July 23, 2007

Anonymous Tech Support

I've been mulling over some implementation ideas: We don't know who our customers are, and we don't want to know. That's great, right? But that creates a small problem. What do you do when a customer writes and says "I lost my login name!" or how about "I want to upgrade"? In certain situations, you need to be able to piece the information together. And in certain situations you want it pieced together only by the right people.

So what I'm thinking is something pretty revolutionary. Besides anonymous tech support for paying clients, we could implement a type of shared secret. For example, the regular tech support folks may need to know the client's username. Either it is posted to us automatically, in encrypted form that only the techs can decrypt, or the user forces the post to us by ticking some box and perhaps entering their password, which we still have to decrypt. That way the user gets control over whether he wants to share his username. And the same can be implemented with the user's order ID, and if they are paying by Dalpay, their transaction ID. So would we want to stuff a transaction ID into an account, in some encrypted form? Currently there may be some way to brute force the transaction ID; I'll have to figure out the risks. Ooh, okay, 2 shared secrets: one between the client and the tech support, one between the client and billing support. That should be the right thing, but again, is it elegant? That may be an HCI issue, but the security will have to be right first.

Lots of work to do before DEF CON. And more under-the-hood work to be done on the xB Machine. I'll contact Howard and tell him to jump on the blog and actually tell people what he is doing. I can see Florian registered (why?) but doesn't post.

-Steve
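
An added example, not code from the original post or from the system it describes: one way to keep a transaction ID on an account so that only billing support can confirm it, and why an unkeyed hash would not survive the brute-force concern raised above. It swaps the encryption the post mentions for a keyed hash (HMAC), so billing verifies an ID the customer chooses to present instead of decrypting a stored one; the 6-digit ID format, the key names and the record layout are all assumptions.

```python
import hashlib
import hmac
import secrets

ID_SPACE = 10**6  # assumption: transaction IDs are 6-digit numeric strings


def weak_tag(txn_id: str) -> str:
    """Unkeyed hash: anyone who can read the account record can enumerate IDs."""
    return hashlib.sha256(txn_id.encode()).hexdigest()


def keyed_tag(role_key: bytes, salt: bytes, txn_id: str) -> str:
    """HMAC under a role key; the per-account salt stops equal IDs from matching."""
    return hmac.new(role_key, salt + txn_id.encode(), hashlib.sha256).hexdigest()


def enumerate_weak(tag: str):
    """Shows the risk: the whole ID space can be hashed and compared."""
    for n in range(ID_SPACE):
        candidate = f"{n:06d}"
        if weak_tag(candidate) == tag:
            return candidate
    return None


def new_account(billing_key: bytes, txn_id: str) -> dict:
    """Hypothetical account record: stores no name and no recoverable ID."""
    salt = secrets.token_bytes(16)
    return {"salt": salt, "billing_tag": keyed_tag(billing_key, salt, txn_id)}


def role_confirms(role_key: bytes, account: dict, claimed_txn_id: str) -> bool:
    """True only for the holder of the billing key and the right ID."""
    expected = keyed_tag(role_key, account["salt"], claimed_txn_id)
    return hmac.compare_digest(expected, account["billing_tag"])


if __name__ == "__main__":
    billing_key = secrets.token_bytes(32)  # held by billing support only
    tech_key = secrets.token_bytes(32)     # held by tech support only
    txn = "004217"                         # constructed sample ID
    account = new_account(billing_key, txn)
    print("unkeyed hash recovered:", enumerate_weak(weak_tag(txn)))
    print("billing confirms:", role_confirms(billing_key, account, txn))
    print("tech confirms:", role_confirms(tech_key, account, txn))
```

With the keyed tag, a reader of the account database cannot test guesses without the billing key, so the small ID space no longer matters to that reader; it still matters against anyone who holds the key, which is why key custody follows the role split.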

1 comment:

Anonymous said...

Well, we decided on what to do. It sure was interesting to say the least. We figured this was probably the weak link, so we added lots of salt for entropy, and we will probably asymmetrically encrypt the salt.