2 December 2012
Personal Security Weak on Purpose, Fix It
I am wondering if you'd review this article and comment on it on Cryptome:
I find the last few paragraphs contain a disturbing solution to the laid
"The security system will need to draw upon your location and habits, perhaps
even your patterns of speech or your very DNA."
"We need to make that trade-off, and eventually we will."
Kill the Password: Why a String of Characters Can't Protect Us Anymore
By Mat Honan
The other thing that's clear about our future password system is which
trade-off -- convenience or privacy -- we'll need to make. It's
true that a multifactor system will involve some minor sacrifices in convenience
as we jump through various hoops to access our accounts. But it will involve
far more significant sacrifices in privacy. The security system will need
to draw upon your location and habits, perhaps even your patterns of speech
or your very DNA.
We need to make that trade-off, and eventually we will. The only way forward
is real identity verification: to allow our movements and metrics to be tracked
in all sorts of ways and to have those movements and metrics tied to our
actual identity. We are not going to retreat from the cloud -- to bring
our photos and email back onto our hard drives. We live there now. So we
need a system that makes use of what the cloud already knows: who we are
and who we talk to, where we go and what we do there, what we own and what
we look like, what we say and how we sound, and maybe even what we think.
That shift will involve significant investment and inconvenience, and it
will likely make privacy advocates deeply wary. It sounds creepy. But the
alternative is chaos and theft and yet more pleas from friends
in London who have just been mugged. Times have changed. We've entrusted
everything we have to a fundamentally broken system. The first step is to
acknowledge that fact. The second is to fix it.
Mat Honan provides a thoughtful critique of popular security techniques,
but little about why personal security is so wretched by design, nor why
purveyors of bad security are never fined and jailed.
Security professionals often claim that you get the quality of security you
are willing to pay for, and the easiest to use and cheapest is usually
ineffective, so cough up more cash for our very best. The best cash comes
from governments and their contractors and they want security that is not
available to citizens. Sell crap personal security to the citizens, they
urge, so they will be ever more dependent upon us.
For that reason national security (which always includes corporate contractors)
gets a lot more attention and funding than personal security. An argument
could be made that it should be the other way around: bottom-up security
for citizens rather than top-down security from authorities. If citizens
are secure, that includes the national level; but national security does not
secure persons -- it even demonizes them -- it secures foremost those within
the secret world of national security.
That argument does not please the national security believers whose faith
is based on knowing secrets the citizenry does not.
Comparison of the wealth of personal security measures required for national
security participation -- background checks, certification of users of natsec
systems, physical tokens, counterintelligence, lie detectors, prison sentences
-- with the poverty of security for the ordinary citizen is occasionally mused
upon but dismissed as unpatriotic, deranged raving. Indeed, it is possible to acquire considerable
wealth peddling shoddy personal security products, from faulty encryption,
porous anonymizers, fake IDs, pepper spray, pistols, references, college
degrees, religious faith, hypnotic social media.
It might be fair to say that personal security goes begging in order to maximize
national and corporate security wealth protection. A citizen trying to get
security against authoritarians is likely to be accused of aiding and abetting
national enemies of free markets. The consequence is a campaign to promote
the notion that an innocent citizen has nothing to hide from the biggest
players in security -- governments and their contractors conjoined by agreements
to keep the best security highly secret and out of reach of citizens, thereby
treating tax-paying and gullible citizens as enemies.
One way to answer Matt Honan's lament to "fix it," is to advocate and implement
security measures developed for national security for use by citizens. That
would require declassification of the secret measures, a difficult prospect
and one governments and their contractors will likely use to generate a war
on terrifying citizen security against official and commercial surveillance,
profiling and prosecution, as has been the case since governments were invented.
Deliberately crippled personal security is no accident, it is national policy
worldwide, cloaked in highest secrecy. If possible, get a top-level secrecy
clearance and learn how the best security works and enjoy the privilege.
Passwords are a tiny part of the problem, the biggest part is keeping secret
the best security for the few who collude to gain entry, access and control
of the wealth of nations.
Have to disagree with Mat on the "cloud here to stay." The cloud is custom-built
to spy on users; its lack of security is a prime feature, like cellphones,
adopted from the Internet.