About Michael Farb

Michael Farb is a Research Programmer with Carnegie Mellon CyLab. Michael comes to CyLab after many years in industry as a mobile device developer in publishing, logistics, transportation, and after one too many encounters as an identity theft victim. He is working with researchers at CyLab to provide smartphone end-users with practical solutions for securely exchanging their identity data.


CyLab Chronicles

Q&A with Michael Farb (2011)

posted by Richard Power

CyLab Chronicles: From smartphones to tablets, from wireless to GPS, from mobile apps to the Cloud, Mobility is rapidly and profoundly changing computing all around us; what do you see as the challenges and opportunities in this space of Mobility and Security? How does mobility impact security? How is Security impacting Mobility?

Michael Farb: Mobile applications provide instant gratification for our rapidly inflating to-do lists. The more we get done, the more we want to get done. The security challenge is to prevent us from deluding ourselves that since we perform a task quickly there is little chance anyone is “watching” us digitally. Mobile applications also make it easier and faster for us to release information when we may not have been very thoughtful about the personal ramifications. What does all this data about us add up to? If it misrepresents us, what can we do about it? The challenge here is how to prevent the aggregation of our public data to protect users' anonymity. We are constantly moving more of our analog and stationary digital tasks to mobile digital tasks, many of which only access our data stored in the cloud. Fortunately, there is a grand opportunity to take advantage of these mobile platforms to enhance security since their small screens demand very simple interfaces. Privacy warnings can be graphically represented on attention-grabbing areas of the screen. Similarly, when a secure channel is missing, users may be made aware. Complex security tasks, such as exchanging public keys and ensuring their owner's identity, can be simplified to a few smartphone device screen comparisons in person, which is exactly what our KeySlinger application does.

CyLab Chronicles: Tell us about KeySlinger. What does it do? What issue does it address? What problem does it solve? What capability does it provide?

Farb: KeySlinger is the result of research at Carnegie Mellon’s CyLab that resolves a specific security problem. The problem: How can we start a trusted relationship between people, on the fly, without people having sophisticated knowledge of security protocols? In the past, people might meet to digitally sign each other’s PGP keys, which leverages physical proximity to bootstrap trust. This method, however, requires all parties to have some sophisticated knowledge of security protocols. Another method would be to use a certificate authority that signs keys. The latter method requires considerable investment in infrastructure and administration and, as such, is not a good fit for small, spontaneous groups. To solve this, we easily bootstrap secure communication in person with a smartphone, which most people already own, in just a few easy steps. KeySlinger is designed to allow users to store any data, such as a public key, in their phone’s address book. When users run KeySlinger, they select their own key from the address book, enter a pair of short numbers and confirm that a 3-word list matches the one displayed on the other users' phones.

CyLab Chronicles: How does one get a hold of KeySlinger? How is it installed? How is it used? What can users expect from it?

Farb: KeySlinger is available for Android, iPhone, iPad, and iPod Touch devices from the Android Market and iTunes App Store. One instance of the application is installed on each user's phone, and two or more users can establish trustworthy communications. KeySlinger can be used stand-alone for secure contact exchange, but even better, can be used in combination with compatible third-party applications, such as the encrypted SMS application TextSecure by Whisper Systems. KeySlinger is intended as a tool that any developer can use from their application to exchange their custom data. The result is a set of imported keys for each user in the phone’s address book. Attacks are automatically detected via the word list confirmation, and users can be confident that trustworthy communication is possible when complete. No central administration or sophisticated security knowledge is needed.
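The two answers above describe the in-person check at a high level: each phone shows a short word list, and the users confirm the lists match. The page does not give KeySlinger's actual construction, so the following is an added illustration, not the project's code: a toy short-authenticated-string check in which every phone hashes the set of keys it received and reads off three words, and a relaying attacker who substitutes keys causes the phones to show different words. The dictionary, key values and function names are constructed for the example.

```python
import hashlib
from typing import Iterable, List

# Constructed, hypothetical dictionary; a real tool draws from a much larger one.
WORDS = [
    "apple", "bridge", "candle", "dragon", "eagle", "forest", "garden", "harbor",
    "island", "jacket", "kettle", "ladder", "marble", "needle", "orange", "pencil",
]


def fingerprint(received_keys: Iterable[bytes]) -> bytes:
    """Hash the set of public keys a phone received, independent of arrival order.
    Each key is length-prefixed so concatenation boundaries are unambiguous."""
    h = hashlib.sha256()
    for key in sorted(received_keys):
        h.update(len(key).to_bytes(4, "big"))
        h.update(key)
    return h.digest()


def word_list(received_keys: Iterable[bytes], n_words: int = 3) -> List[str]:
    """Map the first n_words bytes of the fingerprint onto dictionary words."""
    digest = fingerprint(received_keys)
    return [WORDS[b % len(WORDS)] for b in digest[:n_words]]


def lists_agree(*lists: List[str]) -> bool:
    """The in-person check: every participant reads the same words."""
    return all(lst == lists[0] for lst in lists[1:])


def simulate() -> dict:
    # Constructed sample keys; in practice these would be PGP or messaging identity keys.
    alice = b"ALICE-PUBLIC-KEY-0001"
    bob = b"BOB-PUBLIC-KEY-0002"
    mallory = b"MALLORY-PUBLIC-KEY-0003"  # a relaying party who substitutes keys

    # Honest exchange: both phones receive the same two keys (in any order).
    honest = lists_agree(word_list([alice, bob]), word_list([bob, alice]))

    # Substitution: each phone receives Mallory's key in place of the other person's.
    alice_view = [alice, mallory]
    bob_view = [mallory, bob]
    attacked = lists_agree(word_list(alice_view), word_list(bob_view))

    return {
        "honest_exchange_agrees": honest,
        "substituted_exchange_agrees": attacked,
        "fingerprints_differ_under_attack": fingerprint(alice_view) != fingerprint(bob_view),
    }


if __name__ == "__main__":
    for name, value in simulate().items():
        print(f"{name}: {value}")
```

With a 16-word dictionary the three words carry only 12 bits, which is why a deployed tool uses a much larger dictionary or longer strings; the design point the example shows is that the words are a function of everything each phone received, so any substitution on the wireless path surfaces as a visible mismatch that the users themselves catch, with no central authority involved.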

CyLab Chronicles: What are your thoughts about mobile apps, and mobile security apps in particular? What are the benefits and disadvantages of operating in such an environment, both for developers and users?

Farb: Mobile devices and applications are only going to continue to proliferate. They are easy, quick, and extremely popular. Companies are so eager to promote their smartphones in this space that all the developer tools are free. However, it does mean that security should be on the forefront of every mobile developer's mind. We are building these thin-client solutions on mobile devices to access massive amounts of cloud-based data and software. We should always be thinking about how to protect the channels this data travels across. The only cost to a developer might be the annual fee that each company requires for access to its application marketplace submission process, which right now is between $25 and $200, per smartphone marketplace. It can be bewildering to new developers who want to release a mobile app for a wide variety of platforms. None of the smartphone operating systems exceeded 30% of the market share in Q3 2010. To build software for the most phones you'll have to learn Objective-C, Java, Symbian C++, C# .NET and each system's software development kit (SDK), if you don't know some of them already. There are a few platforms now, called PhoneGap and Rhodes, that will allow you to build natively run applications in HTML, JavaScript or Ruby. These are truly cross-platform frameworks that offer their own libraries in each device’s native language, which allow you to run a common scripted program in the same language. They are still evolving, but may be the future for one-language development for any smartphone device. Mobility to security means the end of the last excuse developers can give themselves, that obscurity means security. Releasing mobile software that uses any wireless communication without a thought to consumers’ privacy or security is irresponsible. We should be asking ourselves: If the device is stolen, is my data secured? If communications are monitored, is the channel secure?

Download the app and learn more about KeySlinger.
