Original URL: http://www.theregister.co.uk/2013/06/03/trust_nobody_with_your_personal_data_ever/

My bleak tech reality: You can't trust anyone or anything, anymore

Two-factor authentication? Fine, if you trust the Feds

By Trevor Pott

Posted in Security, 3rd June 2013 09:05 GMT

Opinion Virtually everything we work with on a day-to-day basis is built by someone else. Avoiding insanity requires trusting those who designed, developed and manufactured the instruments of our daily existence.

All these other industries we rely on have evolved codes of conduct, regulations, and ultimately laws to ensure minimum quality, reliability and trust. In this light, I find the modern technosphere's complete disdain for obtaining and retaining trust baffling, arrogant and at times enraging.

A simple problem

Let's use authentication systems as a fairly simple example. Passwords suck, we all know they suck, and yet the majority of us still try to use easy-to-remember (and thus easy-to-crack) passwords for virtually everything.

The use of password managers and two-factor authentication is on the rise, but we have once more run into a classic security versus usability issue with both technologies.

Two-factor authentication is a pain. I have to log in to over 20 different networks, websites and so forth every day. That number is only going to increase. I am not whipping out my phone and punching in a random string of numbers every time.

When you factor in session time-outs I probably have to enter a password over 100 times a day. Entering a password, pulling out my phone, bringing up the relevant application and then entering the code takes on average 30 seconds per login. If I were to use two-factor authentication for everything I would spend 50 minutes of every day just logging into things! This is inherently unsustainable.

The other alternative is a password manager. Password managers come in two basic types: ones that live on your local system and ones that store their information on a remote system.

Much to both Microsoft and Apple's dismay, the era of individuals using only one device is long over. I have two smartphones, a tablet, a netbook, a notebook, a luggable, a desktop and three personal virtual machines. All of which get used every single day. I am an edge case, but in technology, today's edge case is tomorrow's mainstream.

This means that in the real world the system-local password manager is completely useless. If I am going to generate some uncrackable, randomly generated password string and store it in my password manager, then I need to get at that password from any device I use. This means I need a centrally accessible password store. Once more, this bifurcates my options.

The first option is to use a cloud-based service like LastPass. LastPass is amazing - simple to use and effective. It has browser plug-ins for all major browsers that can autocomplete your passwords for sites you have to go to, and it generally makes the whole process of logging in as unobtrusive as possible.

The basics of the service are that you put all of your passwords into LastPass and it stores them in the LastPass cloud. You then log in once (per browser) and LastPass handles your authentication to all websites you visit.

Of course, this still means having a password that you can realistically remember in order to get into LastPass in the first place. This might seem like a single point of attack, but the software solves it by offering various forms of two-factor authentication. So you still have to drag out the smartphone – or use the fingerprint reader – but only once, per browser, per system, per day.

The second option is to create something like LastPass but host it on a server you control. The problem with this approach is that every version of this kind of software I've seen so far is utterly pants and comes nowhere near to LastPass in terms of usability.

Trust factors into authentication

Both these options have their own significant problems. The centralised LastPass store is an unbelievably tempting target for every ne'er-do-well on the planet. Although it is defended by a team of über cyber ninjas, if LastPass should fall, everyone who uses it is screwed.

LastPass doesn't store your master password anywhere that anyone can get at it, but an encrypted copy of your passwords is stored on their servers; if you've been paying attention to advances in password and encryption cracking techniques, you'll know the "only got the encrypted copy" response is not nearly as comforting today as it once was.

While you would be far safer if you used randomly generated passwords for everything – which is sort of the point of LastPass in the first place – you can store non-randomly generated passwords within LastPass as well. Those passwords would ultimately be quite vulnerable.
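To make the "only got the encrypted copy" point concrete, here is an added example (not code from the article, and not LastPass's or any real product's vault format) of what a hosted password vault looks like to whoever ends up holding a copy of it. The `Vault`, `SealVault`, `OpenVault` and `OfflineGuess` names, the wordlist, the salt and the nonce are all constructed for the illustration. The key is derived from the master password with PBKDF2-HMAC-SHA256 and the data is sealed with AES-256-GCM; the only oracle a guesser has is "does this candidate open the blob", and nothing on the provider's side (rate limits, lockouts, two-factor prompts) is in the way once the blob has left the server:

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
)

// Vault is the constructed shape of what a hosted password manager keeps for a
// user: key-derivation parameters in the clear, password data encrypted under
// a key derived from the master password. It mirrors no real product's format.
type Vault struct {
	Salt       []byte
	Iterations int
	Nonce      []byte
	Ciphertext []byte
}

// Constructed fixtures so the example is deterministic. A real vault draws
// Salt and Nonce from crypto/rand on every seal.
var (
	ConstructedSalt     = []byte("constructed-salt") // 16 bytes
	ConstructedNonce    = []byte("constr-nonce")     // 12 bytes, the AES-GCM standard nonce size
	ConstructedWordlist = []string{"password", "letmein", "Summer2013", "qwerty123", "correcthorse"}
)

// deriveKey is PBKDF2-HMAC-SHA256 producing a single 32-byte block, written
// out so the per-guess cost is visible: Iterations HMAC evaluations, no shortcut.
func deriveKey(master string, salt []byte, iterations int) []byte {
	mac := hmac.New(sha256.New, []byte(master))
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // PBKDF2 block index 1, big-endian
	u := mac.Sum(nil)
	key := append([]byte(nil), u...)
	for i := 1; i < iterations; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range key {
			key[j] ^= u[j]
		}
	}
	return key
}

func aead(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealVault encrypts the password data under the key derived from master.
func SealVault(master string, plaintext, salt, nonce []byte, iterations int) (Vault, error) {
	g, err := aead(deriveKey(master, salt, iterations))
	if err != nil {
		return Vault{}, err
	}
	return Vault{Salt: salt, Iterations: iterations, Nonce: nonce, Ciphertext: g.Seal(nil, nonce, plaintext, nil)}, nil
}

// OpenVault returns the plaintext and true only when master derives the right
// key; with any other key the GCM authentication tag fails. That same tag check
// is the only oracle an offline guesser has.
func OpenVault(v Vault, master string) ([]byte, bool) {
	g, err := aead(deriveKey(master, v.Salt, v.Iterations))
	if err != nil {
		return nil, false
	}
	pt, err := g.Open(nil, v.Nonce, v.Ciphertext, nil)
	if err != nil {
		return nil, false
	}
	return pt, true
}

// OfflineGuess models whoever holds a copy of the vault, whether a thief or a
// party that compelled the provider to hand it over: candidates are tried
// against the copy with no server in the loop. It returns the recovered master,
// the number of guesses spent, and whether it succeeded.
func OfflineGuess(v Vault, candidates []string) (string, int, bool) {
	for i, c := range candidates {
		if _, ok := OpenVault(v, c); ok {
			return c, i + 1, true
		}
	}
	return "", len(candidates), false
}

func main() {
	// Low iteration count keeps the demonstration quick; the guesser's total
	// cost scales with Iterations x candidates, so production vaults use far more.
	weak, _ := SealVault("Summer2013", []byte("example.com:s3cret"), ConstructedSalt, ConstructedNonce, 1000)
	master, n, ok := OfflineGuess(weak, ConstructedWordlist)
	fmt.Printf("dictionary master: recovered=%v master=%q guesses=%d\n", ok, master, n)

	strong, _ := SealVault("qX7!vL2#pW9m", []byte("example.com:s3cret"), ConstructedSalt, ConstructedNonce, 1000)
	_, n, ok = OfflineGuess(strong, ConstructedWordlist)
	fmt.Printf("random master:     recovered=%v guesses=%d (wordlist exhausted)\n", ok, n)
}
```

The two defences the vault owner actually controls are both visible here: the master password decides whether any wordlist ever contains the answer, and the iteration count decides what each wrong guess costs. Neither the salt nor the provider's server protects a copy that has already been taken.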

Far more worrying to me than the somewhat difficult to imagine prospect of a random criminal breaching LastPass's security, downloading all my passwords and then decrypting them, is the vulnerability of those passwords to the United States government.

The US government has been pretty open over the past decade about the fact that it simply does not care one whit for privacy, civil liberties and other such petty concerns. Certainly, the US PATRIOT Act ensured that non-US citizens have even fewer rights than the (already heavily degraded) few that remain to Americans, something that has been upheld in court but which remains contentious (PDF, 24 pages).

Even assuming that LastPass has no back doors by which it can find out what the passwords are, US law lets the government demand that LastPass turn over the encrypted passwords without even telling the individual affected by the order. The US government measures their computing in acres; they can find your passwords if they really want to.

Assuming that there was a Last-Pass-Alike that I could install on my own servers, I could solve one trust issue – the fact that I don't trust the individuals who work for the US government not to abuse their powers – by ensuring that the password storage is located in my country and subject only to my nation's laws. (An issue that many are concerned about.) That's a great first step, but it falls down on the other side of the equation.

The only security from criminal attack I could gain by striking out alone is that of herd immunity: the hope that so many people deploy the same solution I use that the odds of them attacking my setup become small. That's known as "gambling", because a concerted effort would fold my servers like a cheap tent - even if I was doing my best to defend them.

A centralised cloud service like LastPass defended by the top industry experts in the field is going to be far more secure than anything I run on my own servers. I'm not a security expert, like one of the guys LastPass hires to audit their design and implementation. I am certainly not as good as all of them put together.

There are solutions

The ultimate solution to this problem would be a virtual appliance that I could install on my network which would stream updates and security configuration changes from a centralised cloud service. Here I could tap the expertise of a group like LastPass while still ensuring that the information I care about is subject only to the laws of my nation.

The truly paranoid would worry about backdoors being built into the app. The solution to that is independent audits. A requirement for those audits is that the auditors come from different jurisdictions, making it impossible to claim that all the auditors could have been ordered – or coerced – by any one entity to overlook such critical flaws.

Updates should be delivered via a pull (rather than push) mechanism, the updates posted to the site and the server software going out to grab them. There should be no means by which the centralised service could directly interact with the deployed base of servers. These updates could be similarly scrutinised to ensure that they do not introduce any back doors into the system.
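The pull-and-verify step described in the last two paragraphs, as an added example that is not code from the article or from any product: the appliance fetches an update bundle on its own schedule, and applies it only if enough pinned auditors have signed the exact artifact and those signers span more than one jurisdiction, so no single authority could have compelled all of them. The `Auditor`, `Attestation`, `UpdateBundle`, `UpdatePolicy`, `Attest` and `VerifyBundle` names, the message format and the auditor identities are assumptions made for the illustration; the signatures are standard Ed25519 from Go's standard library.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Auditor is an independent reviewer the appliance operator chose to trust,
// pinned by public key, together with the jurisdiction they operate under.
type Auditor struct {
	Name         string
	Jurisdiction string
	PublicKey    ed25519.PublicKey
}

// Attestation is one auditor's signature over a specific version and artifact
// hash, published beside the update for anyone to fetch.
type Attestation struct {
	AuditorName string
	Signature   []byte
}

// UpdateBundle is what the appliance pulls; the service never gets a channel
// into the appliance, only a place to publish.
type UpdateBundle struct {
	Version      string
	Artifact     []byte
	Attestations []Attestation
}

// UpdatePolicy: apply only if at least MinAttestations distinct trusted
// auditors signed, spanning at least MinJurisdictions distinct jurisdictions.
type UpdatePolicy struct {
	MinAttestations  int
	MinJurisdictions int
}

// NewAuditor creates a fresh Ed25519 identity. The private key stays with the
// auditor; only the Auditor record (public key) is configured on appliances.
func NewAuditor(name, jurisdiction string) (Auditor, ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Auditor{}, nil, err
	}
	return Auditor{Name: name, Jurisdiction: jurisdiction, PublicKey: pub}, priv, nil
}

// attestMessage binds a signature to both the version string and the exact
// artifact bytes, so it cannot be replayed onto a different build.
func attestMessage(version string, artifact []byte) []byte {
	h := sha256.Sum256(artifact)
	return []byte("appliance-update/v1\n" + version + "\n" + hex.EncodeToString(h[:]))
}

// Attest is what an auditor runs after reviewing the update's source and build.
func Attest(priv ed25519.PrivateKey, name, version string, artifact []byte) Attestation {
	return Attestation{AuditorName: name, Signature: ed25519.Sign(priv, attestMessage(version, artifact))}
}

// VerifyBundle is the appliance-side check run before an update is applied.
// It reports whether the policy is met and a short reason for the log.
func VerifyBundle(b UpdateBundle, trusted []Auditor, p UpdatePolicy) (bool, string) {
	byName := make(map[string]Auditor, len(trusted))
	for _, a := range trusted {
		byName[a.Name] = a
	}
	msg := attestMessage(b.Version, b.Artifact)
	signed := map[string]bool{}        // distinct auditors with a valid signature
	jurisdictions := map[string]bool{} // distinct jurisdictions among them
	for _, att := range b.Attestations {
		a, known := byName[att.AuditorName]
		if !known {
			continue // a signer we never pinned carries no weight
		}
		if !ed25519.Verify(a.PublicKey, msg, att.Signature) {
			return false, "invalid signature from " + a.Name // wrong artifact or forged
		}
		signed[a.Name] = true // the same auditor signing twice still counts once
		jurisdictions[a.Jurisdiction] = true
	}
	if len(signed) < p.MinAttestations {
		return false, fmt.Sprintf("%d valid attestations, need %d", len(signed), p.MinAttestations)
	}
	if len(jurisdictions) < p.MinJurisdictions {
		return false, fmt.Sprintf("signers span %d jurisdictions, need %d", len(jurisdictions), p.MinJurisdictions)
	}
	return true, "policy satisfied"
}

func main() {
	// Constructed auditors: three reviewers across two jurisdictions.
	a1, k1, _ := NewAuditor("audit-ca", "CA")
	a2, k2, _ := NewAuditor("audit-de", "DE")
	a3, k3, _ := NewAuditor("audit-ca-2", "CA")
	trusted := []Auditor{a1, a2, a3}
	policy := UpdatePolicy{MinAttestations: 2, MinJurisdictions: 2}
	art := []byte("constructed appliance image 1.2.0")
	two := []Attestation{Attest(k1, a1.Name, "1.2.0", art), Attest(k2, a2.Name, "1.2.0", art)}
	fmt.Println(VerifyBundle(UpdateBundle{Version: "1.2.0", Artifact: art, Attestations: two}, trusted, policy))
	sameLaw := []Attestation{Attest(k1, a1.Name, "1.2.0", art), Attest(k3, a3.Name, "1.2.0", art)}
	fmt.Println(VerifyBundle(UpdateBundle{Version: "1.2.0", Artifact: art, Attestations: sameLaw}, trusted, policy))
}
```

The jurisdiction rule is the part that encodes the article's point: two valid signatures from auditors who answer to the same legal authority satisfy the count but not the policy, because one order could reach both of them.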

I could go on, but I believe the point is made. We are heading into a world of cloud computing where trust is going to be a huge issue. It is no longer simply a matter of trusting that the software you buy works as advertised.

We now have to worry about ongoing and increasingly complex security threats, not only from criminals, but from governments whose laws and approaches to privacy and civil liberties diverge greatly from our own.

Trust as a design principle

The technosphere doesn't think like this. Very few design their products around trust, or the lack thereof. We've become obsessed with how the technology works and what that technology can enable; technology is easy, people are hard. How the technology we create integrates into the larger reality of politics, law, emotion and the other people-centric elements, is often overlooked.

In some cases it is simply a matter of having a limited target audience; American firms designing for American users, for example. It is impossible for most to really understand the intricacies of trust issues in all their variegated permutations. It is human to be limited in our vision, and scope of understanding.

The 2000s saw "secure by design" become a catchphrase as the exponential spread of always-on internet connectivity made remote attacks from random hostiles a part of everyday life. This decade seems to have latched on to "integrated by design" - a marriage of hardware, software, networking and cloud services under banners ranging from DevOps to Software Defined Networking/Storage/etc.

"Trustworthy by design" has been completely ignored, quietly brushed under the rug as inconvenient and bad for business. It is the elephant in the room that we collectively feel powerless to address. Companies don't want to waste resources worrying about it. Governments are all too often part of the problem, not the solution.

End users buy into marketing campaigns designed to make us feel as though we are somehow suspicious and guilty for worrying about such things. The scorn that technology companies – and technology magazines, reporters and bloggers – heap upon the concepts of privacy has made desiring control of your own data something that will get you ostracised.

We have created a culture of thoughtcrime - those desiring privacy are guilty of something, obviously, otherwise why would they want said privacy?

Demand change

We need a new movement in computing, one that looks at all seven layers of the OSI model plus an extra three that take into account the human element, then works to design around every one of them.

As technologists, we must stop looking at user data as one more thing to monopolise and monetise; we need to treat data as sacrosanct.

We, as users, must not allow our data to be used to lock us into “solutions”, or be mined by corporations or governments. It's easy to understand the importance of securing data when we talk about passwords, but other forms of data are equally important. A journalist's contact list being mined could endanger their sources. As much as we hate to acknowledge it, revealing an illness or even an ethnicity that someone has kept carefully hidden could end up costing them their livelihood – or in some locales, even their lives.

Our data is no longer entirely under our control. As users we must examine every link in the chain of custody and ask ourselves "who could potentially gain access to our data and how?" We must demand steps be taken to ensure that nobody but us should ever have access to our data for any reason unless we explicitly allow it.

We need to demand this of the companies that create our applications. We must demand this of our governments and even the companies we work for. The alternative is a world without secrets; a world where one mistake – no matter how minor – can haunt us for a lifetime.

Humans are not particularly forgiving. We are cliquish and tribal, we seek constantly not to include others but instead to find reasons to exclude them. Our history is littered with discrimination based on every conceivable factor of our existence. This has manifested in everything from light heckling to segregation, slavery, torture and genocide.

It is easy to look at the more awful and extreme end of that spectrum and say that this is something that happened only in humanity's barbaric past, or in far-off places. We can abstract away the horrors of Darfur and Burma by telling ourselves that the people involved are somehow less than us - different, less civilised. How many are aware of the irony of the selfsame thought, one that creates an "us" and a "them" based on what would be nothing more than data in a spreadsheet: Country of Origin?

What happens when a racist gets hold of a great big blob of data? Could they misuse laws like "stand your ground" to find and harm people appearing in certain spreadsheet fields they don't like? Have we even begun to figure out how the misuse of this data could alter housing, insurance and related pricing? What would the mob do with that information when it feels entitled and on a mission? After all, Reddit sure got the Boston bombers' identities wrong.

We are not ready for Google Island. The human race has not evolved that far. We cannot even grant our governments powers to invade privacy without their immediate and blatant misuse. Powers created strictly to protect national security and deal with the very real threat of terrorism are used to spy on people putting out too many bags of garbage for collection.

Giant government databases of information that is supposedly properly curated aren't even right all the time - tapping US senators as terrorists among other failures. Are we really ready to have these same people dealing with mountains of unstructured data they've harvested from the tattered remains of our ever-increasingly-easily decrypted privacy?

Very few among us - maybe none - are worthy of the level of trust required to have complete access to our activities, beliefs, actions, associations and desires. Acknowledgement of this means designing the systems that store all of that information in a way that treats everyone as untrusted by default.

Are we – as creators and implementers of technology, as well as users and consumers of said technology – willing to ensure that data custody becomes as fundamental to design as security, connectivity and ease of use? If not, are we prepared for the future that our apathy will create?