Skip to content

Security Via Surrender

June 16, 2015

A new approach to protecting data and identity

Cropped from src1, src2

David Sanger and Julie Davis are reporters for the paper of record—the New York Times. Their recent article starts:

WASHINGTON—The Obama administration on Thursday announced what appeared to be one of the largest breaches of federal employees’ data, involving at least four million current and former government workers in an intrusion that officials said apparently originated in China.

The compromised data was held by the Office of Personnel Management, which handles government security clearances and federal employee records. The breach was first detected in April, the office said, but it appears to have begun at least late last year.

The target appeared to be Social Security numbers and other “personal identifying information,” but it was unclear whether the attack was related to commercial gain or espionage. …

Today Ken and I want to suggest a new approach to data breaches like this.

Before we explain the method let’s just say that it looks pretty grim for protecting data. If the White House cannot protect the emails of the President, and if the Office of Personnel Management cannot protect federal employees Social Security numbers, then perhaps it is time to give up.

We know huge sums are being spent on solving the security problem; many groups, centers, agencies, and researchers are working on it; countless conferences have their focus on this problem. But attacks occur, and we still lose information.

Perhaps it is a fundamental law of complex software systems that they will never be secure—that bad actors will always be able to break in and steal data. Perhaps this problem is unsolvable: not just hard, or expensive, or difficult. Perhaps it is as impossible to solve as trisecting an angle with only a ruler and a compass, or as impossible as the Halting Problem. Perhaps.

If this is the case, then we have a suggested approach to security that stops trying to solve the stealing-data problem. The approach is quite different and we will now explain it.


Jigoro Kano, the founder of the martial arts discipline Judo, once wrote:

In short, resisting a more powerful opponent will result in your defeat, whilst adjusting to and evading your opponent’s attack will cause him to lose his balance, his power will be reduced, and you will defeat him. This can apply whatever the relative values of power, thus making it possible for weaker opponents to beat significantly stronger ones.

Judo allows a “weaker” opponent to beat a “stronger” one. The idea is based on not resisting directly, but rather resisting indirectly. We believe that this principle can be used in security.


Our application of Judo is based on looking deeper at just what it means to steal some information such as your SSN. A SSN is only useful because there are transactions that are based on using it. The same goes for almost all the information that is being stolen. The information is only valuable because it can be used in some transaction that we wish to stop.

Thus the surrender idea is to assume that the data is going to be compromised. Perhaps we will make it even public? But we will start to protect the transactions in a way that does not rely on the false assumption that certain data is secret.

Our suggestions are far from new—indeed, they are being used all the time, and importantly, their safety and success have held up. Our point is to build a framework whose philosophy is not to do more than this, and to change expectations for the end-user experience. Here are some common examples:

  1. You forget your password—and even your username too—at a website but are easily able to click to have an account-reset sent to your registered e-mail address.

  2. Your credit card provider calls or texts you to verify a large or unusual transaction.

  3. Your bank or a government agency asks you a challenge question you provided last year.

  4. Your bank has you register all machines/IPs from which you access their website, asking you challenge questions for any new or not-recently-used one.

  5. Your access patterns are recorded and pattern-matched for self-similarity.

  6. Your health insurer, operating under the Affordable Care Act, must be able to demonstrate that its policies did not depend on knowledge of a pre-existing condition that was disclosed.

What we sacrifice under the Judo philosophy is the “Swiss Bank” expectation that one golden key unlocks access with no questions asked.

Lessons From Tax Refund Hijacking

Electronic filing of tax returns ought to be the most secure online transaction that most people partake in. Unlike electronic purchases, this happens just once a year, the partner is the U.S. Government, and the safeguards can embrace the whole of your identity with the government. Yet for each of the past few years there have been over a million cases of thieves filing false returns with stolen genuine personal information before the real person files, in order to hijack the refund.

Safeguarding details of your return is of course desirable, but it is off the point of safeguarding the refund transaction. Hence we say one shouldn’t rely on the same solution for both problems. Instead our attitude on the latter is that we should be prepared to just give up on the former—even if we have to be like Hillary Clinton or Mitt Romney.

What we believe needs to change is not what’s under the hood but rather what’s on our dashboard. We must forgo the passivity of thinking all one has to do is wait for the IRS message of deposit. There must be some validation of the destination that is interactive, such as asking a challenge question that you—the real you—provided last year.

It Had to Be You

The planted challenge question idea is an example of the static kind of knowledge-based authentication (KBA). There is also dynamic KBA, in which the questions are synthesized from information that the provider already has. These can be questions such as, what was the color of the car you bought in 2002? Both kinds of KBA are increasingly used against tax fraud.

Dynamic KBA can be used when there has been no prior interaction. There are further issues about how the provider gathers data for the questions. This Vermont government source notes issues with the use of public records. In keeping with our “surrender” motif, we don’t see how to stop this access—rather, we look to controls on how the access is used in transactions.

The Vermont source moves on to the idea of recording and analyzing patterns of keyboard use, which may be even more fraught. We wonder instead about a good way to blend KBA ideas with what we’ll call “access-based authentication” (ABA). Generalizing from the simple instance of using your e-mail to authenticate, the idea is to set up domains that only you have access to in their entirety.

To be sure, hackers might also gain access to your e-mail account used for validation, such as to roger a message about the destination of a tax refund. It won’t do for you to create a separate e-mail account used only with the IRS—rather we think such things play into hackers’ hands. Instead, your e-mail can safeguard the reality that only you use it. One idea is having a machine on which you are always logged in to your e-mail. This way any other activity shows up as supplementary.

The bad news in all of this is that assuring one’s identity is becoming a battle and there seems to be no simple way to assure victory. Our point is favor approaches that move the battle into areas an individual controls, opposed to ones controlled from outside.

Open Problems

Do identity protection and integrity of data use need a consistent paradigm more than new schemes?

8 Comments leave one →
  1. June 17, 2015 1:58 am

    I think that I am posting this comment.

    Am I sure?

  2. MattF permalink
    June 17, 2015 6:45 am

    A case in point of dynamic KBA: I applied, a couple of years ago, for a copy of my birth certificate from the NYC records department. I expected a gruesome struggle that might require a trip to NYC for a personal appearance, but it turned out to quite simple and all online. The city had apparently outsourced the critical part application process to a company that specializes in confirming online identity. They asked a couple of questions, based on public records– e.g., who I bought my condo from ten years ago– and it was all quite painless. I later heard from someone who works in the NYC Health Department bureaucracy that instituting the online application process only came after a huge battle.

  3. June 17, 2015 4:00 pm

    the US data breach you cite is absolutely staggering in its size (possibly one of the largest ever with possibly significant national security implications) and shows how far a difference there is between “apparent security” and “real security”. that stolen data is one of the crown jewels of US military industrial complex. there does seem to be much more security inside military industrial agencies.

    but you assert or float a “trial balloon” that maybe the problem is just too hard to solve. there is some case to be made there but the civilian US is also very IT incompetent at times. hearings are revealing that the computer systems in question were very antiquated even by US govt stds which is to say, far beyond/ below general industry standards (the US govt lags behind significantly). it also sheds some light on how massively overclassified a lot of US data is, and how many high security US govt employees there are (again staggering, it numbers in the millions). think there are significant technological solutions and industry best practices that the US govt was far behind in applying. and this shows how in some ways the civilian govt is starved of funds for basic level security with serious implications compared to the bloated military. and that its not even that easy to separate the two in the obvious way: the civilian agency was handling sensitive military related data (security clearances).

  4. June 20, 2015 11:18 am

    “A SSN is only useful because there are transactions that are based on using it. The same goes for almost all the information that is being stolen. The information is only valuable because it can be used in some transaction that we wish to stop.”

    I’d call this a false assumption. A major concern over the U.S. government breach is using all the private information from security checks for blackmail purposes. Asking for even greater stores of information for KBA purposes only exacerbates the problem.

    My instinct would be to flip this around and consider not storing a mountain of personal information that you don’t want stolen in the first place.

  5. June 26, 2015 10:04 am

    Very interesting post. After reading this post I started thinking of how hard security is and I ended up writing the following post. I talk about system security approaching it as a computational problem.


  1. cybersec 2015 summer horror stories | Turing Machine
  2. Code – July 2015 | iReidCode

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s