Slashdot Mirror


User: blueg3

blueg3's activity in the archive.

Stories: 0 · Comments: 4,435

Comments · 4,435

  1. Re:Why not include *where* we are? on Google Declares War On the Password · Score: 1

    You can probably implement it well with the equivalent of a TPM for smartphones. A physical chip with key storage that can access the GPS hardware directly. I don't know if the feature would be worth that much engineering, but there aren't any smartphone TPMs yet, anyway. (Those would be good to have for this application, regardless, so that you can store the secret somewhere software can't access.)

  2. Re:Brilliant idea on Google Declares War On the Password · Score: 1

    Those are all quite legitimate concerns that have to be considered when building such a thing. And (1) through (3) basically means you need a bypass mechanism, so you have to make sure your bypass mechanism is harder to hack than your authentication system. (Fortunately, it doesn't need to be convenient at all, because it'll be rarely used.)

    Still, that's no reason to throw up one's hands and keep using a system with serious known flaws.

  3. Re:alpha test? on TSA Terminates Its Contract With Maker of Full-Body Scanner · Score: 2

    Do you care to cite a study that backs it up? The time to approve/deploy these machines was probably insufficient to do an extensive health study.

    I don't, because I don't care to do a literature survey at the moment. :-P But what I was actually referring to is that the health effects of the technique (Compton backscattering) were well-studied long before anyone tried to make and sell a machine that would actually do it. What I really mean there is that the X-ray dosage necessary to do useful Compton backscattering, compared to safe dosages for humans, was studied. That's coupled with the effects of X-rays and other ionizing electromagnetic radiation (based on dose), which has also been studied. Further, the inventor of the device filed a patent on it in which the safe dosage as a major limitation is discussed. (Namely, the problem to be solved in engineering such a device is getting a suitable image while still adhering to a low-dosage requirement, which he works out the math for.)

    More exactly -- it combines minimum-wage people (TSA) managing medical-grade machines (radiation).

    Not all things that produce radiation are "medical-grade". Moreover, there's no reason for them to be. There's a lot of radiation-producing effects and materials out there, and a lot of them are very, very small. Smoke detectors. CRTs. Scotch tape. Rocks.

  4. Re:Why not include *where* we are? on Google Declares War On the Password · Score: 1

    It depends on how easily a person's "less-secure" location can be guessed. If the answer is "easily", you have a problem. You don't need GPS spoofing at all unless your entire authentication system is a black-box dedicated system, which is prohibitively expensive. The proposed solution is software running on a smartphone, which from a usability standpoint is great. The problem is that software can be sent fake data from hardware trivially easily. You can even just use the Android emulator to tell a piece of software fake GPS coordinates for testing purposes.

  5. Exclusive? on Hacktivism: Civil Disobedience Or Cyber Crime? · Score: 3, Insightful

    It's not really civil disobedience unless what you're doing is a crime.

  6. Re:Brilliant idea on Google Declares War On the Password · Score: 4, Insightful

    No, it requires both the password and A phone, but not necessarily THE phone.

    Specifically, it requires the secret stored on the phone. The phone is not simply an algorithm for turning a password into a security token. It stores its own secret, independent of the password, that you would need to acquire.

    However, even if it does require THE phone, how often do people lose their phone?

    You mean how often do they lose their phone to someone who is interested and able to guess their password? A lot less often than how often people choose trivially-guessable passwords or have their passwords disclosed by a hacked website.

    Security should include a password, a device and a biometric check. Without all three, you are just as vulnerable as using only a password.

    Strictly untrue. A password plus one of those two things is more secure than a password alone.

  7. Re:alpha test? on TSA Terminates Its Contract With Maker of Full-Body Scanner · Score: 1

    This is why you don't want to be specific about who exactly did this testing and what such testing actually entailed.

    No, that's because I'm lazy and get tired of looking up the names of those organizations. Johns Hopkins APL and US Army Health Command are two. (Public Health Command? Something like that.) There's... two other organizations? Something like that.

    The company themselves claims to have done some testing, but no sane person would believe their claims for pretty obvious reasons.

    This is nonetheless the level we hold all consumer products to, despite the fact that they're equally dangerous. (Nobody really uses CRTs any more, so the most convenient example is no longer convenient.)

    Safe enough for non-medical human exposure at least.

    Better stop the sale of bananas, then. You're exposed to ionizing radiation from a lot of sources, including many human-created sources, on a regular basis.

  8. Re:Brilliant idea on Google Declares War On the Password · Score: 3, Insightful

    I think his point was that if your phone or other device gives you access to all of your sites, then the single password on your phone is the same as using the same password on all your sites.

    Right, except that it's not, because now a successful attack requires both the password and also the phone.

  9. Re:Am I the only one that sees a problem with this on Google Declares War On the Password · Score: 1

    From a technical side, what is to stop somebody from getting their own phone running numerous passwords through it while intercepting the key that comes out to determine the algorithm used. Once you have the algorithm, you can spoof other systems, can you not?

    This is basic cryptography. They could openly state exactly what algorithm they use and enable you to simply read the key. No interception or reverse-engineering necessary. It's still easy to make it secure. That's kind of why we spent so much time studying cryptographic algorithms. (Say, for example, PBKDF and zero-knowledge proof.)

    From a user side, how is having a single password for my phone any more secure than using the same password on all the sites I visit?

    Because the phone is acting as an active authenticator, rather than just supplying that single password. As a result, an attacker would need to possess the phone (or, realistically, the key contained in the phone) in order to authenticate to a site. So you're changing what they need to possess in order to carry out an attack. Also, when you're storing a secret in a phone, you're relieving it of the requirement of being memorable. A phone can store an arbitrarily-large secret with perfect recall, while you cannot. A phone can also do arbitrarily-complex cryptographic protocols using that secret, while you cannot.

    Finally, from a paranoid side, the US courts have already ruled that what is on your cell phone does not need a search warrant. What is to stop the authorities from using your phone to obtain access to everything?

    That's not quite set in stone, but let's assume it's true. It is slightly more convenient for them to just use your phone to log on to any web site as you than it is to serve those web sites with subpoenas for the same information. Unless the secret on the phone used for authentication is guarded behind a password or biometric input, which it probably should be.

  10. Re:Brilliant idea on Google Declares War On the Password · Score: 1

    ...websites accepting a fingerprint in raw form as a password

    How would that even work? Put your finger on an ink pad, press it to a piece of paper, and mail it to them? Because otherwise it's not in its "raw" form.

  11. Re:alpha test? on TSA Terminates Its Contract With Maker of Full-Body Scanner · Score: 1

    I'm pretty sure that just a few posts up, I explain why they don't do human testing.

    And, as I already replied to you, "unbiased" is a facile requirement, since you'll just claim that anyone who did testing and found results that don't fit your "story" must be biased.

  12. Re:alpha test? on TSA Terminates Its Contract With Maker of Full-Body Scanner · Score: 1

    Mind if I ask you about your username, blueg? What does "blueg" stand for? Because I have a theory and that is something that you should probably state upfront instead of trying to hide it.

    There's a "3" at the end of it, and it's a late-90s Macintosh. (Technically it was called the "blue and white G3", but that didn't do it for me.)

    Also, please cite the 'analysis' you are referring to where it is shown how ionizing radiation is harmless no matter how many times you are exposed to it.

    I never claimed that any study has come to those conclusions.

    The fact remains that those machines have never been independently tested for their effects on human beings by an unbiased party...

    That's facile, since you declare everyone who has tested them to be biased.

    It's true that they haven't been tested for their direct effects on humans, since that effect is immeasurably small. Instead, they're tested for radiation dosage per scan. That result is compared to safe-dosage standards or is used in combination with models for radiation effects in humans to assess risk.

  13. Re:alpha test? on TSA Terminates Its Contract With Maker of Full-Body Scanner · Score: 1

    That's an indirect test. You'd just be testing the mutagenic effects of X-ray radiation, which are already well-studied. At this point, all you'd need to do is measure the total dosage of the machine, which they do.

    (Most health complaints follow one of a few tacks. There are complaints that it's not tested at all and that the TSA is just lying to us about the fact that they're tested. There are complaints that the simple human models that are used are insufficient since the radiation deposition is not spatially homogeneous. There are people who think the only level of additional radiation that is acceptable is zero. And finally there are people who think that anything involving radiation is inherently scary and dangerous.)

  14. Re:alpha test? on TSA Terminates Its Contract With Maker of Full-Body Scanner · Score: 2

    They've made a lot of other changes, too. Any effects would take a while to set in, so there's necessarily a decent delay between a causative agent and the effect. They've hired more poorly-trained people (including people who send themselves through the baggage scanner) and they've changed policies and procedures about how things are scanned through the baggage scanners. A subtle difference that causes people to spend more time in the bad spots of a baggage scanner is almost as bad as joining every single scanned person in the backscatter machine.

  15. Re:alpha test? on TSA Terminates Its Contract With Maker of Full-Body Scanner · Score: 1

    Maybe.. maybe not.. Shades of the taser... [wikipedia.org]

    Don't give me that bullshit just because you don't know. Not only is the analysis in the original patent, it's much-discussed in the scientific literature back when they were first trying out Compton-effect backscatter scanning of humans in labs. (I did research at an X-ray lab and have done backscattering, but not of anything living.)

  16. Re:alpha test? on TSA Terminates Its Contract With Maker of Full-Body Scanner · Score: 3, Interesting

    What's "this"?

    The health effects were well-studied long before they even tried to sell them to the government. They did ensure the health effects were acceptably small, but nobody believes them, because it combines the TSA and radiation. One is always scary and the other is always incompetent (only one of the two deserves the label), and so the combination can't possibly be good.

    You say you work for the government -- do you really think that "we're agreeing to study the health effects (again)" turned into cancelling their contract in less than a month *and* they dug up an excuse?

    As far as the stated reason for cancelling the contract -- which is probably really the reason -- without additional information, I'm going to assume incompetence over malice. They probably simply did not realize that people would view it as such a big privacy problem. Surely the engineers didn't -- it's easy to get blinded into thinking your product has no flaws. I don't know about the government folks, but it can be hard to resist flashy new technology that will Totally Stop The Terrorists(tm).

  17. Re:alpha test? on TSA Terminates Its Contract With Maker of Full-Body Scanner · Score: 2, Informative

    The health effects were actually a key design criterion for the original product. Hell, they were a key criterion in the research that preceded the development of the product. In the patent (which is pretty readable for a patent), they work through the math for figuring out resolution and sensitivity given a maximum total dose, where the maximum total dose is limited to a well-accepted definition of "negligible".

    It's not actually something you can test. You can test the emitted dosage, sure, but I guarantee you they did that. (Many times and by multiple different agencies, eventually.) You can't test the health effects directly because they're too infrequent. Even if you spent ages exposing thousands of people to the scans, the number of cancers caused by the machines is much lower than the random variability in the number of cancers gotten through other means in your test population.

  18. Re:alpha test? on TSA Terminates Its Contract With Maker of Full-Body Scanner · Score: 2

    The other X-ray scanners -- the ones not designed to put humans through -- are probably to blame for that, if anything. The backscatter X-ray source isn't particularly powerful, but the other scanners use pretty serious radiation fluxes. They're shielded to protect the operator and passers-by, but some spots around the machine still expose you to a pretty decent level of radiation. (And, as you note, the operators are standing there for long periods of time.) They test the things for occupational safety, but that doesn't keep people from spending too long in the "don't spend too long here" zone.

  19. Re:Who named this company? on TSA Terminates Its Contract With Maker of Full-Body Scanner · Score: 2

    Perhaps now people have learned an important lesson about letting engineers name products.

    "Rapiscan -- it's scanning that's rapid. Clever, right? Nobody will ever misinterpret that!"

  20. Re:This must have been changed quite recently on Facebook Lets You Harvest Account Phone Numbers · Score: 2

    Do you have something like NoScript that inhibits the action of reCaptcha? Gmail requires a phone confirmation if you don't fill out the reCaptcha.

    I've had to create throwaway Gmail accounts for a variety of things and have never seen the forced-phone-number thing.

  21. Re:Just don't give FB your phone number on Facebook Lets You Harvest Account Phone Numbers · Score: 1

    This does appear to be the case for e-mail addresses. At least, I replicated what I suspect was your test -- I searched for someone who has both a Facebook and real e-mail address on file with Facebook but with only the Facebook e-mail address visible. I searched using their real e-mail address and found their page, despite the searched-for e-mail address not being visible.

    Is it possible on Facebook to have no e-mail address visible and, if so, does it still work then?

  22. Re:Just don't give FB your phone number on Facebook Lets You Harvest Account Phone Numbers · Score: 1

    I tested it with a friend's email address. Her "real" email address is not visible but by searching for it, I can find her page.

    Are e-mail addresses the same as phone numbers now?

  23. Re:Just don't give FB your phone number on Facebook Lets You Harvest Account Phone Numbers · Score: 1

    Still, this is a pretty serious permissions flaw. Users that are not privileged to see information should not be able to search for it either.

    As far as I can tell, if they have your phone number but it's set to not be visible to anyone else, it can't be searched for.

    The only tests the author seems to have performed would not give any indication of what privacy setting was assigned to the phone number. So, all of his results could have been from people who had public phone numbers on Facebook.

  24. Re:putting on my tin foil hat for a moment... on Facebook Lets You Harvest Account Phone Numbers · Score: 2

    I do know that Google now REQUIRES it just to open a Gmail account.

    Nonsense. It requires name, birthdate (without any verification), gender (including "other"), and solving a CAPTCHA. There is a mobile phone number field, but it doesn't complain if you leave it blank.

  25. Re:DHS covering an awful lot these days ... on DHS Steps In As Regulator for Medical Device Security · Score: 1

    DHS has actually been one of the major government organizations for computer security for quite a while. US-CERT, for example, is a part of DHS.