Donate for the Cryptome archive of files from June 1996 to the present

2 December 2012

Personal Security Weak on Purpose, Fix It

A sends:

I am wondering if you'd review this article and comment on it on Cryptome:

I find the last few paragraphs contain a disturbing solution to the laid out problem.


"The security system will need to draw upon your location and habits, perhaps even your patterns of speech or your very DNA."

"We need to make that trade-off, and eventually we will."

Kill the Password: Why a String of Characters Can’t Protect Us Anymore

By Mat Honan


[Final paragraphs}

The other thing that’s clear about our future password system is which trade-off—convenience or privacy—we’ll need to make. It’s true that a multifactor system will involve some minor sacrifices in convenience as we jump through various hoops to access our accounts. But it will involve far more significant sacrifices in privacy. The security system will need to draw upon your location and habits, perhaps even your patterns of speech or your very DNA.

We need to make that trade-off, and eventually we will. The only way forward is real identity verification: to allow our movements and metrics to be tracked in all sorts of ways and to have those movements and metrics tied to our actual identity. We are not going to retreat from the cloud—to bring our photos and email back onto our hard drives. We live there now. So we need a system that makes use of what the cloud already knows: who we are and who we talk to, where we go and what we do there, what we own and what we look like, what we say and how we sound, and maybe even what we think.

That shift will involve significant investment and inconvenience, and it will likely make privacy advocates deeply wary. It sounds creepy. But the alternative is chaos and theft and yet more pleas from “friends” in London who have just been mugged. Times have changed. We’ve entrusted everything we have to a fundamentally broken system. The first step is to acknowledge that fact. The second is to fix it.



Matt Honan provides a thoughtful critique of popular security techniques, but little about why personal security is so wretched by design, nor why purveyors of bad security are never fined and jailed.

Security professionals often claim that you get the quality of security you are willing to pay for, and the easiest to use and cheapest is usually ineffective, so cough up more cash for our very best. The best cash comes from governments and their contractors and they want security that is not available to citizens. Sell crap personal security to the citizens, they urge, so they will be ever more dependent upon us.

For that reason national (which always includes corporate contractors) security gets a lot more attention and funding than personal security. An argument could be made that it should be the other way around: bottom up security for citizens rather than top down from authorities, if citizens are secure that includes national level, but national security does not secure persons -- even demonizes them -- it secures foremost those within the secret world of national security.

That argument does not please the national security believers whose faith is based on knowing secrets the citizenry does not.

Comparing the wealth of personal security measures required for national security participation -- background checks, certification of users of natsec systems, physical tokens, counterintelligence, lie detectors, prison sentences -- and the poverty of security for the ordinary citizen is mused but dismissed as unpatriotic deranged raving. Indeed, it is possible to acquire considerable wealth peddling shoddy personal security products, from faulty encryption, porous anonymizers, fake IDs, pepper spray, pistols, references, college degrees, religious faith, hypnotic social media.

It might be fair to say that personal security goes begging in order to maximize national and corporate security wealth protection. A citizen trying to get security against authoritarians is likely to be accused of aiding and abetting national enemies of free markets. The consequence is a campaign to promote the notion that an innocent citizen has nothing to hide from the biggest players in security -- governments and their contractors conjoined by agreements to keep the best security highly secret and out of reach of citizens, thereby treating tax-paying and gullible citizens as enemies.

One way to answer Matt Honan's lament to "fix it," is to advocate and implement security measures developed for national security for use by citizens. That would require declassification of the secret measures, a difficult prospect and one governments and their contractors will likely use to generate a war on terrifying citizen security against official and commercial surveillance, profiling and prosecution, as has been the case since governments were invented.

Deliberately crippled personal security is no accident, it is national policy worldwide, cloaked in highest secrecy. If possible, get a top-level secrecy clearance and learn how the best security works and enjoy the privilege. 

Passwords are a tiny part of the problem, the biggest part is keeping secret the best security for the few who collude to gain entry, access and control of the wealth of nations.

Have to disagree with Matt on the "cloud here to stay." The cloud is custom-built to spy on users, its lack of security is a prime feature, like cellphones, adopted from the Internet.