404: The day I got hacked

Satyam Todkar
Jan 18, 2021

I don’t write my passwords anywhere or share them with anyone, I don’t open suspicious emails I receive, I make sure that I only access sites/apps that I feel are secure and legit, and I only log in on devices that I own. Yet one of my social networking accounts got hacked to the point that I was locked out, completely unaware of what was happening with it.

I’m a person who meticulously looks at the application permissions before I install anything, but only because I was ignorant this one time, the impostor/hacker won. Well, after much hassle I gained my access back and understood the real importance of security and privacy. During the time I spent gaining back my access, I felt like I had almost lost my identity and credibility with my friends and family, as they didn’t have the slightest idea that they were not communicating with me.

I know this is not something new, and statistically speaking it happens to over a billion people one way or the other every year, but I never expected it would happen to someone like me. Well, it’s not in our hands to stop those who trick the system, but surely as engineers we can fill the void between effective policing and the way applications are built from the ground up. I feel that security should not be just another aspect of a software system but should act as a fabric around which different components of the system are built. So how do we bridge the gap? The idea is simple, yet I find it would be an effective solution to some classic threats like hacking, phishing, cyberbullying, etc. all the way from the digital era.

The Problem

Image with nodes and connections representing The Internet (Most visited places on Earth)

If you don’t find me working, you will find me on the internet. We all agree that the internet is something that has changed the lives we live and the people we have become today. In a place where it acts as a messenger to represent the unrepresented, educates the uneducated, and strengthens the voices of the unheard, it has created many problems. I’m not asking you to get off the internet and go back to the caves (well, I don’t mind if you want to), but I, along with many others, am questioning the way it is built today. Think of the internet as a giant system; it has places you can go (nodes) and paths (links) you take to reach them. Anyone who connects can visit any place they want to. Well, to me this appears as nothing short of people driving on the road without a license.

. . .
So do you mean anyone who wants to operate the internet should have a license?
. . .

Well, it’s both a yes and a no. I don’t say you need a license to find something on Google, read an article on Wikipedia, or shop on Amazon. But you need it in places where you identify yourself or claim to be someone. Also, when I say license I don’t literally mean it; my idea of the license is that it resides on your phone or any device you use, as some form of digital certificate that an application or part of the application uses to communicate.

. . .
But how can you say that these licenses (certificates) are not fabricated?
. . .

Well, that's an interesting question. That gets us back to the question of identity. So in layman's terms, I think of these certificates as unique per device and across users, tied to something inherent to the user, maybe like a Social Security number, etc.

The Idea

Blockchain in Security

My idea is something based on my all-time favorite sitcom, Silicon Valley. I feel like we can harness the idea of Blockchain to create such a system. Some blockchain networks, like Hyperledger Fabric, are private, meaning we can have a setting wherein the users among this group can identify themselves. It may be a hard task to decentralize the entire web, as you would need to rewrite all the applications that exist today for the next-gen web, but I feel it would be fairly easy to decentralize the security and identity aspect of the system while communicating. Also, I’m not saying you maintain messages in blocks; I’m more interested in the identity part.

Why Identities Per Device and not Identities Per Person?

I feel that IPP (Identities Per Person) is something that exists today, and even though you can pinpoint the exact system that was used to commit the crime, you can’t necessarily verify that the details of the user that were entered while creating an account in the IPP system are true. But if you think of an IPD (Identities Per Device) system, you can see that the identity can’t be stolen and is tied to the device that was used to commit the crime, and since the identity/certificate was derived from something that can’t be altered or would be very difficult to alter, I find it more reliable.
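A sketch of the on-device "license" and the per-device identity described above, as an added example that is not the author's design or code. It assumes an Ed25519 key pair generated on the device in place of an identity derived from personal identifiers, and `IdentityRegistry` is a hypothetical in-memory stand-in for the shared identity ledger.

```javascript
// Added illustration: a device proves its identity by signing a fresh challenge
// with a private key that never leaves the device.
const crypto = require('node:crypto');

// Device side: only the public key is ever handed to the registry.
function createDevice() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  return {
    publicKeyPem: publicKey.export({ type: 'spki', format: 'pem' }),
    sign: (challenge) => crypto.sign(null, challenge, privateKey),
  };
}

// Service side (hypothetical): maps device ids to enrolled public keys.
class IdentityRegistry {
  constructor() {
    this.devices = new Map(); // deviceId -> public key PEM
    this.pending = new Map(); // deviceId -> outstanding challenge
  }
  enroll(publicKeyPem) {
    const id = crypto.createHash('sha256').update(publicKeyPem).digest('hex').slice(0, 16);
    this.devices.set(id, publicKeyPem);
    return id;
  }
  issueChallenge(deviceId) {
    if (!this.devices.has(deviceId)) return null;
    const challenge = crypto.randomBytes(32); // fresh per login attempt
    this.pending.set(deviceId, challenge);
    return challenge;
  }
  verify(deviceId, signature) {
    const challenge = this.pending.get(deviceId);
    if (!challenge) return false;
    this.pending.delete(deviceId); // each challenge is single use
    return crypto.verify(null, challenge, this.devices.get(deviceId), signature);
  }
}

function demo() {
  const registry = new IdentityRegistry();
  const phone = createDevice();
  const impostor = createDevice(); // a different device claiming the same id
  const id = registry.enroll(phone.publicKeyPem);
  const oldSignature = phone.sign(registry.issueChallenge(id));
  const genuine = registry.verify(id, oldSignature);
  registry.issueChallenge(id); // new challenge, old signature is replayed
  const replayed = registry.verify(id, oldSignature);
  const forged = registry.verify(id, impostor.sign(registry.issueChallenge(id)));
  return { genuine, replayed, forged };
}
```
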

The challenge

  1. The way identities are created is debatable, and we would need to know what information would be necessary to create one. We can’t say let’s just use the last four characters of a Social Security number to create one, as we can couple it with n other things like the IMEI number.
  2. Besides that, a major challenge lies in supporting the network of identities, i.e. the underlying blockchain network. Remember these are memory- and compute-hungry systems, and it would be difficult for an organization to maintain one, as we would need to account for different devices that share the network.

Image Courtesy

Designed by Freepik
