Found an interesting item over the weekend, and while I couldn’t come up with one explainer comic about it, I did think of three or four jokes on the subject. So in an experiment I call, “Can maki draw a comic every day?” I’ll be spreading out this topic over the course of the week. There will be a break on Wednesday for Nadir’s comic and maybe Thursday, too, if I only end up with 3 jokes about cryptography. Shall we, then?
Seems a team of neuroscientists and computer scientists has devised a password authentication method that is immune to coercion***. That last sentence was the title of their report translated from scientific jargon into English: Neuroscience Meets Cryptography: Designing Crypto Primitives Secure Against Rubber Hose Attacks. Authored by Hristo Bojinov, Daniel Sanchez, Paul Reber, et al., the piece lays out a clever method of teaching somebody a 30-character password without them consciously knowing it.
Some background: Any computer security consultant will tell you that the weakest link in any system is us. Movies show us complex security networks being hacked by scruffy dudes with fancy tools and computers with readouts from 1982 and no mouse. In reality, systems are compromised by that guy who leaves the password on a post-it note on his desk or that soldier who found a thumb drive¹ (our modern-day poisoned-can-of-soda-in-the-vending-machine) and plugged it into his laptop without considering that it might have been full of worms. Hacking a password is as much about psychology as it is about computer science, and the average human is pretty lazy when it comes to security precautions.
Now, what Bojinov and his team have reportedly done is make every cyberpunk Gibson fan’s dream come true: They’ve buried a password in implicit memory. The quieter cousin to declarative memory, implicit memory is where all the things that you know but don’t think about knowing reside—like tying your shoes or riding a bike. Also called procedural memory (of which muscle memory is a subset), it’s a weird corner of your brain that is separate from the rest of your memories. For example, people with amnesia who practice a task get better at it despite not remembering the task at all². Similarly, all skeptics should be familiar with the illusion-of-truth effect, where people with long-held knowledge that is proven false will later continue to remember that knowledge as being true.
Drawing from this, Bojinov’s team was able to teach subjects a password hidden in a task. While they couldn’t tell you what the password was, when confronted with an authentication system similar to the teaching method, they could reliably pass authentication. What this implicit password guarantees is that the subject can never tell it to anybody, nor can they leave it posted to their monitor for anybody to see. It’s locked away in their head without any way to access it aside from repeating the task from which it was learned.
How did they do it? I’ll get into that tomorrow. Of course, if you like spoilers, you can always read their report linked above. Cheerio.
This post was brought to you by Krypton (Kr).
***I know what you’re about to type in the comments. Stop it. I already have a comic in the queue about this.
¹ Really, kids. Don’t pick up random thumb drives.
² Tangent: In what is probably one of my favorite experiments, subjects with retrograde amnesia (think Memento) were shown to dream about Tetris without remembering what it was.