My bleak tech reality: You can't trust anyone or anything, anymore

Two-factor authentication? Fine, if you trust the Feds

The essential guide to IT transformation

Opinion Virtually everything we work with on a day-to-day basis is built by someone else. Avoiding insanity requires trusting those who designed, developed and manufactured the instruments of our daily existence.

All these other industries we rely on have evolved codes of conduct, regulations, and ultimately laws to ensure minimum quality, reliability and trust. In this light, I find the modern technosphere's complete disdain for obtaining and retaining trust baffling, arrogant and at times enraging.

A simple problem

Let's use authentication systems as a fairly simple example. Passwords suck, we all know they suck, and yet the majority of us still try to use easy to remember (and thus easy to crack) passwords for virtually everything.

The use of password managers and two-factor authentication is on the rise, but we have once more run into a classic security versus usability issue with both technologies.

Two-factor authentication is a pain. I have to log in to over 20 different networks, websites and so forth every day. That number is only going to increase. I am not whipping out my phone and punching in a random string of numbers every time.

When you factor in session time-outs I probably have to enter a password over 100 times a day. Entering a password, pulling out my phone, bringing up the relevant application and then entering the code takes on average 30 seconds per login. If I were to use two-factor authentication for everything I would spend 50 minutes of every day just logging into things! This is inherently unsustainable.

The other alternative is a password manager. Password managers come in two basic types: ones that live on your local system and ones that store their information on a remote system.

Much to both Microsoft and Apple's dismay, the era of individuals using only one device is long over. I have two smartphones, a tablet, a netbook, a notebook, a luggable, a desktop and three personal virtual machines. All of which get used every single day. I am an edge case, but in technology, today's edge case is tomorrow's mainstream.

This means that in the real world the system-local password manager is completely useless. If I am going to generate some uncrackable, randomly generated password string and store it in my password manager, then I need to get at that password from any device I use. This means I need a centrally accessible password store. Once more, this bifurcates my options.

The first option is to use a cloud-based service like LastPass. LastPass is amazing - simple to use and effective. It has browser plug-ins for all major browsers that can autocomplete your passwords for sites you have to go to, and it generally makes the whole process of logging in as unobtrusive as possible.

The basics of the service are that you put all of your passwords into LastPass and it stores them in the LastPass cloud. You then log in once (per browser) and LastPass handles your authentication to all websites you visit.

Of course, this still means having a password that you can realistically remember in order to get into LastPass in the first place. This might seem like a single point of attack, but the software solves it by offering various forms of two-factor authentication. So you still have to drag out the smartphone – or use the fingerprint reader – but only once, per browser, per system, per day.

The second option is to create something like LastPass but host it on a server you control. The problem with this approach is that every version of this kind of software I've seen so far is utterly pants and comes nowhere near to LastPass in terms of usability.

Trust factors into authentication

Both these options have their own significant problems. The centralised LastPass store is an unbelievably tempting target for every ne'er-do-well on the planet. Although it is defended by a team of über cyber ninjas, if LastPass should fall, everyone who uses it is screwed.

LastPass doesn't store your master password anywhere that anyone can get at it, but an encrypted copy of your passwords are stored on their servers; if you've been paying attention to advances in password and encryption cracking techniques, you'll know the "only got the encrypted copy" response is not nearly as comforting today as it once was.

While you would be far safer if you used random generated passwords for everything – which is sort of the point of LastPass in the first place – you can store non-randomly generated passwords within LastPass as well. Those passwords would ultimately be quite vulnerable.

Far more worrying to me than the somewhat difficult to imagine prospect of a random criminal breaching LastPass's security, downloading all my passwords and then decrypting them, is the vulnerability of those passwords to the United States government.

The US government has been pretty open over the past decade about the fact that it simply does not care one whit for privacy, civil liberties and other such petty concerns. Certainly, the US PATRIOT Act ensured that non-US citizens have even fewer rights than the (already heavily degraded) few that remain to Americans, something that has been upheld in court but which remains contentious (PDF, 24 pages).

Even assuming that LastPass has no back doors by which it can find out what the passwords are, US law lets the government demand that LastPass turn over the encrypted passwords without even telling the individual affected by the order. The US government measures their computing in acres; they can find your passwords if they really want to.

Assuming that there was a Last-Pass-Alike that I could install on my own servers, I could solve one trust issue – the fact that I don't trust the individuals who work for the US government not to abuse their powers – by ensuring that the password storage is located in my country and subject only to my nation's laws. (An issue that many are concerned about.) That's a great first step, but it falls down on the other side of the equation.

The only security from criminal attack I could gain by striking out alone is that of herd immunity: the hope that so many people deploy the same solution I use that the odds of them attacking my setup become small. That's known as "gambling", because a concerted effort would fold my servers like a cheap tent - even if I was doing my best to defend them.

A centralised cloud service like LastPass defended by the top industry experts in the field is going to be far more secure than anything I run on my own servers. I'm not a security expert, like one of the guys LastPass hires to audit their design and implementation. I am certainly not as good as all of them put together.

Next gen security for virtualised datacentres

Next page: There are solutions

More from The Register

next story
Ice cream headache as black hat hacks sack Dairy Queen
I scream, you scream, we all scream 'DATA BREACH'!
Goog says patch⁵⁰ your Chrome
64-bit browser loads cat vids FIFTEEN PERCENT faster!
NIST to sysadmins: clean up your SSH mess
Too many keys, too badly managed
Scratched PC-dispatch patch patched, hatched in batch rematch
Windows security update fixed after triggering blue screens (and screams) of death
Researchers camouflage haxxor traps with fake application traffic
Honeypots sweetened to resemble actual workloads, complete with 'secure' logins
Attack flogged through shiny-clicky social media buttons
66,000 users popped by malicious Flash fudging add-on
New Snowden leak: How NSA shared 850-billion-plus metadata records
'Federated search' spaffed info all over Five Eyes chums
Three quarters of South Korea popped in online gaming raids
Records used to plunder game items, sold off to low lifes
Oz fed police in PDF redaction SNAFU
Give us your metadata, we'll publish your data
prev story


5 things you didn’t know about cloud backup
IT departments are embracing cloud backup, but there’s a lot you need to know before choosing a service provider. Learn all the critical things you need to know.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Backing up Big Data
Solving backup challenges and “protect everything from everywhere,” as we move into the era of big data management and the adoption of BYOD.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?