Clever? I've seen various security dongles, going back to the days when parallel ports were used, that did this.
The "innovation" is using the charger. But what if you lose your charger? Presumably there's a way of keying a new charger to the device without the old charger handy? Which would be a bit of a flaw in the model.
yes, to eliminate 3rd party ps... Or how long do you think the "device" will power and/or load from a non-key supply? ;-)
I can't tell from the post or the link - is this an issued patent, or simply an application?
This is for credential recovery, not device use. If you don't have the smart charger, you cannot recover, but you still can use the device. You just cannot recover the PW. In that case you have to wipe the device. If you lose the PS, get a new one and re-bootstrap. Yes, clever.
And if the power supply gets stolen with the device?
Then this is like writing your password on the back of the device...
or am I missing something?
This would be ideal for a tablet with multiple security levels: unauthenticated so my god-daughter can play games, authenticated so I can read email and work on personal docs, admin to change settings. It would be easy to forget the admin password if you only use it once every 3 months.
Yes a dongle would work, but someone who would forget the admin pass would also lose a tiny dongle (which would be needed maybe once a year). Since you use the charger regularly, you'll keep track of it.
Good for security paranoids? Probably not. Good for the other 99% of people? I think so.
what makes the difference to a usb smartcard reader? isn't this just the same embedded into the power plug?
btw, i believe "isi" is right, it's to eliminate 3rd party vendors.
I keep one charger plugged in next to my bed, and some cheaper ones in my car, at work, etc. Only the one at home would unlock it, and if that one is stolen then I have bigger problems. :-)
No. The PSU doesn't contain your password. It just contains one part of the password recovery secret.
Not at all clever; power supplies are more likely to travel with a device than an independent recovery disk/dongle/USB-key. This is a step backwards.
Any reasonable patent system wouldn't allow a patent that can be explained in one sentence to someone with a little background knowledge in the field.
... not that I'm claiming the American patent system was reasonable.
From a security point of view this "invention" is no better than a sheet of paper with your account credentials that is mostly at home but sometimes also in your wallet (if the battery life is too short for your trip and you're not willing to buy another power adapter just to store your passwords). Personally I prefer the sheet of paper which has a really easy user interface ;-)
At last count, we've somewhere between 5 and 7 magsafe chargers in this house or stashed in a desk at work and 3 MacBook Pros (not including guests) and I defy you to figure out which charger came with which computer. (Ok, you can eliminate the cheap Chinese knock-offs that don't have an Apple logo on them.)
Perhaps clever, but how can this receive patent protection over similar schemes that use something other than a power adapter to store the recovery secret?
As some have alluded, the United States patent (and copyright) system needs a major overhaul.
"""No. The PSU doesn't contain your password. It just contains one part of the password recovery secret."""
The article says it could only contain partial recovery information. But the whole point of this is to make password recovery easy and if you still need a password recovery password then there is no usability gain. Even then, whenever you have your charger with you (which I basically always have) the security is reduced to whatever you have now.
I can see some merits in putting the key-escrow-device inside the charger (that most users will have nearby and notice, when it's lost) instead of adding just another dongle (that might be displaced to collect dust until it is undiscoverable, when needed).
Then again, I guess the clever part is filing a patent application simply for bundling two commonplace devices ;-)
@miiihi et al.: This prevents a snatch-and-grab at a coffee shop from giving access to your logged-in web accounts and personal files, assuming you have it set to require a password when you open the lid. Depending on your setup, requiring the criminal to take the charger as well could add a solid twenty seconds to the crime, which is definitely enough time to matter in such a crime of opportunity.
This is somewhat clever. But the entire rest of the world is moving AWAY from proprietary chargers and toward a common standard.
Also, given Apple's STELLAR record on durability of their chargers and cables (I'm on my 10th iPod cable, I think) how long is that key really going to remain safely tucked under your desk before it gets thrown out with the busted cable it's attached to. Again.
Why is something like this even patentable? It's obvious tech to anyone even slightly tech savvy. As people have pointed out it's just a dongle in another form.
I don't know if this is a good idea or not, from a product standpoint or from a security standpoint. But I can tell you the objections to patenting this are ignorant. Anytime someone comes up with a new idea, here they come...."anyone could have thought of that...it's obvious...I've seen it before..."
There are a lot of people out there who are extremely smart, I mean really, really smart, but they couldn't invent their way out of a wet paper bag. Go teach a class or something. Read Gladwell's 'Outliers' about people who had astronomical IQ's but couldn't imagine more than one or two uses for a brick.
And as far as the "broken" patent system is concerned, it's broken alright. You have no comprehension of how difficult and expensive this process is. Just keep repeating the same sound bites over and over again about crazy patents that shouldn't have been issued. I'm sure this will make you feel better. But the truth is, the USPTO altogether is unfriendly and to get a patent is more difficult and expensive than ever before. I say good for Apple. Good for Apple, I hope they succeed. And all the other inventors, big and not so big. Go for it.
This would be ideal for a tablet with multiple security levels:
I agree, in a corporate setting with laptops in and out the door it could be utilized to restrict certain resources to users only when they are docked in the office. I think instead of looking at it from a security standpoint on password protection it could be better utilized as a form of access control.
Does this mean that, with future generation devices, I'm going to have to use the %$$#! awful Apple charger cord with the %$$##@! awful strain relief?
So they put the TPM chip in the power supply bug and got a patent for it?
bug??? I thought that was a feature.. ;)
Rather obvious, by a simple process of elimination. Start with "what device is regularly connected to the computer but not necessarily carried with it". Arrive at this solution in one minute.
Definitely not worth a patent. Just another indication that the patent system is fundamentally broken.
@No one: "This prevents a snatch-and-grab at a coffee shop from giving access..."
If I was going to do a snatch-and-grab, I would try to avoid the "snatch" part of it.
I would probably try to discreetly grab the laptop suitcase when it's put away. Then I would have good reasons to believe the computer is in it.
That way, I wouldn't necessarily have to run away, making a big fuss, alerting the surrounding. A lot more discreet to calmly walk away with a computer suitcase, being ready to run if necessary.
And of course, getting a laptop computer with its accessories is more interesting than getting a "naked" laptop, without accessories. I think this is true for traditional laptop setups, too. Without any key paired chargers.
"But I can tell you the objections to patenting this are ignorant. Anytime someone comes up with a new idea, here they come...."anyone could have thought of that...it's obvious...I've seen it before..."
In the patent world, these are exactly the objections that are relevant to having a valid patent. If it's obvious to someone having ordinary skill in the art, it's not unobvious, and not novel. Furthermore, if you've seen it before, it's based on prior art.
And prior art there is. The method by which computing devices can communicate with and store information on chargers is well established. The Dell laptop I am using right now is plugged into a power brick with a DS2501 1-Wire chip (I found this out trying to track down the source of the error "Plugged in, not charging" and "Power adapter type cannot be determine, your battery will not charge"). Mobile phone vendors including Motorola and SonyEricsson have been known to put cryptographic chips into batteries and chargers in an attempt to lock out makers of unauthorized accessories.
In 2007 at the latest, Apple filed a patent involving a power adapter and a device that would only charge with power adapters that the user has authorized, with the useful application stated as deterring theft of iPods from their rightful owners. At the least, the password recovery invention claim should be considered a derivative of the former invention, which has 5 years of useful life reduced from its patent.
Our intellectual property system, patents included, has failed to keep up with the new and changed reality of our creative world. Its workings are far below optimal in nurturing one of our most important sectors, pharmaceutical R&D. We need improved mechanisms that reward high-risk high-cost activities such as drug discovery and protect it from generic-drug poachers and unfair compulsory licensing, while exempting a wide class of uses and limiting patent scopes to protect academic researchers from patent hassles (our drug trial system, also in need of reform, is another tricky subject unto itself). Copyright and patent are widely abused to scoop up public domain works and public domain genetic material. The perpetual extension of terms can hardly be admired as an example of policy leadership.
This article doesn't touch on the drawbacks at all which I think are pretty critical.
For one, I always have the power pack with my laptop. Even if it's not plugged in, it's in my bag.
And secondly, I know many people have multiple power packs and many who have lost their original power pack. What's a user to do in a situation like this?
I can understand why you would want to highlight the more interesting part, but without discussing the cons, this article just comes off as another piece of Apple praising junk.
I think this will just get people to change their password from, "password" to "power". ;)
I agree with the others in saying that this isn't very original or even clever. As Seiran pointed out, it's very similar to what Apple and other vendors have been doing with accessories for years. That is, they've been adding chips & authentication to lock in customers & eliminate cheap competing products. On the security angle, there's been dongles, split keys, etc for a long time. Putting the two together is just incremental innovation.
This has little to do with security: it's about lock-in & creating the perception of better security (security theater). People mention snatch-and-grabs at coffee shops. I wonder how often this happens, as I don't know a victim personally. Most of the time, I hear about their car or house being robbed & everything of value being taken (chargers included). Then there's buying stuff with stolen credit cards. So, the most common bad situations aren't prevented. Additional issues others have mentioned like multiple chargers in the house add extra reason to not trust this solution.
The irony is that Apple is in a unique position for mobile security. They have a license of the ARM architecture that allows them to incorporate isolation & confidentiality features directly into their processor. There are numerous academic prototypes, like SecureCore or SecureME, that can defeat virtually every major low-level attack w/out huge performance losses. Additionally, they could easily employ one of the very secure microkernels & mobile protection software thanks to their tight control over hardware & limited number of devices. Hell, they could even buy one of the mobile vendors & force them to offer the solution on the new "secure, business grade iPhone." This would let them recover the costs of high[er] assurance software development ($15-25mil a product).
We won't see that happen, though. Instead, Apple will continue to patent nonsense, produce insecure toys, & sue anyone who says otherwise. This is what they've always done. I expect nothing different from them in the future.
Clarification: "mobile vendors" meant "mobile security vendors"
Definitely not worth a patent. Just another indication that the patent system is fundamentally broken.
Yes it is and we are about to see it get worse...
As some people might know Nokia has been having problems for the past few years in the US with "talking heads" basically talking its products down (partly due to the fact it is seen by many in the US as an "Anti-US Continental European faced Company").
Well to try and solve their woes they took on a Microsoft Person and gave them sufficient seniority that he killed off all Nokia's developments and went down the Microsoft route for Nokia's phone OS. On the oft mistaken idea that there can be three major platforms in a vertical technology area...
This turned out to be a remarkably bad idea and Nokia's woes went quickly from bad through worse and critical to "life support required".
Well it appears that the idea being promulgated now is to turn off Nokia's life support and do an organ harvest of the cooling corpse. And guess what Microsoft is aiming to get its hands on Nokia's considerable collection of patents so that they can force back on the likes of Apple and Google.
So expect to see a lot of fairly stupid or obvious patents to start being granted by the USPO. Who incidentally is actively engaged in getting as many patents through as possible in the same sort of behaviour as seen by the Fanny Mac etc dodgy mortgage trading.
This just looks like another USPO "quick hit it with the rubber approved stamp and cherching hear the cash hit the register".
An examination of the year on year numbers and types of patent issued by the USPO indicates that it's a growth industry for them and those involved with the legal side of patents.
This may be in part due to the stupidity of the likes of Apple and Microsoft trying t
I've often thought the solution to laptop security would be something like my Prius smart key. As long as it is in my pocket or purse and I am in close proximity to my car, I can unlock the car and start it. But as soon as I walk away, the car won't unlock or start.
Extend that concept to the idea of a security dongle that you also keep in your pocket or purse, and that your laptop's screen would lock up and couldn't be unlocked until your "security dongle" was within a metre or so of the laptop, and unlocked automatically when it is. When you walk away from your desk to get coffee, your laptop locks up, and unlocks when you sit down again. Leave the laptop in a taxi, and nobody can read your top secret documents.
If the security "dongle" was on your person instead of attached to the laptop, it's less likely to be left with the laptop when you walk away, and less likely to be stolen or lost at the same time as the laptop.
Sorry probs with the mobile phone necessitating a reboot...
The last sentence of my above should have read,
This may be in part due to the stupidity of the likes of Apple and Microsoft trying to use the courts in any way possible on patent and copyright issues to interrupt the commerce of their competitors rather than on honest trade. So much so that one company who has already had judgment against Apple is involved with taking Apple to the Spanish courts for "extortion", if they win Apple could have very significant problems they will not be able to buy themselves out of...
This ought to be real popular with Law Enforcement.
I understand they have problems with encrypted filesystems now. In a few years, when grabbing the hardware, they'll be able to grab the power supply slash key too.
@ Clive Robinson
I appreciate the news bite. For the rest of you, here's a link to that story.
Spanish firm sues Apple for extortion
Paul: Such things exist. In fact, you can use your phone itself (or any bluetooth device) as the 'dongle'.
Encryption key storage though, that's another story.
@Clive Robinson: Sad but true. Seems nobody wants to compete on the merit of their products anymore and no amoral strategy is too bad to be used.
I am sure this will do wonders for the economy...
IMHO the patent system is not broke because it is doing exactly what it was always designed to do. In this sense the USPO has become a "regulatory capture"
The USPO serves the bigger US companies very well. Patents are easy to get, for any stupid idea, the only difficulty is deftly negotiating the process. As a consequence it now serves as an employment place for "rent-seeking lawyers", instead of somehow protecting the individual inventor.
There is a cost to this type of behavior and it is seen today in the absence of US based start-ups. It's also part of the reason that so many smart Chinese are returning to China to start businesses.
The article postulates that fear of forgetting the password is an important factor causing users to choose short/easily guessable passwords or no passwords at all. In fact, the whole usefulness of this patent is based upon this assumption.
It seems strange to me. For me, password recovery never *ever* entered into decisions on password complexity. However, I understand that I'm not representative of a typical user (e.g. I use a portable password manager, which most users don't). What do you guys/gals think? Is there any data?
Because if this premise is false, then this patent is almost entirely irrelevant (just as a lot of other patents), as it addresses a very infrequent scenario of password recovery.
Due to a move I have recently changed a lot of banking, phone and other passwords (new accounts etc.). For whatever reason, I still keep forgetting them and keep locking stuff all over the place with my complex but incorrect passwords.
However, the reset mechanisms are quite smart and painless nowadays. In fact, so painless I wonder why I should bother trying to remember my password and rely on the reset mechanism EVERY TIME because it is easier to execute than memorizing 10 new passwords/PINs. For each credential I have a secret that allows me to reset the access credential, so all I need is to guard that secret.
In this case though, having your laptop stolen in the bag that also contains the PS is a vulnerability. If you know you will never need the reset facility and rather lose your (encrypted) data then just don't enable this split-key scheme.
@q: it's not irrelevant if the objective is to hamper makers of 3rd party power supplies.
Even if the feature is never used, the laptop may very well check for its presence, and display a warning if it's not there. Since it's patented, 3rd party power supplies would either have to try to sell it despite the warning (difficult), get permission (impossible), or implement it without permission. In the latter case, Apple could then use the patent to go against, say, distributors, or simply have these things confiscated at customs.
No need to ascribe to incompetence that which can be adequately explained by malice.
Is Apple doing this to make it illegal to use non-Apple chargers for Apple products? I'm reminded of the lawsuits about printer cartridges in the past, where vendors would put chips into the cartridges in order to prevent both refilling and selling generic/off-brand cartridges.
Consumerism at its best. Buy a spare power adapter. Pair the key with one adapter left at your house, and keep the unpaired second adapter with you. If your laptop and unpaired adapter are stolen, the password can't be recovered. I think it'd be a better idea to have a USB port on the adapter. Plug in a thumb drive, have the thumb drive paired, leave thumb drive at home. Funny thing would be to ignore the power adapter completely and have the USB drive paired directly from the laptop.
I'm seeing this as a way to tie people into buying expensive, proprietary power supplies.
And of course once they're no longer produced a short way down the line; "Well, sir, we do have THIS year's Macbook to sell you..."
The good news is that this will make it less likely anyone else will do this!
Similar use models but with more interesting functionalities have been described in "intrusion-resilient" crypto and some other models.
one problem, though - I use at least two chargers (one at home, another in the office) and often needed to charge my laptop from someone else's charger...
I would like to point out that getting a patent does not protect the "invention" but sets the date from which you can claim protection for an invention. The reason the U.S. patent system is lenient is because you can't wave a patent in someone's face and destroy their business- you still have the huge task of proving:
--The idea is not obvious.
--The idea is not derived entirely from previous art.
--The idea has been actually taken in that what your competitor has done is exactly what you have described. It cannot be just similar, because then they could patent their version.
I do not think Apple can patent an idea that already exists by embedding it in a power supply. If they do defend it, then you could get around that by putting the recovery object in another convenient device and sue Apple for moving it there later.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.