New Software Secures Data when Owners Walk Away

Makarand writes "Leave an operating laptop unattended on your desk and your sensitive data is accessible to anyone who gets hold of it. To limit this risk many users configure their systems to fall into a "sleep" mode after a period of inactivity and ask for a password before the system can be awakened. This constant re-authentication proves to be a headache for many users. Now a Professor and his graduate student at at the University of Michigan have come up with a system called Zero-Interaction Authentication (ZIA), described in this article in The Age, to protect data on mobile devices. The system works by starting to encrypt data the moment the owner walks away from the system. The owners wear a token with a encrypted wireless link with the laptop. If the token moves out of range the ZIA re-encrypts all data within 5 seconds. If the cryptographic token moves within range the system decrypts the information for the owner. The token, which could take many forms, is currently a wristwatch with a processor running Linux designed by IBM."

In Sovjet Russia

[Anonymous Coward]

Software walks away after owner has been secured!

Would that be the J R R Token

[cyber_rigger]

That you wear on your finger? :^)

Vulnerable to brute force cracking

[commodoresloat]

Gimme your watch, punk!

you call THAT secure?

[SHEENmaster]

I have a v8 engine block set to fall on my hard disk if I'm away for more than five minutes (3 minute walk to fridge(coke!) and back)!!!

Your security is nothing compared to that!!!!!

Re:Vulnerable to brute force cracking

[Tolchz]

Actually I believe the term is "rubber hose" cryptanalysis

Re:hmmm...

[pboulang]

... or maybe some secretly hidden sequence of key presses?

Re:Interesting article/research project

[EverDense]

Then you offer praise to whomever you worship that the company you work for didn't use
finger print authentication. Its a lot easier to replace a stolen device than a stolen finger.

Re:Interesting article/research project

[spruce]

So in your scenario, the big bad neighborhood bully beats the nerd to a pulp, and then logs on for some kernel hacking or something?

Token Driving anyone?

[Anonymous Coward]

I can just see it now. Using "TOKEN SNORT" while "TOKEN DRIVING" around the office cubes to pop open your co-workers workstation and send "I'm an idiot messages" To: Staff From: co-worker..

If it's an RF solution probably not very secure. On the other hand an IR emitting badge around the neck of the user could work.

To save my hand...

[wray]

Let me use a ring, then I only lose a finger when someone wants access :~)

Re:Interesting article/research project

[bloo9298]

Are you Eric Raymond?

Re:hmmm...

[AceyMan]

Yeah, great.

Four whiskeys later, and you've locked yourself out of your computer for the next 8 hours.

This would ruin pr0nsurfing as we know it....

Re:It'll be a movie plot element within 3 years.

[LostCluster]

You know, common movie elements won't understand this "token wristwatch that has a Linux-running microprocessor" thing, so let's dumb it down. How about he gets clubbed in order to get a piece of metal that has been engraved in some semi-random form so that when it's placed into its reader, it causes a door to be unlocked.

I know... call it The Key

Or! Use it in the opposite direction...

[KwisatzHaderach]

Like putting a bell on the cat. "Pat your manager on the back" and then you can rest assured surfing freely knowing that the next time he comes within 15 feet of your desk, a browser window will open maximized pointed to http://java.sun.com.

Or tag the girlfriend and always hide the pr0n!

Re:wouldn't it make more sense

[Cruciform]

I'm soooo sorry about the wastebasket, Sir. You see they were serving East Indian cuisine in the caf and I forgot my watch today. And you know those locks on the bathroom doors... once again Sir, my apologies.

Re:you call THAT secure?

[Anonymous Coward]

That's nothin' dewd. I have a grenade with a 5 minute fuse strapped to my box with a fishing line from the key to my belt. I've only lost one box this year - damn telemarketers caught me.

Plus...

[Anonymous Coward]

The could make a master token for the CEO, one ring to rule them all!

Re:wouldn't it make more sense

[FyRE666]

A good IT department will audit this (at least for the users that reside in the office... that goes for plain-view passwords, etc) and penalize users who do not [lock machine when leaving it unattended]

I used to have great fun with people who did this at a previous job where the majority of machines were Sun/Linux. One guy constantly left his machine logged in, so I'd sneak over and drop the security on his X server (xhost +), then have great fun randomly opening apps on his machine across the room. Since he was a hardcore Windows man (he was working as a Perl programmer, and didn't have any interest in the operating system) he had no idea what was going on.

Oh yeah, I also set up a cron job to open Netscape, pointed at the famous goatcx site at lunch every day on his machine for a while...

Re:Interesting article/research project

[PYves]

it's mostly a moral issue, really. with a big knife it's very easy to steal either or both.

Vulnerability already discovered!

[wirelessbuzzers]

It was discovered soon after the press release that the "zero interaction authentication" system was vulnerable to a transmission replay attack [slashdot.org]. This attack may prove fatal to the design; in any case, it should take a few years to get the kinks worked out, so don't expect it on your desktop any time soon.

Re:Breaks an important rule

[Anonymous Coward]

something you have: a memory of a password
something you know: a password
something you are: an animal with a brain that stores passwords

Re:To save my hand...

[XNormal]

So that's why Sauron made a ring of power instead of a bracelet of power!

Re:wouldn't it make more sense

[Sheridan]

but I have had serveral security related dongles and all of them were a pain in the arse.

Dude, you're definitely wearing your dongle in the wrong place!

Re:Use my technique

[Surak]

I keep all mission-critical and government-classified information on portable USB Flash DRAM-based storage devices. They're incredibly portable and can be brought to the gym, in the car, to work, back home, swimming, hiking, biking, etc.

I think you had a typo.

What you meant to say was
"and can be LOST at the gym, in the car, at work, at home, swiming, hiking, biking, etc.

Re:Is it really so hard?

[strick]

The best way I have seen to enforce is through a little social engineering known as baggy pantsing [tuxedo.org]

People usually fall for this trick exactly one-time.

Has anyone seen my pants?

Re:wouldn't it make more sense

[dasmegabyte]

Oh, hahaha! It is so fun to abuse the norms on Windows! Cretins, why don't they embrace our hilarious operating system which allows such cunning exploits as showing porn at lunc time, not to mention intuitive prevention from them! Just open a terminal, change directories to /bin/ and sudo -c chmod 500 me.mygroup xhost lol!