Telephone Calls for Duncemen*

I get a phone call:

Hello, is that Mr Charles [middle name removed for reasons of paranoia] Elwood?

Who's calling?

I'm very sorry, but I can't tell you that until you confirm your identity, are you Mr .....

You've not got the hang of this, have you? If you're going to ask me to verbally authenticate myself you're going to have to let me know who you are, or who you are calling on behalf of, so I can cross-reference the number.

That's not how it works sir, I cannot speak to anyone except Mr Elwood. All I need you to do is confirm whether you are this person.

(This goes round and round in circles for a while until I get bored)

Ok, let's suppose I am Mr Charles [paranoia censor] Elwood, why are you calling me?

I'm calling from NHS [somewhere or other] regarding your appointment...

I try very very hard not to laugh as I continue the conversation and try and arrange an appointment, only to find that they think I live 10 or more miles out into the hills, rather than a few hundred metres from the city centre, and about the same distance from a nice big convenient location...

Anyway, my point is I was phoned by someone who, by the conclusion of the call, managed to divulge a large amount of personal information despite attempting to guard the information from falling into the wrong hands. All the authentication my caller had was my saying "let's suppose I am [insert name you're trying to get hold of]", which is clearly not enough.

Now I'm led to believe that the correct practice when dealing with suspect phone calls is to find out the party from which the call is said to have originated, and independently find and call the real number for said party. This holds as safe provided the number lookup service(s) you use haven't been compromised. Where banks are involved, phone numbers can be found on statements, cheque books, paying-in books and sometimes cash cards. Beware of anything recently delivered.

Of course that doesn't get round the fact that the unfortunate guy calling me would have had to divulge some kind of confidential and possibly sensitive information in order to verify himself.

Now there is a way round this: public/private key authentication, a system that's been around for a good while now. I have PGP (circa 1991) in my head. OK, we'd need a bit of hardware for it, but consider that it already works for SSL, the technology behind the ubiquitous padlock logo and secure connection stuff that most websites that handle anything of value use. SSL uses a more complex system, where a key can be signed by an authoritative entity (employer, boss, etc.) and so on up a tree of trust**.

Here's what needs to happen. Communication devices supporting this scheme would need to be a little more complex, and we'd all need some kind of hardware token (chip-and-pin cashcard springs to mind). Phone rings, caller ID says who the call is for, and that the caller is either signed (just for verification) or signed and encrypted to the recipient's public key. Encrypted caller IDs can be decrypted by the recipient's token, and the claimed ID of the person verified by a lookup system that retrieves their public key from a keyserver, and does the opposite. Easy.
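The signed-caller-ID check described above, as an added example (not code from the original post): the caller's token signs who is calling whom and when, and the recipient's side looks the caller up on a keyserver, checks that an authority it trusts endorsed that key, and rejects stale or misaddressed announcements. The `Call` and `KeyEntry` formats, `Binding`, the 30-second window and the in-memory map standing in for the keyserver are all assumptions, and Ed25519 from Go's standard library is swapped in for a PGP-style key.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
	"time"
)

// Call is the signed announcement sent with the ring (hypothetical format).
type Call struct {
	Caller, Callee string
	Sent           int64  // Unix seconds; bounds replay of a recorded call
	Sig            []byte // caller's signature over msg()
}

// KeyEntry is a keyserver record; Endorsement is the authority's signature over Binding(name, Pub).
type KeyEntry struct {
	Pub         ed25519.PublicKey
	Endorsement []byte
}

func (c Call) msg() []byte { return []byte(fmt.Sprintf("%q|%q|%d", c.Caller, c.Callee, c.Sent)) }
func Binding(name string, pub ed25519.PublicKey) []byte { return []byte(fmt.Sprintf("%q|%x", name, pub)) }

// SignCall runs on the caller's hardware token.
func SignCall(priv ed25519.PrivateKey, c Call) Call {
	c.Sig = ed25519.Sign(priv, c.msg())
	return c
}

// VerifyCall runs on the recipient's side before the recipient says anything.
func VerifyCall(c Call, me string, ks map[string]KeyEntry, root ed25519.PublicKey, now time.Time) error {
	e, ok := ks[c.Caller]
	switch age := now.Unix() - c.Sent; {
	case !ok || len(e.Pub) != ed25519.PublicKeySize:
		return fmt.Errorf("no usable key published for %q", c.Caller)
	case !ed25519.Verify(root, Binding(c.Caller, e.Pub), e.Endorsement):
		return fmt.Errorf("key for %q not endorsed by trusted authority", c.Caller)
	case !ed25519.Verify(e.Pub, c.msg(), c.Sig):
		return fmt.Errorf("bad signature on call")
	case c.Callee != me || age < 0 || age > 30:
		return fmt.Errorf("call not addressed to %q, or stale (possible replay)", me)
	}
	return nil
}

func main() { // constructed demo: a caller with no published key is rejected
	err := VerifyCall(Call{Caller: "unknown"}, "charles", nil, nil, time.Now())
	fmt.Println("ring suppressed:", err)
}
```

The endorsement check is what stops anyone simply publishing their own key under the clinic's name; the timestamp check is what stops a recorded announcement being played back later.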

And we've got the tech to do it now: Kopete and gAim, multi-protocol messenger replacements, both have encryption capabilities that can be used to verify identity and hold private conversations through methods that can otherwise easily be eavesdropped on. Smoothwall, a Linux-based firewall/router/proxy/kitchen-sink, comes with the ability to do this right out of the box. I could snoop on my housemates with the click of a button; further up the line my ISP, or anyone with a router that carries data between both ends of the conversation, and Microsoft could snoop, and I'm sure someone does.

Why are we not doing this? Well, in the UK it's an offence to refuse to facilitate the decryption of encrypted data. Hopefully this will fall down in court at some point as it's flawed. Encrypted data or a bucket of entropy (cat /dev/random > decryptthis.txt)? What about timed expiry keys? What about the stack of encrypted data on DVDs commonly known as region-restricted movies (OK, that doesn't stop anyone but...)? Essentially the government is trying to make encryption illegal because the only people who care about it are people who know that not only Big Brother but the entire family is watching your every move. That, and encryption is only as good as the keys. Keys get lost and stolen; however, digital keys that can instantly be marked as stolen, and the locks changed by waving hands over a keyboard and mumbling rather than calling for a locksmith, are definitely a step forward.

Now the government is in a good position at the moment: it's busy going through the death throes of ID cards and E-passports. An ID card as the ideal token that everyone has? Could be the start of a grand age of trust where you can tell who everybody is. Or the beginnings of a dark age of deceit, where no-one is who they claim to be. We'd better face facts, the Government's record on personal information security is pretty good. If you happen to be up to something malicious, that is.


* Well, any kind of particularly unintelligent department. 'for Dummies' is probably trademarked, 'for Nationalised Public Services' is too specific and Nu Labour like public-private partnerships... I'll stop before the footnote dwarfs the rant.

** Well, cycles are not prohibited and some schemes are more weblike, as in PGP's 'Web of Trust', but so it seems some people are more trustworthy than others.


Now edited for something resembling spelling and sense given I'm back at my desk with a browser that actually does stuff.

 

Creative Commons License
Except where otherwise noted, work is licensed under a Creative Commons Licence and is the work and opinion of the credited author(s).
