Digital Security: The Weakest Link

Online security

When the elite of the digital security world gathered at Vancouver’s CanSecWest conference earlier this year, the focal point was the geek equivalent of a bench-press competition: a computer hack-off called Pwn2Own (if you’re not hip to the lingo, “pwn” is Internet slang for “thump an opponent”). On a table sat three laptops, each running a different operating system – Apple Leopard, Windows Vista, Ubuntu – and each waiting, helplessly, to be violated. It took Charlie Miller, a balding security evaluator from Baltimore, all of two minutes to crack the MacBook Air – walking away with the computer and a $10,000 cash prize.

Conferences like CanSecWest are specialized gatherings where tech heavyweights such as Google and Microsoft talk digital security the way Trappists talk theology or Tiger Woods talks knockdown shots. For mere mortals, however, the real arena of concern in digital media is not the channel between the server and your computer, which can stretch thousands of kilometres, but the 75 centimetres between you and your computer. To cite a game show: you are the weakest link.

Everyday contact with the world of online security is, for most of us, made through PINs and passwords. In our personal lives, we use such ciphers to access money and medical information; in our professional lives, we use them to admit ourselves, physically and digitally, to the myriad spaces in which we work. The current wisdom is that your password should be eight or more characters, using symbols and upper- and lower-case letters while avoiding real words or personal information. Something like “H&*gdDu3!M7p” – a long, nonsensical, never-before-seen string of letters, numbers and punctuation. This approach to personal cryptography has only one drawback: no one has ever used it and no one ever will. If you go to the trouble of making a password so difficult that it is genuinely secure, you’ll have to write it down to remember it – which rather defeats the purpose.
Mohammad Mannan and Paul van Oorschot, two researchers from Carleton University, have come up with an elegant solution to the problem: the “object-based password” (ObPwd), which works by allowing people to use “digital identifiers” – photos, text, songs, movies – to create their passwords. In my case, I downloaded the ObPwd plug-in for my browser, highlighted (on a website) the opening salvo of Camus’s The Outsider (“Mother died today. Or perhaps it was yesterday, I don’t know.”) and then right-clicked it. From the digital information encoded in the object, the plug-in produced a 12-character alphanumeric code for me – “e80MrtHylKyV.” Clicking on the same object will always produce the same password. A service like ObPwd is a boon to the forgetful: you don’t have to remember the string of code – only that your “password” is the first two sentences of The Outsider (or, if you prefer, a video of Elton John on The Muppet Show or a jpeg of JonBenét Ramsey). As long as you can find your “password” on the Internet, it will produce a code for you, and you can be as sneaky or subtle as you like in its selection.

Yet the root problem with codes and phrases isn’t their simplicity or complexity. It is, rather, that going to a web page – which may not be what it claims to be – and tapping in a series of characters to authenticate our identity is fraught with peril. Microsoft, Google and PayPal (the payment arm of eBay) are among the founders of an industry organization proposing a path around this hazard. They call it the Information Card, or I-Card, and it operates like a digital passport. Rather than logging in to my bank or email account with “nibbles23” or a quotable bit of existentialism, I’ll gain access using a secure digital identity that is administered by a third party. Analysts say it’ll be a few years before I-Cards are common currency: it’ll take that long to get the requisite millions of websites to support the new system.
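As an added illustration (not the ObPwd plug-in’s own code, whose exact algorithm the article does not give), here is a Python sketch of the idea: hash the selected object’s bytes and map the digest into a fixed-length alphanumeric string, so the same object always yields the same password. The hash choice, the alphabet and the sample Camus sentence are my assumptions; the second function makes the practical caveat concrete: the derived string is no harder to guess than the object it came from.

```python
import hashlib
import string

# Alphabet of 62 symbols; 12 of them carry about 71 bits (62**12 ~ 2**71).
ALPHABET = string.ascii_letters + string.digits

# Constructed sample object: the opening sentences quoted in the article.
CAMUS = b"Mother died today. Or perhaps it was yesterday, I don't know."


def object_password(obj: bytes, length: int = 12) -> str:
    """Derive a deterministic alphanumeric password from an object's bytes.

    SHA-256 is an assumption for illustration; any fixed hash gives the
    same property the article describes: same object, same password.
    """
    digest = hashlib.sha256(obj).digest()
    n = int.from_bytes(digest, "big")
    out = []
    for _ in range(length):
        n, r = divmod(n, len(ALPHABET))  # peel off one base-62 digit
        out.append(ALPHABET[r])
    return "".join(out)


def derived_from_known_object(password: str, public_objects):
    """Return the public object that yields this password, or None.

    A password derived from a widely available object (a famous opening
    line, a popular clip) is only as secret as that object: anyone holding
    the same object and the same derivation gets the same string.
    """
    for obj in public_objects:
        if object_password(obj) == password:
            return obj
    return None


if __name__ == "__main__":
    pw = object_password(CAMUS)
    print("derived:", pw)
    print("same object again:", object_password(CAMUS) == pw)
    print("recoverable from a public list:",
          derived_from_known_object(pw, [b"Call me Ishmael.", CAMUS]) is CAMUS)
```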
To establish my identity using the I-Card, two entities – my computer and the site – will perform a ciphered digital “handshake,” with the computer confirming that I exist. At that point, my lone comfort may be existentialism, because the weakest link in the chain will have been removed: me.