[Giagnocavo]Michael::Write()

 Wednesday, September 29, 2004
VeriSign makes it easier to pose as a child online
i-SAFE and VeriSign announced their new product for kids: a USB device that acts as a smart card with the cute name of “i-STIK”. Apparently the problem of people posing as children online to later abduct them, or perhaps just get a thrill out of pretending to be 12 again and talking with kids, is very large. So the plan is to authenticate all kids online. VeriSign says adults posing as kids will stick out “like a sore thumb”, since they won't have a USB key/device/card/stick. What's wrong?

Well, first, it won't work. There'll still be tons of kids without the cards, so it's dubious that other kids will stop talking to non-carded kids. Apart from that, software support is still non-existent. Last time I checked, IRC didn't offer a way to use a smart card. All sorts of communities would have to adopt this system. Also, it's “owned” by i-SAFE and VeriSign, meaning that implementing the system comes at a benefit only to those companies.

Will the system allow kids to send S/MIME email? Half the people I know can't verify my signed email or have no clue what it is. One person (who works for a telecom company) got so confused about my signed email that he couldn't figure out how to forward the message (no idea which mail client he was using). And suddenly, i-STIK is going to solve all these software and end-user problems? Yeah, right.

The claims made on that page are utterly ridiculous: “...empower our youth with the key to unlock safe doors on the Internet...” and “...I am pleased that i-STIK technology will protect children from Internet predators...”. But these quotes show the lack of understanding and the complete trust people are putting in this system. And this is where it gets bad.

Since this will be touted as “100% secure” and “perfect” (much as SSL is touted by cert-selling companies), the true issues will be ignored. Just like in biometrics, failure can be quite devastating, not because of the technology, but because of the trust placed in it. There are millions of kids in the States. That's a lot of tokens. And somehow, VeriSign is going to ensure that tokens aren't incorrectly issued? Remember, VeriSign is the company that couldn't even stop themselves from issuing fraudulent certificates in Microsoft's name. And now they're going to issue tokens to kids? Issuing a token to a child is harder, since this is supposed to be an “anonymous” system -- i.e., no personal data of the child is stored.

So what happens when tokens end up in the wrong hands? Well, parents, children and teachers are taught to implicitly trust the tokens in whatever form they manifest themselves (an icon next to the person's name in the software?). Thus, when an attacker has a token, he can freely impersonate any child he wants, and even assume multiple childish identities (due to tokens being anonymous). Now instead of having the usual caution when the attacker makes a move, everyone trusts that it's OK, “since the little kiddie icon is there”.

Fortunately, the system will probably fail for other reasons, so we won't need to worry about this. But if it somehow succeeds (through clever marketing)... beware. The money going into such a system would be much better spent on education for kids, parents, and teachers. If your child is going to happily run off with someone they met online, no amount of technology is going to save him/her.

Press release: http://www.verisign.com/verisign-inc/news-and-events/news-archive/us-news-2004/page_016237.html
Security
Wednesday, September 29, 2004 9:13:23 PM UTC | Comments [1]


Sunday, October 03, 2004 2:03:55 AM UTC
It's really amazing the steps people go through to 'fix' problems that are just so easy to fix by doing the most intuitive of things. If companies can keep computer literate adults from doing *fill in the blank* online, certainly parents, with no threat of getting sued or anything else can control it. Hmm, show you can't be trusted on the computer ---- well, pull the plug, change the accounts etc.

Your point about tokens ending up in the wrong hands is priceless... considering that Gmail accounts are auctioned off on eBay as is everything else, I'm sure a sophisticated predator could certainly procure such a thing - probably even use one from the kids they're molesting.