Author Topic: Screen Shot  (Read 7004 times)


Offline earthbound

  • Full Member
  • Posts: 120
  • earthbound.io
Re: Screen Shot
« Reply #45 on: December 26, 2013, 09:03:34 pm »

:o

I'm frankly surprised and a little disappointed to see a screen capture where the profile registration requires that level of real-world information: full name, birthday, and SSN#/Passport#/Driver's License#??

I hope that the only way in which that information is used is as a basis to generate the public/private key pair tied to an identity? And if that is the case, why should the keys necessarily be generated from information which is itself mediated by any nationality? Furthermore, why is the required information given with a bias to the nationality of the United States?

Keyhotee will, I hope and believe, be part of a global information/currency freedom (and security) revolution. I therefore strongly suggest that the information used to create any identity be abstract enough to thoroughly disintermediate the generation of an ID from anything necessarily having to do with any one nationality.

I suggest changing the ID creation mnemonics to three "security questions," and providing a very long list of rather obscure questions which only someone who is not any kind of, uh . . . Superior Sibling . . . :) would know. I also suggest that the name and birthday fields be optional, and that they be labeled "full name OR alias" and "obscure identifying number" (with a suggestion that SSNs, etc. are not obscure enough.)

It should also offer a link to very specific suggested steps for absolutely securing the information provided to generate the ID (e.g. three different digital and three different paper backups, all secured at different physical locations where you can trust them to be absolutely safe), and it should very pointedly demand that this be the case before it will allow the ID to be created. For the paper backups, that should be printouts of the information tied to the id, sent in nondescript envelopes, to three different people or locations (in sufficiently diverse areas of the planet) whom you trust with your life.

(Hint: an internet search for "excellent security questions" offers some really good leads)

I'm also a bit alarmed by the push here in some comments to tie a service which is disintermediated by design into integration with other, mediated services, for "security??"

A good spy can tell you that if any important information of yours is controlled by a third party (in particular companies or organizations), it is not a matter of whether any adversary can cheat or extort to acquire that information, but how motivated and resourceful they are.

If any third party has access to any useful information about you, you should consider that information--and all information which is routed through that party--potentially public, period.

So, at the very least, if this aspect of the design of ID creation goes unchanged, I personally would recommend that anyone creating an ID provide harmlessly false instead of true information, if you want your Keyhotee ID absolutely secured.
I think I'm not alone when I say I'd like to see more and more planets fall under the ruthless dominion of our solar system. -Jack Handey

Offline bytemaster

Re: Screen Shot
« Reply #46 on: December 26, 2013, 09:52:25 pm »
All information is optional and was chosen merely because it is easy to remember for most users.

It is used as a salt that makes attackers pick an individual.
For the latest updates checkout my blog: http://bytemaster.bitshares.org
Anything said on these forums does not constitute an intent to create a legal obligation or contract between myself and anyone else. These are merely my opinions and I reserve the right to change them at any time.

Offline earthbound
Re: Screen Shot
« Reply #47 on: December 27, 2013, 03:25:37 am »
I see.

I didn't understand your second sentence there.  ???

Offline bytemaster

Re: Screen Shot
« Reply #48 on: December 27, 2013, 03:43:04 am »
> I see.
>
> I didn't understand your second sentence there.  ???

It is one thing to guess all common pass phrases, but if you have to pair that with a name and SSN then your search gets much harder.  The attacker would have to choose to attack your brain wallet rather than 'any brain wallet using supercalifragilisticexpialidocious as a password'.

We also stretch the brain wallet with about 5 seconds of memory intensive computational time upon creation of your profile.

Offline super3

  • Sr. Member
  • Posts: 260
Re: Screen Shot
« Reply #49 on: December 27, 2013, 05:13:42 am »
We will have to polish that up later, but this is great progress! BitMessage is going to have a very bad day when this is released.

Offline VEscudero

  • Newbie
  • Posts: 9
  • Trustworthy Bitcoin Trader (https://bit.ly/BTrade)
  • VEscudero's Blog
Re: Screen Shot
« Reply #50 on: December 27, 2013, 11:36:56 am »
> We also stretch the brain wallet with about 5 seconds of memory intensive computational time upon creation of your profile.

Definitely it's good news to know that you are applying some countermeasures against brute force attacks. However in SQRL, as the master key should be rarely used, even importing an encrypted key with the right passphrase is delayed for 1 minute instead of 'just' 5 seconds.

Could it be possible to let users set up their own preferences to truly secure their master keys?

In my opinion, a delay like 5 seconds could be the default; nevertheless, if the user chooses an advanced or expert view, she should be able to adjust Keyhotee preferences to match her security needs from the very beginning.
« Last Edit: December 27, 2013, 11:42:51 am by vescudero »
★ VEscudero's service for Buying and Selling bitcoins ★
Bitcoins: 1VESCU4YLvNYhmTsJRgFKKn3bLFeeWtJm | PTS: PsxSZXwYw5vh2Nzi6aQvpEumdk8KoZrorz | VEscudero's Blog
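The two mechanisms bytemaster describes in Reply #48 (a salt built from identity fields so an attacker must target one person's brain wallet rather than every wallet using a common passphrase, plus several seconds of memory-hard stretching) and the user-tunable cost VEscudero asks for in Reply #50 can be sketched together. The following is an added illustration written for this thread, not Keyhotee's code: the choice of scrypt as the memory-hard function, the field normalization, the output length and the sample identity values are all assumptions, and the thread does not say which KDF or parameters Keyhotee actually uses.

```python
"""Salted, memory-hard brain-wallet derivation with a tunable cost (added illustration)."""
import hashlib
import hmac
import time
import unicodedata


def _normalize(field: str) -> str:
    # Assumed normalization: collapse whitespace and case so a user who retypes
    # "Jane  Doe" or "jane doe" reproduces the same salt. Keyhotee's real rules
    # are not described in the thread.
    return " ".join(unicodedata.normalize("NFKC", field).split()).lower()


def identity_salt(*fields: str) -> bytes:
    """Hash identity fields (name, ID number, ...) into a fixed-size salt.

    The salt is not secret; its job is to make a precomputed dictionary of
    common passphrases useless unless it was built for this exact person.
    """
    material = "\x1f".join(_normalize(f) for f in fields).encode("utf-8")
    return hashlib.sha256(material).digest()


def derive_key(passphrase: str, salt: bytes, log2_n: int = 14,
               r: int = 8, p: int = 1) -> bytes:
    """Stretch the passphrase under the identity salt with scrypt.

    log2_n is the memory/time cost knob: each +1 doubles both the RAM
    (about 128 * r * N bytes) and the time an attacker must spend per guess.
    """
    n = 1 << log2_n
    # OpenSSL needs roughly 128*r*(N + p + 2) bytes; allow that plus slack.
    maxmem = 128 * r * (n + p + 2) + 4096
    return hashlib.scrypt(passphrase.encode("utf-8"), salt=salt,
                          n=n, r=r, p=p, maxmem=maxmem, dklen=32)


def calibrate_log2_n(target_seconds: float, r: int = 8, p: int = 1,
                     max_log2_n: int = 20) -> int:
    """Pick the largest log2_n whose derivation stays within target_seconds here.

    This is how a "5 seconds by default, more if the user asks" policy would be
    turned into a concrete parameter on the user's own machine.
    """
    chosen = 10
    for log2_n in range(10, max_log2_n + 1):
        start = time.perf_counter()
        derive_key("calibration", b"\x00" * 32, log2_n, r, p)
        if time.perf_counter() - start > target_seconds:
            break
        chosen = log2_n
    return chosen


def keys_match(a: bytes, b: bytes) -> bool:
    """Constant-time comparison, so verification does not leak via timing."""
    return hmac.compare_digest(a, b)


if __name__ == "__main__":
    # Constructed sample identity values; not real people or numbers.
    salt = identity_salt("Jane Q. Example", "000-00-0000")
    k1 = derive_key("correct horse battery staple", salt)
    k2 = derive_key("correct horse battery staple",
                    identity_salt("John R. Example", "000-00-0001"))
    print("same passphrase, different identity ->",
          "same key" if keys_match(k1, k2) else "different keys")
    print("log2_n giving about 1 s on this machine:", calibrate_log2_n(1.0))
```

The point the example makes concrete: the same weak passphrase yields unrelated keys for two different identities, so a dictionary attack has to be re-run per victim, and raising `log2_n` is what turns "about 5 seconds" into a longer delay for users who want one.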

Offline sharpayq

  • Newbie
  • Posts: 2
Re: Screen Shot
« Reply #51 on: December 30, 2013, 11:05:23 am »
:)

Offline arcke

  • Full Member
  • Posts: 115
  • Diaspora
Re: Screen Shot
« Reply #52 on: December 30, 2013, 04:23:06 pm »
About the year of birth input field. Personally I prefer to see the full year when I am entering this information, so instead of 65, I could choose 1965. Does anyone disagree? It would just have "smoothened" my first Keyhotee GUI impression, so I am bringing it up.
OpenPGP: 0x22d7e9cc35375665
PTS - PawnbhoiXhmkrKJEPAsCiwkpP81nRXJGTD
Diaspora profile - https://pod.orkz.net/u/arcke

Offline rysgc

  • Sr. Member
  • Posts: 289
  • DACZine.com
Re: Screen Shot
« Reply #53 on: December 30, 2013, 05:12:18 pm »
> About the year of birth input field. Personally I prefer to see the full year when I am entering this information, so instead of 65, I could choose 1965. Does anyone disagree? It would just have "smoothened" my first Keyhotee GUI impression, so I am bringing it up.

Yeah, that's more intuitive.
DACZine.com - Receive all the latest DAC and BitShares community news straight to your inbox. Signup here or Submit news

Offline kmtan

  • Full Member
  • Posts: 55
Re: Screen Shot
« Reply #54 on: December 31, 2013, 05:01:30 am »
Not bad design for the UI.