Please could you introduce yourself briefly Pete Herzog?
I am the Managing Director of a security research nonprofit. I do OSSTMM, Hacker Highschool, advising, presenting, and a little go-go dancing – but I am not good at the last one.
During 2019 data breaches are still a growing problem. What should individuals and organizations do to protect their online identities?
Eeeeep! They are a growing problem. But the problem comes from 2 places: we are getting less effective at cybersec despite more tools being available and better. Secondly, identity is a really really hard problem because it is so weak. The weakest of all aspects of security. And it leads to most other security controls breaking like authentication, non-repudiation, and even subjugation.
How do we improve it? Improve how identity is stored and shared so it is much more accurate. And secondly, train people in security analysis to make them more effective with the products that do work well.
What would you say to the global issue of identity when it nation states take it upon themselves to dictate what the identity can be? Looking at China in this case.
The global governments have ALWAYS controlled identity. It is a social construct and controlled by social construct they ALL dictate it. China is just getting a bad rap over it because, you know, the dictatorship, oppressive government thing in our news.
Identity needs to go back to the people.
How could Vereign help in that direction?
Vereign is a federated network built on open protocols and open systems using an open database (blockchainy-ish) to keep records. It falls in our hands to conserve our identity and the people we share it with to propagate that trust in a p2p fashion, much like we do in real society. You are only you because of the people around you who know you IRL. That makes who you are. Not because a card says so.
Sort of how GPG/PGP’s web of trust tried to do?
Similar but with more modern understanding of communication protocols and controls.
Read more about the relation between the two here.
Can people manage identity, though? Governments are managing identity not simply because they can, but because they are a natural „stamp of existence“. Is there an independent, trustworthy way to confirm that person X is indeed person X, and not person Z? You need a sufficient amount of witnesses to confirm person X is X, but then these witnesses also need to be trusted. And in the end if you go to a bank that doesn’t know you, or to request a driving license, will the bank rely on a) the word of a few strangers it doesn’t know b) the stamp of a government.
We have to because the Government sucks at it. If they did not commit fraud it would not be the LARGEST problem we have. We cannot have centralized identity because we cannot have centralized trust. That is the biggest weakness in identity today. Your folks did not commit fraud when they named you. But you could still do so in reporting who you are to government census/offices.
The government identity thing only works for the people who think it works. For the rest there is corruption, fraud, black money, and a whole host of other unsolvable problems without better identification.
In a world of synthetic identities, impersonation attacks, deep fake voice and video, how do we know who is real online?
Currently, we cannot easily. We like to trust that most is and most people are nice but that just is not really something proven. Actually, at this point there is no reason to just have your IRL identity online. I recommend you fracture it as much as possible and be many selves in many online places so that you cannot be centrally tracked and doxxed. At least until we have a valid identity system in place and non-repudiation can hold people accountable.
Are digital identity and data breaches so intertwined, or are they separate problems? You can do a SQL injection to extract incorrectly stored credits cards without breaching someone’s identity, government managed or not. And should not we solve the two problems separately.
Do not get me wrong, identity is not the solution to all problems nor is it the cause. Identity is just one of 12 necessary controls we know of and an integral part in at least half of all controls. So solving any one problem does bring us closer to solving others.
Vereign: Government identities are at the basis of a lot of the services we use necessary for modern day society to function. Identity checks are still necessary for some transactions, but in your private and professional life you only need to be sure you are talking to the same person or organization you have built trust with over time. We do add an aggregation of validations from trusted 3rd parties which can be reused across applications to verify details or aspects of the other side you are talking to to strengthen that trust.
What mechanisms are there (perhaps to be developed) to manage a 3rd party that goes rogue. Or is compromised in a manner that now is essentially sabotaging the system and perhaps bringing down the portion of the „web of trust“. Since we can anticipate that, is there some thinking on how to address it?
Vereign: We currently have notifications and a tamper-proof audit log. You can see when someone is trying to misuse the functionality.
Pete: The best part of the audit logs is so that everyone else can see that we’re not centrally capable of tampering with anything.
A 3rd party rogue happens all the time in the current system. We cannot address that if we do not have a federated system. With a central system it’s impossible to manage or address in a timely manner. In a federated system it would be immediately rejected or marked as untrustworthy.
Interesting. It is not a byzantine general problem problem?
Kind of. The world is a trustless system and to be honest, I am not sure how much of it we can make trustworthy. I envision that, like in a real-world scenario, there will be huge swaths of untrustworthy identities who are trustworthy between each other but nobody else. We will not know until we grow the system.
Do you have more technical information on that (the tamper proof log)? E.g. is it using merkle proofs?
Vereign: You can read more about it in our White Paper „4. The Technical Solution“ & in this article.
Speaking about identity: There is a saying “Nobody cares about backup, people only care about restore”. How do we secure our restoration mechanisms? They are a usual attack vector to all online identity systems.
That is a tough problem that requires maintaining the integrity of the stored data and the restored data while knowing if the data being replaced is legit newer data or garbage. There are so many kinds of attacks that restoration depends on intent— why are you doing this? We cannot secure it all so knowing the value of something, why is it there, allows us to apply specific controls and therefore actually have a shot of doing it well.
How does Vereign manage the restore?
Vereign: We use a „Social Recovery“ mechanism. There are two or more trusted people from your verified live address book you can select to help you restore your access. Also there is a preventive mechanism for misuse of that functionality. There are also more features planned in the pipeline. It’s not an easy thing to solve and there are not perfect solutions so far.
And what is that thing that you use to prove that you are you? A private key? How is it stored?
Pete: Part of the problem is that identity is both a human and physical thing that we need to tie to a „cyber“ presence. For a lot of what needs to be done, globally the technology and the know-how is in its infancy.
Vereign: That is correct. It’s stored on one or more devices you manage and protected with a second factor. Currently a PIN.
Isn’t that hard from a usability perspective? People barely manage passwords..
Vereign: Keys are hard to manage, but in our case you do not really see them.
One of the great improvements, but lately single point of risk on the internet are certificate authorities: How are they usually protected from attacks?
CAs have authority to sign on your behalf even backwards in time. Although secured to the best technological and organizational measures possible.
You were part of co-creating an innovation with us on how to secure your signature, so only you can sign. Could you tell us more about it Pete Herzog?
Most commonly these are protected by authentication controls which are really weak. Sure, they layer the hell out of them but a broken identity will get through all layers at once. Which is generally how they’re broken. In the last few years more is being done to add a physical layer and storing the keys physically away from the network in parts so that getting them requires the time to retrieve all the pieces and put them back together. That is actually a pretty sweet, innovative trick for protection.
First, they do not use the best security. It’s not viable to do so neither monetary nor practically. Since CAs use a central trust, they can do whatever they want and clean up the logs. Good luck proving it was not you. Now you might think, why would they care to do that to me? Sure, you could think that. But there is a huge difference between risk and trust. They are selling trust but you are buying risk. That is the problem. Trust is what you have when you accept risk. You should not have to accept that much risk.
In one of your initiatives “Hacker HighSchool” Pete, you teach kids cybersecurity skills and awareness. What are the top three things they learn applicable to us as adults?
Hackerhighschool.org was developed to teach teens to think for themselves. Hackers do that really well. They look things up they do not understand. They dig deeper. By understanding things you also see new perspectives. So the three things are: resourcefulness, empathy, and critical thinking. Probably not what you were thinking but really cyber safety and cybersecurity are a byproduct of those things. And the important fourth thing is the ability to learn from your failures. Perfect mix for any school child.