Two-Factor Auth Turns Evil (and new age, lifehacking/lights, time transforms, Omidyar, helicopters)

Let me first clarify something about this new age business: of the stuff I’ve seen (more than some of you, much less than others), my judgment has been that about 95% is not relevant to my postings here.

In that category are:

– All the nice things that make you feel better, but whose effects are so weak they don’t apply to security

– The many forms of enhanced-placebo-effect and suggestion-under-another-name, which can offer the occasional lesson but whose limits are better characterized by a scientific view

– The outright propaganda crafted with great subtlety to serve one interest or another (cf. Crowley’s high enthusiasm at joining British intelligence — and come to think of it, the man behind the Hamilton-Byrne cult was a veteran of the London Society for Psychical Research. Ah, the Brits… got their fingers in everything, as usual.)

The remaining 5% (and I am probably being overgenerous) is mostly the stuff that has an objective effect. Anything else isn’t security, it’s lifehacking.

Under this category find lots of tech… everything from the wonderful world of brainwave entrainment through sound and “trip goggles”, to the work of Persinger & Koren to Ludwig to Flanagan’s Neurophone — though I haven’t been able to get it to do much, sadly* — to the grandmaster of ’em all, Tesla. (Who did spades of work in this field, almost all of it unknown to the popular consciousness.)

* (In tests, crunchy organic raw carrots have so far won out in brain-boosting power. Hello, supermarket! I may need faster slew-rate op-amps in the first few stages, but I’ve put so much time into this friggin’ thing, I admit a certain degree of frustration.)

Nevertheless there IS, in both the technical and nontechnical parts of this 5%, evidence that certain aspects of the field are highly relevant to security. And not just because the main figures who appear to be going up against the biggest opponents there are, seem to be steeped in the stuff.

But more on that some other time. For the moment —


“More security”…? Bull-shit!

Phone numbers have become the new “beast ID,” to use apocalyptic libertarian parlance.

They do this job wonderfully. Phone numbers are a number nobody really minds giving out, but which most people only have one of. The ideal thing for tracking you everywhere you go… and conveniently tying all those data points “they” have on you together in all “their” Hadoop clusters and MOAR-DATA-GOTTA-HAVE-MORE-DATA-centers.

Only one flaw. Phone numbers are not quite as one-per-person-and-everyone-has-one as, say, the US Social Security Number. But not to worry, big business has an app for that!

Now phone numbers are getting the equivalent of credit scores… so they can weed out anyone who wants to preserve a shred of privacy by using a burner and “reward” anyone who gives their Main Real Personal Number. That’s right… burners mean you’re banned!

(Presumably the more generous you are with your number, the more “real” it looks and the bigger your red carpet. Nice girl, Bessie, that’s the way. Just over here, up this nice ramp.)

Of course, the company is going to be doing all the usual metadata analysis. So now we have a private-sector wannabe-NSA, directly getting data from webmail providers, your bank, your — whoever else uses Two-Factor Auth.

The worst part? TFA isn’t even all that secure. We’ve seen plenty of attacks against the stuff. Everyone from Aussie crooks cloning mobiles by hacking the bureaucracy, to exotic attacks on GSM itself.

Those who would trade liberty for security, indeed.

Lifehacking advice from a sadistic cult: Anne Hamilton-Byrne kept all the rooms as dark as possible. Maybe there’s a good reason to do the opposite?

(Use halogen bulbs, not fluorescent. Fuck fluorescent. The EU is a nice concept, but I don’t think anyone who wants to replace every light with fluorescents really has humanity’s best interests at heart.)

Moolah time transforms: I previously talked about how banks transform money in time to create it in the present. But ordinary people do this all the time for other things — “fake it till you make it,” for one, and just about the entire field of social engineering.

I also overlooked one thing… the importance of pointing out that money is just a proxy for value. Money is just where value terminates, like a field line on an electric charge.*

Anyone who’s stayed in a four-star hotel or shopped in an upscale mall or been to Argentina will understand that a given amount of economic value can be represented by much more money in some situations, and much less in others.

* One author, Schantz, holds that field lines don’t terminate on a charge, but on an “event horizon” some distance away from the charge. The upshot is that any movement of the charge begins with the field, and twice as much energy as we’d think is actually in play. But I’m getting far far away from the subject at hand.

Interesting perspective on Omidyar: “There’s very few restrictions [on the US press writing about the US government]. It’s not true when we’re talking about private power, especially major Fortune 500 corporations, or people worth more than, say, a billion dollars…

In other words: look out Government, you’re about to be pummeled by a crusading, righteous billionaire! And corporate America? Ah, don’t worry. Your dirty secrets—freshly transferred from the nasty non-profit hands of the Guardian to the aggressively for-profit hands of Pierre Omidyar—are safe with us.”

Unfortunately, the former assertion — that the US press can write anything they want about the US government — is rank bullshit. It may be true, of course, that they can write somewhat more what they want about the government than they can about corporations and the wealthy.

Not related to anything, but ask your favorite aeronautical engineer if their creations can do this:

“Based out of L.A.’s “Silicon Beach,” Telesign helps companies verify that a mobile number belongs to a user (sending those oh-so-familiar “verify that you received this code” texts) and takes care of the mobile part of two-factor authenticating or password changes. Among their over 300 clients are nine of the ten largest websites in the U.S., says Telesign’s CEO Steve Jillings, though he’s shy about naming them (at least on the record). He says that fraudulent and fake accounts are greatly reduced for customers who require a mobile number be attached to an account.

The company has had massive growth over the last three years thanks to online security concerns and breaches. Communication companies such as Google, Facebook and Twitter have famously enabled two-factor authentication. “The tide turned when Google started offering two-factor in 2010. When free email providers started doing two-factor, a lot of people asked why their financial services weren’t doing the same thing,” says Jillings, a tall New Zealander whose accent has faded thanks to years spent in the U.S., including a stint heading an email security company that did spam detection that sold to Microsoft in 2005 for $200 million.

Now Telesign wants to leverage the data — and billions of phone numbers — it sees deals with daily to provide a new service: a PhoneID Score, a reputation-based score for every number in the world that looks at the metadata Telesign has on those numbers to weed out the burner phones from the high-quality ones. Yes, there’s yet another company out there with an inscrutable system making decisions about you that will affect the kinds of services you’re offered.

“Companies simply send a user’s phone number to TeleSign via its REST API to receive a real-time score, risk level and a recommendation,” says the company in a press release. “TeleSign’s clients use this predictive data to prevent scammers and fraudsters from abusing services such as creating fake accounts, and for approving online transactions with greater confidence.”

“We each have a unique mobile identity tied to our phone number that is linked to a wealth of information, from where we live to our online activities. This makes the phone number the most efficient and conclusive method to identify fraud online,” said Telesign’s CTO Charles McColgan in the release. “PhoneID Score introduces a new way for companies to quickly verify transactions, block fake accounts, and prevent eCommerce fraud, based simply on a phone number.”

Telesign sees phone numbers as a replacement for social security numbers — a form of identification that can be instantly verified (thanks to your holding it in the hand), that comes with details about who owns it, what kind of phone it is (land line, mobile, VOIP, etc), how long they’ve had it, where they get their service, and which companies and apps they’re attached to.”
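An added illustration of the two points above (it is not code from this post or from TeleSign): a toy phone-number reputation service whose clients each forward the numbers their users attach, so the scorer both rejects short-tenure or VoIP numbers and, as a side effect, ends up holding a cross-service map of which accounts share a number. The carrier table, the client names and the scoring thresholds are all constructed assumptions.

```python
from collections import defaultdict

# Constructed carrier metadata: number -> (line type, months held). Not real numbers.
CARRIER_DATA = {
    "+15550001111": ("mobile", 84),   # long-held personal mobile
    "+15550002222": ("voip", 1),      # fresh VoIP number: a "burner" to the scorer
    "+15550003333": ("mobile", 4),    # recently activated prepaid mobile
}

class ReputationService:
    """Toy scorer (assumed rules): scores numbers and links accounts across clients."""

    def __init__(self, carrier_data, min_tenure_months=6):
        self.carrier_data = carrier_data
        self.min_tenure_months = min_tenure_months
        # number -> set of (client name, account id) pairs seen in lookups
        self.seen = defaultdict(set)

    def score(self, client, account_id, number):
        """What a client gets back from one lookup: (risk level, recommendation)."""
        # This is the aggregation the post warns about: every client's lookup
        # leaves behind which account at which service uses this number.
        self.seen[number].add((client, account_id))
        line_type, tenure = self.carrier_data.get(number, ("unknown", 0))
        if line_type in ("voip", "unknown") or tenure < self.min_tenure_months:
            return ("high", "block")
        return ("low", "allow")

    def linked_accounts(self, number):
        """Everything the aggregator now knows about one number across all clients."""
        return sorted(self.seen[number])

    def clients_sharing_users(self):
        """Numbers that tie accounts at two or more different clients together."""
        return {n: sorted({c for c, _ in pairs})
                for n, pairs in self.seen.items()
                if len({c for c, _ in pairs}) >= 2}

def demo():
    """Four lookups from four unrelated services; two of them share a number."""
    svc = ReputationService(CARRIER_DATA)
    results = {
        "webmail": svc.score("webmail", "alice@example", "+15550001111"),
        "bank":    svc.score("bank", "acct-4471", "+15550001111"),
        "shop":    svc.score("shop", "user-88", "+15550002222"),
        "forum":   svc.score("forum", "newbie42", "+15550003333"),
    }
    return svc, results

if __name__ == "__main__":
    svc, results = demo()
    print(results)
    print(svc.clients_sharing_users())
```

Running it shows the long-held mobile passes at both the webmail and the bank while the VoIP and prepaid numbers are blocked, and that the scorer alone now knows the webmail account and the bank account belong to the same number.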
