<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
On 2016-04-04 18:28, John Clark wrote:<br>
<blockquote
cite="mid:CAJPayv3AeirwOuCMA3E1mqzVr6JVKW-=0QzuwQ9KPnDNnxQ35Q@mail.gmail.com"
type="cite">
<div dir="ltr">
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif"><span
style="font-family:arial,sans-serif">On Sun, Apr 3, 2016
Anders Sandberg </span><span dir="ltr"
style="font-family:arial,sans-serif">&lt;<a
moz-do-not-send="true" href="mailto:anders@aleph.se"
target="_blank">anders@aleph.se</a>&gt;</span><span
style="font-family:arial,sans-serif"> wrote:</span><br>
</div>
<div class="gmail_extra">
<div class="gmail_quote"><br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<blockquote class="gmail_quote" style="margin:0px 0px
0px
0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><span><span
style="font-size:large;font-family:arial,helvetica,sans-serif">
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif;display:inline">
>> </div>
I presume that wouldn't include the entire world
knowing my credit card number.</span></span></blockquote>
<span> <br>
</span>
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif;display:inline">
> </div>
The problem with credit card numbers is that currently
we use security by obscurity: much of your protection
comes from me not knowing your number, rather than
restrictions on how I can use it. A good
authentication system would make knowing your card
number useless to me, just as me knowing your email
address doesn't allow me to hack your mail server.</div>
</blockquote>
<div><br>
</div>
<div>
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif"><font
size="4">But if you knew all there is to know about
my mail server including passwords and private
encryption keys you could hack it. </font></div>
</div>
</div>
</div>
</div>
</blockquote>
<br>
If I knew all the information, of course. But then I would already
have access. If I knew your credit card number but did not have the
proper access (say biometric or surveillance recognition), then I
could not get in. You could do the same thing with the email server
too: if it only allows access to people who were you when it was
initialized, it will be pretty secure. <br>
<br>
<blockquote
cite="mid:CAJPayv3AeirwOuCMA3E1mqzVr6JVKW-=0QzuwQ9KPnDNnxQ35Q@mail.gmail.com"
type="cite">
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote">
<div> <br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif;display:inline">
> </div>
Now imagine a 100% surveillance world. In this world
there would not be a need for passwords or codes,
since in principle whenever you wanted to use your card
the system could just trace you back to the moment you
got the card at the bank years before.</div>
</blockquote>
<div><br>
</div>
<div>
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif;display:inline"><font
size="4">And if somebody knew all there was to know
about "the system" they could hack that too and
successfully pretend to be me. </font></div>
<font size="4"> </font></div>
</div>
</div>
</div>
</blockquote>
<br>
Remember Kerckhoffs's well-tested principle: knowing a system
architecture does not make it unsafe if it is a good architecture.
In reality, system security depends a lot on implementation, and this
is where real insecurities tend to hide. But if you have a solid (or
highly redundant) system then the adversary would have a tough time.<br>
<br>
I am sure it is always possible to fool a security camera or
biometric algorithm. But if there are ten independent cameras and
algorithms, then fooling them all at the same time (and
unobtrusively) becomes very tough. If the overall system doesn't
have a simple point of failure (like letting all the camera data go
through the same hackable server) but instead collates distributed
information, then it will be very hard to crack. And the metric is
not impossibility of cracking it, but that the cost/effort is too
high to make it worthwhile. <br>
<br>
<br>
<blockquote
cite="mid:CAJPayv3AeirwOuCMA3E1mqzVr6JVKW-=0QzuwQ9KPnDNnxQ35Q@mail.gmail.com"
type="cite">
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote">
<div> </div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif;display:inline">
> </div>
Personal continuity makes for a great authentication
system. <br>
</div>
</blockquote>
<div><br>
</div>
<div>
<div class="gmail_default" style="display:inline"><font
size="4"><font face="arial, helvetica, sans-serif">
Provided people trust it, provided they believe that
the continuity the system displays is the truth.
Should they believe the system if everybody can hack
it? And if the system is secure because it keeps
passwords and encryption keys secret can I also keep
passwords and encryption keys secret? <br>
</font></font></div>
</div>
</div>
</div>
</div>
</blockquote>
<br>
Proving a system is trustworthy in the technical and social sense
will always be a complex process. <br>
<br>
The security of the above 100% surveillance system is not in any
secret keys, but just checking that the person withdrawing money is
contiguous with the person opening the account. There is no secret,
just a hard to forge surveillance trail. <br>
<br>
Note that authentication is different from secrecy. In a 100%
surveillance world there are going to be few if any secrets, but one
can still authenticate things. Since subverting a system is about
secretly changing it, it becomes hard in this world. <br>
<br>
<pre class="moz-signature" cols="72">--
Anders Sandberg
Future of Humanity Institute
Oxford Martin School
Oxford University</pre>
</body>
</html>