Archive for the 'Research' Category

Coming to order

Wednesday, February 21st, 2007

A lot of stuff came together today.. I now have a place to live and a topic for my research thesis that I’m writing this year. All done and all good. More posts will follow on both of these topics..

..and photos. Definitely photos.

Finally

Monday, February 19th, 2007

For about a year and a half I’ve been meaning to write a paper on my research in description driven modeling. I know what I want to say, and pretty much how.. but still no paper. Just a few lines of rambling and some sketchy notes from a think-night at Bar Nancy over a Little Creatures (an Aussie beer) a few months ago.

Today I approached my course coordinator about writing up that paper instead of doing a scheduled unit of coursework.. and while the paperwork needs to be done and permissions from various scholars are needed, she pretty much said yes on the spot. There might actually be a paper on that work one day.

About bloody time..

Vector clocks suck

Friday, September 22nd, 2006

Right now it’s 3am and it’s a fairly cold and windy night.. I should be cuddling in a warm soft bed under a massive doona, asleep.. Yep, that’s precisely what I should be doing, but am I?

Not really no..

..not even close..

…damn

I’m spending the night in the computer lab at uni hacking on an assignment due later this morning.. debugging causal ordering of messages using logical vector clocks in a distributed C application is pretty much the opposite of what I want to do at the moment. If only I could blame my shitty time-allocation on someone else..

Ethics of Computer Aided Surveillance

Tuesday, September 12th, 2006

This is my paper on the ethical implications of performing surveillance through data mining and clustering of output gathered from technologies intended for non-surveillance purposes. The paper can be downloaded here.

Abstract: During the course of our daily lives, the activities we undertake interact with a wide range of systems. The information that gets recorded in these when we shop, perform bank transfers, pass toll booths etc. can, when put together, disclose a lot about ourselves. This information is highly valuable to companies, who can use it to increase profits by e.g. targeting marketing or handling insurance claims investigation and policy adjustments. In order to gain this knowledge, surveillance is undertaken by harvesting the data disclosed to these systems. In this paper we look at two different technologies whose intended purpose isn’t surveillance, but which can be used to gain knowledge on the participating individuals. The information which can be extracted, the potential benefits of the systems and the implications this can have on our privacy are discussed, and the ethical implications of using these technologies are analyzed using established ethical theories.

Buzzword Security

Thursday, July 20th, 2006

When logging on to my internet bank I have to issue both a password and pass the so-called Factor2 Authentication. Sounds impressive, doesn’t it? Probably an updated version of the Factor1 system too.. but does it work? Nope. Two words: Hot Air. I’ll try to argue why.

The system is based on a set of 9 icons, each chosen from 3 different categories; each user can choose his/her own set of categories. The user then selects 3 icons and their order, and this becomes the Factor2 authentication passphrase. When logging in, the icons must be clicked out of a selection of 9 (the 3 correct ones plus 6 incorrect, semi-randomized ones) in the selected order for the system to log on the user. If the wrong icon is clicked or the incorrect order is entered, the user has to start all over.

So let’s look at the imposed security. Obviously the three correct icons must always be present, which means that a couple of reloads of the Factor2 page will present three static icons and six that change over time. This leaves us with a set of three icons which can be combined in 6 different ways, since the r-permutations are P(3,3)=3!. Password cracked.. This attack vector is however too simple, so let’s assume that all icons are static to be able to continue the reasoning. This leaves us with a total of 504 r-permutations, P(9,3)=9*8*7. This can be compared to a three-letter password out of an alphabet with 9 characters; would anyone consider that safe? Since everyone can select their own categories and icons, the users are of course highly likely to select items close to their personal life to make them easier to remember, thereby making it not only a short password but also an easily guessed one, since the attacker gets hints from the available icons. It can be argued that this scheme is safer than a traditional password since it isn’t vulnerable to a keylogger. Nice try but totally false. Not only is it vulnerable to a frame grabber or screen recording software, but it is also highly vulnerable to piggybacking since the cursor can be easily tracked on the screen.

So the conclusion is that if an attacker gets hold of the password to an account, this “added security” is unlikely to stop anyone for more than at most a few attempts. Any attacker that can gain access to the password will bypass the Factor2 authentication in minutes. Enforcing good computer security isn’t hard and it usually doesn’t come with a catchy slogan or trademark (and in these days of open source not even a price tag), so why do we still see this kind of crap safeguarding our assets? No one would accept a 5-pin padlock on the bank vault, but on the internet everything seems to go if it’s got nice colors. Or perhaps a nifty animation. Or both.
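The keyspace arithmetic and the static-icon observation from the post above, as an added simulation that is not from the original post or the bank’s system; the 30-icon pool, the random decoy sampling and the example passphrase are constructed assumptions.

```python
import math
import random

SECRET_LEN = 3          # icons the user picks, in a fixed order
SHOWN = 9               # icons presented on each login page
DECOYS = SHOWN - SECRET_LEN

# Constructed icon pool: the post does not say how many icons the bank has,
# so a 30-icon pool is an assumption for the simulation.
POOL = [f"icon{i:02d}" for i in range(30)]
SECRET = ["icon04", "icon17", "icon23"]   # constructed example passphrase


def permutations(n: int, r: int) -> int:
    """Ordered selections of r distinct items from n: P(n, r) = n!/(n-r)!."""
    return math.perm(n, r)


def keyspace_bits(size: int) -> float:
    """Equivalent key length in bits of a search space with `size` keys."""
    return math.log2(size)


def challenge(secret, pool, rng):
    """One login page: the secret icons plus DECOYS others drawn at random.
    Because the secret icons must be clickable, they appear on every page."""
    others = [icon for icon in pool if icon not in secret]
    return set(secret) | set(rng.sample(others, DECOYS))


def static_icons(secret, pool, rng, max_reloads=50):
    """Intersect successive challenges: icons present in every reload are the
    static (secret) ones. Returns (intersection, reloads used)."""
    seen = challenge(secret, pool, rng)
    reloads = 1
    while len(seen) > SECRET_LEN and reloads < max_reloads:
        seen &= challenge(secret, pool, rng)
        reloads += 1
    return seen, reloads


def demo(seed=7):
    """Run the reload simulation with a fixed seed so results are repeatable."""
    return static_icons(SECRET, POOL, random.Random(seed))


if __name__ == "__main__":
    p93 = permutations(9, 3)
    print("P(9,3) =", p93, "~%.1f bits" % keyspace_bits(p93))
    print("P(3,3) =", permutations(3, 3), "orderings once the static icons are known")
    print("8-char alphanumeric password ~%.1f bits" % (8 * math.log2(62)))
    icons, n = demo()
    print("static icons after", n, "reloads:", sorted(icons))
```

The point for a defender is the design rule the scheme breaks: a challenge set that must always contain the secret leaks it to anyone who can observe more than one challenge, so the 504-way keyspace collapses to the 6 orderings of P(3,3).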

Two assignments down..

Sunday, May 7th, 2006

In a few hours I’ll be handing in my paper on the Chameleon Fault Tolerant Infrastructure after many hours of hard work during the past few days. The paper is available here for those interested. I’ll blog a bit more about it tomorrow, right now I need sleep.. badly.