This entry was posted on Saturday, October 12th, 2013 at 2:12 am and is filed under Computers, Privacy and self ownership.
The real story, IMHO, is not so much that the art of cracking has advanced, but that there is still no good solution to the problem of user authentication. Some companies are going for biometrics of some sort, but those systems have problems too. The concept of three-factor authentication — something you know, something you have, something you are — has been around for a while, but I haven’t heard of any systems using it. Lots of systems use two-factor. But there are problems with these things too.
The other real story is that despite significant publicity about cracking, lots of systems have crap for authentication mechanisms. For example, one financial system I use was allowing the entry of fairly robust passphrases, but internally truncating them to 10 characters. I discovered this when I suddenly couldn’t log in. They had “fixed” the system by matching the input fields to what they were actually using. Truncating my passphrase to the first 10 characters worked fine.
The human side of this sucks as well. My employer just switched to a web-based sign up for benefits. It was a mess, though a small one. I had to call to get it straightened out, and the person I spoke with made no effort to ensure that it was really me on the phone. For the vast majority of people, this whole world of electronic security is a new and vast unknown. In fact, as Kevin Mitnick demonstrated in his book, the notion of real security is, in most cases, not understood at all. So, to refer to cybersecurity as an arms race is rather optimistic, since most people and computer systems aren’t employing any arms at all, for practical purposes.
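The silent 10-character truncation the commenter ran into, modelled as an added example (constructed code, not the commenter's or the financial system's): a legacy verifier that discards everything past a prefix, the corrected verifier beside it, and a black-box probe a defender can run against any enroll/verify pair to find out whether characters are being thrown away. The 10-character limit and the PBKDF2 iteration count are assumptions made for the demonstration.

```python
import hashlib
import hmac
import os

LEGACY_LIMIT = 10      # assumed: the prefix length the broken backend kept
ITERATIONS = 20_000    # kept low so the probe runs quickly; raise it in production


def _kdf(passphrase: str, salt: bytes) -> bytes:
    """Standard-library PBKDF2-HMAC-SHA256 over the full UTF-8 passphrase."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, ITERATIONS)


def enroll_truncating(passphrase: str) -> tuple:
    """Legacy behaviour: accepts any length, but only the first 10 chars matter."""
    salt = os.urandom(16)
    return salt, _kdf(passphrase[:LEGACY_LIMIT], salt)


def verify_truncating(passphrase: str, record: tuple) -> bool:
    salt, digest = record
    return hmac.compare_digest(_kdf(passphrase[:LEGACY_LIMIT], salt), digest)


def enroll_full(passphrase: str) -> tuple:
    """Corrected behaviour: every character of the passphrase feeds the KDF."""
    salt = os.urandom(16)
    return salt, _kdf(passphrase, salt)


def verify_full(passphrase: str, record: tuple) -> bool:
    salt, digest = record
    return hmac.compare_digest(_kdf(passphrase, salt), digest)


def detect_truncation(enroll, verify, max_len: int = 64):
    """Black-box probe: enroll a long passphrase, then present variants that
    agree with it only on the first n characters. The smallest n for which
    a mismatching tail still verifies is the backend's effective limit.
    Returns that n, or None if no truncation shorter than max_len is found."""
    base = "x" * max_len
    record = enroll(base)
    for n in range(1, max_len):
        probe = base[:n] + "!" * (max_len - n)   # identical prefix, different tail
        if verify(probe, record):
            return n
    return None


if __name__ == "__main__":
    print("legacy backend limit:", detect_truncation(enroll_truncating, verify_truncating))
    print("fixed backend limit:", detect_truncation(enroll_full, verify_full))
```

Run against a real login endpoint the same probe only needs an account you own and a rate limit you respect; a non-None result means the stored secret is weaker than the user believes.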