Slashdot Mirror
Picture Passwords More Secure than Text
Hugh Pickens writes "People possess a remarkable ability for recalling pictures and researchers at Newcastle University are exploiting this characteristic to create graphical passwords that they say are a thousand times more secure than ordinary textual passwords. With Draw a Secret (DAS) technology, users draw an image over a background, which is then encoded as an ordered sequence of cells. The software recalls the strokes, along with the number of times the pen is lifted. If a person chooses a flower background and then draws a butterfly as their secret password image onto it, they have to remember where they began on the grid and the order of their pen strokes. The "passpicture" is recognized as identical if the encoding is the same, not the drawing itself, which allows for some margin of error as the drawing does not have to be re-created exactly. The software has been initially designed for handheld devices such as iPhones, Blackberry and Smartphone, but could soon be expanded to other areas. "The most exciting feature is that a simple enhancement simultaneously provides significantly enhanced usability and security," says computer scientist Jeff Yan."
I'd have to train myself to remember the strokes to draw something with the same movements and pen lifts. Sounds like a pain in the nuts to me.
The movie "Safe House" with Patrick Stewart had something similar.
Excuse me while I gather the virgin sacrifice and assemble the pentagram required to solve your problem
I don't belive it. Most of the pictures can only be drawn in a order, which everybody will use, so it isn't safe. Also, if the begining cell is part of the pass, you have to always start exactly on the same place, which is harder than a pass.
And.... why is it safer? a pass with chars a-zA-Z0-9 has 36^lenght combinations... randomly distributed...
...about drawing penises on goatse photographs?
:)
That would be one way to keep things secure though - it's hard for someone to guess your pass picture if they can't bring themselves to look at the background...
-- Trinity in high heels carrying a whip: The donimatrix - there is no spoonerism
I doubt this will really work, most people when they draw and write so it slightly diffrent each time. They may have to sit down and aim exactly and prepare which will take too much effort for most people. I doubt this will take off its the old security vs convenience. At this point ill take the convenience of a text password.
I can't even consistently write my signature, let alone some arbitrary picture.
I can't draw...
"Little does he know, but there is no 'I' in 'Idiot'!"
A normal signature is a picture drawn in a certain fashion with a specific flow and strokes.
We have had signature recognition for a while.
Whats new?
liqbase
You say that, but it's EXACTLY what you have to do to learn kanji or kana... or hanzi, for the Chinese.
That's right, there's a proper way to write every one of the thousands of characters, right down to stroke order and placement.
You didn't read carefully enough. You draw whatever picture you want. The background image is just to give you a frame of reference so you know where you started.
It still sounds like a bad idea to me for the second reason you mentioned. I do not see this as being any more secure than enforcing strong passwords. I can see it maybe being useful for touch/stylus devices, but that's a different matter than overall security.
I wonder how many users will just end up drawing Stars, Hearts, and Smiley Faces?
-The world would be a better place if everyone had a hoverboard
If you have to draw a picture to login, it's going to be very easy for people to see what you're drawing just by being near you.
With typed passwords that is a lot more difficult.
Or you could add 2 alpha-numeric characters to an existing text password, for more than 1000 times security.
There are only so many places to start drawing your password on a picture and a human would recognize that. People would probably draw birds in the sky and dogs on the ground, right? Also, I would guess that people would make linear leaps with their pictures: someone will draw a bird, and not a fish, in a picture of a tree.
That said, I'm not saying that this isn't a worthwhile endeavor, just that it wouldn't necessarily be as secure as it looks at first glance.
Will we need to draw a new picture every 90 days?
How many people will use a picture password of a stick man, tree, or a happy sun?
Yeah right. Maybe a thousand times better than a Joe Sixpack "god/sex" password but no way this is better than a good text password. The key-space is way smaller than a regular text password.
for those of us who couldn't draw Tippy to get into the Art school.
IMHO this is pretty good for people who can do calligraphy reasonably well.
;)
For example, to write Chinese characters properly, you need to remember the correct "stroke order" for each dash or dot in the character, and repeat it every time you write. The position where each stroke begins and ends is also fixed. It takes some training, discipline and drilling to learn writing like this though. For sloppy writers like me (I even had trouble writing pretty letters in school, mostly due to lazitude), this may not be such a good idea after all.
Especially if you have to do it with a mouse on a shiny surface
...the reality is that this story should probably be tagged 'security through never-being-able-to-access-your-stuff-again'
Friend: "The NIC is misconfigured..." Me: "No prob, I'll just telnet in and fix it." *Silence*
I think most people will associate the same things to the same background (eg. flowers->bee) resulting in even less combinations... also, the universe of "drawable things" is smaller than the universe of words, and that is smaller than the universe of pass...
People would just use lines for their picture, cracking will become a game of battleships at best and at worst a program will play it for you.
I like muppets.
1. An artistically-inclined person looking over your shoulder might be able to draw your image about as well as you can. With a conventional keyboard password, I can block the keyboard with my body so others can't see what I'm typing, and I can pretend to press keys that aren't in my password so even if they can see, they are thrown off. There is less you can do to block a screen you have to look at to draw properly.
2. Some people's hands shake when they've had too much caffeine, most people's fingers get stiff when they've been out in the cold, and some people have degenerative diseases which make typing a one-letter-at-a-time proposition. Drawing would be very difficult in all of these circumstances. Perhaps this is why TFA says that 5% of users couldn't recreate their image within three attempts a week after first coming up with it.
I don't think this technology is going anywhere any time soon.
My truck is like a series of tubes.
8==D
Who'd have guessed you could use the same password in both systems?
How about a little mini game, where your actions make up the password...like...jumping on X car and shooting a sign at X height and dragging the sweater under a sign, when the timer hits X:XX....or some crazy combination like that. You know, just like how we would unlock stuff or get extra lives by doin weird random things in Super Mario Brothers or any other kind of video game. I think this is WAAAY MORE secure if you add this on top of a text password. With what I just described above you can do things so many different ways!!
At least my idea for a Dance, Dance, Revolution password authentication scheme is still intact.
Patent pending, patent pending, patent pending.
Worst Sig Ever
I'm a sysadmin. A user calls me and says "I forgot my password". How do I reset it? After confirming the person's identity yada yada, saying "I've reset your password to 'somepassword'" is easy. How do you say "Your new password is a flower. No, not a daisy - more like a poppy, or maybe a droopy rose. The stamen is just a little squiggle. Maybe a couple of squiggles - not very large. Little dots on top. Don't forget the stem. I added a little flourish of wild grasses because I thought that would look nice. OK, let's give up on that one. Do you like monster trucks?"
What would the image equivalent of 'pwgen -s -y' create for me?
Anyone remember that they used pictures as passkeys in Johnny Neumonic, that crazy movie with Keanu Reeves?
1. "People possess a remarkable ability for recalling pictures": If anybody ever accidentally sees you drawing your passgraphics it will be easy from him/her to remember what you drew. 2. People are not good at recreating the exact same movements every time. While different versions of my natural signature look similar they are never exactly the same. The software will need to be able to cope with that. How well that works you can experience with any device using a stylus detecting handwritten characters. It typically takes me two to three attempts to enter my password on my handheld correctly that way. What's so new about the concept? It's not really different from zig-zagging over a keyboard creating an arbitrary password.
Sharks with frickin' laser beam are one MILLION times more secure.
So you don't even have to hit the same points. And this is supposedly "more secure"?
Imagine a password program that allowed for "close enough" typing. Would you consider it "more secure"?
If your password was "peach", would you want the system to accept "apple" as being "close enough"?
Because "penis" wasn't a common enough password before...
I've seen other instances of picture passwords, but instead of doodling on them, a series of points were clicked on the picture. The user would have to remember the areas clicked and the order in which they were selected. This seems faster, more secure and less prone to error than drawing a picture just to log in to something.
All this hifalutin tech to solve a simple problem. Sheesh.
"Win treats sysadmins better than users. Mac treats users better than sysadmins. Linux treats everyone like sysadmins."
How many ways are there to sign in with an X?
... oh something like, "Oops! I'm a little short today", with total confidence.
Doesn't the iphone have accelerometers? It's no great feat to foresee that becoming very popular. Why not have the phone/pda/plamtop differentiate dance moves? If you can't do the Fox Trot, maybe master hopping on one foot. Of course, it oughta be smart enough to tell which foot, jump height etc.
The hopping password might be really handy. When someone tries to mug you and your iphone won't accept your sign-on to transfer the extortion amount to their account, you can say
If you remove the background picture and the act of displaying what you draw to everyone within eye-shot, I've already done that at http://shaunwagner.com/index.html?page=Projects%2FJavascript%2FMouse+Password
Does it work? No. It is far too difficult to draw the same image twice without seeing what you are drawing. If you can see what you are drawing, so can everyone else - then they can draw the same image.
The previous comment is purposely vague and generalized, but all of the facts are completely true.
I bet I could crack 75% of these right off the bat by drawing a cock or boobs.
It's a small conceptual leap to go from this 1998 stroke-based password idea to the present idea of drawing a picture to capture strokes which are then turned into a password. Looks like prior art to me!
Some days it's just not worth chewing through the restraints.
your average forum avatar is 25kilobytes
your average good alphanumeric password is 9-18 bytes
guess which one would be harder to crack, even with a "fuzzy" range
VLC FOR MAC IS DYING! IF YOU DEVELOP, PLEASE SAVE IT!!
"The most exciting feature is that a simple enhancement simultaneously provides significantly enhanced usability and security."
I fail to see how this idea could even *remotely* be construed as providing "significantly enhanced useability". The security aspect is at least arguable (and I actually don't buy that either), but in no way shape or form could such an idea *ever* be called "more useable." Consider:
* It takes me about a second to type a password. How long would it take me to move my mouse pointer to the appropriate spot on the screen to start my "picture" and then draw it? Wouldn't a more secure "password" require more strokes? An extra character or two in your password takes a fraction of a second to type. A couple of extra strokes in a picture would necessarily take *much* longer to complete.
* What happens if I make a stroke in the picture wrong? I can't just delete it. *Maybe* I could if I was provided some kind of eraser, and the stroke that I messed up on didn't intersect any other strokes. I've erased pen strokes with the Gimp and other such tools; it's no fun. You have to zoom way in and carefully and slowly erase all of the pixels you touched without disturbing any others. What a pain. Or maybe the password-picture input system would have a stroke-by-stroke undo kind of like the Gimp has? My god, what a complex piece of software one's password input route has just become!
* Just about every human-computer interface ever invented has the ability to take text input from the user. So typed passwords are *always* an option. Not every interface allows you do draw pictures however. How am I going to enter my SSH password (or its picture equivalent) from a VT100 terminal?
I could go on and on. This is basically a really, really stupid idea, which I think is obvious to just about everyone. This will absolutely never catch on, and never make it past this guy's thesis or whatever academic setting it came from.
Their idea sounds like a rip-off from Kanji, the Chinese characters; Those learning the calligraphy must draw the words according to certain strokes in a certain order & way.
But seriously, the basic Kanjis are around 3000! So, unless we all start using that "new" password method from kindergarten to train ourselves, it would just result in way too many locked accounts & miserable users & support teams!
Mod points are a dangerous tool. Abuse them wisely.
Idiots will still just draw an X. Most passes will be easy to brute force with simple dictionary-like lists.
To boldly use to and too two times and get it right too! They're not gonna believe their eyes when they see it there!
Here's a headline for you;
"Public Key Authentication more secure than Picture Passwords"
Besides picture passwords are as annoying as hell, require a GUI and mouse, and aren't really all that much more secure than plain text passwords. You can still brute-force the picture sequence. You can still pick them up sniffing the network, you just need to be about three times smarter than a rock instead of barely smarter than a rock.
I'll take ssh authorized_keys over picture passwords any day.
455fe10422ca29c4933f95052b792ab2
In current password fields, we at least get asterisks to hide the text we're writing, but with a picture to be drawn: People can see the pictrue, the background & the way you're drawing that picture!
You call this security enhancement?!?
The "new" method only works if you only login from your house, away from prying eyes, and never ever use it outside. Add to that, it makes social engineering hacking attempts much easier.
Stupid idea.
Mod points are a dangerous tool. Abuse them wisely.
"thousand times more secure than ordinary textual passwords. "
Sure, but like a half the poster have already said you are going to have a 80% of end luser drawing happy faces, smileys and stick figures with giant cocks. Easy to dup and a thousand times less secure than a regular pass.
Plus the problem with the signature recognition people have talked about in other posts is that the tools already available at retail stores all suck nuts. You ever try signing your name for a credit card transaction?
It never looks right or feels right and it always looks screwed up different every single time.
ACK
Many years ago we did authentication this way:
The system displays a long random number (e.g. 40 digits) plus some tick marks. You pick certain digits, do a simple operation with them, and enter the result. E.g. ( 5th digit + 2nd digit) * 12th digit. We did that after a normal password.
thegodmovie.com - watch it
So, according to the movie "Hackers", the most common passwords are "god," "sex," "love" and "secret."
With this pass-image scheme, the favorite pass-images will be what? Boobs, penises, and goatse.cx?
After all, I thought that was the biggest problem with passwords.
First there were letters, now there will be ... drawings?
hmmm....
... wasn't that a show on Nickelodeon with Bill Cosby? He'd show you his password for various systems, and make silly sound effects to go with whatever sort of line he was drawing. It had a theme song: Picture Passwords, Picture Passwords, lots of fun with Picture Passwords, lots of fun with crayons and with pencils!
That might be a good idea until you get one of these messages.
Password expired, please change your name.
...some little SOB passed a magnet over my Etch-a-Sketch, which totally ruined my secure signature. grrrrrr... closely watching those hacker types in the office.
Yep, this idea is as solid as sand. Had to much to drink, or? Christ, my signature is never "exactly" the same, and I sure as hell can't draw.
Life was hell, then I discovered Linux...
The best security revolves around more than one piece of information. I can spy on you while chatting innocently and get hold of you logon password, people are very careless around friends/colleagues. However I won't be able to logon as you if I also require your secureId card or other similar technology.
So basing a logon on a single technology is flawed, you need more than one, e.g. something I know (password) and something I own (fingerprint, secureId card, keychain, rfid button etc). You may be able to get one, but its unlikely you'll get both.
Andy.
How about gesture-based passwords? In order to log onto your computer, you have to stand in front of your webcam and do the hokey-pokey?
Stasis is death. Embrace change.
On my Toshiba tablet, it has an applet to use your signature or drawings for authentication at login.
from 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
to 45 2F 6E 40 3C DF 10 71 4E 41 DF AA 25 7D 31 3F
It's not about pixels, but strokes or gestures and speed. Think of it like "one short stroke SouthSouthEeast in this region done so fast, two strokes going North in that around X speed, a curve up in this area, a circular gesture in that"
from 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
to 45 2F 6E 40 3C DF 10 71 4E 41 DF AA 25 7D 31 3F
Boss : What the f*** are you doing, its half past 10 ??? Employee : I am drawing pictures since morning sir Boss : Why the f*** on earth you waste time on drawing childish drawing on a Monday morning ??? Employee : I am trying to log in to my f***ing computer you moron...
The day "they" can say "without a doubt" it was YOU, is the day they will frame you for something you didn't do.
Be careful what you ask for. You might get it.
Sucks for the blind.
AC
.sdrowkcab erutangis ym etirw I
I beg of you.. Imagine the call..
User "I have forgotten my password"
admin "let me just reset it for you, the default password is a square with a star inside started at grid co-ordinates 0,3 going to 0,10 then down to 10,10... Don't forget to lift your pen at each courner"
Just kill me now please.
Digital signature
Oh no:
Password too simple. Password must be at least 8 strokes with at least one diagonal one and one wiggly one.
I figure this will be easier for malicious people to guess the correct drawing (albeit without necessarily being able to guess the starting point and stroke patterns. If you add those pieces of info in, however, it will go from being trivial for anyone to access by guessing to being almost impossible for anyone to access.... Unfortunately, that "anyone" likely includes the legitimate owner of the account.
Congratulations. You've designed perfect security. Why bother letting only the person you want in when you can just keep everyone out? :-)
Check out my sci-fi/humor trilogy at PatriotsBooks.
some util takes a snapshot and sends info by backdoor ? the whole thing fails ? even voice recognition looks good, but what if someone records voice and bypasses the checked input ? Security needs to be unique and non-reproducible(direct / indirect) by others
I did something like this myself about 5 years ago. I put up a window with a 16x16 grid and drew a pattern onto it with the mouse. Order did not matter but each pixel contributed some number of random bits to the password. The random bits assigned to the pixels was generated from a short text "password" (salt) at the start, so knowing only the figure was not enough. The result is a password with lots of pseudo-random bits, yet it was easy to remember the pattern.
J
Hello? Stick men??? Come on. Everybody is going to use boobs!
Makes "is the caps lock key down" seem down right ordinary.
Mike
... could be come a viable security model again at some stage in the future. From whom do we need to be secured?
I've never understood the fascination with pictographic security measures. It seems very rube-goldberg and introduces several counter-intuitive factors that could end up locking out legitimate clients from their own data, if something were to happen to them that would permanently alter how they enter such a code. (The same could be said for biometric security measures, as well...)
For example, what if the user were to end up blind, paralyzed or damages / loses part of the limb used to enter such a code? At least with alphanumeric sequences, there are several ways to accomodate such changes.
May pictographic codes were cool back in the days of Johnny Pneumonic, but realistically they're not exactly practical for everyday use. There's a few websites out there, like SpyMac that employ pictographic codes, however, they lost a good chunk of their user base after it was put into effect. (Not sure if they're still using it now though...)
8==8 Bones 8==8
Want a password that is 1000 times more secure? Just add two extra characters. Woohooo.
How is this supposed to work with ssh (text only) logins?
Gentlemen, you can't fight in here! This is the War Room.
I was a consultant at a large UK retail bank and we were going to use a type of picture/CAPTCHA on the online banking solution. Except that the RNIB (Royal National Institute for the Blind) consultancy operation basically told us that if we went ahead they would be forced to "go to the newspapers" and also would consider taking action under DDA (Disability Discrimination Act) legislation.
It's really important to consider (in the UK at least) that around 10% of the online population will not be able to see or draw images clearly on a computer screen and therefore, whilst graphical authentication is fantastic security for most of us - it does not work for all of us. As soon as you present a 'way out' for those that cannot see as well as the average human, you have introduced a loophole in your security system and the investiment in CAPTCHA or imagery is threatened.
NB: in the UK, under DDA we have to provide "a reasonable alternative" for disabled users - however, the strength of the RNIB lobby is really turning that into "You must not discriminate in any way against a sight impaired user" - so by making it impossible for impaired sight users to use this strong authentication from TFA is in fact discriminatory against them...
rd
But on the subject of security, how would these passwords be stored? One nice thing with plaintext is that you never have to store anyone's actual password, only the hash of it. I suppose you could still create a hash of "1. stroke 47degrees 3%, 2, stroke 270degrees 22%" or whatever the password device spits out, but it seems to me that as this system requires a more sophisticated way of interpreting fuzzily matched movements, there might be problems with this approach or it could introduce weaknesses.
:D ), adjusting lengths, perhaps. But this would probably have the effect of narrowing the password space making it easier to crack the passwords. I'm not an expert in this area, I'd be interested to know if they've thought about this or if anyone else knows a bit more about it.
You could use some algorithm to simplify the users drawing, rounding angles (I punned!
Aide-toi, le Ciel t'aidera - Jeanne D'Arc.
I once challanged a girl to write worse than my best, and won. No I'm not happy about it. Some of us simply can't draw, or write, or sign signatures.
That said, how do the wordblind manage the CAPTCHA challanges? Must be hell for them.
Yes. Also the picture will require at least one instance each of cross-hatching, scumbling, and stippling.
yeah, and of course, in the 4 million lines of code required to implement all the motion-tracking and image-processing there won't be any more bugs than in the 50 lines of code required to compare two text strings...
Someone learned how to draw my fish.
"To be is to do." --Socrates
"To do is to be." -- Aristotle
"Do-Be-Do-Be-Do..." --Sinatra
I can already see the movie scene where they crack the chief of the FBI's laptop by guessing his pictogram.
Stacey: Try drawing a massive cock..
Arnie: I'm in. Lets get to work
I wrote my first program at the age of six, and I still can't work out how this website works.
I put a key-logger, mouse-logger, and screen-logger on your system (hardware ones, that is). I retrieve the loggers and memorize every mouse movement and keypress in the video. If necessary, I record a several instances of you opening that archive. If I want that archive badly enough, I'll break even that security.
In hell, you will find a mountain of broken, feces-covered typewriters and a stack of copies of the First Folio.
How many stage magician "mind reading" acts are based on how easy it is to work out what someone's drawing based on the way the other end of the pen moves?
TWW
"Encyclopedia" is to "Wikipedia" what "Library" is to "Some people at a bus stop"
"If a person chooses a flower background and then draws a butterfly as their secret password image onto it, they have to remember where they began on the grid and the order of their pen strokes."
come on - they can't remember a passphrase never mind how to draw a house......
then there's the "I'm stupid and forgot my password" links and things have have to do to reverify....
might help, might not..
Because no one can remember which fucking pictures they picked, or which spots on pictures they picked.
So even the account owners themselves get frequently locked out.
Doesn't mean that it's more secure.
If your password was "peach", would you want the system to accept "peacj" as being "close enough"? Actually, it'd be more like:
If your password was "peach", is "pichu" close enough?
Some basic in authentication.
-Something you know (password)
-Something you are (biometrics)
-Something you have (key, token, gsm phone)
Making the password more secure does not make the access authentication much more secure.
I went to the DMV to get my license. The lady asks for my id so I give her my Canadian id. She hands it back saying "I'm sorry I need something with a picture on it". So I draw a little picture on it! "I'm sorry", she says, "That's not good enough.". So what, I gotta be a f**king artist to drive in this country????? Yeah I probably butchered that joke....
Newcastle Uni in the news again! Way to go... Toon Army! Grindalf
The purpose of existence is to make money.
Meh indeed.
If Google really cared they would fix Android Chrome to reflow text, instead of discriminating
I got to test this system. The real cool part is that when you draw the picture, the system obfuscates it with an asterisk. My picture contains a hunter and a numeral "2". When I draw the picture, I can see it, but everyone else sees asterisks.
Why should one care what order the strokes are penned in for any given character, as long as the character comes out looking the same. It strikes me as a horribly pointless thing to be wasting cycles learning...
I have never penned my O's the way they wanted me to in my mechanical drawing class, except for when the TA was watching, nobody could tell...
"I'll have a Guinness, no wait, make that a Coors Light" -Grad student I work with, who shall remain anonymous...
Up, up, down, down, left, right, left, right, B, A. Go read this... And then get the hell off my lawn!
Any plan which depends on a fundamental change in human behavior is doomed from the start.
Personally, I would come up with, essentially, a scribble with multiple lines, curves, and dots. I wouldn't need to see the image of it, so even if someone watches me draw, there would be little chance that they could imitate it. Same idea as avoiding words for passwords. This would be better to use for corporate or financial security; I don't see this as being practical for accounts and devices that don't have sensitive information or potential for major abuse.
My webcomic
I can't draw, and I don't want to anyway. I also sincerely doubt I could draw a circle the same way twice.
;-).
But I can look at most of my 14000 digital images and tell you where it was taken and when. 4 different pictures of me and the same 2 people and I can tell you where each one was just by the way the people look. I think it would be very tough for a computer to figure that out, much less someone looking over your shoulder. Assuming you had enough images that it couldn't be strictly memorized.
Very interesting, I think showing a picture from a large collection and having me idetify where it was taken would be pretty secure, certainly better than using one password for all of my servers
Well, I was only referring to what the movie said. However, if you want to be pedantic, there was a study a while back that supposedly uncovered the real top 10 passwords. I have no idea how they got this data, and it appears to be a survey of the UK. YMMV.
Glenda Ruth Blaine uses a picture-based password in Niven and Pournelle's The Gripping Hand.
//Information does not want to be free; it wants to breed.
Good luck if you're blind.
I'm not blind or otherwise disabled and I'm still sick of people shoving this entire class of people to the side.
Seriously now, how can this be better than text password? People just use common words as password such as "password" itself, what will prevent these people from using common pictures such as a circle? And fingerprint reading is a much better password than drawing -- you don't need to remember anything, just swipe your finger.
Penmanship and drawing are no longer really taught, much less learned, in most schools.
Plus, what if you get carpal tunnel? What if your hand is in a cast, or infected and bandaged, or whatever?
A picture is worth a thousand passwords.
My thoughts exactly :)
I worked on a project at the UK National Physical Laboratory http://www.npl.co.uk/ in the mid 1970's. A couple of applied physists had played around with a graphics tablet and come up with a graphical scheme for authentication. My job was to turn their code into algorithms and write a specification to be used in their patent application.
Their idea of an NDA was the Official Secrets Act, so I won't go into any details.