptographic math on Sally's passphrase and the salt. When they are both done, they will exchange their answers, and if they both got the right answer, the bank will let Sally in, and Sally will know that it's actually the Bank, and not some phishing site. Sally never actually sent her passphrase, she just proved to the bank that she knew it, and the bank proved to her that it knew it as well. That's called zero knowledge proof.
The idea works even better on smartphones. The key and the passphrase can be stored in a very secure location on the device's SIM card. If you lose your phone, the SIM card can be remotely wiped. Paris Hilton's contact list would have never ended up on Reddit.
"So, Steve, when is the world going to get this technological marvel?"
I'm working on it. Stay tuned.
No comments:
Post a Comment