This magic word "Cryptography"

This is a real life story. We were building an enterprise with micro-payments involved and stuff. We needed a terminal/kiosk network, and this task was bound to be outsourced. So my boss had found a company XYZ that offers ready-made solutions, and he asked me to investigate their offer. I returned to him with my verdict:
— we can't use this XYZ service, because they require our users to submit their passwords to XYZ, and then XYZ logs into our system on the user's behalf. This is plain wrong, and should never be implemented.
He argued on the basis «a well established company cannot possibly sell us junk» — so stunningly true! yeah! So he decided to carry out his own investigation.

A few days later he informed me of his decision:
— I have presented XYZ's offer to a computer security specialist N. He advised us against using XYZ's services because they do not employ cryptography.

So the story has ended quite happily. Thanks to the magic of the «cryptography».

Making A Game: Siberian Dice

I was asked to shed some light on the development process of Siberian Dice. Surprisingly, there are interesting aspects to speak about.

First of all, it was not meant to be a mobile application. It all started as a purely mathematical endeavour. Initially, we wanted to investigate some properties of the game, since it appeared so elegant and sophisticated to us. At a certain point we decided to develop an AI, in order to produce some «real» games for further investigation, where by «some» I mean an amount orders of magnitude greater than a human can produce simply by playing the game full-time for several years.
So we did.

A new game in town: Siberian Dice aka 37.6

Lame Heron has released a wonderful board game — embarrassingly simple albeit tremendously rich in strategies. This is an ancient game played by some indigenous tribes of Siberia isolated from the rest of the world for millennia. This marvelous game remained undiscovered until recently. Having been invented and developed in nearly complete cultural isolation, this game employs mechanisms very alien to a player of «western» origin. Although the mathematical and physical substance of the game is not from a parallel universe — it is still cubical dice and a hexagonal board well known to everybody — the dice are used in a very unorthodox manner: they are randomizers and the moving pieces at the same time. The goal of the game is also surprising; it does not fall into any usual category: it is not a «capture» goal, nor an «advance to» goal, neither is it a «connect» goal, not even a «dominate» goal, yet it is a very simple condition that clearly follows from the rules and is easily readable on the board.

How many capital letters does your password contain?

Do you really, I mean really, believe that computers are afraid of capital letters? And punctuation? Don't tell me that you want to scare off people, not computers; given a second thought, it would be even more ridiculous.

How would you feel if a service provider asked you: «please include at least three capital letters, seven underscores, and the number thirteen in your password»? — weird? You had better adjust your attitude. The first ingredient is already required by some; more will follow soon.

Seriously, have you ever tried to think about why all those «password choosing» policies are so ridiculous and stupid, and whether they are as beneficial as people believe?

The serious answer to the question is given in my new paper on password authentication: arxiv.org/abs/1505.05090. Its summary is as follows: «The password policies are futile, because they have no formal mathematical foundation at all, and this is why they are all as ridiculous as homeopathy».

Here I want to present some fun aspects of the problem.

The two most prominent protagonists of computer security, MS and Google, directly contradict each other:

DO NOT USE:
Common letter-to-symbol conversions, such as changing «o» to «0».
USE:
similar looking substitutions, such as the number zero for the letter 'O'
No one notices. Both of these password creation policies are equally respected. Who are we to doubt the Wisdom of the Titans!?
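To put a number on what either rule buys, here is a small Python example added to this post (it is not the paper's code, nor anything from MS or Google). It assumes a constructed toy dictionary of six common words and a constructed table of the «similar looking substitutions» both policies argue about (o→0, a→@, s→$ and so on), enumerates every variant a guesser would try, and counts how many of those variants already satisfy a typical «at least one digit and one symbol» rule. The absolute numbers depend on the toy inputs; the comparison with a random password of the same length does not.

```python
"""Search space of letter-to-symbol substitutions versus random passwords.

Added example, not code from the post or the cited paper. The word list
and the substitution table below are constructed for illustration.
"""
import itertools
import math
import string

# Constructed toy dictionary. A real guesser's word list is millions of
# entries long; that scales the totals but not the conclusion.
DICTIONARY = ["password", "dragon", "letmein", "monkey", "football", "shadow"]

# Constructed table of the "similar looking substitutions" quoted above.
LEET = {"o": "0", "a": "@", "e": "3", "i": "1", "s": "$", "l": "1", "t": "7"}

# Alphabet a genuinely random password would be drawn from (94 symbols).
PRINTABLE = string.digits + string.ascii_letters + string.punctuation


def leet_variants(word):
    """Yield every string obtainable from `word` by optionally substituting
    each character according to LEET, e.g. 'foo' -> foo, fo0, f0o, f00."""
    choices = [(c, LEET[c]) if c in LEET else (c,) for c in word]
    for combo in itertools.product(*choices):
        yield "".join(combo)


def policy_search_space(words):
    """Candidates needed to cover every word plus all its substitution
    variants: 2 ** (number of substitutable characters) per word."""
    return sum(2 ** sum(1 for c in w if c in LEET) for w in words)


def random_search_space(length, alphabet=PRINTABLE):
    """Candidates needed to cover every password of `length` drawn uniformly
    from `alphabet`."""
    return len(alphabet) ** length


def bits(n):
    """Size of a search space expressed as bits of guessing work."""
    return math.log2(n)


def meets_typical_policy(pw):
    """A common composition rule: 8+ characters, a digit and a symbol."""
    return (len(pw) >= 8
            and any(c.isdigit() for c in pw)
            and any(c in string.punctuation for c in pw))


def compliant_variants(words):
    """Substitution variants that pass the composition rule, i.e. the
    passwords the policy accepts while a guesser still covers them in
    policy_search_space(words) attempts."""
    return [v for w in words for v in leet_variants(w) if meets_typical_policy(v)]


if __name__ == "__main__":
    leet_total = policy_search_space(DICTIONARY)
    rand_total = random_search_space(8)
    print(f"dictionary + substitutions : {leet_total} candidates, "
          f"{bits(leet_total):.1f} bits")
    print(f"random 8-char password     : {rand_total} candidates, "
          f"{bits(rand_total):.1f} bits")
    ok = compliant_variants(DICTIONARY)
    print(f"variants that satisfy the composition rule: {len(ok)}, "
          f"e.g. {ok[:3]}")
```

Every «policy compliant» string the script finds, such as p@$$w0rd, sits inside a search space of 128 candidates (7 bits) for this toy list, against roughly 2^52 for an eight-character password chosen uniformly from the 94 printable characters; whether the substitution is recommended or forbidden changes nothing about which side of that gap the password lands on.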

Also, the Titans teach us that there is an inherent contradiction between security and memorability. Of course the Titans do not condescend to proving their claims. We are supposed to make a leap of faith. I don't have faith; I need a proof, or at least some evidence supporting the claim. Here is the claim:

Human memory is limited and therefore users cannot remember secure passwords.
Call me when you find any evidence of that.