Ramblings on Identity Verification in the Future

Recently I read this post on Hacker News (https://news.ycombinator.com/item?id=18180153) about how a PSN account got poached by another user. And I got a too-good-to-be-true email from someone, and questioned whether or not it was generated by a computer. Because AI has gotten really good…

This led me to question how identity verification will be done in the future. So far, the surest way seems to be two-factor authentication. ANYTHING that triggers suspicious behavior on any website, such as logging in from a location that is highly unusual, will cause a two-factor authentication. Via SMS.

For phone calls, it’s usually done by PINs, social security numbers, addresses, and so on.

But all this information can be compromised. Even the SMS can, theoretically, be hijacked since it’s a wireless signal that is sent to your phone. I’m sure there’s a way to do it.

With the advent of machine intelligence, and compromises in our data, will there be a surefire way to guarantee that the person who is using the device or is on the phone is who they say they are?

After all, lyrebird.ai already can mimic your voice, and there are projects like deepfakes which can replace your face. Sure, they are not generated in real time, but they could be if there is sufficient computing power. For example, if it takes a human 300 milliseconds to respond, then with sufficient computing power, a computer could generate a response and time it at 300 milliseconds to reply. Even if you establish a connection between two parties, and time the response that it takes, and make it so that the bounds are near impossible for computers to process and relay that information back and forth, what if the connection was hijacked already from the beginning? (Side question: How would one figure out the absolute lower bound number on a computation? Is this impossible?)

The only sensible solution that I can think of for now is that there needs to be a solution where the captured data cannot be faked. For example, if I was speaking through a phone, the voice recording that I transfer over the network has to be guaranteed to be from me, and to not have been tampered with.

First, there must be some kind of coding scheme embedded in our devices that guarantees that the data capture device’s time taken is foolproof. So no more of this metadata that can be easily changed by programs when you capture photos, recordings, etc. It has to be tamper proof. Maybe, via public/private key cryptography, we can engrave the private key on the device, in silicon or something, and everyone would have access to the public key. By sending the encrypted data, applications with the public key can decrypt it, but the private key would guarantee that hopefully there’s only one person that has that key.
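What this paragraph describes is, in practice, a digital signature rather than encryption. The sketch below is an added example (not from the original post) using Ed25519 from the third-party Python `cryptography` package; the function names, the record layout and the software-generated key standing in for a silicon-embedded one are assumptions.

```python
import hashlib
import json

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives.asymmetric.ed25519 import (
    Ed25519PrivateKey, Ed25519PublicKey)


def signed_bytes(payload: bytes, captured_at: int) -> bytes:
    # Bind capture time and content together so neither can be swapped alone.
    header = {"captured_at": captured_at,
              "sha256": hashlib.sha256(payload).hexdigest()}
    return json.dumps(header, sort_keys=True).encode()


def sign_capture(device_key: Ed25519PrivateKey, payload: bytes,
                 captured_at: int) -> dict:
    """Device side: sign (not encrypt) the capture with the embedded key."""
    sig = device_key.sign(signed_bytes(payload, captured_at))
    return {"payload": payload, "captured_at": captured_at, "sig": sig}


def verify_capture(device_pub: Ed25519PublicKey, record: dict) -> bool:
    """Verifier side: anyone holding the public key can run this."""
    try:
        device_pub.verify(
            record["sig"],
            signed_bytes(record["payload"], record["captured_at"]))
        return True
    except InvalidSignature:
        return False


# Constructed demo. A software-generated key stands in for the key the post
# imagines engraved in silicon; payloads and timestamps are made up.
DEVICE_KEY = Ed25519PrivateKey.generate()
DEVICE_PUB = DEVICE_KEY.public_key()
RECORD = sign_capture(DEVICE_KEY, b"constructed voice frame", 1539000000)
EDITED_AUDIO = {**RECORD, "payload": b"constructed spoofed frame"}
EDITED_TIME = {**RECORD, "captured_at": 1539003600}
OTHER_DEVICE = sign_capture(Ed25519PrivateKey.generate(),
                            RECORD["payload"], RECORD["captured_at"])

if __name__ == "__main__":
    for name, rec in [("original", RECORD), ("edited audio", EDITED_AUDIO),
                      ("edited time", EDITED_TIME), ("other key", OTHER_DEVICE)]:
        print(f"{name:13} valid={verify_capture(DEVICE_PUB, rec)}")
```

A valid signature shows which key signed the bytes and that they were not altered afterwards; it says nothing about whether the sound reaching the microphone was genuine.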

Now the question is how to protect that key - which leads me to wonder if there’s some way that we can use our biological features to generate a consistent key. Can we take some biological signal that cannot change no matter how much we change, and put it into some function, that will always produce a consistent private key, guaranteeing that this person ? Who knows. Maybe, we can measure our telomeres at that instant down to the nearest microsecond? I have no idea…

The other thing I remembered was quantum entanglement. Maybe, just maybe, we can create quantum entangled devices, somehow embed it onto ourselves, and use that to communicate.

But now the other question is: how do you guarantee that the agent on the other side doesn’t get their devices robbed?

Anyhoo, this is an interesting question to think about. How do we guarantee that the person we are talking to is who they say they are? And how do we guarantee that stuff that is made in our society is genuine and real, when computers keep getting better and better?

First Company Hackathon

Last week, I partook in my organization’s Hackathon. The problem statement revolved around improving data quality. It was rather tough, but definitely a rewarding experience because we got 2nd place/~10 teams. This was my 3rd hackathon, and I was quite surprised and pleased with the results.

Good Points:

  1. I liked the problem statement. It was definitely relevant, and was a problem where if a group presented a good potential solution, there is some semblance of it being brought to life.
  2. Environment setup was good. Each team had EC2 instances and an RDS server. My only gripe with this is that configuration is still too tough to get everything working. But that is the nature of our business - one misspelling or configuration error, and the whole thing goes kaboom!
  3. Our idea, and slide decks were on point. We pretty much had a top slide deck, and a very useful/practical idea that provided benefit to business. This reminded me of a critical law I learned in school: Akin’s law of Spacecraft Design (https://spacecraft.ssl.umd.edu/akins_laws.html)

    20. A bad design with a good presentation is doomed eventually. A good design with a bad presentation is doomed immediately.

Bad Points:

  1. Presentations were too long. We had 10 minutes for the demo, but with 10 minutes + transition times + teams going over, it was more like 2 hours. Personally, I’m a little desensitized to slide decks. I want to know what the teams have created. What would be nice is to have the team just make a video over the weekend and submit it to the judges. The video would cut out all the transitions, and crystallize and condense the information into a perfect, shiny crystal.
  2. As a team, we spent too much time debating on what to present and what to do. I think most of that time is wasteful - in a hackathon, there really isn’t any time to build out anything fully fleshed out. I wished that we focused on a minimum, minimum viable product, and moved forward. Nothing fancy (well maybe the front end) going on in the back - just some working prototype to show what the workflow would look like.

Overall, it was a pretty good experience. I had some fun, and I’d definitely do it again. But with some tweaks =/.

AWS VPN in Japan

This weekend I tried to set up an AWS VPN proxy in Tokyo, Japan. My main reason for doing so was I wanted to watch Netflix in Japan. I followed the instructions on this link: https://hackernoon.com/using-a-vpn-server-to-connect-to-your-aws-vpc-for-just-the-cost-of-an-ec2-nano-instance-3c81269c71c2 using OpenVPN.

But there were a couple of modifications I had to make to make this work:

  1. You need to uncomment two lines in /etc/openvpn/server.conf (every line that starts with a ; is effectively commented out), so that you end up with something equivalent to:

    push "route 172.31.0.0 255.255.0.0"
    push "dhcp-option DNS x.x.x.x"   # Push your preferred VPN DNS - google eg. 8.8.8.8
    push "block-outside-dns" 
    (https://forums.openvpn.net/viewtopic.php?t=22039)
    
  2. Check if there are any leaks or problems. I’ve checked the websites https://whatismyipaddress.com/proxy-check and https://ipleak.net/ for any traces of my original source ip. There was none.
  3. You need a modified command like:

     scp -i "Jvpn.pem" [email protected]e.amazonaws.com:~/  .
    

    To transfer your generated ovpn file to your local directory

  4. Use Tunnelblick and the generated ovpn file to connect to your vpn. Make sure to look at the logs for any breaking issues.

So I do all these checks, and I’m pumped to try out my new VPN so that I can watch some Netflix in Japan. Like Rick and Morty and Terrace House. So I login to Netflix, and try to start watching a show….

And then, I am greeted by this familiar friend:

This would have been a happy ending if it worked. But it didn’t =(.

How are they finding out that I’m behind a proxy??!

  1. Apparently AWS has a public JSON of all their ip address ranges (https://ip-ranges.amazonaws.com/ip-ranges.json). The first elastic IP address I put in was on there, but the second one I got was not. But do they have another secret list? There’s really nothing I can do because companies buy blocks of ip addresses with their name on it… No matter what I do, they would still know that the ip is from amazon.com.
  2. Suppose that the elastic ip address that I used is not on their radar. Do they still know that my account was registered in the U.S. and adjust accordingly? It’s not like one person can connect from the U.S. at 1 PM and suddenly connect from Japan at 5 PM. Unless they can teleport…
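A service can check a client address against that published list in a few lines. This is an added example, not from the original post: the embedded JSON is a constructed sample in the layout of ip-ranges.json using documentation address ranges, and the function names are hypothetical.

```python
import ipaddress
import json

# Constructed sample in the layout of ip-ranges.json. The prefixes are
# documentation ranges (RFC 5737 / RFC 3849), not real AWS allocations.
SAMPLE = json.loads("""
{
  "syncToken": "0",
  "createDate": "constructed",
  "prefixes": [
    {"ip_prefix": "198.51.100.0/24", "region": "ap-northeast-1", "service": "AMAZON"},
    {"ip_prefix": "198.51.100.128/25", "region": "ap-northeast-1", "service": "EC2"},
    {"ip_prefix": "203.0.113.0/24", "region": "us-west-1", "service": "AMAZON"}
  ],
  "ipv6_prefixes": [
    {"ipv6_prefix": "2001:db8:1000::/36", "region": "ap-northeast-1", "service": "EC2"}
  ]
}
""")


def aws_matches(ip: str, doc: dict) -> list:
    """Return (prefix, region, service) for every listed range containing ip."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        key, table = "ip_prefix", doc.get("prefixes", [])
    else:
        key, table = "ipv6_prefix", doc.get("ipv6_prefixes", [])
    hits = [(e[key], e["region"], e["service"])
            for e in table if addr in ipaddress.ip_network(e[key])]
    # Most specific prefix first, e.g. the EC2 /25 before the AMAZON /24.
    return sorted(hits, key=lambda h: -ipaddress.ip_network(h[0]).prefixlen)


def looks_like_aws(ip: str, doc: dict) -> bool:
    return bool(aws_matches(ip, doc))


if __name__ == "__main__":
    for ip in ("198.51.100.200", "198.51.100.5", "2001:db8:1000::1", "192.0.2.10"):
        print(ip, aws_matches(ip, SAMPLE) or "not in published list")
```

An address that is missing from this list can still be attributed to its owner through registry (WHOIS) or ASN data, which is the "blocks of ip addresses with their name on it" point above.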

Anyhoo, I’m a little disappointed that I can’t go on Netflix Japan. If they are using some techniques that align with #2, then a VPN is virtually useless. It leads me to wonder if there are other sophisticated techniques to detect proxies. I wonder if, at the packet level, there is a difference between a packet sent from the U.S. vs. a packet sent from Tokyo. Even just by timing, wouldn’t you be able to figure this out?

For example, this is a simple ping to Google. This is with vpn turned on and off:

#VPN ON
PING google.com (172.217.161.78): 56 data bytes
64 bytes from 172.217.161.78: icmp_seq=0 ttl=43 time=187.722 ms
64 bytes from 172.217.161.78: icmp_seq=1 ttl=43 time=186.720 ms
64 bytes from 172.217.161.78: icmp_seq=2 ttl=43 time=189.030 ms
64 bytes from 172.217.161.78: icmp_seq=3 ttl=43 time=186.826 ms
64 bytes from 172.217.161.78: icmp_seq=4 ttl=43 time=188.989 ms
64 bytes from 172.217.161.78: icmp_seq=5 ttl=43 time=186.898 ms
64 bytes from 172.217.161.78: icmp_seq=6 ttl=43 time=189.009 ms
64 bytes from 172.217.161.78: icmp_seq=7 ttl=43 time=199.305 ms
64 bytes from 172.217.161.78: icmp_seq=8 ttl=43 time=192.338 ms
--- google.com ping statistics ---
9 packets transmitted, 9 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 186.720/189.649/199.305/3.794 ms

#VPN OFF
PING google.com (172.217.161.46): 56 data bytes
64 bytes from 172.217.161.46: icmp_seq=0 ttl=48 time=164.479 ms
64 bytes from 172.217.161.46: icmp_seq=1 ttl=48 time=163.677 ms
64 bytes from 172.217.161.46: icmp_seq=2 ttl=48 time=166.483 ms
64 bytes from 172.217.161.46: icmp_seq=3 ttl=48 time=163.280 ms
64 bytes from 172.217.161.46: icmp_seq=4 ttl=48 time=163.296 ms
64 bytes from 172.217.161.46: icmp_seq=5 ttl=48 time=164.817 ms
64 bytes from 172.217.161.46: icmp_seq=6 ttl=48 time=162.720 ms
^C
--- google.com ping statistics ---
7 packets transmitted, 7 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 162.720/164.107/166.483/1.179 ms

(I know the ip is different, but their locations check out to California).

If Netflix measures the round trip times of packets, calculates things like standard deviation, percentiles of packets, total response time between actions, etc., and feeds it into some statistical model, they can easily figure out that there’s a high chance that this person is behind a proxy.
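The statistics mentioned above, computed from the two ping runs in this post, as an added example that is not part of the original post. The function names are hypothetical, and the hop comparison assumes both sets of replies left the server with the same initial TTL.

```python
import re
import statistics

# Reply lines copied from the two ping runs in this post.
VPN_ON = """\
64 bytes from 172.217.161.78: icmp_seq=0 ttl=43 time=187.722 ms
64 bytes from 172.217.161.78: icmp_seq=1 ttl=43 time=186.720 ms
64 bytes from 172.217.161.78: icmp_seq=2 ttl=43 time=189.030 ms
64 bytes from 172.217.161.78: icmp_seq=3 ttl=43 time=186.826 ms
64 bytes from 172.217.161.78: icmp_seq=4 ttl=43 time=188.989 ms
64 bytes from 172.217.161.78: icmp_seq=5 ttl=43 time=186.898 ms
64 bytes from 172.217.161.78: icmp_seq=6 ttl=43 time=189.009 ms
64 bytes from 172.217.161.78: icmp_seq=7 ttl=43 time=199.305 ms
64 bytes from 172.217.161.78: icmp_seq=8 ttl=43 time=192.338 ms
"""
VPN_OFF = """\
64 bytes from 172.217.161.46: icmp_seq=0 ttl=48 time=164.479 ms
64 bytes from 172.217.161.46: icmp_seq=1 ttl=48 time=163.677 ms
64 bytes from 172.217.161.46: icmp_seq=2 ttl=48 time=166.483 ms
64 bytes from 172.217.161.46: icmp_seq=3 ttl=48 time=163.280 ms
64 bytes from 172.217.161.46: icmp_seq=4 ttl=48 time=163.296 ms
64 bytes from 172.217.161.46: icmp_seq=5 ttl=48 time=164.817 ms
64 bytes from 172.217.161.46: icmp_seq=6 ttl=48 time=162.720 ms
"""
REPLY = re.compile(r"ttl=(\d+) time=([\d.]+) ms")


def summarize(ping_output):
    """Parse reply lines; return the RTTs plus the stats ping itself prints."""
    pairs = [(int(t), float(r)) for t, r in REPLY.findall(ping_output)]
    rtts = [r for _, r in pairs]
    return {"rtts": rtts, "ttl": pairs[0][0], "min": min(rtts),
            "avg": statistics.fmean(rtts), "stddev": statistics.pstdev(rtts)}


def welch_t(a, b):
    """Welch's t statistic: gap between the means in units of standard error."""
    se = (statistics.variance(a) / len(a) + statistics.variance(b) / len(b)) ** 0.5
    return (statistics.fmean(a) - statistics.fmean(b)) / se


ON, OFF = summarize(VPN_ON), summarize(VPN_OFF)
EXTRA_MS = ON["min"] - OFF["min"]    # minimum RTT is least affected by queueing
EXTRA_HOPS = OFF["ttl"] - ON["ttl"]  # lower received TTL means more router hops
T = welch_t(ON["rtts"], OFF["rtts"])

if __name__ == "__main__":
    print(f"extra delay {EXTRA_MS:.1f} ms, extra hops {EXTRA_HOPS}, t = {T:.1f}")
```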

Anyhoo, unless I have a breakthrough, I guess I’ll be sticking to Netflix US for the time being. At the very least, I now have my personal VPN in Japan. The silver lining to all this is that my personal VPN is wicked fast =D.

One Excuse I'd Rather Not Make

I came back home from work one day this week, and I really didn’t want to code anymore. So I didn’t.

So I lounged around and watched Netflix.

But then this thought occurred to me:

Is “I don’t feel like doing it” even a valid excuse?

And what is the reasonable justification for not doing what you should be doing?

I don’t feel like working out.

I don’t feel like doing homework.

I don’t feel like taking care of my kids.

Shouldn’t it be:

I can’t work out because my shins are busted?

I can’t do my homework because I’m tired.

I can’t take care of my kids right now because I’m sick.

In summary, I don’t think emotions should dictate our actions. There’s going to be days when you’re going to be super motivated to go for that run, and code the night away. At the same time, there’s going to be crappy days when you really don’t want to take another step after a lousy day at work, nor make another damn stroke on the keyboard. Not because you’re tired, but because you just don’t feel like it.

Why should you work towards your goal only during your good days, and halt during your bad days, solely based on your emotions?

I think you just have to keep at it. Be disciplined. Take just one more stroke. One look. One more step towards your goal.

There are times when the weather is perfect, and the sun is right up in your face and the day is gorgeous. But then there are days that are so murky that you start to question the existence of a light source. Regardless, the sun is still there. It still rises and sets.

Similarly, you just have to work on yourself. Chip away the sculpture you are making one piece at a time. Because the moment you drop the chisel, you gotta pick it up again. It’s so much better to hold onto it, chip even a minuscule piece of what you want to accomplish, than let your muscles relax and let it lose all tension and focus.

True Friends

The most depressing thing about maintaining friendships is when you realize that the other party never held your relationship to the same value that you’ve held it. Or that the friendship never had any substance except for the fact that it was two people shooting the shit.

The evidence of how your friend who you thought you were close with breaks down when you’re in a time of trouble. Or when you’re in a position of weakness and low status. The people who you’ve thought would help you, don’t, and let you down. Maybe they’ll look down upon you.

There is a custom in Korea where if your mother or father dies, your friend visits you in the funeral home, pays respect with a bow, and gives you some money to help offset the expensive cost of running a funeral.

My dad and I traveled for a funeral in Korea for my grandmother, and since we live in the States, the funeral shed light on who were my father’s closest friends. This is because my dad doesn’t live in Korea anymore (although he keeps in touch with his friends), and there’s hardly any chance for him to come back and go to the funeral of all his friends. That means that there is probably NO WAY for him to visit any of his friends’ parents’ funerals, and pay back the money he received.

My dad said he was disappointed that some friends whom he held in high regard never came to pay respects for his mother, because they know that it’s unlikely that they will be able to recover the money they give him. That it was an asymmetric relationship, where you’d go to lengths for your friend, but he wouldn’t do the same for you. Others drove 3-4 hours to pay respects to my grandmother.

But now he knows.

There was a situation for me as well when I was in a pretty rough spot, and I needed a place to stay for one night and be picked up from a train station. Only one friend came through for me. And I’m deeply thankful to him for that.

I feel that I’m encountering this situation once more, and this is causing me to re-evaluate my old relationships, and makes me want to think about what friendships really are. Are they of convenience? Are they of support and encouragement? Is it, to some degree, my fault? And how do you even become close friends in the first place?

To me, it doesn’t matter how many people I know - I’d rather have few close friends who are like hail that pounds on the sidewalks than a bunch of snowflakes that melt as soon as they touch the ground. But I don’t want to be hail for those who won’t be hail for me.
