Monday, January 21, 2013

Next Gen Credentials and Security

The password system that dominates personal authentication is becoming more and more unwieldy. As users acquire more and more accounts on more and more computer systems, it is becoming less and less reasonable to expect them to choose unique passwords for each. Passwords can be forgotten, so systems designers build in reset mechanisms that can be socially engineered or otherwise exploited. Many users choose the same password for every system or at best choose from a small set of passwords. One crooked web-site could allow the attacker who administrates it access to all of a users accounts on other systems. An even bigger problem is that most users simple passwords that are vulnerable to dictionary attacks, rainbow tables, or other attacks.

Google is exploring the possibility of using hardware based authentication. The idea is that the user would wear a ring or have a key fob that could be used to authenticate with either the device or with the customer's online accounts or both. This is a promising approach. This isn't perfect, but it the seems to have fewer problems than any other approach that I have seen.

In addition to passwords, most banks use a second authentication system whereby users re-verify via a non-password mechanism. Users must type in a one-time use code that is sent to a separate account. They are required to re-authenticate this way every the user tries to log in using time a new device or account (or whenever cookies are cleared).

Biometrics seemed promising, but the credentials (fingerprint, retinal pattern, etc) can't be changed. If an attacker cracks the encryption and steals the signature, he or she can log into your account for life. It might be a pain to replace an authentication ring but it is possible.

Another approach suggested by Turing Award winner and CAPTCHA inventor Manuel Blum was to use a "hard" function (computationally intensive to invert) to compute a password. The user could use a simple single password along with the site name as an input. The password would then be computed automatically. One problem with this approach (and a MAJOR pet peeve of mine) is that different sites have different password restrictions. Can't we agree on a standard set and move on? Or at least post them next to the login screen to hint to users what password they might have chosen.

Another problem with Blum's approach is that it would require a hardware device as well as manual input of data. Although it could be implemented in software, it would then be vulnerable to any trojans that had gained access to the user's system. According to Kerpersky, these trojans are the second most prominent threat next to malicious urls (many of which attempt to install trojans). A naive implementation of the hardware authentication token might be vulnerable to the same attack, but an active device could mitigate the threat by compute Blum's "hard" function (probably a cryptographic hash) in hardware. The software it interacts with could provide an "authentication domain" (my term) and the user could enter a simple PIN, a third unique code would then give the device a third auth component. Of course such a device would still be vulnerable to a Trojan that read the hashed inputs, but not if it was implemented in hardware and added the auth token directly using the network hardware.

Then an end user would only be as vulnerable as the network security in the many routes on the internet.

So what can we conclude? Information security is incredibly hard. There is no silver bullet, but the next generation of security will likely require some combination of hardware and software--biometrics may play a role also. A simple system is necessary, preferably a single sign-on system.

The logistics behind this advancement are daunting, but today's tech companies have made some incredibly impressive advances in the past twenty years. I believe that a consortium involving Google, Apple, and Intel could make it happen. Improved security would improve life for everyone save cyber-criminals.

Monday, January 14, 2013

When will Big Tech buy Big (Small) Content

Currently, the music business is dying. It isn't that we aren't listening to music. Artists haven't stop making music. What HAS happened is that the big record companies have stopped being able to print dollar bills just by printing CDs.

But content isn't dead. People pay for Netflix. People pay to go to the movies. People sign up to premium music streaming services. Music attracts a lot of attention on the internet and a lot of Ad dollars.

The rise of the Internet has cut the record companies out of a lot of the business, though. Bands can find a following on the Internet and distribute music on their own. Or they can build a faithful audience and make money playing concerts and selling memorabilia. Bands such as the Grateful Dead and Phish have been following that business plan for years. The Internet just makes it easier.

So what are record companies to do? They still own content, but they can't produce the returns that they used to be able to. The business has changed. They can't manage technology very well (people hate VEVO and its technical glitches). They can't drive the eyeballs the way that they used to.

So what's going to happen?

I have a theory. Big tech companies such as Google, Apple, and Amazon will buy record labels in order to cut out the middleman. What can fat cats in LA studios do to help us listen to music? Why can't social media pick hot artists and tech companies promote them through their technology.

The record companies who have mostly been bought out by media conglomerates are not releasing financial numbers, but it is safe to say that they haven't been perform well. Sooner or later, their parent companies will demand better performance and divest themselves of their music catalog. Who better to buy them than Google, Apple, Amazon, or Facebook?