Two Factor Authentication

Let’s talk about Heartbleed for a second, shall we? Perhaps not about the bug itself, but rather about its real world ramifications. What does a small implementation mistake mean for an average citizen of the web? Well, probably the most important implication here is that all three of your favorite passwords are now compromised forever. They are all likely on a number of big lists, tied to your email address, real name and god only knows what else. These lists were and still probably are harvested from vulnerable servers, tucked away in some dark corner of the web, passed by reference via torrent files. Of course it is entirely possible that your emails and passwords were never harvested and saved for posterity, but are you willing to take that chance?

Heartbleed

If you don’t know what Heartbleed is, stop reading this right now and go change ALL your passwords. I’ll wait.

If I was a nefarious individual (or an employee of a clandestine American intelligence agency operating without any public oversight whatsoever) and I was in possession of a large number of username and password pairs harvested during the bountiful Heartbleed season, I’d continuously run them against various free email services and social networks. After all, why not? There are still many people out there who do not think Heartbleed was a big deal, or that they are somehow immune to it by virtue of not being very tech savvy. There also exist people who have changed their passwords, but will revert back to their old standbys once they judge enough time has passed. And all of these people will likely be owned. The sad truth is that any password you have used while Heartbleed was in effect is now forfeit forever. You can never, ever use it again. At least not if you wish to keep that account under your control.

This is how it goes: if I know a password for one of your social networks, games or other bullshit accounts, chances are it is the same one you use for your primary email account. If I know the password for your primary email account, I literally own your life. I can reset any of your other passwords, I can look at your pay stubs, likely log in to your bank account, approve charges on your credit cards, cancel your utilities, etc. Just about everything you do online feeds back to your email, and uses email notifications to warn you about possible fraud, illicit access or misuse of your accounts. That email is protected by a single password, and once I know it I can go in and proceed to lock you out of it. This is really bad.

In the real world, when we want to secure something and prevent other people from accessing it, we typically use a key. Assuming that your lock is of good quality and can’t be easily picked, the benefit of using a key as an authorization/access method is fairly obvious: it is a physical token that is easy to control. You usually only have one or two keys, and they can’t be easily replicated without physically taking them to a locksmith. So as long as you keep your key safe, and don’t give it to anyone, your possessions are safe (or at least as safe as the integrity of the lock and the safe will allow them to be).

Keys

These are physical tokens. They are non-trivial to replicate without physical access. When you lose one, you know almost instantly that it is gone.

We also use combination locks, but they are inherently less secure. Sometimes that’s exactly what you need. For example, if you want a friend to get your textbook from your locker in the hallway you can just tell them your combination. Unfortunately, everyone else within earshot will also know your combination at that point. This is partially mitigated by the fact that most combination locks let you change their code. Unfortunately, if you don’t know someone might have overheard your combination, or even seen you enter it, you won’t be compelled to change it. This type of lock gives us the convenience of not having to carry around a key, and of easily granting others access, in exchange for lessened overall security. Instead of relying on a physical token that unlocks the door, you instead use a secret pass-code which can be overheard, guessed or even extracted from you via subterfuge. This is why combination locks are common on high school lockers or bicycle chains, but your car or your house will typically use a key based lock.

Combination Lock

This is a password/secret based security device. The combination can be stolen without you ever knowing. If someone knows the combination they can share it indiscriminately at virtually zero cost.

At the dawn of the internet age, we did not really have an affordable and logistically sound way to model physical keys, so we settled for password based authentication. It is functional, but not a perfect solution, as evidenced by the fact that people get their accounts “hacked” all the time. The fact that passwords get compromised so often is a feature of their design. They rely on users doing something we humans were never really good at to begin with: retaining random codes in memory.

With the way our minds evolved, our memory is very referential. We rely on context cues for retrieval and management of our memories. We are good at remembering people, events and emotions and facts that tie into them. Unfortunately that does not help us with passwords, which to be secure must be completely random and devoid of context or emotional content. If your password is based around something or someone who is dear to you, then it will be both easy to remember and easy to guess. If you use words, you leave yourself vulnerable to a brute force dictionary attack. So not only do you need a password that is devoid of context and emotional investment, it also has to be unpronounceable, complete gibberish.

If you only needed to remember a single completely random string, this wouldn’t be that bad but we all have dozens of online accounts. Ideally, you should use a unique password for each of them. If you re-use the same password on all the services, then a tiny coding mistake on one of them can potentially leave all of your online accounts wide open. So in an ideal world you would have to remember 20-30 unique random, unpronounceable complex passwords. And all of them should be more than 30 characters long if you want to stay ahead of the curve and make them difficult to crack via rainbow tables. This sort of mnemonic feat is something beyond the capability of any modern man.

This is simply not what we are wired for. And so, most of us have three or four favorite passwords that we re-use all over the internet. The savvier netizens have some sort of stratification in which they use the strongest, most complex password for their primary email / bank account, and then a number of lesser passwords for various other services. Most people however don’t do this, but instead rely on a kind of chronological password system. They have their current password which they use for all the important stuff, their previous password they use on things they couldn’t be bothered to change, and old passwords they no longer really use, save for a few ancient accounts, and maybe as a throw-away password here and there. This is why Heartbleed is so scary. Because of it, all these three or four passwords are now more or less public knowledge and you’d be a fool to use them ever again.

Passwords are broken by design. They simply do not work for what we’re trying to use them. They have been a good compromise up until now, but it is time to move on. If we want even an illusion of security online, we need to start using physical keys again.

When I took an infosec course in college, I remember a discussion we had about two factor authentication. It was a very good solution to the password problem. It works by combining a secret (something you know) with a physical token (something you have) and requiring both these elements to be used together at the same time. Knowing someone’s password is useless without also obtaining physical access to their token. Stealing someone’s token is useless without knowing their password. While it does not protect you from a MITM attack, use of a changing/rotating token can limit its scope from permanently compromising the account to merely a temporary breach. It is really a perfect solution… Except it was logistically impossible.

Back then the only reliable way of implementing this scheme was to issue a user a little electronic, battery operated, key-chain token, with a tiny LCD that would display rotating numbers. It was something you did when you were a big technology company with a big security budget to blow: like Microsoft, IBM or Oracle maybe. The expense of creating, issuing, mailing, replacing and managing such devices was so mind-boggling that most banks and credit card companies refused to even consider it. It wouldn’t even be an option for all the fledgling new free web services that were revolutionizing the way we did business online. It was a beautiful pipe dream: it would be amazing to have two factor auth on everything, too bad it will never, ever happen. And even if it did, how the hell would that even work? Would you even be able to strap 40+ RSA tokens to your car keys? Would men have to think about investing in man-purses or fanny packs to carry all those plastic tokens, cards and dongles? It wasn’t something that was affordable by the web companies or desired by their users.

RSA Token

RSA Tokens have always been and still are an industry standard. They’re good, but they are expensive to maintain, and users constantly lose them, forget them and generally hate to carry them around.

Fast forward to 2014 and we live in a completely different technological landscape. Most of the internet connected human beings who participate in e-commerce already own and always carry around perfect physical, internet-enabled tokens. Hell, they don’t just carry them – they treasure them. To many, these devices are cherished status symbols. I’m of course talking about cell phones.

A unique property of a cell phone that distinguishes it from other electronic devices is that it can receive phone calls and text messages. Unlike email, the SMS system is tied to a physical device. In most cases it is impossible to read your text messages without physical access to your phone, and any interruption of service (due to interception) is likely to be noticed. So if I build a website that challenges you to enter a randomly generated security code after you enter the correct password, and then I text that code to your phone… Well, we just implemented 2 factor authentication for free.

Flip Phone

Technically, this is a perfectly valid physical token for SMS based 2-Factor authentication. It’s probably pretty safe to assume that everyone who uses the internet regularly also owns a phone just like this, or better.

Actually, scratch that. It’s not free, because sending text messages costs money. Also, implementing a system that can send text messages merely to the few existing cellular networks (all of whom have price-fixing and non-competition agreements with each other but for some reason can’t make their networks work together) in the US is already a major pain in the ass. But still, it is a viable option. And one that has no barrier of entry and can be readily used by just about anyone who can operate a cell phone. Not even a smart phone mind you, but a basic flip phone even. But if you don’t have the money or resources to implement an SMS based solution, and you expect your users to be savvier smart phone owners, you can do it in software at little to no cost.

All you need is a phone app that implements the HMAC-based OTP Algorithm. Most modern phones (even the Blackberries) have enough processing power to run an app that can reliably generate a random security code every 30 seconds. The Google Authenticator app is only one example, and there are many others, and they are all cross-compatible. If the user doesn’t like or trust Google they can choose an equivalent solution from one of the dozen other vendors. Implementing the challenge response on the server side for the HMAC-based OTP is so trivial it can even be shipped as a one-click install WordPress plugin.

Google Authenticator

Google Authenticator on iOS. Contrary to popular belief this is not a Gmail Login app, but a full implementation of the HMAC-based OTP algorithm and it will work with any service (including LastPass).

In the age of both ubiquitous cell phone use and rampant identity theft, two factor authentication is now so trivial to implement it would almost be foolish not to. To wit, most prominent online services already use it: Facebook, Twitter, Google, Yahoo, Microsoft, Tumblr. You name it. Most of these offer both an SMS and a software based option. All are disabled by default, but can be enabled at any time. And in the aftermath of Heartbleed it would be foolish not to use it.

A few months ago you could have made a compelling case why you might not need two factor authentication on your email, and I might have believed you. But then we’ve seen live proof that a simple coding slip-up can compromise half of the internet in the blink of an eye, and that point is no longer valid. You need two factor authentication on everything you can. That is the only way to give yourself at least a fleeting chance against the next bug of this magnitude. It is also the only way to prevent someone from extrapolating your next password based on your last seven previous ones, which, as we established, must be assumed to be public knowledge now.

You’d be astonished to see just how many online services already implement 2-Factor Auth. You’ll probably be doubly astonished that almost none of them are financial institutions or banks. So while you may not be able to make the place which holds your money more secure, you can make sure that at the very least your email (which is the gateway to your bank anyway) is. So I implore you to at least consider it.

Now, if you want to maximize your security, this is probably what you should do:

  • Sign up for a password manager such as LastPass or 1Password
  • Use the password manager to generate 30+ character long, completely random passwords for everything.
  • Secure the password manager with a 30+ character pass-phrase you can remember.
  • Enable 2-Factor Auth for your password manager (possible for LastPass at least)
  • Enable 2-Factor auth on all the services that support it, on the off chance that they get man-in-the-middled or in case your password manager is compromised.

This of course won’t make you 100% safe. Nothing ever really will. But it will ensure your identity is a little harder to steal. And that’s actually a good defense mechanism. Effort is anathema to a black hat. Hacking is a low effort, high profit kind of game, and it is much easier to move on to the next guy who thinks he is invulnerable to Heartbleed than to tackle someone who had enough foresight to click a button 3 times to enable 2 factor authentication.

Posted in technology | Tagged | 7 Comments

Hearthstone

The Warcraft franchise is a vast, ever growing, almost sentient thing. It includes a number of extremely popular strategy games, the world’s biggest MMO, spawned the world’s first MOBA, inspired a series of licensed novels, toy lines, an obscure and unpopular tabletop RPG and even a semi-popular CCG. When I say “semi-popular” I’m speaking in relative terms. For example, Magic The Gathering is genuinely popular. It’s the biggest card game out there, and the Warcraft CCG is nowhere near as ubiquitous or respected. Then again, my local Walmart and GameStop never carried MTG cards (you’d buy those in specialized nerd-friendly establishments), but they always seemed to have exactly five Warcraft CCG blisters behind the glass somewhere. So while few people actually knew about it and played it, it was always somewhat more accessible because cards were sold just about everywhere you could buy other Blizzard merchandise.

Personally I have never collected it, because I swore off CCG’s after I was done with Middle Earth: the Wizards. Honestly, I don’t care what you say: that game was motherfucking amazing, and we played it like a decade before Peter Jackson introduced Tolkien to the Internet by way of movies. But in addition to being an obscure hipster game, it also had a really cool set of rules which emphasized exploration, resource gathering and gearing up your heroes in an almost RPG-like fashion rather than the simplistic MTG wizard duel setup. It was a nuanced game which could be won by persuading more factions to join your cause, or by throwing the ring into the volcano. After playing it for a few years, MTG and its clones seemed like a step down, and a waste of money. So I never actually got into the Warcraft card game. My evil arch-nemesis brother however bought, traded and eBay-sniped enough cards to build not one, but several competitive decks. So whenever we felt like playing, he would let me pick one of his decks, and then he would proceed to completely obliterate me with one of the remaining ones.

Warcraft CCG

First person view of me totally losing this game.

If you have ever played MTG, the Warcraft game is much like it, but simpler. For example, there are no lands, but instead any card can be played face down as a resource that can be tapped just like a land. Some cards are special resources called “quests” which are played face up, and can be fulfilled (usually by tapping things) to give you a reward (usually extra card draws) and become regular resources afterwards. Personally I think the Magic resource mechanic is more intuitive, but the Warcraft one ends up being simpler once you get used to it.

The only other departure from the MTG model is the fact that instead of playing a nebulous, invisible and anonymous wizard, you instead start by playing a hero card. Heroes have hit points, abilities, and if they are equipped with weapons and armor they can make attacks just like the minions do. This makes for interesting strategies sometimes: for example, if you’re playing a warrior your goal is essentially to use minions as a meat shield until you gather enough resources to equip all your epic armor and weapons and two-hit your opponent while being nigh invulnerable. It’s a fun little game. Where it lacks in depth, it makes up with dynamic, fast paced gameplay.

Why am I talking about the Warcraft CCG here? Because Blizzard’s new video game Hearthstone is exactly that game (it even uses a lot of the same art on the cards), but even simpler and in digital format. I guess you can call it a CCCG. That’s a thing right? I mean, I know that there exists a digital version of MTG so I’m assuming they are simply following an existing business model and are attempting to steam-roll over it gliding on the massive (but very slowly waning) popularity of WoW.

Pretty much everything that made the Warcraft CCG unique and different from MTG is gone in Hearthstone. The quests and resources are replaced by “mana crystals”. You get one extra crystal each turn, up until you have ten, ensuring a rather linear progression. At the beginning you can only play weak, basic cards, and must wait until later to play the big and scary ones. The character cards are also gone, replaced with the basic WoW classes. Each one has 30 hit points and one ability which costs 2 mana to play. Depending on class it could be a direct damage spell, a heal or a summon spell for a basic minion. Armor is gone, replaced with spells that give you temporary armor that basically pads your hit points. Weapons typically do not cost resources to swing, but instead have set durability which decreases with each attack until they break. All decks must have exactly 30 cards, which makes the system somewhat rigid and inflexible. Other than that it plays exactly like the real life CCG. Or, if you will, exactly like Magic, if Magic had weapons and was on the computer (which I guess it is, but bear with me here).

Sometimes you lose

Sometimes you lose very, very badly…

Hearthstone is free to play, but you will probably end up spending like $80 on card packs in the first few weeks because it is just too tempting not to. It feels exactly like a real world CCG. The game starts you off with a nice set of basic common cards, and you can unlock about a dozen uncommons and rares by playing the set of tutorial games against the computer. Then it slowly feeds you more cards as you start playing against real people online, each time you level up. But the higher you go, the less frequent the new card drops become, and eventually they dry up. You also get small but consistent amounts of gold for each win which you can use to buy new card packs, but it is a slow grind… So the store conveniently accepts real world currency.

Blizzard doesn’t really pressure you into making purchases, because they don’t have to. They leave it to other players. When all your friends are crushing your starter deck with their legendary card sets, spending $2 to get 12 cards, 2 of which are guaranteed to be rares, with a small chance you will also get one or more legendaries, starts to seem like a bargain. It’s a bit insidious because you do need at least a few decent cards to be competitive. You don’t necessarily need the epic and legendary level ones (though they are nice) but you do need more than just the basic set to actually build a deck with good synergy.

Sometimes you win

Sometimes you dominate. I think I might have made this guy cry IRL.

There exists a crafting mechanic which lets you destroy cards you don’t like/need and turn them into “magic dust” you can then use to create new cards. Unfortunately this is economical only for the basic common cards you want to obtain for specific effects or abilities. Crafting rare and epic cards is not entirely practical as they require way too much dust.

The game has a ranking system which will ensure you are queued with the people whose decks suck about as much as yours, so deck envy is mostly an issue when playing against real life friends. Though if you always play ranked, then you will eventually hit a rank where skill alone won’t be enough to overpower much stronger decks. There also exists Arena mode in which each player gets a randomized set of cards from which you build your deck, leveling the playing field a bit. Unfortunately Arena costs either gold or real money to play, but it also offers prizes to winners. On a single Arena ticket you can keep playing until you lose a total of 3 times. The more wins you score, the better prize you get: basic prizes include gold and free card packs, but with enough wins you might also get epic or legendary cards.

Deck building tool

Deck building tool

Like any collectible card game, Hearthstone has been engineered from the ground up to separate you from your hard earned cash. It’s actually quite insidious how tempting it is to just keep throwing cash at this game, and how easy it is to justify it afterwards (“I might have spent more than I intended to, but I got Onyxia legendary and two golds so it was probably worth it”). I hate this aspect of the game, but at the same time I can’t stop playing it, because it is actually a surprisingly decent CCG. Unlike a lot of free to play games, Hearthstone is a lot of fun.

The rules are incredibly simple, the game play is intuitive (you just drag and drop cards) and the pace of the game is very fast and engaging. The actual game UI is great (I especially love the fact you can fuck around with the game board and destroy the scenery while waiting for the opponent to make a move) and pulling off mad combos is extremely satisfying. While it is tied into the Warcraft franchise I think it stands on its own pretty well. You don’t have to know anything about the Warcraft lore to play it, but if you are a current or former WoW player it just adds to the experience.

I usually recommend enjoyable games to my readers, but I’m not sure if I can do that with a clear conscience for this game. The truth is that it is addictive, and in the first two weeks you are going to spend as much money on it as you would on a brand new AAA FPS, if not more. So, don’t play it. But if you do, my battle tag is reset#1266 so feel free to add me.

Posted in video games | Tagged | 2 Comments

Captain America: The Winter Soldier

Marvel seems to have figured out the superhero movie formula. Ever since The Hulk (which was a bit of a stinker) every single-hero movie has been a gradual improvement over the previous one. I think part of the success is the established shared continuity which allows new films to build on the mistakes or successes of previous entries. Whenever something doesn’t work or doesn’t sit well with the audiences, it gets aggressively retconned and “corrected” in the next installment, while things that do work get referenced back, making the Marvel Cinematic Universe feel large, complex and interconnected. It is a magical universe of infinite possibilities that allows them to blatantly defy the conventional Hollywood rules and expectations.

Most blockbuster movie franchises never get past the second sequel. Even the much beloved, and once ground-breaking, Nolanverse Batman re-imagining keeled over in the third installment. Marvel Studios have nine movies and a TV series already in the bag which are either direct sequels to each other or very closely connected, sharing the same characters and themes. They have four more movies currently in production and another dozen in early planning, or drafting stages. The only movie franchises that even come close to this kind of output are the “cult classics” such as Nightmare on Elm Street (9 movies) or Friday the 13th (12 movies) which have roughly been releasing one sequel or re-imagining for each new generation of horror fans coming of age for the last 30 years. Marvel built their movie library in less than a decade, and unlike the above-mentioned horror series (each of which had a number of atrocious flops and low budget cash-grabs), pretty much every installment was an absolute box office slam dunk, and an instant favorite both among the fans and movie critics. This is unprecedented. The techniques Marvel is using right now to make sweet, sweet love to our wallets every summer will be studied and taught in film schools of tomorrow.

The Winter Soldier Poster

Captain America: The Winter Soldier movie poster.

Captain America: The Winter Soldier is yet another example of how Marvel Studios seems to be incapable of screwing up. Against all odds and all expectations they continuously find fresh and new things to do with their flagship heroes. Iron Man 3 was pretty much what you might have expected from an Iron Man movie. Thor: The Dark World was an interesting thematic escalation that showed logical progression and character development both for the main hero and Marvel Cinematic Universe’s most beloved villain. The latest Captain movie is a little bit of a re-invention, mostly because it has to be. The First Avenger was cheerful rah, rah, go America patriotism and Nazi punching, which was exactly what it needed to be to make the origin story work. But now that Steve Rogers is in the twenty first century and there are no more Nazis to punch, what do you do with him?

Marvel decided to put him in a Bourne Identity style spy thriller and, surprisingly, it works very well. Steve Rogers not only has to deal with the culture shock of living in the future, but also with being a soldier in a world which does not have designated bad guys anymore. Instead of fighting Nazis he now works for SHIELD where no one seems to be capable of ever telling the truth, everyone has an agenda or a secret mission and nothing is what it seems. He has to sink or swim in the sea of lies, subterfuge and secret plots. Does this work change him? Does it make him jaded? Nope.

Even while in the midst of an escalating internal SHIELD spy intrigue, Rogers sticks to his boy scout morals, and remains a beacon of idealism and honesty. You would think that someone like that would be eaten alive by the seasoned spies and career liars, but the exact opposite actually happens. Captain is far from being naive, and his unshakable moral compass works like spy kryptonite. Against all odds, this approach works, and it works amazingly well. It is really refreshing to have a likeable, relatable and morally unambiguous hero not only exist but also persevere in the jaded and cynical environment of a modern spy thriller.

The movie is darker and grittier than any other Avengers offering so far. It grapples with actual topical real world issues such as the morality of preemptive strikes against “potential future threats”, the implications of allowing powerful top secret intelligence organizations to operate without oversight, the dangers of drone warfare and drone policing escalation, etc. But despite the heavier subject matter it never feels ponderous and gloomy like that awful recent Superman film. Captain doesn’t brood or skulk – he punches evil in the face, and this is why we love him. This is why he is the hero we need, and the hero we deserve.

Personally I am sick and tired of seeing the brooding anti-hero archetype being shoved into every super hero property out there. It was cool back when Nolan’s Batman did it the first time around, but the gritty, overwhelming realism quickly overstayed its welcome and became insufferable by the third movie. Captain America is a breath of fresh air: he is neither Bond nor Bourne nor Batman. He is a man out of time, and a character seemingly taken from a completely different movie. He doesn’t play spy games: he smashes through the conspiracies. He is the antibody that aggressively attacks and destroys the disease that plagued both SHIELD and Hollywood super hero adaptations in general.

Granted, making your characters nuanced is generally good writing advice. Steve Rogers can at times be a bit one dimensional, or even somewhat dull. There are some, like New York Magazine’s Abraham Riesman, who think Captain should be more of a jerk to make him more interesting:

Cap remains a fundamentally dull character on screen and in the comics: He only grips us because of his place in a larger story, not because his character is inherently fascinating.

It doesn’t have to be that way. Captain America has the potential to be much more interesting — but only if he’s a jerk.

While on the surface this might seem like common sense advice, I don’t think I agree with it. In fact, I think Riesman’s ideas to improve Captain by making him a sexist, racist homophobe (because, hey, that’s a thing they did in that Mad Men and Rogers is sort of from that kind of shitty time period) are so awful I won’t even dignify them with a proper rebuttal. I’m fairly sure it is self explanatory why we shouldn’t turn a hero who wears stars and stripes as part of his costume into a hateful bigot. But let’s read between the lines and pretend Riesman did not just write an essay begging Hollywood to be more bigoted and exclusionary (as if it needed any excuse). Let’s pretend his advice was just about adding conflict and nuance to one dimensional superheroes. I still don’t think it works.

Internally conflicted, nuanced protagonists don’t seem to work really well with comic book hero narratives. Batman is a notable exception, but for him the internal turmoil is a big part of the source material. Other heroes do not typically have this sort of baggage, and tacking it on actually diminishes them as characters. It backfired horribly in Man of Steel and it continues to suck the fun out of each and every single Spider-Man reboot Sony feels compelled to churn out on an annual basis to keep their licenses from lapsing. I think as audiences we have had our share of overpowering, depressing, gritty realism, and we are done with it. We want our superheroes to be larger than life, and fight crazy space monsters rather than struggle with existential dread. The Avengers was the most successful and most beloved super-hero feature yet, and it didn’t even have an ounce of grimdark and despair. It did not need it. It wasn’t appropriate.

But if you want to make a film that is darker and more serious in tone and topic matter, do it the way The Winter Soldier did: juxtapose it against the larger than life superhero. Pepper your gritty settings with occasional idealists, optimists and selfless heroes. While such characters may seem dull on paper, they really stand out in the finished product. In a setting where everyone is jaded, morally compromised and dead inside someone like Steve Rogers becomes interesting precisely because he is more normal, adjusted and easier to relate to. Or, you know, don’t do any of these things and let Marvel continue dominating the box office until super heroes go out of style.

What did you think of the movie? Let me know in the comments.

Posted in movies | Tagged | 8 Comments