Yellow dots

I learned something creepy about printers today.  It turns out, most major printers add pale yellow dots to every page, which encode the date and time of the printout, as well as a serial number tying the paper to a specific printer.

It's called "Printer steganography."  According to Wikipedia, Steganography is "[T]he art and science of writing hidden messages in such a way that no one, apart from the sender and intended recipient, suspects the existence of the message[.]"

Now that I'm aware of this, I'm having trouble thinking of anywhere I could print out a document without making it obvious where I am.  I can't do it at home, because duh; I can't do it in the newsroom at school because I'm one of like 10 people who can get in, and they[1] could compare the time on the stamp to the times that computers were in use; I can't use the computer lab at school because they make everyone sign in... I can't remember how the computers work in the library, but I do know I have to pay for copies.  Maybe they don't log people's names.

Not saying I have anything particularly sensitive to print out, and as far as I know nobody hates me enough to track me down by stealing pieces of paper I might have printed, but the whole idea totally creeps me out, anyway.

[1] "They" being any powerful or well-connected person or group that either has something against me or makes any kind of mistake that leads them to believe they have something against me.  Or someone less well-connected, but with a serious vendetta against me and access to, for example, the above-linked EFF site where the Xerox printer dots are decoded.

Replacing passwords with jewelry

Wired writes about Google's effort to eliminate the password as a means of authenticating your identity online.  Passwords are incredibly insecure, and only becoming more so.  They will never again be a good way to protect your data.

Passwords are a cheap and easy way to authenticate web surfers, but they’re not secure enough for today’s internet, and they never will be. 

Google agrees. “Along with many in the industry, we feel passwords and simple bearer tokens such as cookies are no longer sufficient to keep users safe,” Grosse and Upadhyay write in their paper.

Fortunately, Google is working on a solution.

Thus, they’re experimenting with new ways to replace the password, including a tiny Yubico cryptographic card that — when slid into a USB (Universal Serial Bus) reader — can automatically log a web surfer into Google. They’ve had to modify Google’s web browser to work with these cards, but there’s no software download and once the browser support is there, they’re easy to use. You log into the website, plug in the USB stick and then register it with a single mouse click.

They see a future where you authenticate one device — your smartphone or something like a Yubico key — and then use that almost like a car key, to fire up your web mail and online accounts.

In the future, they’d like things to get even easier, perhaps connecting to the computer via wireless technology.

“We’d like your smartphone or smartcard-embedded finger ring to authorize a new computer via a tap on the computer, even in situations in which your phone might be without cellular connectivity,” the Googlers write.

The future may not exactly be password-free, but it will at least be free of those complex, hard-to-remember passwords, says Grosse. “We’ll have to have some form of screen unlock, maybe passwords but maybe something else,” he says, “but the primary authenticator will be a token like this or some equivalent piece of hardware.”

Personally, I can't wait until this technology comes out.  I like jewelry, but I've never been able to come up with anything I would be particularly motivated to wear, or to make work with my outfit.  But having a ring that was my key to the internet would be perfect.

Also: security and stuff.

EDIT 7:58pm -- I actually think a bracelet would be a lot cooler.   Would that work?

Wired illuminates the dark truth about password security

(via Boing Boing) ...It turns out, it's not there.

Well, that's not totally fair.  Some password-y methods for securing your information are less awful than others, for now.  But in an article he posted yesterday on Wired, Mat Honan (victim of teenage Twitter identity theft) outlines the many horrible ways that passwords fail us as a security measure.

During the formative years of the web, [...] Because almost no personal information was in the cloud—the cloud was barely a wisp at that point—there was little payoff for breaking into an individual’s accounts; the serious hackers were still going after big corporate systems.

So we were lulled into complacency. Email addresses morphed into a sort of universal login, serving as our username just about everywhere. This practice persisted even as the number of accounts—the number of failure points—grew exponentially. Web-based email was the gateway to a new slate of cloud apps. We began banking in the cloud, tracking our finances in the cloud, and doing our taxes in the cloud. We stashed our photos, our documents, our data in the cloud.

Eventually, as the number of epic hacks increased, we started to lean on a curious psychological crutch: the notion of the “strong” password.

The major point is that a lot of security experts from companies that rely on seeming secure (banks, stores, email) are happy to give an explanation of best-possible-practices, but those practices are a massive pain in the ass.  And because they're a massive pain in the ass, nobody follows those instructions.  Because that result is predictable -- it happens every time -- the companies can be held accountable for their failure to compensate.  Rather than keeping people secure, they let them put themselves into a position where they feel at fault if their account with that company is compromised.

Mat doesn't have a hugely easy-to-swallow answer to the password problem -- basically, as computers get smarter, we need to start relying on them just being able to figure out whether it's really us -- but the lack of a clear solution isn't an excuse not to worry about the problem.

Here's Mat's article, Kill the Password: Why a String of Characters Can't Protect Us Anymore, again.

This next article is an older one, from last month, called Fighting Hackers: Everything You've Been Told About Passwords Is Wrong, by Markus Jakobsson.

He underlines the same points about a system not being secure if the users won't use it securely, and proposes methods for creating stronger passwords.  Essential to his approach is memorability -- a password is best if it's easy for you to remember, but not at all reasonable for someone else to guess.

So how do we select strong and memorable passwords? Here’s how: Think of a story, something weird and memorable that happened to you. Like that time you went jogging and stepped on a rat (ugh). Your password? “JogStepRat”: Your personal story boiled down to three words. If this really happened to you, you won’t forget. And no one else can guess it – unless you’ve told everyone that story, but then you’d just pick another, more embarrassing source story you’d never share!

This approach isn’t just conjecture: It works. It’s been tested at a large scale, and this type of password has twice the bit security of an average password. I kid you not.

Take a look at your security online, and try to tighten up your weak points, like matching usernames and passwords across platforms.  And read those articles, there's a lot of good stuff in them apart from the excerpts I posted.

Kill the Password: Why a String of Characters Can't Protect Us Anymore, by Mat Honan

Fighting Hackers: Everything You've Been Told About Passwords Is Wrong, by Markus Jakobsson

CryptoCat

I don't do a lot of online chatting, but nonetheless I don't want my conversations watched. We know that Facebook monitors our conversations on their website, explicitly to scan for criminal activity (already pretty creepy), but who knows whether that information is staying in those bots for those purposes.  Every app asks for a bunch of permissions, so your information might be filtered into dozens of advertisers' statistical analysis. But I can barely get the regular internet to work; there's no way I can set up a secure chat service. (I tried to use Tor once; it went horribly.)  Unfortunately, the same is true of a lot of people who need that protection a lot more than me.

This quote is from Wired's article about CryptoCat, and its creator, Nadim Kobeissi:

When faced with the torture of using crypto software or the torture of a repressive government, some dissidents have — intentionally or not — opted for the latter.

CryptoCat -- URL: crypto.cat -- is a secure chat service that's easy and pretty.  I know it is, because I used it.  I opened it up on two computers and talked to myself.  You set up a custom or randomly generated URL for a single-use chat, and you can invite people in through Facebook or give them the URL.  Kobeissi also has an adorable video on Vimeo explaining the service.

The program is open-source, so anyone can look at the code.  It's secure, and it doesn't save your information.  Cat-themed though it may be, this is a very important worldwide resource, and could save lives in more oppressive countries.