halfbakery: Romantic, but doomed to fail.
The security of any password-based authentication scheme cannot protect you beyond WHAT your hacker can enter. Even when public key cryptography and encryption are implemented, your password can still be learned through torture, a key logger, social engineering, bedside eavesdropping and so on. In a country like the UK, you are already guilty for not divulging a password under an authority's subpoena. No matter how strong your encryption scheme is, the problem with having a unique password (a long string) is that it is still not unique enough and that it can be written down on paper. When you are placed in a life-threatening situation, this uniqueness can only be protected by how much physical and emotional pain you can withstand. Brute force isn't likely to be the government's cup of tea if they want you to crack in 24 hours. The magic question of hacker and authority alike is still "WHAT is your password?"
Once WHAT is known, whatever is related to WHAT is history.
Game & Performance based authentication (GPA) solves this problem because password uniqueness is no longer on one dimension. Besides WHAT, under the GPA scheme the hacker has to know
HOW is your password
WHEN is your password
WHY is your password
WHERE is your password
The best way to capture these 5 dimensions of information is through the implementation of a game.
No two people play a game the same way. Be it chess, DOOM, Space Invaders or Pac-Man, one individual's strategy (performance) is different from another's. Even when I have a hacker watching over my shoulder while I play, there is no way this person can replicate my performance and strategy. Let's say I am shooting a DOOM monster in the leg: I can shoot it at the knee (WHERE), 3 inches below the knee (WHERE), twice within 1 second but 2 seconds after 15:00 hours (WHEN), by unnecessarily reloading my pistol between the 2 triggers (HOW), and still keep the monster alive because the monster should get up and scratch me (WHY). The hacker standing behind me is unlikely to emulate my strategy because I have spent hours perfecting my technique to the point that I can do it blindfolded. Performance is so unique that it is unlikely the performer will be subjected to torture, because it takes time to heal from an injury before performance returns to its previous level of competency. If you know a particular sport or exercise that takes years of hard work to build up your motion-sensor-captured SIGNATURE MOVE, such as tennis, running, yoga, karate or golf, it will be even harder for a hacker to take up yoga classes and copy that move. This will be good news for sports celebrities, Guinness record holders and sporting world record holders, because a performance is one of a kind. If you run into a problem with the authorities, you simply safeguard your password by blaming it on being too old or too tired to perform. At least there is no law against being old. I don't mean that everyone must have a motion capture lab and a race track installed in every house; this scheme can be implemented by playing a simple Java game of Space Invaders. Imagine that your password is composed of upper case and lower case letters and the 9 numeric keys. On the game screen there are as many as 61 invaders waiting to attack you (26 uppercase + 26 lowercase + 9 numeric keys = 61).
Each invader represents one of these keys; all you have to do to gain access is to shoot them in a special sequence while avoiding getting hit. Since the invaders attack you randomly, brute force will become unattractive because it is made too slow. Let's say the password is HhiJHOIjoiOIpU7: a hacker has to try shooting HhiJHOIjoiOIpU7 more than twice to find a performed sequence. There is no use in knowing the hit list sequence HhiJHOIjoiOIpU7 because the strategy is still the missing link.
If this idea is widely implemented in retail checkouts, I am envisioning people armed with a bluetooth-equipped gun or joystick, just like old west cowboys, who then play a little shooting game and complete their purchases.
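As an added example (not part of the post, and not an implementation the author describes), a minimal sketch of the "performance" half of the scheme: the shot sequence is the WHAT, the inter-shot timing is the HOW/WHEN, and verification requires both. All attempts are constructed; the template is the per-shot mean and spread of five practice runs, and the threshold `z_max` is an assumed tolerance.

```python
import math

# Sketch of the "performance" half of the scheme. A login attempt is the list of
# shots fired at the lettered invaders: (key label, seconds since the previous
# shot). The key labels are the WHAT; the timing vector is the HOW/WHEN.
# Every attempt below is constructed for this example; no real user data.

def enroll(attempts):
    """Build a template: the shared key sequence plus mean/stddev of each gap."""
    keys = [k for k, _ in attempts[0]]
    if any([k for k, _ in a] != keys for a in attempts):
        raise ValueError("enrolment attempts must share one key sequence")
    gaps = list(zip(*[[t for _, t in a] for a in attempts]))  # one tuple per shot
    means = [sum(g) / len(g) for g in gaps]
    # Floor the spread: a perfectly consistent enrolment must not become a
    # zero-tolerance gate that rejects the owner on the next login.
    stds = [max(math.sqrt(sum((x - m) ** 2 for x in g) / len(g)), 0.02)
            for g, m in zip(gaps, means)]
    return {"keys": keys, "means": means, "stds": stds}

def verify(template, attempt, z_max=2.5):
    """Accept only if the keys match AND every gap is within z_max std devs."""
    if [k for k, _ in attempt] != template["keys"]:
        return False  # wrong WHAT: the hit list itself is wrong
    z = [abs(t - m) / s
         for (_, t), m, s in zip(attempt, template["means"], template["stds"])]
    return max(z) <= z_max

KEYS = list("HhiJ")  # first four keys of the post's example password

def _attempt(gaps, keys=KEYS):
    return list(zip(keys, gaps))

# Five practice runs: the owner's rhythm, with small natural variation.
ENROLMENT = [_attempt(g) for g in ([1.20, 0.30, 0.45, 0.30], [1.25, 0.28, 0.47, 0.31],
                                   [1.15, 0.32, 0.44, 0.29], [1.22, 0.30, 0.46, 0.30],
                                   [1.18, 0.29, 0.43, 0.32])]
TEMPLATE = enroll(ENROLMENT)

OWNER_LOGIN = _attempt([1.21, 0.31, 0.46, 0.30])        # normal day: accepted
SHOULDER_SURFER = _attempt([0.60, 0.12, 0.15, 0.12])    # right keys, wrong rhythm
WRONG_KEYS = _attempt([1.21, 0.31, 0.46, 0.30], list("Hhij"))  # right rhythm, wrong key
OWNER_OFF_DAY = _attempt([1.40, 0.40, 0.60, 0.45])      # the "off day" false reject

if __name__ == "__main__":
    for name, a in [("owner", OWNER_LOGIN), ("surfer", SHOULDER_SURFER),
                    ("wrong keys", WRONG_KEYS), ("owner, off day", OWNER_OFF_DAY)]:
        print(f"{name:>15}: {'accept' if verify(TEMPLATE, a) else 'reject'}")
```

The last case is the weakness raised in the annotations below: the same tolerance that shuts out an observer who knows the hit list also rejects the owner when their rhythm drifts.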
Links:
Monolith: http://monolith.sourceforge.net/ "Muddying the waters of the digital copyright debate." [Detly, Oct 04 2004]
Original Monolith File Processor: http://goroadachi.c...i/2001-monolith.gif Primitive 'bakers were known to bone ideas [thumbwax, Oct 04 2004]
Version 2: http://aftergrog.dr...om/archives/Who.jpg [angel, Oct 04 2004]
Would you believe it? They already do that at my 1337 local grocery store!!1!

The objective of the game is to maneuver a pointing device from one side to the other side of a surface while keeping its tip touched to the surface. Given how dull this is, it's amazing how much people will give you if you can produce the right "signature".

What's the frequency, Kenneth?

[jutta], you crack me up.

As for the idea, I think it takes some people long enough to get through a checkout as it is...

Center of mass if I'm in a hurry, and head shots if the occasion calls for it.

//I am envisioning people armed with bluetooth-equipped gun//
And I'm imagining them armed with a bullet-equipped gun. It'll be the only way to get through the checkout before you grow old and die.

I think I'd rather just go with the DNA security...

Or better yet, why not use your aura as a unique signature.

them things are harder to copy. :P

A shooting sequence really isn't that hard to copy. It requires skill in that specific action. It would only mean that it doesn't take hacker skills to hack anymore.

Thanks to a misspent youth I was a dab hand at a number of old coin-op arcade games: Defender, Gauntlet, Golden Axe & Streetfighter II to name a few. I doubt if I would be as good at them today. My point is linked to [jutta]'s; the users themselves have to be able to recreate their 'signature', whether this is a scribble on a receipt or a high score in a game is irrelevant.
If the system is based on a skill, how easy is it to replicate? I've had off days while playing table tennis and, damn it, I'm sure that I am doing the strokes right but I keep losing points! It's bad enough losing a game, but to be charged with fraud for not recreating my password, that'd be mental!

Sorry, but I don't like your original idea very much. But it did get me thinking about how to make it hard for someone to force you to reveal a key to decrypt a file, and I had some ideas.

I was surprised that the UK could legally make you reveal a password. I wonder how the following method would hold up in court.

What if you have a directory on your disk named "private and/or potentially incriminating data". Now this directory has many files with filenames that don't directly correspond to their contents. Some of these files are encrypted using one key and other files are encrypted using a different key. You may use as many keys as you can remember. In addition, there are files with similar file names that appear to be encrypted but contain random data, so that there is no known key that will generate a valid decrypted file. There is a program in that directory for creating such dummy files.

Therefore, when you get the subpoena to reveal the keys to decrypt these files, you can give the keys for some of the files and make a plausible claim that the rest of the files have no known valid key. You can demonstrate the program in that directory to support your claim. The government could theoretically try to say that it is illegal to store a file for which you don't have the key, to prevent such a thing, but then wouldn't that apply to any email provider storing an encrypted email message?

A more realistic implementation would probably not be designed to game the system so blatantly; it would at least make it look like the other files may belong to somebody else, so you have a real reason for not knowing the passwords, but logically it's the same thing.

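An added example (not the annotator's program, and not a real tool) that makes the two claims in the scheme above checkable: with an authenticated format, a wrong key on a real file and any key at all on a random decoy fail in exactly the same way, and a forensic examiner's first-look byte-entropy triage cannot tell the real file from the decoy. The cipher is a toy built from HMAC-SHA256 so the block runs offline; a real system would use a standard AEAD, and the keys and file contents are constructed.

```python
import hashlib
import hmac
import math
import os

# Toy authenticated stream cipher, constructed for this example only (not a
# production design): keystream blocks are HMAC-SHA256(key, "ks"||counter) and
# the tag is HMAC-SHA256(key, "tag"||ciphertext). A wrong key fails the tag
# check, so "no valid key exists" is a property that can be checked, not argued.
def _keystream(key, n):
    out = bytearray()
    for ctr in range((n + 31) // 32):
        out += hmac.new(key, b"ks" + ctr.to_bytes(8, "big"), hashlib.sha256).digest()
    return bytes(out[:n])

def encrypt(key, plaintext):
    body = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, len(plaintext))))
    return body + hmac.new(key, b"tag" + body, hashlib.sha256).digest()

def decrypt(key, blob):
    """Returns the plaintext, or None when the tag does not verify under this key."""
    body, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, b"tag" + body, hashlib.sha256).digest()):
        return None  # wrong key on a real file, or any key at all on a decoy
    return bytes(a ^ b for a, b in zip(body, _keystream(key, len(body))))

def shannon_entropy(data):
    """Bits per byte: about 8.0 for random or encrypted bytes, far lower for text."""
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

# Constructed directory contents: one real file, one decoy of the same length.
KEY_A, KEY_B = os.urandom(32), os.urandom(32)
PLAINTEXT = b"minutes of the Tuesday meeting. " * 130
REAL_FILE = encrypt(KEY_A, PLAINTEXT)
DECOY_FILE = os.urandom(len(REAL_FILE))  # random bytes: no key was ever involved

def triage(blob):
    """Everything an examiner without the key learns from a first look."""
    return round(shannon_entropy(blob), 1)

if __name__ == "__main__":
    print("entropy plaintext/real/decoy:", triage(PLAINTEXT), triage(REAL_FILE), triage(DECOY_FILE))
    print("real file, key A:", decrypt(KEY_A, REAL_FILE) == PLAINTEXT)
    print("real file, key B:", decrypt(KEY_B, REAL_FILE))
    print("decoy, key A:    ", decrypt(KEY_A, DECOY_FILE))
```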
[sm] - have you read about the monolith file processor?

//I was surprised that the UK could legally make you reveal a password//

I can't remember my passwords for most things. Guess they'd lock me up. Ignorance is the ultimate security.

[Detly] No, and googling for "monolith file processor" gets zero results. What is it?

So, what you're saying is that I need to shoot the staff of a grocery store in an alphanumeric sequence that not only matches my password, but has that certain "je ne sais quoi" that ne'er-do-well hackers can try all they want to *recognize* as being uniquely mine, yet not *duplicate*.

[Detly] Thanks. That's an interesting approach to rationalize free distribution of copyrighted material.

I guess my idea is also a way to rationalize breaking a law, but since it isn't a law where I live, I don't feel too bad.

I'm not saying that their argument is perfect, and neither are they, but I found it interesting. It could be thought of as a more general type of encryption. One question is, if I copyright my private GPG key and use it to encrypt a copyrighted work, who has the copyright on the final file?

But this is getting off topic.