When I started out in ‘the business of secure communications’ back in 1996, the roots of today’s Cybersecurity, there was a mantra that had been around for over a hundred years: Security Through Obscurity (STO) is a really bad idea.
At the time, working on moving secret stuff from here to there wasn’t just about ‘The Internet’ – designing security systems had a palpable element of physical access, integrated with electronic communication.
Today, the framework has become incredibly complex…but…the principles haven’t changed: move secrets through known systems using known algorithms protected by unknown keys. This is a One Way Street.
So where are we today? Oops. We continue to go backwards by working ‘security’ into that equation, that principle, in places other than the end: unknown keys – and this means key properties: what makes them unknown, what keeps them unknown, how they are shared or lost, etc. And we’re doing this by designing systems that add to the ‘known systems’. This isn’t necessary; nor is it desired by anyone operating those ‘known systems’ – it’s just security technologists’ inability to create, invent, and/or innovate with the properties of ‘unknown keys’.
So they start playing around with aspects of the ‘known systems’ where they don’t belong. And they’re getting away with it under the ‘Traffic Camera Conundrum’: How do we make an intersection safer? “Put a camera there – It’s Safer.” Why, how, when, for whom?!? What about all the secondary issues – privacy, individual rights, etc. Oh My. Circular reasoning: What is Safer? A camera, because…It’s safer. Huh?!
Our Security System offers Better Security because….it’s more secure. Huh?! And this is…in essence, Security Through Obscurity! The system designers are obscuring the fact that they aren’t actually working in the part of the principle where they belong…they’re wandering around in the ‘known systems’ aspects, putting in Rube Goldberg contraptions of horizontal complexity that masquerade as improved system security! This is tragic.
Because you don’t know this…you don’t understand this…you aren’t being told this…How On Earth can you tell what a true security improvement is?!?
Lucky for you, I’m here to help!
Here’s an example: you’ve probably heard of Two Factor Authentication. If you haven’t, you’ve used it: you log in (the 1st Factor), and they send you a text (Ta-DA! The 2nd Factor). Enter that stuff from the text, and off you go. Awesome! But…here’s the thing: Any and Every 2nd Factor provides the same system security. Somehow, there has been an avalanche of years-long delivery of ‘better 2nd Factors’: your thumb…no…WAIT! Your eyeball! A PIN…how dreary…let’s get you a Cool Token Thingy To Hang Around Your Neck! NO!! I’ve got a new one – better security, remember?! The NEW Google Titan Key! (This is a FIDO implementation – 2nd factors based on Public Key math…which is identical to the 1st factor: public key math in TLS!)
OH. MY. GAWD!! It’s ONLY FIFTY BUCKS! And you’ll get…like…oh wait…you’ll get absolutely NO improved system security for that. Not a drop, dime, iota of improved security. It’s just another 2nd Factor…sooper DOOPER complex…inserted into the ‘known systems’ aspect of the principle – the wrong place!
There isn’t a bit of improved system security in making a 2nd Factor ‘better’. What there is…is a short delay. In a couple of minutes, sometimes weeks, but never too long, The Bad People figure out how to interfere with that new ‘factor’. And…oops…the ‘improved security’ is…gone. Because it never was there to begin with.
Every single Two Factor security system can be manipulated by interfering with one of the factors. This is Immutable: making one of the factors ‘really sooper dooper complex’ is irrelevant to its strength. Its complexity does not add security – its entire purpose is to tie the 1st Factor key to the presenter. There’s a hundred-plus-year principle guaranteeing this. The security of the system is identical. Fraudulently purporting to rely on a part of the ‘known systems’ by introducing a factor that ‘is harder to interfere with because of its complexity’ is hand-waving nonsense: it obscures the fact that the Security has not been increased through a KEY INNOVATION – which is the only part of the principle to be worked with. It’s Penn & Teller Fool Us sleight of hand! Improving the tie between the key owner and key presenter is only necessary when the 1st Factor key’s properties don’t provide adequate system security from the start.
We’re going the Wrong Way down the principled One Way Security System’s Street. If you want to know what improved security really means: look for a different key property, not a different place to use one! Did the ‘new security system’ of your browser, financial app, payment processor or smartphone make the key less valuable? Not the coolness of how, or where, or when you present it – If Someone Steals It, How Much Less Do They Get?!?
The less they get, the better the security! If the new system gives them less than they could steal before (which is certainly not the case after breaking Google’s Titan Key), then there’s been honest system security improvement. None of the stuff released in the 30 years I’ve been involved does this. None of it. That’s why I invented Qwyit. Honest system security improvement: the initial keys just get you into the system, where the actual individual participants then set the security level of their specific session keys. To borrow from that pizza store: Better key properties (1st Factor Keys), better security.
Paul McGough, Founder and CTO of Qwyit, LLC, a leading cryptosecurity technology firm, is a telecommunications expert with over 35 years of progressively responsible experience managing IT technology teams for the development, integration, implementation and support of financial, project management, database applications and security systems.
© 2024 Newsmax Finance. All rights reserved.