no-one-is-safe-denzel

In the second season of “Game of Thrones,” a character brags about having an impenetrable safe in which he keeps all of his vast riches safe from those who would steal his fortune. That safe isn’t quite what it seems — don’t worry, I won’t spoil the show — but its appeal is obvious: Who wouldn’t want to protect their prized possessions with something that can’t be cracked?

Unfortunately, a safe offering that level of protection can only exist in a world where dragons emerge from funeral pyres and the dead walk. In the real world, every security tool — whether it’s meant to protect physical objects or digital information — has a weakness just waiting to be exploited. The closest thing we have to true security requires a pine box and six feet of dirt.

That truth has been made evident numerous times in recent months, whether it’s through the Heartbleed bug that compromised the security of two-thirds of the Internet or the ransomed iPhones that helped prove that “digital security” is an oxymoron, and it will only become more clear as nefarious hackers, technical helplessness, and digital illiteracy continue to affect us all.

But it’s even more frightening to think that there’s little the average person can do about that. Most proposals to fix digital security, or at least patch some of the holes in existing systems, come with their own set of problems. They’re not always insurmountable, but they exist.

Consider biometric security, which was included with the iPhone 5s to give consumers an easy way to unlock their smartphone or purchase an application without requiring a password. It’s not as easy to replicate someone’s thumbprint as it is to guess that their passcode is 1234, but that doesn’t mean biometric security will be infallible, as David Sirota wrote in NSFWCORP:

Think about it in practical terms. Whereas in today’s password-based system you can protect yourself after a security breach with a simple password change, in tomorrow’s biometric-based system, you have far fewer – if any – ways to protect yourself after a security breach. That’s because you cannot so easily change your fingers, your eyes or your face. They are basically permanent. Yes, it’s true – security-wise, those biological characteristics may (and I stress “may”) be less vulnerable to a hack than a password. But if and when they are hacked in a society reorganized around biometric security systems, those systems allow for far less damage control than does a password-based system. In effect, your physical identity is stolen – and you can’t get it back.

Then there’s the recommendation that people devise unique passwords for every site they visit. While this might help people secure their information when one website is compromised, it’s also impractical for the average person, according to researchers at Microsoft, who argue that people should reuse passwords. As I wrote when the study was published,

Expecting the average person to remember a bunch of unique passwords is like expecting a husband on a sitcom to remember his anniversary. Therefore, it’s better to take that stupidity into account by reusing passwords. But you’d better be smart about selecting the sites that use the same password – an important site can be lost in a group of unimportant ones just as easily as an anniversary can be lost in an overflowing sea of sitcom tropes like “in-laws visiting” or “family road trip.”

And finally there’s the so-called “dead hand” system, which requires its operator to check-in at set intervals to make sure the person is still alive. Despite the system’s promise – who doesn’t want their porn files removed from their devices before someone stumbles on it during the sixth stage of grief (digging through the deceased’s stuff to find money or secrets) — it’s not perfect, as the Guardian reported this morning when one was activated by mistake:

Arrigo Triulzi, the co-founder of security firm K2 Defender, had set up the system to protect against attempts to silence his research. Such programs typically require a user to check in on a periodic basis to prove that they are still alive and well; if a check-in is missed, the system assumes the worst has happened and carries out the instructions it has filed away.

In Triulzi’s case, that involved wiping his local machines, and disseminating his research around the world, encrypted so that only trusted friends could read it. Fortunately, Triulzi wasn’t actually dead or under arrest, but in an Italian hospital on an IV drip for a case of antibiotic-resistant pneumonia.

There are no impervious safes, and there aren’t going to be any developed any time soon. Not until dragons start flying around and a bunch of blue-eyed corpses walk again, at least.