Here’s How Darpa’s Robot Ship Will Hunt Silent Subs

Articles of Interest, National security, Terrorism, Cyber Terrorism & Related Crimes, Science & Related Space Technology, Technology & Digital Security, U.S. MARINES & Military Comments Off

Dec 312012

Here’s How Darpa’s Robot Ship Will Hunt Silent Subs

WIRED / Danger Room
By Spencer Ackerman
December 27, 2012

DARPA’s former headquarters in the Virginia Square neighborhood of Arlington. This agency recently moved to 675 North Randolph Street, near the Ballston Common Mall.

Submariners like to say there are two kinds of ships: subs and targets. The Pentagon’s futurists want to turn that aphorism on its head, and develop a new kind of surface ship that can turn a sub into a target. Naturally, the sub-hunter won’t have a human on board. Here’s how it’s going to work.

The video above is a new promotional piece of machinima (do people still say that?) released by the defense contractor Science Applications International Corporation, which has a $58 million contract with Darpa to build its unmanned sub-hunter of the future. That maritime robot, called the Anti-Submarine Warfare Continuous Trail Unmanned Vehicle, or ACTUV, doesn’t exist yet and won’t for years. But here SAIC at least sketches out how the long, thin and “radically different” ACTUV can keep surface ships from becoming targets.

The really interesting thing here is how different the surface-gliding ACTUV is from the now-familiar drones that litter the skies. Even the longest-flying drones can only stay in the air for 30 hours or so. SAIC intends for this thing to stay on a hunt for 60 to 90 days.

What’s more, SAIC is designing the ACTUV to be way more autonomous than contemporary drone aircraft: After a sailor powers it up and helps guide it out of port, she can go on a long vacation while the ACTUV speeds out to the open water to use its long-range acquisition sonar and other advanced sensors to scan for submarines, while automatically steering clear of any nearby surface ships.

Assuming SAIC isn’t over-promising (much), the sonar pods underneath the belly of the ACTUV create an acoustic image of a submarine and pursue it at high speed — although that’s something that can only happen when the ACTUV gets fairly close to its quarry. (More on that in a second.) Once the ACTUV thinks it’s got something, it pings nearby Navy ships through a satellite link. If a sailor thinks the ACTUV has made a mistake, he can convey that back to the unmanned ship and it’ll move on.

If not, the ACTUV operates alongside the fleet, with coordination not often seen with aerial drone tactics. SAIC apparently wants the ACTUV in constant communication with a mothership and Naval aircraft that would fly overhead and drop sonar charges to hunt the mystery sub, with the ACTUV speeding along to keep pace with the swift submarine. SAIC seems to intend for the ACTUV to follow the sub back to its home port (!) if necessary, or until a human in the fleet commands it to break contact. The ACTUV, in case you were wondering, isn’t armed.

How all this will happen isn’t yet clear. The subs that really give the U.S. Navy pause are cheap diesel-electric models, which are technologically puny compared to the Navy’s nuclear-powered subs but can be much quieter and harder to track. Russia sells them; Iran claims to have them. SAIC’s video suggests that the ACTUV can’t actually find the diesel-electric sub on its own: The scenario here depends on a Navy commander suspecting there’s an enemy sub in the area and deploying a P8 Poseidon surveillance aircraft (successor to the P-3C Orion) to drop sonar buoys to find it. The ACTUV sprints out in a certain pattern while “predict[ing] that long-range sensors will be able to completely envelop” the area where the sub might be “and prevent successful evasion.” So not an exact science, but its sonars are said to get more precise the closer the ACTUV gets to the suspected sub target.

The on-board hardware described generically in the video relies on “collected data and sophisticated logics” to “infer the intent” of watercraft. So that should at least make the ACTUV cognizant of any sizable metal thing that seems to be tracking a Navy ship. And if SAIC is right that the ACTUV can really hear the diesel-electric subs, then that enemy sub really may become the ocean’s newest target.

Direct Link: http://www.wired.com/dangerroom/2012/12/actuv/

Court OKs warrantless use of hidden surveillance cameras

Articles of Interest, Crimes & Criminal Activity (Organized Crime, Narcotics, Predators, Cyber Crime, Cyber Stalking, UnSolved), Firearms, Weapons & Personal Safety, Investigative, Law Enforcement, National security, Terrorism, Cyber Terrorism & Related Crimes, Technology & Digital Security Comments Off

Nov 252012

Court OKs warrantless use of hidden surveillance cameras

In latest case to test how technological developments alter Americans’ privacy, federal court sides with Justice Department on police use of concealed surveillance cameras on private property.

C/NET News
by DeClan McCullagh
October 30, 2012

Warrantless Government Surveillance

Police are allowed in some circumstances to install hidden surveillance cameras on private property without obtaining a search warrant, a federal judge said yesterday.

CNET has learned that U.S. District Judge William Griesbach ruled that it was reasonable for Drug Enforcement Administration agents to enter rural property without permission — and without a warrant — to install multiple “covert digital surveillance cameras” in hopes of uncovering evidence that 30 to 40 marijuana plants were being grown.

This is the latest case to highlight how advances in technology are causing the legal system to rethink how Americans’ privacy rights are protected by law. In January, the Supreme Court rejected warrantless GPS tracking after previously rejecting warrantless thermal imaging, but it has not yet ruled on warrantless cell phone tracking or warrantless use of surveillance cameras placed on private property without permission.

Yesterday Griesbach adopted a recommendation by U.S. Magistrate Judge William Callahan dated October 9. That recommendation said that the DEA’s warrantless surveillance did not violate the Fourth Amendment, which prohibits unreasonable searches and requires that warrants describe the place that’s being searched.

“The Supreme Court has upheld the use of technology as a substitute for ordinary police surveillance,” Callahan wrote.

Two defendants in the case, Manuel Mendoza and Marco Magana of Green Bay, Wis., have been charged with federal drug crimes after DEA agent Steven Curran claimed to have discovered more than 1,000 marijuana plants grown on the property, and face possible life imprisonment and fines of up to $10 million. Mendoza and Magana asked Callahan to throw out the video evidence on Fourth Amendment grounds, noting that “No Trespassing” signs were posted throughout the heavily wooded, 22-acre property owned by Magana and that it also had a locked gate.

U.S. Attorney James Santelle, who argued that warrantless surveillance cameras on private property “does not violate the Fourth Amendment.” (Credit: U.S. Department of Justice)

Callahan based his reasoning on a 1984 Supreme Court case called Oliver v. United States, in which a majority of the justices said that “open fields” could be searched without warrants because they’re not covered by the Fourth Amendment. What lawyers call “curtilage,” on the other hand, meaning the land immediately surrounding a residence, still has greater privacy protections.

“Placing a video camera in a location that allows law enforcement to record activities outside of a home and beyond protected curtilage does not violate the Fourth Amendment,” Justice Department prosecutors James Santelle and William Lipscomb told Callahan.

As digital sensors become cheaper and wireless connections become more powerful, the Justice Department’s argument would allow police to install cameras on private property without court oversight — subject only to budgetary limits and political pressure.

About four days after the DEA’s warrantless installation of surveillance cameras, a magistrate judge did subsequently grant a warrant. But attorneys for Mendoza and Magana noticed that the surveillance took place before the warrant was granted.

“That one’s actions could be recorded on their own property, even if the property is not within the curtilage, is contrary to society’s concept of privacy,” wrote Brett Reetz, Magana’s attorney, in a legal filing last month. “The owner and his guest… had reason to believe that their activities on the property were not subject to video surveillance as it would constitute a violation of privacy.”

A jury trial has been scheduled for January 22.

Direct Link: http://news.cnet.com/8301-13578_3-57542510-38/court-oks-warrantless-use-of-hidden-surveillance-cameras/

Army wants to monitor your computer activity

Articles of Interest, Crimes & Criminal Activity (Organized Crime, Narcotics, Predators, Cyber Crime, Cyber Stalking, UnSolved), National security, Terrorism, Cyber Terrorism & Related Crimes, Social Media, Technology & Digital Security, U.S. MARINES & Military No Responses »

May 122012

Army wants to monitor your computer activity

U.S. Army Times

By Joe Gould – Staff writer

May 5, 2012

In the wake of the biggest dump of classified information in the history of the Army, the brass is searching for ways to watch what every soldier is doing on his or her Army computer.

The Army wants to look at keystrokes, downloads and Web searches on computers that soldiers use.

Maj. Gen. Steven Smith, chief of the Army Cyber Directorate, said the software was one of his chief priorities, joking that it would take the place of a lower-tech solution: “A guy with a large bat behind every user as they go to search the Internet.”

“Now we’ve been in the news — I don’t know if you’ve seen it — with a little insider threat issue,” Smith continued.

Smith did not mention Pfc. Bradley Manning by name. However, the effort comes in the wake of the former intelligence analyst’s alleged leak of hundreds of thousands of pages of classified documents to the anti-secrecy organization WikiLeaks in 2009 and 2010. Manning faces a military trial on 22 counts, including aiding the enemy.

According to Smith, the Army will soon shop for software pre-programmed to detect a user’s abnormal behavior and record it, catching malicious insiders in the act. Though it is unclear how broadly the Army plans to adopt the program, the Army has more than 900,000 users on its computers.

Smith explained how it might work.

“So I’m on the South American desk, doing intelligence work and all of a sudden I start going around to China, let’s say,” Smith said. “That might be an anomaly, it might be justified, but I would sure like to know that and let someone make a decision, almost at the speed of thought.”

The scenario echoes the allegations against Manning: As an intelligence analyst charged with researching the Shiite threat to Iraqi elections, Manning raided classified networks for State Department cables, Afghanistan and Iraq war logs and video from a helicopter attack, according to courtroom testimony.

Software of the type Smith describes is at various stages of development in the public and private sectors. Such software could spy on virtually any activity on a desktop depending on its programming, to detect when a soldier searches outside of his or her job description, downloads massive amounts of data from a shared hard drive or moves the data onto a removable drive.

The program could respond by recording the activity, alerting an administrator, shutting down the user’s access, or by feeding the person “dummy data” to watch what they do next, said Charles Beard, a cybersecurity executive with the defense firm SAIC’s intelligence, surveillance and reconnaissance group.

“It’s a giant game of cat and mouse with some of these actors,” Beard said.

What’s exciting, Smith said, is the possibility of detecting problems as they happen, on what cybersecurity experts call “zero day,” as opposed to after the fact.

“We don’t want to be forensics experts. We want to catch it at the perimeter,” Smith said. “We want to catch this before it has a chance to be exploited.”

A government wide effort

The Army’s efforts dovetail with a broader federal government initiative. President Obama signed an executive order last October that established an Insider Threat Task Force to develop a governmentwide program to deter, detect and mitigate insider threats.

Among other responsibilities, it would create policies for safeguarding classified information and networks, and for auditing and monitoring users.

In January, the White House’s Office of Management and Budget issued a memo directing government agencies that deal with classified information to ensure they adhere to security rules enacted after the WikiLeaks debacle.

Beyond technical solutions, the document asks agencies to create their own “insider threat program” to monitor employees for “behavioral changes” suggesting they might leak sensitive information.

The interagency Insider Threat Task Force is aiming to complete work on the new standards by October. These standards may address training and employee awareness protocols, said John Swift III, senior policy adviser to a task force now working on the draft policy.

Deanna Caputo, lead behavioral psychologist for Mitre Corp., said both technical solutions and monitoring of human behaviors are needed for a successful detection and prevention program.

“To think that we can tackle the problem simply by technical solutions is a mistake,” Caputo said.

A “culture of reporting” is essential, she said. “We need to up the ante and expect a little bit more from our people” to report abnormal behaviors among their co-workers. However, “there is a fine line with that [reporting]. People need to trust they are in a safe environment to do their job.”

Carnegie Mellon’s Software Engineering Institute has compiled 700 insider threat case studies, and come up with two broad profiles of insiders who steal intellectual property in business settings.

One is an “entitled independent” disgruntled with his job who typically exfiltrates his work a month before leaving. The other is an “ambitious leader” who steals information on entire systems and product lines, sometimes to take to a foreign country, such as China.

According to Patrick Reidy, who leads the FBI’s insider threat program, such users may be conducting authorized activities for malicious ends, and their actions would not register on intrusion detection or anti-virus systems.

“People look at computers and networks but not people and data,” he said. “The insider threat is all about people.”

Reidy, Swift and Caputo discussed the effort at a defense industry convention in Washington, D.C., on April 4.

The ‘Pre-Crime’ division

Private industry and the Defense Advanced Research Projects Agency are among the entities that have technological solutions in various stages of progress.

Raytheon’s SureView software captures any security breach or policy violation it’s programmed to find and can “replay the event like a DVR,” for a local administrator or others to view, according to the company’s website. The software’s trigger is programmable and can be set to any behavior considered suspicious or not.

Working with Raytheon, a group of cadets from the U.S. Military Academy at West Point last year conducted a simulation of an insider attack at a forward operating base. Cadets looked at how to fine-tune the way SureView detects potential threats and eliminate false positives for innocuous behavior, said West Point computer science professor Col. Greg Conti.

“It was very powerful, very flexible and allowed you to monitor with very fine resolution activities on the desktop, and the real trick becomes how you detect anomalous behavior,” Conti said. “Predictive models are kind of the holy grail. When you see that no one else has done something but bad guys, you can start being predictive.”

At SAIC, which is testing a behavior analytics system, Beard likened behavioral modeling to the Pre-Crime unit from the science fiction movie “Minority Report.” Instead of using psychics to stop crimes before they occur, the software would be programmed to detect behavior that has preceded malicious acts in the past.

In real life, researchers are examining the behavior of malicious insiders to see what actions they took before they acted out. That in turn would be used to teach the software what behavior to flag.

“We may want to administer policies that say, ‘Gee, gosh, why do you really want to download 300 [megabytes] of stuff or a gig of data in a single session?’ ” Beard said. “We look for the antecedents of behavior that would suggest based on past history that bad things are going to take place.”

That could be visiting restricted websites, requesting access to information outside of one’s job description or asking for large amounts of storage media — or likely some combination of the above. Individually, the actions may not seem problematic, but combined and in the context of human intelligence, they could raise alarms.

“We start taking those things and recombining them to say, ‘What is going on in the environment?’ ” Beard said. “Any one of those things independently can be totally innocuous and innocent, but when you put them together — plus their job, plus their access, plus the things they are working on — you may be looking at it as a counterintel kind of thing.”

Drawbacks and challenges

Cybersecurity expert Michael Tanji, an Army veteran who has spent nearly 20 years in the U.S. intelligence community, said he sees potential drawbacks and unanswered policy questions. He asked how the Army would implement such technology without unintentionally stifling cross-disciplinary collaboration among soldiers.

Knowing they are being monitored, personnel might avoid enterprising or creative behavior for fear it would be flagged by monitoring software, he said.

Tanji also predicted the technology would come at a considerable financial cost, both to warehouse the data collected by the software and to pay the added staff needed to monitor the reports it generates.

“A brigade-sized element that uses computers on a regular basis would probably need a company-sized element just to keep up with the data that comes in,” he said.

Reidy, the FBI official, said such concerns were valid. Because software may report benign behavior as malicious and vice versa, he cautioned against using technical solutions alone to solve insider threats.

“After a major incident, and no offense to any vendors, but the charlatanism always goes up,” he said. “It’s absolutely amazing how many phone calls I get from people who say they have solved the WikiLeaks problem or solved this or that problem. Everybody’s got to eat, but it’s simply not true.”

Finding bad behavior amid the vast sea of keystrokes, downloads and Web browsing on military computers is no easy task, DARPA acknowledges.

A DARPA solicitation for Suspected Malicious Insider Threat Elimination, or SMITE, announces it is attempting to recognize “moving targets” — telltale patterns of behavior amid “enormous amounts of noise (observational data of no immediate relevance).”

The program, based in behavioral science, would have to distinguish anomalous behavior from normal behavior, and deceptive and malicious behavior from anomalous behavior, the solicitation reads.

A solicitation for another program — Anomaly Detection at Multiple Scales, or ADAMS — uses accused Fort Hood shooter Maj. Nidal Hasan to frame the problem. It asks how to sift for anomalies through millions of data points — the emails and text messages on Fort Hood, for instance — using a unique algorithm, to rank threats and learn based on user feedback.

The program is trying to look beyond computers to spot the point when a good soldier turns, whether that means homicidal or suicidal or ready to dump stolen data.

“When we look through the evidence after the fact, we often find a trail — sometimes even an ‘obvious’ one,” the solicitation states. “The question is, can we pick up the trail before the fact, giving us time to intervene and prevent an incident? Why is that so hard?”

Direct Link: http://www.armytimes.com/news/2012/05/army-wants-to-monitor-your-computer-050512w/

Pentagon-backed ‘time cloak’ stops the clock (Update)

Articles of Interest, Crimes & Criminal Activity (Organized Crime, Narcotics, Predators, Cyber Crime, Cyber Stalking, UnSolved), Firearms, Weapons & Personal Safety, National security, Terrorism, Cyber Terrorism & Related Crimes, Social Media, Technology & Digital Security No Responses »

Jan 112012

Pentagon-backed ‘time cloak’ stops the clock (Update)

PhysOrg.com News

January 4, 2012

By Bill Steele

January 4, 2012

Pentagon-supported physicists on Wednesday said they had devised a “time cloak” that briefly makes an event undetectable.

In this 2011 illustration, provided by Cornell University, scientists demonstrate how they have have created, a new invisibility technique that doesn’t just cloak an object _ like in Harry Potter books and movies _ but masks an entire event. It is a time masker that works by briefly bending the speed of light around an event. Cornell scientists explain what they are talking about in this 2011 illustration that shows that if this technique is ever scaled up an art thief can walk into a museum and steal a painting without setting off laser beam alarms or even showing up on surveillance cameras or your eyes. (AP Photo/Heather Deal, Cornell University)

Interested In Waveguide? - Learn more about waveguide Our extensive website has it all - www.space-machine.com

In movie magic, people and objects can appear or disappear or move from place to place in an instant. Just stop the camera, move things around and start it again. Now, Cornell researchers have demonstrated a similar “temporal cloak” — albeit on a very small scale — in the transport of information by a beam of light.

The trick is to create a gap in the beam of light, have the hidden event occur as the gap goes by and then stitch the beam back together. Alexander Gaeta, professor of applied and engineering physics, and colleagues report their work in the Jan. 5 issue of the journal Nature.

A laser beam passes through a “split-time lens” – a specially designed waveguide that bumps up the wavelength for a while then suddenly bumps it down. The signal then passes through a filter that slows down the higher-wavelength part of the signal, creating a gap in which the cloaked event takes place. A second filter works in the opposite way from the first, letting the lower wavelength catch up, and a final split-time lens brings the beam back to the original wavelength, leaving no trace of what happened during the gap. Image: Gaeta lab

The researchers created what they call a time lens, which can manipulate and focus signals in time, analogous to the way a glass lens focuses light in space. They use a technique called four-wave mixing, in which two beams of light, a “signal” and a “pump,” are sent together through an optical fiber. The two beams interact and change the wavelength of the signal. To begin creating a time gap, the researchers first bump the wavelength of the signal up, then by flipping the wavelength of the pump beam, bump it down.The beam then passes through another, very long, stretch of optical fiber. Light passing through a transparent material is slowed down just a bit, and how much it is slowed varies with the wavelength. So the lower wavelength pulls ahead of the higher, leaving a gap, like the hare pulling ahead of the tortoise. During the gap the experimenters introduced a brief flash of light at a still higher wavelength that would cause a glitch in the beam coming out the other end.

Then the split beam passes through more optical fiber with a different composition, engineered to slow lower wavelengths more than higher. The higher wavelength signal now catches up with the lower, closing the gap. The hare is plodding through mud, but the tortoise is good at that and catches up. Finally, another four-wave mixer brings both parts back to the original wavelength, and the beam emerges with no trace that there ever was a gap, and no evidence of the intruding signal.

None of this will let you steal the crown jewels without anyone noticing. The gap created in the experiment was 15 picoseconds long, and might be increased up to 10 nanoseconds, Gaeta said. But the technique could have applications in fiber-optic data transmission and data processing, he added. For example, it might allow inserting an emergency signal without interrupting the main data stream, or multitasking operations in a photonic computer, where light beams on a chip replace wires.

Waveguide Rotary Joint - RF-Lambda Waveguide Rotary Joint multiple ports up to 120GHz 3KW - www.rflambda.com

Time cloaking doesn’t involve a DeLorean, just a kilometer of optical fiber coiled up on a lab table, supervised by postdoc Moti Fridman and research associate Yoshi Okawachi.

The experiment was inspired, Gaeta said, by a theoretical proposal for a space-time cloak or “history editor” published by Martin McCall, professor of physics at Imperial College in London, in the Journal of Optics in November 2010.“But his method required an optical response from a material that does not exist,” Gaeta said. “Now we’ve done it in one spatial dimension. Extending it to two [that is, hiding a moment in an entire scene] is not out of the realm of possibility. All advances have to start from somewhere.”

Fridman’s work was part-supported by the Defense Advanced Research Project Agency, or DARPA, a Pentagon unit which develops futuristic technology that can have a military use. Its achievements include DARPANet, a predecessor of the Internet.

More information: Nature journal announcement:

Now you detect it, now you don’t (pp 62-65; N&V)

A ‘time cloak’ that makes an event temporarily undetectable, albeit on the picosecond scale, is described in this week’s Nature. The work could represent a step towards the development of spatio-temporal cloaking.

Recent developments in spatial cloaking show that it is possible to hide an object by manipulating electromagnetic waves around it, creating a ‘hole in space’. Such devices currently have limited functionality. Here Moti Fridman and colleagues demonstrate that a related effect, temporal cloaking, can be achieved. They manage to create a ‘hole in time’ for around 40 trillionths of a second (40 picoseconds).

The fibre-based system steers light ‘around’ an event so that no evidence (a change in the temporal or spectral properties of the light beam) of the event is detectable, by speeding up and slowing down different parts of a light beam. This effect is achieved using a split time-lens that breaks light up into its slower (red) and faster (blue) components, thereby creating a tiny temporal gap.

Provided by Cornell University

Direct Link: http://www.physorg.com/news/2012-01-pentagon-backed-cloak-clock.html

Logging In With a Touch or a Phrase (Anything but a Password)

Dec 262011

Logging In With a Touch or a Phrase (Anything but a Password)

The New York Times

By SOMINI SENGUPTA

December 23, 2011

Fred R. Conrad/The New York Times

One touch-recognition password involves turning an image of a combination lock 90 degrees.

Passwords are a pain to remember. What if a quick wiggle of five fingers on a screen could log you in instead? Or speaking a simple phrase?

Video about Biometric Passwords

Fred R. Conrad/The New York Times

In another alternative to the password, one would sign one’s name on a small screen.

Fred R. Conrad/The New York Times

Nasir Memon of N.Y.U.’s Polytechnic Institute has been working on touch recognition in iPads.

Neither idea is far-fetched. Computer scientists in Brooklyn are training their iPads to recognize their owners by the touch of their fingers as they make a caressing gesture. Banks are already using software that recognizes your voice, supplementing the standard PIN.

And after years of predicting its demise, security researchers are renewing their efforts to supplement and perhaps one day obliterate the old-fashioned password.

“If you ask me what is the biggest nuisance today, I would say it’s the 40 different passwords I have to create and change,” said Nasir Memon, a computer science professor at the Polytechnic Institute of New York University in Brooklyn who is leading the iPad project.

Many people would agree. The password has become a monkey on our digital backs — an essential key to our many devices and accounts, but increasingly a source of exasperation and insecurity.

The research arm of the Defense Department is looking for ways to use cues like a person’s typing quirks to continuously verify identity — in case, say, a soldier’s laptop ends up in enemy hands on the battlefield. In a more ordinary example, Google recently began nudging users to consider a two-step log-in system, combining a password with a code sent to their phones. Google’s latest Android software can unlock a phone when it recognizes the owner’s face or — not so safe — when it is tricked by someone holding up a photograph of the owner’s face.

Still, despite these recent advances, it may be premature to announce the end of passwords, as Bill Gates famously did in 2004, when he said “the password is dead.”

“The spectacularly incorrect assumption ‘passwords are dead’ has been harmful, discouraging research on how to improve the lot of close to two billion people who use them,” Cormac Herley, a researcher at Microsoft, the company that Mr. Gates founded, wrote in a recent paper. Mr. Herley suggested instead that developers try “to better support the use of passwords” — for example, by helping people protect their wireless connections from eavesdroppers. “Passwords,” Mr. Herley continued, “have proved themselves a worthy opponent: all those who have attempted to replace them have failed.”

The touch-screen approach of Professor Memon in Brooklyn works because, as it happens, each person makes the same gesture uniquely. Their fingers are different, they move at different speeds, they have what he calls a different “flair.” He wants logging in to be easy; besides, he said, some people find biometric measures like an iris scan to be “creepy.”

In his research, the most popular gestures turned out to be the ones that feel most intuitive. One was to turn the image of a combination lock 90 degrees in one direction. Another was to sign one’s name on the screen. In principle, the gesture can be used to unlock a device, or an app on the device that safely holds a variety of passwords.

Despite their resilience, passwords are weak, notably because their users have limited memories and a weakness for blurting out secrets. Most people need dozens of them, and they tend to pick ones that are so complex they need to be written down, or so simple they can be easily guessed. Recently, criminals have become adept at stealing passwords by sneaking malicious software onto computers or tricking users into typing them into an illegitimate site.

Companies like Facebook and Twitter have sought to address the frustration with passwords by allowing their usernames and passwords to open the door to millions of Web sites, a convenience that brings obvious risks. A thief with access to a master username and password can have access to a host of accounts.

Rachna Dhamija, a California computer scientist turned entrepreneur, sought to combat those weaknesses by breaking up the password. The user first logs in to the service that Ms. Dhamija built, UsableLogin, and signs in with her own partial password. Behind the scenes, the service verifies that the user is on an authorized device, and pulls the third piece from the cloud, generating a unique password for any Web site that the user wants to log in to — Facebook, for instance. In other words, one piece of the password rests with the user, another is stored in her device, and a third piece is kept online.

“You take a secret and you spread it across,” said Ms. Dhamija, whose service was recently acquired by Webroot Software, based in Broomfield, Colo. “You’re spreading the risk. The password is not stored in its whole form anywhere.”

But even if a user has been authorized at the start of a session, what if someone else gains access to her computer an hour later? Darpa, the Defense Department’s technology research arm, has invited security researchers to develop ways to verify a user every instant, based on the way the individual uses the machine — “for example, how the user handles the mouse and how the user crafts written language in an e-mail or document,” it explains on its Web site.

Each of these techniques is driven by the notion that a password alone is an insufficient means to verify online identity. Think of them as a fortification: a password-plus.

Many companies use a smart card or a security “dongle” — a small piece of hardware that plugs into the computer and functions as a key — as that second step of verification to allow access to internal networks. Today, biometrics — an individual’s unique physical traits — are emerging as an alternative.

At least a half-dozen banks in the United States ask their customers to verify who they are by reciting a two-second phrase to a computer over the phone, in addition to punching in their PINs. It could be as simple as “at my bank,” and a million customers could recite the very same phrase and still sound unique, according to Nuance Communications, a company based in Burlington, Mass., that makes the technology.

As mobile phones become bodily appendages for people worldwide, they too are emerging as instruments to verify identity. Google introduced its two-step process earlier this year. It sends a six-digit code to an application on a Google user’s cellphone to be entered, along with a password, when signing onto a Google account on a computer or tablet. The code can also be sent as a text message for those who don’t have smartphones, or it can be conveyed through a phone call.

The extra step is not mandatory, and the company will not say how widely it has been adopted. But as vulnerable as passwords are to theft and compromise, Google says, it is increasingly important for a user’s identity to be verified through another channel — a cellphone, in this case.

“I think we’ll start to see people using their mobile devices as their pervasive identifiers,” said Brendon Wilson, a security researcher at Symantec. “The password will no longer be the final arbiter that you are you. You will see layers on top.”

Direct Link: http://www.nytimes.com/2011/12/24/technology/logging-in-with-a-touch-or-a-phrase-anything-but-a-password.html?nl=todaysheadlines&emc=tha25

Older Entries