Read the book Security Engineering - Ross Anderson - Page 120

Notes


1 The story is told in detail in chapter 9 of the second edition of this book, available free online.

2 Very occasionally, a customer can confuse the bank; a 2019 innovation was the ‘callhammer’ attack, where someone phones up repeatedly to ‘correct’ the spelling of ‘his name’ and changes it one character at a time into another one.

3 Our university's auditors wrote in their annual report for three years in a row that we should have monthly enforced password change, but couldn't provide any evidence to support this and weren't even aware that their policy came ultimately from NIST. Unimpressed, we asked the chair of our Audit Committee to appoint a new lot of auditors, and eventually that happened.

4 NIST SP 800-63-3

5 This was done to undermine an argument by then FBI Director James Comey that the iPhone was unhackable and so Apple should be ordered to produce an operating system upgrade that created a backdoor; see section 26.2.7.4.

6 Government attempts to set up single sign-on for public services have been less successful, with the UK ‘Verify’ program due to be shuttered in 2020 [1394]. There have been many problems around attempts to entrench government's role in identity assurance, which I'll discuss further in the chapter on biometrics, and which spill over into issues from online services to the security of elections. It was also hard for other private-sector firms to compete because of the network effects enjoyed by incumbents. However, in 2019 Apple announced that it would provide a new, more privacy-friendly single sign-on mechanism, and use the market power of its app store to force websites to support it. Thus the quality and nature of privacy on offer is becoming a side-effect of battles fought for other motives. We'll analyse this in more depth in the chapter on economics.

7 This doesn't work for branchless banks like Monzo; but they do take a video of you when you register so that their call centre can recognise you later.

8 There's been pushback from users who see a ReCAPTCHA saying ‘click on all images containing a helicopter’ and don't want to help in military AI research. Google's own staff protested at this research too and the military program was discontinued. But other users still object to working for Google for free.

9 Full disclosure: I consult for them.
