Apple Patents Power Adapter That Recovers Lost Passwords
Sparrowvsrevolution writes "Apple has patented a power charger that also serves as a password recovery backup. If a user forgets his Macbook's password, for instance, he simply plugs in the cord, and it would provide a unique ID number stored in a memory chip in the adapter that acts as a decryption key, unscrambling an encrypted copy of the password stored on the machine. The technique, according to the patent, incentivizes better password use by avoiding traditional password recovery techniques that annoy users and lead to disabled or easily-guessed passwords. The new technique is only secure, the patent admits, in cases where the user leaves a mobile device's charger at home. So the idea may make the most sense for long-battery-life devices like iPods, iPads and iPhones rather than laptops, at least until laptop batteries last long enough that users don't take their power adapters with them and expose them to theft."
Well that's a reasonably stupid idea. Store the password with something many users are going to carry around with their laptop...
And even if you didn't.. you forget your password on the road, then what? And this is less annoying than having to answer a previously entered question?
Kills the 3rd party accessory market. Because you won't be able to get "crypto" power blocks from anyone else. Wanna bet?
I hadn't known there were so many idiots in the world until I started using the Internet -Stanislaw Lem
Than a normal USB security token? It seems like a power adapter is likely to be taken with the user. A smaller token could be carried on the person of the user. Or you can just write your password on a post-it in your wallet.
The Daddy casts sleep on the Baby. The Baby resists!
Why not have it on a microSD card?
Passwords use *one way* hashing systems for a reason.
Thank you Apple, for once again eliminating desktop security.
Given the number of people I see charging up their smartphones in the office, I'd say the Apple patent people haven't quite grasped that smartphone battery life is a long way from what many people would like.
(Also, given that most non-computer devices like iPhones charge over USB, this seems distinctly less impressive. 'Put some data on some flash memory inside the battery charger' and transmit it over the USB connection hardly requires the kind of ingenuity that sending passwords up a DC power cable to a laptop does.)
Cupertino has started dosing again.
I object to power without constructive purpose. --Spock
OK, it's a daft idea for various security related reasons -- but that's fine. People patent daft ideas all the time; doesn't mean they plan to implement them.
What I don't get is, why bring power adapters into it? Why not patent a more general case, then if someone builds it into a power adapter, the patent covers it. If someone builds it into (say) an MP3 player, the patent covers that too.
Security is only as strong as its weakest password recovery method.
This whole idea completely forgets that the whole purpose of your password might be to stop your little-brother/offspring/tech-illiterate-housemate (ie: anyone who lives with you) from screwing up your device.
"I forgot my charger at home. May I borrow yours?"
I've had over 15 Mac laptops, never had a problem with any of them, EXCEPT 13 out of 15 needed a new power adaptor. I don't like this idea one bit.
1. what's wrong with storing the key on a flash drive instead? Only that it wouldn't be patentable?
2. goodbye one-way password hashing?
besides not being feasible, this idea is 1) not new 2) trivial, so it should not pass the patent review board. That is, if there was one.
As if they need a technical restriction, when they're so heavy handed with the legislative restrictions.
I'd never buy, for example, a phone that didn't have a micro USB charger, or a stereo that had a wacky proprietary interface like an "ipod dock".
It shouldn't be legal to block or tax 3rd party accessory makers, and what's needed is more forced standards for consumer screwing companies like Apple.
... a paper clip which is capable of encrypting eBooks.
I suppose it's better than going to the Apple store, shuffling your feet and mumbling sheepishly you somehow forgot your password, but what if I have a power adaptor and swiped your phone, can I now hack it?
A feeling of having made the same mistake before: Deja Foobar
So, I plug in a device that can read this special number from a power adapter, and not only can I unlock the user's device -- I can actually see their password (which they likely use elsewhere)! Some hacker will eventually build this for $20 in parts, and I can amaze my friends. Sounds like fun.
Seriously?
Boot while holding down Apple-S
mount -uw /
rm /var/db/.AppleSetupDone
shutdown -h now
Bam. Administrator access and all the password resetting glory you need thereafter.
I don't even have a Mac and I know how to do it. How fucking easy does it need to be?
-- I wanna decide who lives and who dies - Crow T. Robot, MST3K
From TFA: "So the idea may make the most sense for long-battery-life devices like...iPhones"
In what universe is an iPhone a "long-battery-life" device?
It seems to me this was done, not for security, but for business reasons. Now Apple can use the DMCA to keep other companies from making power adapters for Apple products.
And even then, it's only secure if nobody breaks into your home. And you'll need a separate power adapter for use outside home. Under these conditions, you can ditch the home power adapter and replace it with a piece of paper with the password written on it.
This is just a rather ridiculous convenience/security tradeoff for now, but it will be interesting once the enhanced power adapter becomes required.
Think of the possibilities. Every device and accessory, even every component of the computer, could have cryptographic protection built right into the hardware in a way that cannot be reverse-engineered. A secure computer can only contain secure hardware (and vice versa), only approved devices can be connected to an approved computer, only an approved computer can run an approved operating system, and only an approved operating system can establish an internet connection. It will be a glorious future.
All hashes are one way because data is thrown away. You can't even reverse simple checksums like CRC32.
This system doesn't store a plaintext password. It's like a secondary authentication system. Think SSH: You can authenticate using a password OR public key cryptography.
Put another chip in the wall outlet, that will communicate with a charger device using BPL, Data over Powerline, short range communications, RFID, or bluetooth; e.g. a "Password recovery" agent installed in a device somewhere else in the home plugged into another wall outlet, or built in to the outlet itself. wireless AP, linksys box, NAS, TVs, other home appliances would be good candidates to form a BPL-enabled self-organizing P2P network for facilitation of password recovery and theft prevention.
Some of the devices could incorporate a GPS location reading. If the device's location has changed significantly, then it is less familiar.
When the user logs into their computer, and authenticates, there will be a program they run on their computer to cause the power unit to "learn" which will scan the BPL or bluetooth for other devices.
Require the presence of other "familiar" home devices, for the password recovery procedure to be initiated.
This could also help if the charger got damaged or lost... just plug a new one in, enter the "House PIN #", and have it build the same shared secret key based on the identities of the familiar devices surrounding it that have an agreed upon shared key.
Also, high theft-risk non-mobile devices could enter an auto-lockdown mode, if powered on and no "familiar devices" are around.
2. Outlaw passwords for things that don't need passwords at all. I.E. news sites.
3. For sites that need a password, but not a secure one (like Slashdot), use a minimal password system - i.e. you give them 9 things (food/music/etc.) you hate, plus one you like, and when you log on, select which is the thing you like, which is confirmed by a permanent cookie on your PC. If the cookie gets erased/you use a new PC, they email you a new cookie.
4. For things that need a secure password, outlaw the top 1000 most popular passwords. If people try to use them, say Not allowed, too easily guessable. If they use one from the top 100, give an insulting warning message, such as "a 40 year old Atari computer could guess that password in 10 seconds"
5. Teach people to use password algorithms: i.e. base password of 6 letters/numbers + 1 additional letter found in your username + 1 from the website's url. (i.e. Pa55w0 + 2nd letter from my username + 3rd letter from website. For Slashdot that would be Pa55w0ua)
excitingthingstodo.blogspot.com
Makes you wonder what Apple is doing now...without your consent or knowledge.
All it took is sticking a PostIt note on the side. Can I now patent moving the sticky to the inside of my closet, where it will be more secure from friends and allow me to take the charger for travel?
The more junk they cram in the power adapters, the harder it is for 3-rd party companies to make copies without Apple's consent.
It was worthless before and it's still worthless now. I'm not even upset that they patented this trivial and non-novel idea.
"When information is power, privacy is freedom" - Jah-Wren Ryel
I keep hearing this about patents.
If it's trivial and non novel then why is no one doing it or previously put a patent on it?
It's not trivial or non-novel. It's just not being done.
Non impediti ratione cogitationus.
...kinda worries me. Does this mean Apple is going to file lawsuits against anyone who has a GUI tool that asks someone their user name and password?
write your password on a post-it and stick it to your power brick. Much cheaper.
It's not going to stay "power adapter with password," that's just the simplest and most abstract (read: absent real hints of product plans) example they came up with for the purposes of the patent.
I predict that eventually the communications will go elsewhere, for a push-button support system like OnStar for AppleCare. Subscription fees FTW!
When I was a kid, we only had one Darth.
If it's trivial and non novel then why is no one doing it or previously put a patent on it?
Well apart from the fact that this particular idea is stupid (thus, nobody doing it), sometimes things just luckily don't get patented, like "fuel cells on a computer" and "fuel cells on a cell phone" which were both shockingly not patented up until this year. Somehow even among swarms of lawyers, a few conceivable ideas go unpatented sometimes. Shocking, I know.
This idea is both trivial (passing data to a power adapter which attaches to a port that can also pass data? Wow not like half the USB-charged devices on the planet do that!) and non-novel (acts as a security key like the metric shit-tons of USB fobs that have been on the market over the last decade).
"When information is power, privacy is freedom" - Jah-Wren Ryel
You miss the point of the patent. It's to prevent other people from doing something which reads on their invention. Not necessarily to implement it themselves.
That said, Apple will probably use this, but I doubt they will turn this into their default and only password recovery method. More likely, it will be an (expensive) optional add-on. This is direct in-house competition to all the crazy ways third parties offer to keep passwords secure for the Windows environment.
You have taken a patent and assumed how it will be implemented, and attacked that. Pretty much your basic strawman argument.
"Sir, we need your password" becomes "Sir, we are confiscating your laptop charger."
Brilliant idea. Not.
wrong. at least this time ;)
lots of good reasons for apple to do this. they want you to continue to use apple hardware and they have a lock-in effect going on. other than that mag-lock stuff, a power brick was a power brick. batteries are starting to be chipped/locked, but so far, I've not seen power sources be locked.
I bet we'll see that soon, though.
also, apple did this because they could, not because it's a strikingly good idea for the world. you *can* send data comms along a power path and double-up on it. you *can*. but is there a good reason to? there sure is value in keeping power sources somewhat dumb. they push power (current) at you at a fixed voltage or voltage set. no need to crypto-up that path!
I bet there is also a patent defense plan here. anyone who wants to 'talk' along that path will probably get hit with an apple patent threat-suit, legit or not.
it does seem like a dumb idea, overall; but apple is getting a few things from this. it's not about users. heh - lately, nothing is ever about the users (benefit).
--
"It is now safe to switch off your computer."
It's a shitty idea. The fingerprint reader on my laptop is a much better solution.
Right, so again - why has no one done it before?
It's actually quite a good idea. If you forget your password you're not screwed, since you can unlock your device when you get home.
You'll notice they didn't patent the "metric shit-tons of USB fobs", but a different way to authenticate a device.
Whether it's different enough from a separate USB dongle that can unlock the computer is something the patent office should deal with.
It's actually quite a good idea. If you forget your password you're not screwed, since you can unlock your device when you get home.
It's a good idea if you want joke security, and the passphrase screen most phones have is poor enough. I hope they won't allow this authentication method to bypass any full-disk encryption. It will be common knowledge among thieves and black hats that you can unlock an iShiny using the included power adapter that's usually plugged into the device when it's laying around. What could possibly go wrong?
"When information is power, privacy is freedom" - Jah-Wren Ryel
It is often trivial and obvious. Many people will do something that is an obvious application of an existing principle to something else and not patent it BECAUSE it is trivial and obvious. Another reason is only the RICH companies (like Apple, Microsoft, et al.) can afford to patent EVERYTHING that comes out of their mouths. Also, they are often the only ones with the hubris and sense of entitlement to do so.
It's trivial (given that there have been other methods for creating a password backup) but it is novel (because it's doing it in a stupid place).
However it's so pointless and retarded I can't think of an analogy that even comes close. Hang on, unicycling through a minefield while trying to piss on a Van de Graaff generator made of sodium. I bet nobody's done that before!
Confucius say, "Find worm in apple - bad. Find half a worm - worse."
You can forget many passwords. But who would forget the password for the device he uses every day?
So, if someone robs my home they can get all the supposedly secure information stored in my machine if they also take the charger? And this passes as secure? Are you kidding me?
If they want an external piece of hardware to unlock my computer, just make it use the IR or Bluetooth and be small - so I can keep it on my person. Other than that, it'll be pretty much useless.
This is not a patent, this is an application publication. You can tell because it says "pub no" in the upper right corner instead of "patent no". For reference:
Link to publication from TFA
Link to a real patent (believe it or not)
TFA author can't tell the difference, which is incredibly obvious once you know what you're looking for. And a lot of applications never become a patent.
Now that the application has published, anyone who knows of any prior art might be able to let the patent office know about it if this application isn't examined before the new law kicks in September 16 this year. See the America Invents Act, section 8 (starts bottom of page 32).
This post expresses my opinion, not that of my employer. And yes, IAAL.
Ahh good, so if I'm traveling and take my laptop (a nice 17" MBP), I have to take a different power cable, because if I don't, someone can just use my power cord to get into my accounts. Since the only time I use my laptop is when I'm traveling, that effectively makes the power cord that came with it useless, and I get to pony up another $80 for proprietary Apple power cord.
The only way this wouldn't be a negative feature for me would be if it were entirely optional. Otherwise it makes my purchase *worse*.
Put it on a $2 USB dongle that I never have any reason to take *anywhere*. That actually makes sense.
--Jeremy
Jesus was a liberal
Why not just write it on a piece of paper and store it at home in a drawer somewhere?
The publication is not only about power adapters. I don't know if the average slashdotter has the brain-power to understand that, though.
Take a look at the silly ol' PDF. You'd think the Forbes guy would have too. This stores a "password secret". I.e. a password hint, not necessarily a password. This is a good idea I think as it grounds the device to you. Instead of giving that hint to anyone, the hint is further protected by the power charger requirement.
This doesn't push out a password, it further protects a password hint. This improves security. It doesn't open a new vector for attack that doesn't already exist.
Also, as with most things, turn it off if you don't want it.
Brilliant! Now the person, who breaks into my apartment and steals my Macbook, no longer has to guess my password. He just takes the charger, and thus all my personal data with himself. What a shitty idea from Apple!
- the color-changing case
- the mouse with rotary dial
- liquid cooled notebooks
- et bloody cetera
The first to find a Slashdot article about an Apple patent that actually was implemented gets my next 5 Mod-points as "Insightful", no matter how stupid their posts. Yes, even if you are one of my foes.
Fandroids hate facts.
non-novel idea
Where's it been done before? If it hasn't been then it certainly is novel, by definition.
As for "obvious", it's funny how people who didn't come up with the idea say it's obvious AFTER they heard someone else come up with it. "Obvious" isn't the same as "easy to understand".
but all your complaints about the patent basically don't make sense if you read the article.
It obviously doesn't make it worse if it's optional. It makes it better for those that want it, and no different for those that do.
I didn't say it was obvious. It's stupid and therefore I would hope nobody else would come up with this idea, even though it's quite simple and uses existing technologies. I guess it's novel in its stupidity.
"When information is power, privacy is freedom" - Jah-Wren Ryel
USB sticks have been doing this forever.
Never tried it, but along these lines...
It is obvious you do not know the meaning of the word "otherwise". Re-read his post again, only this time think about what the words mean.
Wouldn't this plan require breaking the cryptographic hash function used to store the password, if they were to "decrypt" it as they said?
No one's seemed to notice that the inventor here is the legendary Bud Tribble... http://en.wikipedia.org/wiki/Bud_Tribble
Abstract
Disclosed herein are systems, methods, and non-transitory computer-readable storage media for storing a password recovery secret on a peripheral such as a power adapter by receiving a password recovery secret at the power adapter via an interface with the computing device...
Claims:
1. A method of storing a password recovery secret on a power adapter, the method comprising: receiving a password recovery secret associated with a computing device at an electrical power adapter via an interface with the computing device; and storing the password recovery secret on a memory in the electrical power adapter.
2. The method of claim 1, wherein the password recovery secret is based on a password, wherein the password is encrypted using a key comprising a universal unique identifier associated with the computing device.
7. The system of claim 6, further comprising: a fourth module configured to control the processor to verify the received password recovery secret with an authentication server.
12. The non-transitory computer-readable storage medium of claim 11, wherein the peripheral device is at least one of a power adapter, an external hard drive, a network router, a smartphone, a mobile device, a remote control, an external monitor, and a printer.
BACKGROUND ... Although the examples and discussion in the disclosure are directed to a power adapter, other peripherals can be substituted as well, such as a printer, portable hard drive, docking station, wired or wireless network router, backup device, flash drive, a smartphone, a mobile device, a remote control, and an external monitor. Multiple peripherals can operate in conjunction or simultaneously.
[0004] Computing devices, such as desktop computers, laptop computers, smartphones, PDAs, and so forth, include security measures requiring a user to enter credentials, such as a username and password, to obtain access to the computing device. However, it is inevitable that at least one user will forget their username and/or password. One approach to recovering this information is to log in as an administrator to reset the password, but this approach often fails because the user typically forgets the administrator credentials or forgets that the administrator account even exists. Another approach is to prompt the user to enter a password recovery phrase, such as "what is your mother's maiden name?" However, users typically enter this information once during account creation and often forget what they entered as the password recovery phrase. Yet another approach relies on biometrics, but this approach is not useful when the user is not nearby the computer or when the user dies, for example.
[0005] Many users view the above approaches as too inconvenient, especially if they involve a system administrator. The result is that the user chooses not to use a password or uses a trivial password, such as a short password or an easily guessable password. Especially in the case of portable computing devices, this presents a security risk if an opportunistic thief steals the device. Although it can be difficult to provide both convenient password recovery and security in all use scenarios, one increasingly important scenario involves protecting a portable computing device when a user carries the device separately from a commonly associated peripheral device. If this particular use scenario can be protected and password recovery can be provided in a convenient way, then the user is more likely to use a password, and protection will be increased.
[0006] Accordingly, what is needed in the art is an improved way to recover lost or forgotten electronic credentials, while still protecting the computing device in the common case when it is not with its associated peripheral device.
[0028]
Fandroids hate facts.
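A minimal model of the scheme in claims 1 and 2 quoted above, added here as an illustration; it is not code from the patent application, from Apple, or from any commenter. The `Device` class, the function names and the UUID values are hypothetical, and an HMAC-SHA256 keystream with encrypt-then-MAC stands in for a real AEAD cipher because the Python standard library has none.

```python
import hashlib
import hmac
import os


def kdf(secret: bytes, salt: bytes, label: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256; the label keeps login and recovery keys separate."""
    return hashlib.pbkdf2_hmac("sha256", secret, salt + label, 100_000)


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Stand-in stream cipher: HMAC-SHA256 in counter mode (assumption, not AES).
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]


def _subkeys(key: bytes):
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ks = _keystream(enc_key, nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes):
    """Return the plaintext, or None if the blob is malformed or the tag fails."""
    if len(blob) < 48:
        return None
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class Device:
    """Hypothetical computing device holding a UUID and a one-way login verifier."""

    def __init__(self, uuid: bytes):
        self.uuid = uuid
        self.salt = None
        self.verifier = None

    def set_password(self, password: str) -> bytes:
        """Store only a one-way verifier; return the recovery secret that
        claim 1 places in the adapter's memory (password encrypted under a
        key derived from the device UUID, as in claim 2)."""
        self.salt = os.urandom(16)
        self.verifier = kdf(password.encode(), self.salt, b"login")
        return seal(kdf(self.uuid, self.salt, b"recovery"), password.encode())

    def login(self, password: str) -> bool:
        if self.verifier is None:
            return False
        candidate = kdf(password.encode(), self.salt, b"login")
        return hmac.compare_digest(self.verifier, candidate)

    def recover(self, adapter_blob: bytes):
        """Recovery never touches the login hash: it decrypts the adapter's
        blob. Anyone holding both the device and its adapter gets the
        plaintext password, which is the caveat the summary states."""
        pt = unseal(kdf(self.uuid, self.salt, b"recovery"), adapter_blob)
        return None if pt is None else pt.decode()


if __name__ == "__main__":
    laptop = Device(b"constructed-uuid-0001")        # constructed sample value
    adapter_memory = laptop.set_password("correct horse")
    print("login ok:", laptop.login("correct horse"))
    print("recovered with adapter:", laptop.recover(adapter_memory))
    stranger = Device(b"constructed-uuid-0002")
    stranger.set_password("something else")
    print("adapter on another device:", stranger.recover(adapter_memory))
```
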
So basically... You get your laptop stolen, and it's EASIER for someone to get into it without having to break a password or reinstall the OS? Cool. No thanks.
Now we only need to steal the cord to get the identity, another win for apple security
You're so intent on trolling you don't even bother reading complete posts. But then that's normal for you, isn't it? Fucking dumbass.
Credit cards can be cheaper than cash in terms of pure numbers, but it's a gamble and to my flawed brain with all its cognitive mess ups I prefer something I can hold.
1) You're relying on that payment at the end of the month.
- If your bank goes bust you need the BoE to print enough money for the bailout.
- If your company has a cashflow problem (your own company, or a company you work for), you could be screwed pretty quickly. There's a chance that one late payment snowballs into complete bankruptcy
2) It's a debt system. For the period of time you owe the card company you're in the debt system just that little bit more. This changes the way we think about money. This in turn changes us, what we do and more. More than that, it actually changes how we think about each other; this is a bit hard to get one's head around.
In a simple way I was looking at my bank account this month and thought to myself; I only have a credit card bill coming out each month (yes, really, I've worked at this!) I'm always checking up on that. If I didn't have that I wouldn't need to worry for my bank account. For me that's priceless.
A key thing about working in cash is its haptic feedback; you know what's going on. It keeps you in touch.
I've learnt this about cash because I've been living in Argentina. There, over 10 years after their last crash banks offer 20% discounts at supermarkets and still people prefer cash. Likewise my girlfriend only uses the bank for big discounts like this and her wage only because she pretty much has to. As an example she gets a 40% discount with her gym for automatic payments. And you know what they do? EVERY month they raise the price without telling her.
That's the price of not staying in touch.
The thing is, I always thought I knew what £1000 is, but until I started using cash I didn't realise how out of touch I was. You have to use nothing but cash for at least a month to have any experience to judge. It's a bit like arguing the toss on vegetarianism, who's to know if you haven't properly experienced both eating meat and not eating meat, for example?
Of course it's harder to quantify the advantages of cash vs a credit card's cashback % and section51 rights. But I think there have been some studies, something along the lines of people spend more when they see a number (because it's harder to judge). Like I say though, we always think we can judge better than we really can.
I'd love to have a number in my head along the lines of "I'll only use this credit card if I get a discount of >20%" because the risks have been budgeted for. I think the number in my head is probably less important than that section51 refund rights.
Just look at some of the things people do with Bitcoins for example, you wouldn't agree to work for a month without pay, yet this is what people have been seen gambling with.
A blog I run for the wealth
This does not sound very well thought out. Why not just include a thumbdrive sized serial-numbered dongle that does the same thing? This can then be easily thrown into a safe-deposit box or personal fire safe and the user has no problems bringing his charger along on his trip. Although I'm sure the whole idea is to intimidate the user into paying for an additional "travel charger" that does not enable password recovery.
[B]atteries are starting to be chipped/locked, but so far, I've not seen power sources be locked.
I bet we'll see that soon, though.
Where I live, we have this law, which I don't see why couldn't be expanded soon. I think the US has some goal set with the lock-up business.
Upward mobility is a slippery slope - the higher you climb the more you show your ass.
The power adapter preserves passwords for whom?
The mind conceives, the body achieves, the spirit manifests.
There is much more here than meets the eye ... cops will be able to find stolen equipment by its APPLE secret unique ID with highly specialized equipment of power lines.
This is APPLE's answer to APPLE Store theft.