Weaponized Authentication

Just a meager 15 years from now you’ll be slotting a hot code pack into your server which teaches it to be like a person walking down the street in a shady neighborhood. How do I know? Because I’ve been working on it for a few years now.

Why wait fifteen years? Wait, that’s not actually a question you’d ask. Actually, you wouldn’t ask anything at all. Instead, you’re probably presuming this is an article about Artificial Intelligence security or some other form of machine-based personality disorder.

Nope.

So let me tell you why your server should act like a person walking down the street in a shady neighborhood.

We’ve surmised some thirty and then some attributes of inherited paranoia associated with how you humans deduce the intent of a person you don’t know. So this is more biomimicry than about machines pretending that they can think like people. Now you’re thinking machines that think like people is also biomimicry… And while that’s true, have you ever considered shut up?

The point of this article is to prepare you for supplanting identification techniques with intentification techniques. And I can do it. I already prepared a crowd earlier this year at the illustrious Troopers conference in Heidelberg, Germany and the sublime Paranoia conference in Oslo, Norway, so now it’s your turn.

While examining a large variety of forms of authentication, I realized that damn, this authentication thing does not hold up. I’m not saying it doesn’t work (although it doesn’t). It’s shockingly empty of any notions of consistency vital to maintaining security. And it’s all because of identification, one half of the mechanism that makes up authentication (the other half is authorization for you who fell asleep in authentication class).

Identification, you know, is a great thing that just works

This is a Security Bloggers Network syndicated blog post authored by Pete Herzog. Read the original post at: Cylance Blog