Comments on: Musing about openness and security

By: david cushman

david cushman — Wed, 21 Nov 2007 10:53:44 +0000

I was at Digital Identity when this news (above) broke. Made me think, very much like JP, that it ain’t being human (what’s more natural than sharing your child’s name or where you live) that’s the issue – it’s the lock that’s the problem.
If we have systems which equate a smattering of social information about us with our identity then we’re going to run into trouble. Actually, we’re not – they are.
More here:
http://fasterfuture.blogspot.com/2007/11/whoops-there-goes-your-identity-mass.html

By: Dominic Sayers

Dominic Sayers — Wed, 21 Nov 2007 10:29:46 +0000

I see I am late to the party as usual. Sorry Shefaly.

By: Dominic Sayers

Dominic Sayers — Wed, 21 Nov 2007 10:27:21 +0000

As of today, if you're a parent in the UK you no longer need to worry about revealing your date of birth or bank details to the bad guys. The department of Revenue and Customs has done it for you.

By: Shefaly

Shefaly — Wed, 21 Nov 2007 08:08:55 +0000

If all else fails we can always rely on our government to mislay data that can really enable identity theft big-time if the password could be cracked… :-)

http://news.bbc.co.uk/2/hi/uk_news/politics/7104945.stm

By: Martin Budden

Martin Budden — Sun, 18 Nov 2007 19:59:25 +0000

I agree with your statement “We should not build systems that make use of simple easily-accessible information as security tokens and devices.”

Security aware people take this advice – they don’t create passwords or PINs based on their date of birth, for example.

However I don’t have any control over the authentication mechanisms used by institutions – and they do use date of birth. In the past month both my credit card company and my mobile phone company have required me to tell them my date of birth as part of their authentication process.

By: Bev D

Bev D — Fri, 16 Nov 2007 14:25:58 +0000

I am not sure about date of birth as an identification system…many people in the world don’t use the Julian calender so what is their date of birth? How can you even identify that the date of birth entered is correct?
The American system has become too rigid I know of many people born in Asia or Africa who have no idea of their actual date of birth and many who do not even have birth certificates…This system of authentication is wrong in my opinion and how much would it really cost to change it. Don’t institutions spend thousands to move away from applications they are becoming too dependent on? They too realise its safer that way..as for a national id card being issued – I can just see another Holocaust coming from that.

By: Andrew Yeomans

Andrew Yeomans — Fri, 16 Nov 2007 14:09:15 +0000

It’s a hard problem to find good authentication credentials. Certainly internet databases and search engines have already made “date of birth” and “mother’s maiden name” much less valuable to guarantee authenticity.

But the same problem eventually applies to any other secret. Whether it’s a “random” password, “your favourite teacher”, “your childhood hero” or whatever: as soon as you have told someone, it’s no longer a true secret. Based on probability of re-use and on the trustworthiness of who you tell, these might still be useful for a while to give a reasonable degree of proof of who you are. And shared secrets are still a fairly cost-effective system, not requiring special hardware. But are only going to get less effective in the future.

And as for biometrics, they are not secret either; just considered to be difficult to forge, at least under carefully controlled measurement conditions. So there’s likely to be an increase in their use in the next few years, but will be expensive if implemented in the most secure way, and may conflict with “privacy” demands too.

So I’m coming to the conclusion that we will be forced to move to a “something you have” credential system, at least for authentication where it matters. Perhaps this is an (liberal shock horror) National ID Card; or Tesco Clubcard; or USB dongle; or mobile phone. Which, if you need to be sure is used by the right individual, also needs a shared secret or biometric – but at least that only need to be shared with the device, not the central database.

By: Tim Hoang

Tim Hoang — Fri, 16 Nov 2007 13:06:58 +0000

JP – excellent blog. There’s so many people jumping on the social networks are a security threat. Has there actually been any crimes commited because someone looked on Facebook and saw someone’s birthday. I’m not saying it cannot be done but has it? Don’t understand your skeleton analogy though

By: stephen ashton

stephen ashton — Fri, 16 Nov 2007 12:58:23 +0000

Very interesting and well timed. Too add to your point the regulatory environment is now telling me that I can’t have address prompts on email headers because I may send confidential data to the wrong person; I will be put on a “non-distribution list” so that I am specifically prevented from sending mails to a “conflicted” or interested party; I will have to encrypt and decrypt the simplest things (which should raise levels of paranoia and suspicion to new heights); I have to prevent “inappropriate” access of staff to customers so that we can’t actually help them and I will of course have to classify, store and be able to retrieve in a blink of an eye every relevant piece of information that Big Brother wants to see.

As you rightly say, if my intentions were dishonourable I would not be using any of these processes in the first place. For me the theme is becoming “blunting the competitive edge of technology”. Am I turning to the dark side?? Or emerging into the light

By: Mark Samuels

Mark Samuels — Thu, 15 Nov 2007 12:59:18 +0000

I agree about single sign-on being the key – not just in the private sector, but also the public sector. A bunch of key government agencies – JISC, Becta and Janet – have made a fair amount of progress here, encouraging more than 100 education institutions to join a federated system.

Other public sector bodies have been keen to follow the model, but – well – a bit slow…

http://knowledge.computing.co.uk/2007/08/single-sign-on-.html