Schneier on Security
A blog covering security and security technology.
« Chinese Hackers |
| Friday Squid Blogging: Squids in Medicine »
December 14, 2007
Short fiction by Ramon Rozas III.
Posted on December 14, 2007 at 2:46 PM
• 24 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
Heh. A funny, well written story.
Interesting. Apparently, in the future it will be easier to travel in time than to crack a password based on a surname. Maybe after 3 wrong guesses the planet blows up?
Maybe I'm humorless or missing something, but I thought this was a well-written story with worlds of potential whose ending fell flat on its face.
I call Emperor Has No Clothes.
And thats why I rechristened my mothers family to the " I don't know" family. Try extracting that from me under torture!
What's amazing is that anyone still knows of the "Eighteenth Brumaire of Louis Napoleon". It's actually more of an advertisement for good journalism than communism, but from a Fox news perspective they are about the same thing.
The only problem with that story is that "mother's maiden name" is a worthless security question, because it's a matter of public record. So if you answer it truthfully, anyone can look up the correct answer, whereas if you give a false answer, then you have to remember what false answer you gave *in that instance*, just like any other "password".
If you're going to have a "security question", let people choose their own question, so that they can pick a question that they and *only* they know the answer to, but which they'll never forget.
This reminds me of a time I was in a hospital waiting room. One of the 'personal identifiers' they asked for on forms was the classic mother's maiden name.
Sitting about five chairs away was a very old man, getting help filling out a form from a clerk and a younger (relatively speaking, she looked close to retirement) woman who was with him. All was quiet and not at all notable. Until....
Clerk: "What's your mother's maiden name?"
Old man: "What?"
The clerk repeated herself louder, loud enough that the entire waiting room heard; I don't think he missed the question, I think he didn't believe it!
After a good minute of thinking on it, he came up with an answer, which he said at a similar loud volume level to what the clerk had used (so much for that 'security').
Then he turned to the woman accompanying him and said, "My mother's been dead for over seventy years!"
(Makes me wonder, though. Dead well before the Second World War and now that piece of information about her is floating in a database somewhere.)
Lighten up. It's not supposed to be highbrow writing.
Thanks for the laugh. It's a funny story.
When I opened an account recently with an Autralian bank I put ")ç)(/*%87q345KJJDJHkhskdjiuw£à!è£àéè?=()+"*"ç*ç-.,,,." for my mother maiden name thinking the system would never ask for it provided I had my User ID, Password. WRONG, it sure got me into trouble.
I have to admit that I always use the same (invented) answer to that question everywhere. Somewhat more secure than my mother's real maiden name, but not much more so....
In Spain mothers don't change name when they marry, so my mother's maiden name is my mother's current name. Not very secure as a "security question". Actually something like 30% of all children are born out of wedlock nowadays. I expect the percentage must be lower in the US, but even there many women choose to keep their maiden names. So "your mother's current name" is a good guess to that stupid question.
My mother's maiden name is mom, as that's what I called her first.
@Spider: Who's on first?
(http://www.phoenix5.org/humor/WhoOnFirst.html, at least until someone notices it's infringing copyright.)
A fine example of social engineering at work. Remember kids - just because a time traveller looks like you doesn't mean they really are you - if they have the technology to time travel, they're going to have pretty good makeup technology also. Don't give out identifying information to time travellers!
So they guy had kept in his memory the 'fencing' scar and "Eighteenth Brumaire" in memory but not his mother's maiden name?
Was your mother from Europe by any chance?
We may be related!!
I think it's a clever gimmick, the kind of thing worthy of a 2-page short story. It's a story, people. If you're finding it implausible, please think just a *little* outside the box. Tech changes and grows. If someone came to you with something recorded on a 3280 mainframe tape, or even an 8-track, and wanted info off of it, most folks would have a bit of trouble. No one said you had to be able to defend this story in a crypto dissertation, jeez.
@ Unix Ronin
"let people choose their own question"
Probably not a good idea. As a user concerned about security you don't need it -- you can work with the canned questions by creating a 'lie' that you remember, or even a unique 'lie' at each place you are forced to use the question -- but as a person implementing such protection mechanisms you have to consider the fact that many people apparently choose questions like "what colour is blue"?
How did you know my usual security question is "what colour is blue"?
What kind of a a dumb question is "What color is blue?"! I don't know much about security, but I would never use "What color is blue" as a pass question. Sheesh.
My secret pass question is "What color is red?".
But the ANSWER is "Blue".
It's believable, I think - how many stories have we heard of backup plans that were thoroughly tested, all except for the recovery part?
Perhaps his mother's maiden name was on a tape that got fried. Perhaps the "secure storage" company that keeps the backup tapes won't release it to him until he provides his mother's maiden name.
After all - computer interfaces are bad enough to lead to all sorts of "Nooo!" moments now. Any reason to expect they'll get much better, as they get much more complex?
Hope it get more people to read Ken Mcleod
If that happens to you, do you tell him?
Except my banking online site has just implemented a "new security feature" where I had to chose *five* such "security" questions from a list that they provided, and give answers to those questions.
The site will, apparantly, ask me some of those questions at "random" times when I 'm logged in.
It's not a tiny little tin-pot bank either, it's a major UK building-society.
Baffling, and very disappointing.
I am confused with people's reactions. I read the story and thought one of two things regarding its intent:
1) A satirical play on the cynicism of the usefulness of the 'security question' model altogether.
2) A clever narrative on social engineering.
Why is everyone taking it so seriously? Like it wasn't a joke? "The ending fell flat on it's face"... Seems like the whole point was to write this mediocre, yet entertaining short, only to reveal its intent in the last sentence, which follows the proper literary structure for short fiction.
I say kudos! It made me laugh.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.