By Alex Salkever Jell-O and Magic Markers seem innocuous enough. Who would have thought they would become weapons in the ongoing battle over circumventing computer security and protecting digital copyrights?
Some music fans have discovered that they can evade Sony's CD copyright-protection system by blackening the edge of the disk with a felt-tipped pen. In Japan, a Yokohama National University professor Tsutomo Matsumoto made gelatin molds bearing fingerprints that were able to fool several high-tech fingerprint scanners about 80% of the time. First reported by cryptographer Bruce Schneier in his bimonthly Cryptogram newsletter, the whole process takes 10 minutes or so, from pressing the finger into soft plastic to pouring in warm gelatin for the mold.
Ah, the simplicity of innovation. These examples underscore two technology rules that anyone with half a brain understands. Rule No. 1: Usually, where there's a will, there's a way. Rule No. 2: Most technology has dual uses -- for good or evil. Nuclear fission can be used either to light or to level cities. Orbiting satellites can be used to track the weather or spy on unsuspecting citizens. Cryptographic software can be used by hospitals to guard patient data or by organized crime to scramble the contents of hard drives and elude law-enforcement authorities.
BRAIN TRUST. Any kid knows that Magic Markers are great for art projects. Now it turns out they're also wonderful for confusing copyright-protection schemes that rely on garbled data along the edge of a CD. Likewise, harmless Jell-O could be a tool for breaking into secret corporate databases or military installations.
These new disclosures reveal another big lesson. The best security relies on restrictions that only the user knows. By that, I mean passwords or some other information we hold inside our brains and not anyplace else. That's why banks and credit-card companies like to have your mother's maiden name for security access -- how many people know that? Authentication should involve something you have and something you know. They call this two-part authentication.
Sony's process wasn't two-part. In an effort to prevent music buyers from ripping music into MP3 format to store on their hard drives, burn onto CDs, or trade on the Internet, Sony's copyright-protection system puts a bunch of unreadable data on the outer rings of the CD. This confuses computer CD drives, which look to that portion of the disk for initial instructions. Standard CD players don't read that part of a disk.
PRINT SNATCHERS. Fingerprint authentication devices are also often thought to be sufficient in themselves. They try to match a mathematical template of a fingerprint stored in a computer's memory to a real fingerprint offered by a live person. Matsumoto, however, created a simple process and posted his results online -- with explicit instructions and photo-illustrations, no less.
More frightening still was a second process he illustrated that uses plastic laminates and imprintable copper circuit boards to lift latent prints from a clear surface and create a similar fingerprint mold using gelatin. This method is slightly more complicated but likewise uses store-bought materials and basic knowhow -- and could allow anyone to lift prints off a glass, window, or other surface, and use them to gain access to a system as someone else.
A simple solution to both of these breaches is the trusty old password. For example, Sony could create a password system combined with a software mechanism that could even allow a user to make a single copy for their hard drive but not to distribute that copy. That's already common with software, which often requires buyers to input a serial number printed on the box.
SIGNIFICANT IMPROVEMENT. Likewise, fingerprint-scanner makers should explain to buyers that their device is most effective as part of a broader security strategy. The scanners should be used in tandem with passwords, not as a primary line of defense by themselves.
Will that make for airtight security? No, but nothing is perfectly secure. In most cases, though, the mere inclusion of a second sentry significantly lessens chances that information will be misused by outside parties. Two-part authentication is a sound security principle that smart companies will follow. Salkever covers computer security issues weekly in his Security Net column, only on BusinessWeek Online