Tag Archives: security

Enhanced cellular blockchain

I thought there was a need for a cellular blockchain variant, and a more sustainable alternative to cryptocurrencies like Bitcoin that depend on unsustainable proofs-of-work. So I designed one and gave it a temporary project name of Grapevine. I like biomimetics, which I used for both the blockchain itself and its derivative management/application/currency/SW distribution layer. The ANTs were my invention in 1993 when I was with BT, along with Chris Winter. BT never did anything with it, and I believe MIT later published some notes on the idea too. ANTs provide an ideal companion to blockchain and together, could be the basis of some very secure IT systems.

The following has not been thoroughly checked so may contain serious flaws, but hopefully contain some useful ideas to push the field a little in the right direction.

A cellular, distributed, secure ledger and value assurance system – a cheap, fast, sustainable blockchain variant

  • Global blockchain grows quickly to enormous size because all transactions are recorded in single chain – e.g. bitcoin blockchain is already >100GB
  • Grapevine (temp project name) cellular approach would keep local blocks small and self-contained but assured by blockchain-style verification during growth and protected from tampering after block is sealed and stripped by threading with a global thread
  • Somewhat analogous to a grape vine. Think of each local block as a grape; grapes grow in bunches. The vine links bunches together but grapes are all self-contained and stay small in size. Genetics/nutrients/materials/processes are all common to the entire vine.
  • A grape starts as a flower, a small collection of unverified transactions. All stamens listen to transactions broadcast via any stamen. The flower is periodically (every minute) frozen (for 2 seconds) while pollen is emitted by each stamen, containing the stamen signature, previous status verification and new transactions list. Stamens check the pollen they receive for origin signature and previous growth verification and then check all new transactions. If valid, they emit a signed pollination announcement. When each stamen has received signed pollination announcements from the majority of other stamens, that growth stage is closed (all quite blockchain-like so far), then stripped of unnecessary packaging (previous hash, signatures etc.) to leave a clean record of validated transactions, which is then secured from tampering by the grape signature and hash. The next stage of growth then begins, which needs another pollination process (deviating from the biological analogy here). Each grape on the bunch grows like this throughout the day. When the grapes are all fully grown, and the final checks made by each grape, the grapes are stripped again and the whole bunch is signed onto the vine using a highly secure bunch signature and hash to prevent any later tampering. Grapes are therefore collections of verified local transactions that have grown in many fully verified stages during the day but are limited in size and stripped of unnecessary packaging. The bunch is a verified global record of all of the grapes grown that day that remains the same forever. The vine is a growing collection of bunches of grapes, but each new grape and bunch starts off fresh each day so signalling and the chain never grow significantly. Each transaction remains verified and recorded forever but signalling is kept minimal. As processing power increases, earlier bunches can be re-secured using a new bunch signature.

Key Advantages

  • Grape vine analogy is easier for non-IT managers to understand than normal blockchain.
  • Unlike conventional blockchains, blocks grow in stages so transactions don’t have to wait long to be verified and sealed.
  • Cellular structure means signalling is always light, with just a few nearby nodes checking a few transactions and keeping short records.
  • Ditto bunching, each day’s records start from zero and bunch is finished and locked at end of day.
  • Cellular structure allows sojourn time for signalling to be kept low with potentially low periods for verification and checking. Will scale well with improving processing speed, less limited by signal propagation time than non-cellular chains.
  • Global all-time record is still complete, duplicated, distributed, but signalling for new transactions always starts light and local every new day.
  • Cellular approach allows easy re-use of globally authenticated tokens within each cell. This limits cost of token production.
  • Cells may be either geographic or logical/virtual. Virtual cells can be geographically global (at penalty of slower comms), but since each is independent until the end of the day, virtual cell speed will not affect local cell speed.
  • Protocols can be different for different cells, allowing cells with higher value transactions to use tighter security.

Associated mechanisms

  • Inter-cell transactions can be implemented easily by using logical/virtual cell that includes both parties. Users may need to be registered for access to multiple cells. If value is being transferred, it is easy to arrange clearing of local cell first (1 minute overhead) and then check currency hasn’t already been spent before allowing transaction on another cell.
  • Grapes are self-contained and data is held locally, duplicated among several stamens. Once sealed for the day, the grape data remains in place, signed off with the appropriate grape signature and the bunch signature verifies it with an extra lock that prevents even a future local majority from being able to tamper with it later. To preserve data in the very long-term against O/S changes, company failure etc, subsequent certified copies may be distributed and kept updated.
  • Signalling during the day can be based on ANT (autonomous network telepher) protocols. These use a strictly limited variety of ANT species that are authenticated and shared at the start of a period (a day or a week perhaps), using period-lifetime encryption keys. The level of encryption is determined by ensuring that the period is much smaller than the estimated time to crack on current hardware at reasonable cost. All messages use this encryption and ANT mechanisms; therefore the chances of infiltration or fraudulent transaction are very low, so associated signalling and time overhead costs are kept low.
  • ANTs may include transaction descriptor packets, signature distribution packets, new key distribution packets, active (executable code) packets, new member verification packets, software distribution, other admin data, performance maintenance packets such as load distribution, RPCs and many others. Overall, perhaps 64 possible ANT species may be allowed at any one time. This facility makes the system ideal for secure OS and software distribution/maintenance.

Financial use

  • ANTs can contain currency to make valuable packets, or an ANT variant could actually be currency.
  • Optional coins could be made for privacy, otherwise transactions would use real world accounts. A coin-based system can be implemented simply by using the grape signature and coin number. Coins could be faked by decrypting the signature but that signature only lasts one period so by then they will be invalid. Remember, encryption level is set according to cost to decrypt during a period. Coins are globally unique due to different cells having different signatures. Once grapes are sealed no tampering is possible.
  • One mechanism is that coins are used as temporary currency that only lasts one period. Coins are bought using any currency immediately before transactions. At end of day, coins are converted back to desired currency. Any profits/losses due to conversion differences during day accrue to user at point of conversion.
  • A lingering cybercurrency can be made that renews its value to live longer than one period. It simply needs conversion to a new coin at the start of the new day, relying on signature security and short longevity to protect.
  • ANTs can alternatively carry real currency value by direct connection to any account. At end of each growth stage or end of day, transaction clearing debits and deposits in each respective account accordingly.
  • Transaction fees can be implemented easily and simply debited at either or both ends.
  • No expensive PoW is needed. Wasteful mining and PoW activity is unnecessary. Entire system relies only on using encryption signatures that are valid for shorter times than their cost-effective decryption times. Tamper-resistance avoids decryption of earlier signatures being useful.

With thanks to my good friend Prof Nick Colosimo for letting me bounce the ideas off him.

The future of cleaning

I’ve been thinking a bit about cleaning for various customers over the last few years. I won’t bother this time with the various self-cleaning fabrics, the fancy new ultrasonic bubble washing machines, or ultraviolet sterilization for hospitals, even though those are all very important areas. I won’t even focus on using your old sonic toothbrush heads in warm water with a little detergent to clean the trickier areas of your porcelain collectibles, though that does work much better than I thought it would.

I will instead introduce a new idea for the age of internet of things.

When you put your clothes into a future washing machine, it will also debug, back up, update and run all the antivirus and other security routines to sanitize the IoT stuff in them.

You might also have a box with the same functions into which you can put your portable devices or other things that can’t be washed.

The trouble with internet of things, the new name for the extremely old idea of chips in everything, is that you can put chips in everything, and there is always some reason for doing so, even if it’s only for marking it for ownership purposes. Mostly there are numerous other reasons so you might even find many chips or functions running on a single object. You can’t even keep up with all the usernames and passwords and operating system updates for the few devices you already own. Having hundreds or thousands of them will be impossible if there isn’t an easy way of electronically sanitizing them and updating them. Some can be maintained via the cloud, and you’ll have some apps for looking after some subgroups of them. But some of those devices might well be in parts of your home where the signals don’t penetrate easily. Some will only be used rarely. Some will use batteries that run down and get replaced. Others will be out of date for other reasons. Having a single central device that you can use to process them will be useful.

The washing machine will likely be networked anyway for various functions such as maintenance, energy negotiations and program downloads for special garments. It makes sense to add electronic processing for the garments too. They will be in the machine quite a long time so download speed shouldn’t be a problem, and each part of the garment comes close to a transmitter or sensor each time it is spun around.

A simple box is easy to understand and easy to use too. It might need ports to plug into but more likely wireless or optical connections would be used. The box could electromagnetically shield the device from other interference or security infiltration during processing to make sure it comes out clean and safe and malware free as well as fully updated. A common box means only having to program your preferences once too.

There would still be some devices that can’t be processed either in a box or in a washing machine. Examples such as smart paints or smart light bulbs or smart fuses would all be easier to process using networked connections, and they may well be. Some might prefer a slightly more individual approach, so pointing a mobile device at them would single them out from others in the vicinity. This sort of approach would also allow easier interrogation of the current state, diagnostics or inspection.

Whatever way internet of things goes, cleaning will take on a new and important dimension. We already do it as routine PC maintenance but removing malware and updating software will soon become a part of our whole house cleaning routine.

The future of prying

Prying is one side of the privacy coin, hiding being the other side.

Today, lots of snap-chat photos have been released, and no doubt some people are checking to see if there are any of people they know, and it is a pretty safe bet that some will send links to compromising pics of colleagues (or teachers) to others who know them. It’s a sort of push prying isn’t it?

There is more innocent prying too. Checking out Zoopla to see how much your neighbour got for their house is a little bit nosy but not too bad, or at the extremely innocent end of the line, reading someone’s web page is the sort of prying they actually want some people to do, even if not necessarily you.

The new security software I just installed lets parents check on their kids’ online activity. Protecting your kids is good but monitoring every aspect of their activity just isn’t; it doesn’t give them the privacy they deserve and probably makes them used to being snooped on so that they accept state snooping more easily later in life. Every parent has to draw their own line, but kids do need to feel trusted as well as protected.

When adults install tracking apps on their partner’s phones, so they can see every location they’ve visited and every call or message they’ve made, I think most of us would agree that is going too far.

State surveillance is increasing rapidly. We often don’t even think of it as such. For example, when speed cameras are linked ‘so that the authorities can make our roads safer’, the incidental monitoring and recording of our comings and goings is collected without the social debate. Add that to the replacement of tax discs by number plate recognition systems linked to databases, and even more data is collected. Also ‘to reduce crime’, video from millions of CCTV cameras is also stored and some is high enough quality to be analysed by machine to identify people’s movements and social connectivity. Then there’s our phone calls, text messages, all the web and internet accesses; all these need to be stored, either in full or at least the metadata, so that ‘we can tackle terrorism’. The state already has a very full picture of your life, and it is getting fuller by the day. When it is a benign government, it doesn’t matter so much, but if the data is not erased after a short period, then you need also to worry about future governments and whether they will also be benign, or whether you will be one of the people they want to start oppressing. You also need to worry that increasing access is being granted to your data to a wider variety of a growing number of public sector workers for a widening range of reasons, with seemingly lower security competence, meaning that a good number of people around you will be able to find out rather more about you than they really ought. State prying is always sold to the electorate via assurances that it is to make us safer and more secure and reduce crime, but the state is staffed by your neighbors, and in the end, that means that your neighbors can pry on you.

Tracking cookies are a fact of everyday browsing but mostly they are just trying to get data to market to us more effectively. Reading every email to get data for marketing may be stretching the relationship with the customer to the limits, but many of us gmail users still trust Google not to abuse our data too much and certainly not to sell on our business dealings to potential competitors. It is still prying though, however automated it is, and a wider range of services are being linked all the time. The internet of things will provide data collection devices all over homes and offices too. We should ask how much we really trust global companies to hold so much data, much of it very personal, which we’ve seen several times this year may be made available to anyone via hackers or forced to be handed over to the authorities. Almost certainly, bits of your entire collected and processed electronic activity history could get you higher insurance costs, in trouble with family or friends or neighbors or the boss or the tax-man or the police. Surveillance doesn’t have to be real time. Databases can be linked, mashed up, analysed with far future software or AI too. In the ongoing search for crimes and taxes, who knows what future governments will authorize? If you wouldn’t make a comment in front of a police officer or tax-man, it isn’t safe to make it online or in a text.

Allowing email processing to get free email is a similar trade-off to using a supermarket loyalty card. You sell personal data for free services or vouchers. You have a choice to use that service or another supermarket or not use the card, so as long as you are fully aware of the deal, it is your lifestyle choice. The lack of good competition does reduce that choice though. There are not many good products or suppliers out there for some services, and in a few there is a de-facto monopoly. There can also be a huge inconvenience and time loss or social investment cost in moving if terms and conditions change and you don’t want to accept the deal any more.

On top of that state and global company surveillance, we now have everyone’s smartphones and visors potentially recording anything and everything we do and say in public and rarely a say in what happens to that data and whether it is uploaded and tagged in some social media.

Some companies offer detective-style services where they will do thorough investigations of someone for a fee, picking up all they can learn from a wide range of websites they might use. Again, there are variable degrees that we consider acceptable according to context. If I apply for a job, I would think it is reasonable for the company to check that I don’t have a criminal record, and maybe look at a few of the things I write or tweet to see what sort of character I might be. I wouldn’t think it appropriate to go much further than that.

Some say that if you have done nothing wrong, you have nothing to fear, but none of them has a 3 digit IQ. The excellent film ‘Brazil’ showed how one man’s life was utterly destroyed by a single letter typo in a system scarily similar to what we are busily building.

Even if you are a saint, do you really want the pervert down the road checking out hacked databases for personal data on you or your family, or using their public sector access to see all your online activity?

The global population is increasing, and every day a higher proportion can afford IT and know how to use it. Networks are becoming better and AI is improving so they will have greater access and greater processing potential. Cyber-attacks will increase, and security leaks will become more common. More of your personal data will become available to more people with better tools, and quite a lot of them wish you harm. Prying will increase geometrically, according to Metcalfe’s Law I think.

My defense against prying is having an ordinary life and not being famous or a major criminal, not being rich and being reasonably careful on security. So there are lots of easier and more lucrative targets. But there are hundreds of millions of busybodies and jobsworths and nosy parkers and hackers and blackmailers out there with unlimited energy to pry, as well as anyone who doesn’t like my views on a topic so wants to throw some mud, and their future computers may be able to access and translate and process pretty much anything I type, as well as much of what I say and do anywhere outside my home.

I find myself self-censoring hundreds of times a day. I’m not paranoid. There are some people out to get me, and you, and they’re multiplying fast.


Estimating IoT value? Count ALL the beans!

In this morning’s news:

http://www.telegraph.co.uk/technology/news/11043549/UK-funds-development-of-world-wide-web-for-machines.html

£1.6M investment by UK Technology Strategy Board in Internet-of-Things HyperCat standard, which the article says will add £100Bn to the UK economy by 2020.

Gartner says that IoT has reached the hype peak of their adoption curve and I agree. Connecting machines together, and especially adding networked sensors, will certainly increase technology capability across many areas of our lives, but the appeal is often overstated and the dangers often overlooked. Value should not be measured in purely financial terms either. If you value health, wealth and happiness, don’t just measure the wealth. We value other things too of course. It is too tempting just to count the most conspicuous beans. For IoT, which really just adds a layer of extra functionality onto an already technology-rich environment, that is rather like estimating the value of a chili con carne by counting the kidney beans in it.

The headline negatives of privacy and security have often been addressed so I don’t need to explore them much more here, but let’s look at a couple of typical examples from the news article. Allowing remotely controlled washing machines will obviously impact on your personal choice on laundry scheduling. The many similar shifts of control of your life to other agencies will all add up. Another one: ‘motorists could benefit from cheaper insurance if their vehicles were constantly transmitting positioning data’. Really? Insurance companies won’t want to earn less, so motorists on average will give them at least as much profit as before. What will happen is that insurance companies will enforce driving styles and car maintenance regimes that reduce your likelihood of a claim, or use that data to avoid paying out in some cases. If you have to rigidly obey lots of rules all of the time then driving will become far less enjoyable. Having to remember to check the tyre pressures and oil level every two weeks on pain of having your insurance voided is not one of the beans listed in the article, but is entirely analogous to the typical home insurance rule that all your windows must have locks and they must all be locked and the keys hidden out of sight before they will pay up on a burglary.

Overall, IoT will add functionality, but it certainly will not always be used to improve our lives. Look at the way the web developed. Think about the cookies and the pop-ups and the tracking and the incessant virus protection updates needed because of the extra functions built into browsers. You didn’t want those; they were added to increase capability and revenue for the paying site owners, not for the non-paying browsers. IoT will be the same. Some things will make minor aspects of your life easier, but the price of that will be that you will be far more controlled, you will have far less freedom, less privacy, less security. Most of the data collected for business use or to enhance your life will also be available to government and police. We see every day the nonsense of the statement that if you have done nothing wrong, then you have nothing to fear. If you buy all that home kit with energy monitoring etc, how long before the data is hacked and you get put on militant environmentalist blacklists because you leave devices on standby? For every area where IoT will save you time or money or improve your control, there will be many others where it does the opposite, forcing you to do more security checks, spend more money on car and home and IoT maintenance, spend more time following administrative procedures and even follow health regimes enforced by government or insurance companies. IoT promises milk and honey, but will deliver it only as part of a much bigger and unwelcome lifestyle change. Sure you can have a little more control, but only if you relinquish much more control elsewhere.

As IoT starts rolling out, these and many more issues will hit the press, and people will start to realise the downside. That will reduce the attractiveness of owning or installing such stuff, or subscribing to services that use it. There will be a very significant drop in the economic value from the hype. Yes, we could do it all and get the headline economic benefit, but the cost of greatly reduced quality of life is too high, so we won’t.

Counting the kidney beans in your chili is fine, but it won’t tell you how hot it is, and when you start eating it you may decide the beans just aren’t worth the pain.

I still agree that IoT can be a good thing, but the evidence of web implementation suggests we’re more likely to go through decades of abuse and grief before we get the promised benefits. Being honest at the outset about the true costs and lifestyle trade-offs will help people decide, and maybe we can get to the good times faster if that process leads to better controls and better implementation.

Ultra-simple computing part 3

Just in time v Just in case

Although the problem isn’t as bad now as it has been, a lot of software runs on your computers just in case it might be needed. Often it isn’t, and sometimes the PC is shut down or rebooted without it ever having been used. This wastes our time, wastes a little energy, and potentially adds functionality or weaknesses that can be exploited by hackers.

If it only loaded the essential pieces of software, risks would be minimised and initial delays reduced. There would be a slightly bigger delay once the code is needed because it would have to load then, but since a lot of code is rarely used, the overall result would still be a big win. This would improve security and reliability. If all I am doing today is typing and checking occasional emails, a lot of the software currently loaded in my PC memory is not needed. I don’t even need a firewall running all the time if network access is disabled in between my email checks. If networking and the firewall are started when I want to check email or start browsing, and then all network access is disabled after I have checked, then security would be a bit better. I also don’t need all the fancy facilities in Office when all I am doing is typing. I definitely don’t want any part of Office to use any kind of networking in either direction for any reason (I use Thunderbird, not Outlook, for email). So don’t load the code yet; I don’t want it running; it only adds risks, not benefits. If I want to do something fancy in a few weeks’ time, load the code then. If I want to look up a word in a dictionary or check a hyperlink, I could launch a browser and copy and paste it. Why do anything until asked? Forget doing stuff just in case it might occasionally generate a tiny time saving. Just in time is far safer and better than just in case.

So, an ultra-simple computer should only load what is needed, when it is needed. It would only open communications when needed, and then only to the specific destination required. That frees up processors and memory, reduces risks and improves speed.

Software distribution

Storing software on hard disks or in memory lets the files be changed, possibly by a virus. Suppose instead that software were to be distributed on ROM chips. They can be very cheap, so why not? No apps, no downloads. All the software on your machine would be in read only memory, essentially part of the hardware. This would change a few things in computer design. First, you’d have a board with lots of nice slots in it, into which you plug the memory chips you’ve bought with the programs you want on them. (I’ll get to tablets and phones later; obviously a slightly different approach is needed for portable devices.) Manufacturers would have a huge interest in checking their code first, because they can’t put fixes out later except on replacement chips. Updating the software to a new version would simply mean inserting a new chip. Secondly, since the chips are read only, the software on them cannot be corrupted. There is no mechanism by which a virus or other malware could get onto the chip.

Apps could be distributed in collections – lifestyle or business collections. You could buy subscriptions to app agencies that issued regular chips with their baskets of apps on them. Or you could access apps online via the cloud. Your machine would stay clean.

It could go further. As well as memory chips, modules could include processing, controller or sensory capabilities. Main processing may still be in the main part of the computer but specialist capabilities could be added in this way.

So, what about tablets and phones? Obviously you can’t plug lots of extra chips into slots in those because it would be too cumbersome to make them with lots of slots to do so. One approach would be to use your PC or laptop to store and keep up to date a single storage chip that goes into your tablet or phone. It could use a re-programmable ROM that can’t be tampered with by your tablet. All your apps would live on it, but it would be made clean and fresh every day. Tablets could have a simple slot to insert that single chip, just as a few already do for extra memory.

Multi-layered security

If your computer is based on algorithms encoded on read only memory chips or better still, directly as hardware circuits, then it could boot from cold very fast, and would be clean of any malware. To be useful, it would need a decent amount of working memory too, and of course that could provide a short term residence for malware, but a restart would clean it all away. That provides a computer that can easily be reset to a clean state and work properly again right away.

Another layer of defense is to disallow programs access to things they don’t need. You don’t open every door and window in your home every time you want to go in or out. Why open every possible entrance that your office automation package might ever want to use just because you want to type an article? Why open the ability to remotely install or run programs on your computer without your knowledge and consent just because you want to read a news article or look at a cute kitten video? Yet we have accepted such appallingly bad practice from the web browser developers because we have had no choice. It seems that the developers’ desires to provide open windows to anyone that wants to use them outweighs the users’ desires for basic security common sense. So the next layer of defense is really pretty obvious. We want a browser that doesn’t open doors and windows until we explicitly tell it to, and even then it checks everything that tries to get through.

It may still be that you occasionally want to run software from a website, maybe to play a game. Another layer of defense that could help then is to restrict remote executables to a limited range of commands with limited scope. It is also easy additionally to arrange a sandbox where code can run but can’t influence anything outside the sandbox. For example, there is no reason a game would need to inspect files on your computer apart from stored games or game-related files. Creating a sandbox that can run a large range of agreed functions to enable games or other remote applications but is sealed from anything else on the computer would enable remote benign executables without compromising security. Even if they were less safe, confining activity to the sandbox allows the machine to be sterilized by sweeping that area and doesn’t necessitate a full reset. Even without the sandbox, knowing the full capability of the range of permitted commands enables damage limitation and precision cleaning. The range of commands should be created with the end user as priority, letting them do what they want with the lowest danger. It should not be created with application writers as top priority since that is where the security risk arises. Not all potential application writers are benign and many want to exploit or harm the end user for their own purposes. Everyone in IT really ought to know that and should never forget it for a minute and it really shouldn’t need to be said.
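As an added example of the sandbox layer described above (my own Python code, not anything from the original post), here is a minimal dispatcher that gives remote code exactly the small set of commands a game might need, confines every file operation to one directory, and can be swept clean without resetting the whole machine. The command names, the directory layout and the notion of a "slot" are all constructed for the illustration; the confinement check resolves symlinks and `..` with `os.path.realpath` before comparing against the sandbox root.

```python
import os
import tempfile


class RemoteCodeSandbox:
    """Allow-list dispatcher for remote code (constructed example).

    Remote code can only call the commands in `self.commands`; every file the
    commands touch must resolve to a path inside `self.root`.
    """

    def __init__(self, root: str):
        self.root = os.path.realpath(root)
        # This table is the entire capability of remote code: nothing else exists
        # from its point of view, which is what keeps damage limitation tractable.
        self.commands = {"save": self._save, "load": self._load, "list": self._list}

    def _confine(self, name: str) -> str:
        """Resolve a slot name inside root and refuse anything that escapes it."""
        path = os.path.realpath(os.path.join(self.root, name))
        if os.path.commonpath([self.root, path]) != self.root:
            raise PermissionError(f"path escapes sandbox: {name!r}")
        return path

    def _save(self, name: str, data: bytes) -> bool:
        with open(self._confine(name), "wb") as fh:
            fh.write(data)
        return True

    def _load(self, name: str) -> bytes:
        with open(self._confine(name), "rb") as fh:
            return fh.read()

    def _list(self) -> list:
        return sorted(os.listdir(self.root))

    def run(self, command: str, *args):
        """Entry point for remote code: unknown commands are refused outright."""
        handler = self.commands.get(command)
        if handler is None:
            raise PermissionError(f"command not permitted: {command!r}")
        return handler(*args)

    def sweep(self) -> list:
        """Sterilise: wipe only what remote code could have touched."""
        for entry in os.listdir(self.root):
            os.remove(os.path.join(self.root, entry))
        return self._list()


def demo() -> list:
    """Run a constructed 'game' session inside a fresh temporary sandbox."""
    sandbox = RemoteCodeSandbox(tempfile.mkdtemp(prefix="sandbox-"))
    sandbox.run("save", "slot1", b"level 3, 1200 points")
    outcomes = [sandbox.run("load", "slot1")]
    for attempt in (("load", "../../etc/hostname"), ("exec", "whoami")):
        try:
            sandbox.run(*attempt)
            outcomes.append("allowed")
        except PermissionError as err:
            outcomes.append(f"refused: {err}")
    outcomes.append(sandbox.sweep())
    return outcomes


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The design follows the priority the post argues for: the allow-list is written for the end user's benefit (save, load, list), so an application author who wants more has to ask for a new command to be reviewed rather than simply using one that happens to be open.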

The future of biometric identification and authentication

If you work in IT security, the first part of this will not be news to you; skip to the section on the future. Otherwise, the first sections look at the current state of biometrics and some of what we already know about their security limitations.

Introduction

I just read an article on fingerprint recognition. Biometrics has been hailed by some as a wonderful way of determining someone’s identity, and by others as a security mechanism that is far too easy to spoof. I generally fall in the second category. I don’t mind using it for simple unimportant things like turning on my tablet, on which I keep nothing sensitive, but so far I would never trust it as part of any system that gives access to my money or sensitive files.

My own history is that voice recognition still doesn’t work for me, fingerprints don’t work for me, and face recognition doesn’t work for me. Iris scan recognition does, but I don’t trust that either. Let’s take a quick look at conventional biometrics today and the near future.

Conventional biometrics

Fingerprint recognition.

I use a Google Nexus, made by Samsung. Samsung is in the news today because their Galaxy S5 fingerprint sensor was hacked by SRLabs minutes after release, not the most promising endorsement of their security competence.

http://www.telegraph.co.uk/technology/samsung/10769478/Galaxy-S5-fingerprint-scanner-hacked.html

This article says the sensor is used in the user authentication to access Paypal. That is really not good. I expect quite a few engineers at Samsung are working very hard indeed today. I expect they thought they had tested it thoroughly, and their engineers know a thing or two about security. Every engineer knows you can photograph a fingerprint and print a replica in silicone or glue or whatever. It’s the first topic of discussion at any Biometrics 101 meeting. I would assume they tested for that. I assume they would not release something they expected to bring instant embarrassment on their company, especially something failing by that classic mechanism. Yet according to this article, that seems to be the case. Given that Samsung is one of the most advanced technology companies out there, and that they can be assumed to have made reasonable effort to get it right, that doesn’t offer much hope for fingerprint recognition. If they don’t do it right, who will?

My own history with fingerprint recognition is having to join a special queue every day at Universal Studios because their fingerprint recognition entry system never once recognised me or my child. So I have never liked it because of false negatives. For those people for whom it does work, their fingerprints are all over the place, some in high quality, and can easily be obtained and replicated.

As just one token in multi-factor authentication, it may yet have some potential, but as a primary access key, not a chance. It will probably remain a weak authenticator.

Face recognition

There are many ways of recognizing faces – visible light, infrared or UV, bone structure, face shapes, skin texture patterns, lip-prints, facial gesture sequences… These could be combined in simultaneous multi-factor authentication. The technology isn’t there yet, but it offers more hope than fingerprint recognition. Using the face alone is no good though. You can make masks from high-resolution photographs of people, and photos could be made using the same spectrum known to be used in recognition systems. Adding gestures is a nice idea, but in a world where cameras are becoming ubiquitous, it wouldn’t be too hard to capture the sequence you use. Pretending that a mask is alive by adding sensing and then using video to detect any inspection for pulse or blood flows or gesture requests and then to provide appropriate response is entirely feasible, though it would deter casual entry. So I am not encouraged to believe it would be secure unless and until some cleverer innovation occurs.

What I do know is that I set my tablet up to recognize me and it works about one time in five. The rest of the time I have to wait till it fails and then type in a PIN. So on average, it actually slows entry down. False negative again. Giving lots of false negatives without the reward of avoiding false positives is not a good combination.

Iris scans

I was a subject in one of the early trials for iris recognition. It seemed very promising. It always recognized me and never confused me with someone else. That was a very small scale trial though, so I’d need a lot more convincing before I let it near my bank account. I saw the problem of replicating an iris using a high quality printer and was assured that that couldn’t work because the system checks for the eye being alive by watching for jitter and shining a light and watching for pupil contraction. Call me too suspicious but I didn’t and don’t find that at all reassuring. It won’t be too long before we can make a thin sheet high-res polymer display layered onto a polymer gel underlayer that contracts under electric field, with light sensors built in and some software analysis for real time response. You could even do it as part of a mask with the rest of the face also faithfully mimicking all the textures, real-time responses, blood flow mimicking, gesture sequences and so on. If the prize is valuable enough to justify the effort, every aspect of the eyes, face and fingerprints could be mimicked. It may be more Mission Impossible than casual high street robbery but I can’t yet have any confidence that any part of the face or gestures would offer good security.

DNA

We hear frequently that DNA is a superbly secure authenticator. Every one of your cells can identify you. You almost certainly leave a few cells at the scene of a crime so can be caught, and because your DNA is unique, it must have been you that did it. Perfect, yes? And because it is such a perfect authenticator, it could be used confidently to police entry to secure systems.

No! First, even for a criminal trial, only a few parts of your DNA are checked; they don’t do an entire genome match. That already brings the chances of a match down to millions rather than billions. A chance of millions to one sounds impressive to a jury until you look at the figure from the other direction. If you have a 1 in 70 million chance of a match, a prosecution barrister might try to present that as a 70 million to 1 chance that you’re guilty, and a juror may well be taken in. The other side of that is that 100 people of the 7 billion would have that same 1 in 70 million match. So your competent defense barrister should present that as only a 1 in 100 chance that it was you. Not quite so impressive.
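The same arithmetic written out as a Bayesian calculation (added here, not part of the original post), with $N$ the population and $p$ the random-match probability of the partial profile:

$$
P(\text{match}\mid\text{innocent}) = p = \frac{1}{7\times 10^{7}}, \qquad
(N-1)\,p \approx \frac{7\times 10^{9}}{7\times 10^{7}} = 100 \text{ innocent people who also match.}
$$

With nothing else known, every one of the $N$ people has prior probability $1/N$ of being the culprit, so

$$
P(\text{culprit}\mid\text{match})
= \frac{\tfrac{1}{N}}{\tfrac{1}{N} + \tfrac{N-1}{N}\,p}
= \frac{1}{1+(N-1)\,p}
\approx \frac{1}{101},
$$

which is the roughly 1 in 100 above. The "70 million to 1" figure is $1/P(\text{match}\mid\text{innocent})$, not $P(\text{innocent}\mid\text{match})$; the two only come close once other evidence has already shrunk the pool of candidates $N$ from billions to a handful.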

I doubt a DNA system used commercially for security systems would be as sophisticated as one used in forensic labs. It will be many years before an instant response using large parts of your genome could be made economic. But what then? Still no. You leave DNA everywhere you go, all day, every day. I find it amazing that it is permitted as evidence in trials, because it is so easy to get hold of someone’s hairs or skin flakes. You could gather hairs or skin flakes from any bus seat or hotel bathroom or bed. Any maid in a big hotel or any airline cabin attendant could gather packets of tissue and hair samples and in many cases could even attach a name to them. Your DNA could be found at the scene of any crime having been planted there by someone who simply wanted to deflect attention from themselves and get someone else convicted instead of them. They don’t even need to know who you are. And the police can tick the crime solved box as long as someone gets convicted. It doesn’t have to be the culprit. Think you have nothing to fear if you have done nothing wrong? Think again.

If someone wants to get access to an account, but doesn’t mind whose, perhaps a DNA-based entry system would offer good potential, because people perceive it as secure, whereas it simply isn’t. So it might not be paired with other secure factors. Going back to the maid or cabin attendant. Both are low paid. A few might welcome some black market bonuses if they can collect good quality samples with a name attached, especially a name of someone staying in a posh suite, probably with a nice account or two, or privy to valuable information. Especially if they also gather their fingerprints at the same time. Knowing who they are, getting a high res pic of their face and eyes off the net, along with some voice samples from videos, then making a mask, iris replica, fingerprint and if you’re lucky also buying video of their gesture patterns from the black market, you could make an almost perfect multi-factor biometric spoof.

It also becomes quickly obvious that the people who are the most valuable or important are also the people who are most vulnerable to such high quality spoofing.

So I am not impressed with biometric authentication. It sounds good at first, but biometrics are too easy to access and mimic. Other security vulnerabilities apply in sequence too. If your biometric is being measured and sent across a network for authentication, all the other usual IT vulnerabilities still apply. The signal could be intercepted and stored, replicated another time, and you can’t change your body much, so once your iris has been photographed or your fingerprint stored and hacked, it is useless for ever. The same goes for the other biometrics.

Dynamic biometrics

Signatures, gestures and facial expressions offer at least the chance to change them. If your signature has been used, you could start using a new one. You could sign different phrases each time, as a personal one-time key. You could invent new gesture sequences. These are really just an equivalent to passwords. You have to remember them and which one you use for which system. You don’t want a street seller using your signature to verify a tiny transaction and then risk the seller using the same signature to get right into your account.

Summary of status quo

This all brings us back to the most basic of security practice. You can only use static biometrics safely as a small part of a multi-factor system, and you have to use different dynamic biometrics such as gestures or signatures on a one time basis for each system, just as you do with passwords. At best, they provide a simple alternative to a simple password. At worst, they pair low actual security with the illusion of high security, and that is a very bad combination indeed.

So without major progress, biometrics in its conventional meaning doesn’t seem to have much of a future. If it is not much more than a novelty or a toy, and can only be used safely in conjunction with some proper security system, why bother at all?

The future

You can’t easily change your eyes or your DNA or your skin, but you can add things to your body that are similar to biometrics or interact with it but offer the flexibility and replaceability of electronics.

I have written frequently about active skin, using the skin as a platform for electronics, and I believe the various layers of it offer the best potential for security technology.

Long ago, RFID chip implants became commonplace in pets and some people even had them inserted too. RFID variants could easily be printed on a membrane and stuck onto the skin surface. They could be used for one time keys too, changing each time they are used. Adding accelerometers, magnetometers, pressure sensors or even location sensors could all offer ways of enhancing security options. Active skin allows easy combination of fingerprints with other factors.

Ultra-thin and uninvasive security patches could be stuck onto the skin, and could not be removed without damaging them, so would offer a potentially valuable platform. Pretty much any kinds and combinations of electronics could be used in them. They could easily be made to have a certain lifetime. Very thin ones could wash off after a few days so could be useful for theme park entry during holidays or for short term contractors. Banks could offer stick on electronic patches that change fundamentally how they work every month, making it very hard to hack them.

Active skin can go inside the skin too, not just on the surface. You could for example have an electronic circuit or an array of micro-scale magnets embedded among the skin cells in your fingertip. Your fingerprint alone could easily be copied and spoofed, but not the accompanying electronic interactivity from the active skin that can be interrogated at the same time. Active skin could measure all sorts of properties of the body too, so personal body chemistry at a particular time could be used. In fact, medical monitoring is the first key development area for active skin, so we’re likely to have a lot of body data available that could make new biometrics. The key advantage here is that skin cells are very large compared to electronic feature sizes. A decent processor or memory can be made around the size of one skin cell and many could be combined using infrared optics within the skin. Temperature or chemical gradients between inner and outer skin layers could be used to power devices too.

If you are signing something, the signature could be accompanied by a signal from the fingertip, sufficiently close to the surface being signed to be useful. A ring on a finger could also offer a voluminous security electronics platform to house any number of sensors, memory and processors.

Skin itself offers a reasonable communications route, able to carry a data stream of a few Mbit/s, so touching something could allow a lot of data transfer very quickly. A smart watch or any other piece of digital jewelry or active skin security patch could use your fingertip to send an authentication sequence. The watch would know who you are by constant proximity and via its own authentication tools. It could easily be de-authorized instantly when detached or via a remote command.

Active makeup offers a novel mechanism too. Makeup will soon exist that uses particles that can change color or alignment under electronic control, potentially allowing video rate pattern changes. While that makes for fun makeup, it also allows for sophisticated visual authentication sequences using one-time keys. Makeup doesn’t have to be confined only to the face of course, and security makeup could maybe be used on the forearm or hands. Combining with static biometrics, many-factor authentication could be implemented.
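The one-time keys proposed above for RFID patches, active skin and active makeup, set against the replay problem of a static biometric described earlier, as an added example rather than the post’s own design: a counter-based HMAC token that the verifier accepts once and can revoke when the patch is detached or on remote command. The shared-key provisioning and the "iris" bytes are constructed for the demo.

```python
import hashlib
import hmac
import secrets

class StaticTemplateVerifier:
    """Conventional biometric check: the stored template never changes,
    so a capture of it, however old, is accepted again every time."""
    def __init__(self, template_bytes):
        self.template = hashlib.sha256(template_bytes).digest()

    def verify(self, captured_bytes):
        return hmac.compare_digest(self.template,
                                   hashlib.sha256(captured_bytes).digest())

class Patch:
    """Wearable side: shared secret plus a strictly increasing counter."""
    def __init__(self, key):
        self.key = key
        self.counter = 0

    def next_token(self):
        self.counter += 1
        msg = self.counter.to_bytes(8, "big")
        return self.counter, hmac.new(self.key, msg, hashlib.sha256).digest()

class PatchVerifier:
    """Bank/watch side: recomputes the MAC, refuses any counter it has
    already seen (replay), and can revoke the patch instantly."""
    def __init__(self, key):
        self.key = key
        self.last_counter = 0
        self.revoked = False

    def verify(self, counter, mac):
        if self.revoked or counter <= self.last_counter:
            return False                       # revoked, replayed or stale token
        expected = hmac.new(self.key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, mac):
            return False
        self.last_counter = counter
        return True

    def revoke(self):
        self.revoked = True

def demo():
    iris = b"constructed-iris-sample"          # constructed static biometric
    static = StaticTemplateVerifier(iris)
    replay_static = static.verify(iris) and static.verify(iris)  # replay accepted

    key = secrets.token_bytes(32)              # provisioned to patch and verifier
    patch, bank = Patch(key), PatchVerifier(key)
    c1, m1 = patch.next_token()
    first = bank.verify(c1, m1)
    replay_patch = bank.verify(c1, m1)         # same token captured and resent
    c2, m2 = patch.next_token()
    second = bank.verify(c2, m2)
    bank.revoke()                              # patch peeled off / remote command
    c3, m3 = patch.next_token()
    after_revoke = bank.verify(c3, m3)
    return replay_static, first, replay_patch, second, after_revoke
```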

I believe active skin, using membranes added or printed onto and even within the skin, together with the use of capsules, electronic jewelry, and even active makeup offers the future potential to implement extremely secure personal authentication systems. This pseudo-biometric authentication offers infinitely more flexibility and changeability than the body itself, but because it is attached to the body, offers much the same ease of use and constant presence as other biometrics.

Biometrics may be pretty useless as it is, but the field does certainly have a future. We just need to add some bits. The endless potential variety of those bits and their combinations makes the available creativity space vast.

Chips in everything, but at what cost?

Lots of press coverage today on the new ARM Cortex-M0+ chip, that will be about 1mm square and has a battery that lasts several years since it uses so little power. It is being hailed as the next big thing in the ‘chips in everything’ idea space. Here’s a pic:

OK, here’s a better one 🙂

There is plenty of coverage of the new chip. Do a web search for popular press stuff, or the Freescale website press releases, but I like EW for this sort of thing: http://www.electronicsweekly.com/Articles/13/03/2012/53195/arm-announces-cortex-m0.htm

Like many futurists, I’ve been yacking about chips in everything for 20 years or more, but now it is almost here, the media are going nuts regularly with all the smart light bulbs, smart fridges, and the consequent kitchen rage, and the generally smart environments we will inhabit. Some of this stuff will be in demand, some won’t. The automated home has been launched again and again since the 1950s and there still is little evidence that we want most of the things that are possible. Smart waste bins have been around 20 years but only the most fanatical gadget freaks have one. Ditto internet fridges that order replacement milk or taps you can turn on from the office, and coffee machines that download new recipes off the net. Yes you can, but do you want to? Probably not.

It is certainly possible to put a 1mm chip in lots of things and add some sort of useful or fun functionality, especially since the chips will start at around 20p each, and the price will soon tumble to almost nothing. IPv6 will enable enough address space, and we’ll have to switch to that soon anyway. This chip doesn’t do everything, but when partnered with sensors and storage and comms, you have a pretty useful activator, and activators will be the basis of the grown up cloud. The 1990s future is starting to come over the horizon at last. Maybe slightly ahead of my usual ’30 years to the far future’ deadline.

On the other hand, the downside is pretty big too. Privacy and security will be enormously difficult to preserve in that kind of world. It won’t be long before the whole package can be sub millimetre. You can drop a few 1mm activators through the vents of an office copier/printer, intercept all the associated data and pass it all to a cleaner with a scanner later on. You could glue them to banknotes, or hide them in free pens, or in junk mail that goes in your office bin. No one would notice them, but you could spy on the holders pretty closely. Useful for spying on terrorists and criminals, but also a potential invasion of all our privacy. You could sugar coat them, sprinkle them from planes and let ants take them into caves to spy on rebels. Or just stick them on mosquitoes and let them go. Lots of civil applications and lots of military ones too. The list is endless. But, goodbye privacy, and goodbye security. Once again, there is still no free lunch.