In the short term, what would I do to improve internet security?

Discourage people from using a service where a single XSS or XSRF attack will compromise a significant fraction of users.

Here’s how it could go down:
1. User’s Vidoop cookie is stolen from their browser. Say, through an XSS attack on MyVidoop.com or a browser bug.
2. Attacker now has the cookie and has three attempts to guess the users’ 7 to 9-bit password. 1-2% of users would be compromised just by guessing. BAM. 1% of your users just had their bank account emptied.
3. If the attacker fails in step 2, they can snag the user’s cookie again when they reauthorize. Rinse. Lather. Repeat.

That is significantly worse than the status quo, because users have to put all their trust in Vidoop’s site to be vulnerability-free.

Contrast that with plain ol’ passwords. I only need to trust my own machine. If it’s compromised with a keylogger, then I’m screwed regardless. But at least I don’t need to trust that some start-up is XSS-free.

Even if I pass this level of security it still doesn’t bestow authorisation which should be a secondary level of security confirmation and finally access being a third.

For example I can use my openid identity to state an authentication claim that I am samksethi to a website and request authorisation to a particular service.

With Openid 2 there are a number of attribute challenges (SREG, AX) that can be made i.e I have to respond to name, date of birth, mothers maiden name etc. “One” of those by the way could be a visual prompt.

If I am correctly identified then I would like to see a http://www.microid.org produced as my unique key from my opeid broker and returned to the site I wish to enter.

This would then confirm my authorisation and finally access is then upto the site I have accessed i.e what level of access am I an admin or just a subscriber

I personally like the work that Chris Messina is doing with OpenID and hCards as well as Steve Ivy on trustlists via xfn. http://redmonk.net/more_monkinetic/xfn-blogroll/

Distributed Open Identity is a difficult balance between simple ease of use and complex security. Vidoop are trying one method, Sxips uses others as does JanRain. Then of course we have Microsoft with CardSpace and information cards.

waiting to hear the Good News!

We provide improvements over the usernames and passwords that you use everywhere today.

We provide improvements over the password managers that are built in to web browsers today. (For example, you can have myVidoop email or SMS you with an alert any time something unusual happens on your account, or you can remotely disable access to your stored passwords in case you accidentally left yourself logged in at an internet cafe.)

Finally, and perhaps most significantly, we’re helping to improve the overall state of Internet security by providing a sustainable economic means to get strong authentication into the hands of each and every user.

In security, there’s always more work to do, and we’re always on the lookout for ways to get stronger security in the hands of even more people. If, during your research, you come across any practical ways for us to improve, please let us know.

The bigger picture has to do with economics. In the security world, we all understand the strength of smart cards, tokens, SMS OTP, etc… The problem has always been cost and scalability. We intend to knock down the barriers that keep stronger authentication out of the hands of the general public. One element of doing that is making stronger authentication a standard part of one’s web experience. With the economic characteristics of the grid (used as a what-you-know security factor) we are certain we can destroy those barriers and deliver stronger authentication to everyone at no cost.

In the short term, what would you do to improve internet security?

Luke Sontag
Co-Founder, Vidoop

Second, an ATM PIN is 13 bits compared to Vidoop’s 7-8 bits. So, congratulations. Your scheme is 1/32nd as strong as 30-year old ATM technology.

My biggest beef is the disingenuous “hacker proof” claims your company has been making. It is clearly susceptible to malware, just like any other password manager. It’s also vulnerable to phishing and man-in-the-middle attacks.

You claim that the grid mechanism requires “more difficult attacks”. This is an extremely naive view. There are off-the-shelf components that can automate attacks against Vidoop today. These have been successfully used in practice against financial institutions using on-screen keyboards. Once there is any financial incentive, “more difficult” becomes “0-day exploit by a Russian 12-year old”.

Out-of-band SMS one-time authentication tokens are a valid idea. Unfortunately, no users will ever opt to receive an SMS message every time they want to access any of their passwords.

The short answer is that the entire bundle of categories for a given user are the same each time a grid loads.

Search for the word ‘bundle’ on my FAQ: http://scott.blomqui.st/2007/1.....ut-vidoop/

I am trying to crack into somebody’s Vidoo-protected account - here is the grid: a car, a bird, a skyscraper, a cat, a boat… I am trying to guess the right images - is it a skyscraper and a cat? No, i am wrong. lets give it another try - the new grid is: a woman, a car, a bottle, a plane, a boat… you get the idea! Some of the right images have to be in every attempt to log in!

There is a grid of 12 images. You can choose up to 5 categories. How long time is it going to take to guess the right categories? There are right images in every grid - how many grids do I need to figure the right categories out?

Maybe I am missing something but it seems to me it cannot take more than one hour to get into any account. What am I missing?

Today most of us protect the cash in our checking accounts with a tiny little 4-digit secret in the form of an ATM PIN. And if you ever give a waiter 3 minutes alone with the corresponding card, it’s trivial for him to clone it. With the requirement for an attacker to both clone a card and guess the PIN successfully, however, the security layers build together to provide security that’s good enough for every bank.

I agree that a cookie is not as strong as using some sort of physical second factor every time. We give our users the option to never store a cookie and to always require an out-of-band activation step.

We’re working on some partnerships to layer in additional second factors (think hardware tokens), and one of the more interesting characteristic of our system is that our what-you-know factor (the grid) can subsidize or even completely pay for a conventional what-you-have factor. (See Luke Sontag’s post at http://blog.vidoop.com/archives/33 for more details.)

The bottom line for us is that every single user gets fine-grained control over the tradeoffs between usability and security, and no matter where they set the line, the mechanism requires more difficult attacks, and yields less than the 100% success rate that a stolen password provides.

I addressed most of the other points that you make on my blog the other month. You should take a look there, and please don’t hesitate to get in touch if you have any other questions.

http://scott.blomqui.st/2007/1.....ut-vidoop/

Scott Blomquist
CTO, Vidoop

SG

What the hell is the point of adding yet one more layer to a sign-in scheme that’s meant to remove such things?

As we say in these parts, daft!

No matter what you choose for password, there’s one thing for sure: in about 100 requests, the most frequent pattenrs and shapes will be one of your passwords.

I do not say it can be breaked within a second; but it certainly does not last more than an hour - even if you use a human instead of a computer.

But wait! The computer is “pre-authorized”. Translated through the bullshit filter, that means “a cookie”, which they probably call “two-factor authentication”.

“There’s no way for someone to obtain your credentials and create a robot that hacks into your accounts.”

Vidoop is entirely vulnerable to screen-scraping and cookie-stealing malware. This is exactly how image-based login systems have been attacked and broken in the past. This is trivial to implement.

Even if we assume the attacker doesn’t screen-scrape, once you have stolen the cookie, you have three trials to guess an 8-bit password. That means 1.5% of infected Vidoop users would have all their passwords compromised by the dumbest attack possible.

Fortunately, Vidoop is destined for failure and won’t have a large enough user base for anyone to bother attacking it. Any users they do have will get what they deserve: FAIL.

personally I would not trust them nice but I would prefer to give my 100th to charity because thats a 100th of well nothing… is still nothing

Microsoft did alot of research in this area…

regards

John Jones

http://www.johnjones.me.uk