Out to Explore the Cybersecurity Planet

05.03.2025

Security ceremonies still fail despite decades of efforts by researchers and practitioners. Attacks are often a cunning amalgam of exploits for technical systems and of forms of human behaviour. For example, this is the case with the recent news headline of a large-scale attack against Electrum Bitcoin wallets, which managed to spread a malicious update of the wallet app.

I therefore set out to look at things through a different lens. I make the (metaphorical) hypothesis that human ancestors arrived on Earth along with security ceremonies from a very far planet, the Cybersecurity planet. My hypothesis continues, in that studying (by huge telescopes) the surface of Cybersecurity in combination with the logical projection on that surface of what happens on Earth is beneficial for us earthlings.

I have spotted four cities so far on the remote planet. Democratic City features security ceremonies that allow inhabitants to follow personal paths of practice and, for example, make errors or be driven by emotions. By contrast, security ceremonies in Dictatorial City compel inhabitants to comply, thus behaving like programmed automata. Security ceremonies in Beautiful City are so beautiful that inhabitants just love to follow them precisely. Invisible City has security ceremonies that are not perceivable, hence inhabitants feel like they never encounter any. Incidentally, we use the words “democratic” and “dictatorial” without any political connotation.

A key argument I shall develop is that all cities but Democratic City address the human factor, albeit in different ways. In the light of these findings, I will also discuss security ceremonies of our planet, such as WhatsApp web login and flight boarding, and explore room for improving them based upon the current understanding of Cybersecurity.

1. INTRODUCTION

Cybersecurity has gone through many theoretical breakthroughs, practical developments, worldwide deployments, subtle flaws and their fixes in a continuous loop — which should also cover Intellectual Capital (IC) [14]. Often, cybersecurity is simplistically understood as a property of a technical system, namely one that Scientists design, in the best case along with its security measures, and then pass on for Engineers to build as actual technology. More precisely, that technology consists of interconnected, heterogeneous pieces, such as a browser running on a client host and a server running in the cloud.

The human factor.

But security measures continue to fail today. An evergreen example comes from the authentication failure due to poor password choice, with the weakest of 5 million passwords leaked in 2018 still being “123456” [12]. A few more examples are outlined below. It is clear that the so-called human factor may be crucial for the fate of security measures. Therefore, it is insufficient to look at a technical system in all sorts of ways to make sure its security measures work; by contrast, it is necessary to look at the technical system holistically with humans, namely to study the effectiveness of the security measures of the socio-technical system that intertwines the given technical system with its users. Therefore, although the mentioned authentication failure is certain to affect the socio-technical system, it may not be entirely due to the inscribed technical system.

Humans may make errors, such as mistakes, namely failures to do what they genuinely wanted to do, or slips, namely momentary lapses that lead to taking an unintended action [18]. Humans may choose to deliberately counter cybersecurity for various reasons, such as perceiving it as a burden. For example, although card-and-PIN authentication to enter premises or record work times may be in place, cards are often left in a public card rack outside the entrance near the PIN pad [31]. Humans may also fall victim to social engineering scams, hence favour someone else’s malicious aims [17]. We must realise that humans are far from being automata perfectly executing the program that the Technocrats prescribed. Hence, scientists must reinforce their joint efforts, particularly with Technocrats collaborating with colleagues from the Humanities, in order to improve their focus on a technical system as just one sub-system of a larger socio-technical system. As a result, scientists may still pass only a technical system on for Engineers to build, but the resulting technology will be secure when used in practice by humans.

Security ceremonies.

Example technical systems are protocols, such as the HTTP protocol, and notably protocols that also incorporate security measures, namely security protocols, such as the HTTPS security protocol. Correspondingly, example socio-technical systems are ceremonies, such as the HTTP ceremony, and notably ceremonies that also incorporate security measures, namely security ceremonies [9], such as the HTTPS security ceremony [10].

With its emphasis on security and the human factor, this article focuses on security ceremonies. These will be named by their main functional objective, for example a “flight boarding ceremony”.

Hypothesis (metaphorical).

Security ceremonies are not yet fully understood and are extremely hard to get right, particularly for their inherent human factor. The main hypothesis of this article is that human ancestors arrived on Earth along with security ceremonies from a very far planet, the Cybersecurity planet. Contacts with that planet have been lost entirely, hence humans and security ceremonies have been evolving on Earth and on Cybersecurity entirely separately.

The ultimate goal of this article is to understand why security measures continue to fail on our planet and how to strengthen them. Therefore, the hypothesis of this article also states that studying (by huge telescopes) the surface of Cybersecurity in combination with the logical projection on that surface of what happens on Earth is beneficial for us earthlings because it gives us a new analysis lens. In particular, not only will this further our understanding of that planet but, as is the case with any space exploration, it will favour a broader and more structured understanding of what we experience on Earth — in this case, in terms of security. The results discussed below will establish this hypothesis as fact.

Article contribution.

This article elaborates on the little we know about the Cybersecurity planet. I have spotted four cities so far. Democratic City features security ceremonies that allow inhabitants to follow personal paths of practice and, for example, make errors or be driven by emotions. By contrast, security ceremonies in Dictatorial City compel inhabitants to comply, thus behaving like programmed automata. Then, security ceremonies in Beautiful City are so beautiful that inhabitants just love to follow them precisely. Finally, Invisible City has security ceremonies that are not perceivable, hence inhabitants feel like they never encounter any.

This is, in short, my current, limited understanding of Cybersecurity. Following the stated hypothesis, it combines what can be seen of that planet by telescopes from Earth with what can be predicted on the basis of terrestrial experience. A key argument that I shall develop is that all cities except Democratic City address the human factor, albeit in different ways. In the light of these findings, I will also discuss security ceremonies of our planet, such as WhatsApp web login and flight boarding, and explore room for improving them upon the basis of the current understanding of Cybersecurity.

Lexical considerations.

Because this article is solely about security ceremonies, these will be often referred to simply as ‘ceremonies’. Similarly, ‘security’ will often be used as a general concept, in fact referring to ‘security measures’.

Moreover, a ceremony will be addressed depending on the city in which it is used, so a ceremony may have the feature of being, respectively, dictatorial, democratic, beautiful or invisible. A ceremony may even combine the four features to some extent, depending on which cities it is used between, consequently receiving and variously mixing their respective influences and customs.

The features are attributes of the security measure that a ceremony uses. Therefore, any claim that is made for brevity about a security ceremony should be, more precisely, referred to the part of the ceremony that forms a security measure. For example, stating that “a security ceremony is beautiful” means that its security measure, say an authentication measure, is beautiful.

Humans will be referenced by the male pronoun everywhere, except for the gate attendant, who will be referenced by the female pronoun to avoid ambiguity with the passenger.

Article structure.

This article continues by describing the current understanding of the four known cities of the Cybersecurity planet, precisely Democratic City (§2), Dictatorial City (§3), Beautiful City (§4) and Invisible City (§5). It develops a critical discussion (§6) and terminates with some conclusions (§7).

2. DEMOCRATIC CITY

Contrary to the variety of vulnerabilities that have occurred on Earth, such as SSL Heartbleed [21], Shellshock [20] and key reinstallation in WPA2 [35], vulnerabilities in this city are not only purely technical but leverage the human factor. In Democratic City, security measures are hard for inhabitants to interpret, use and comply with. Inhabitants may then interact with security ceremonies differently from what the designers of the ceremonies expected, producing vulnerabilities. For example, some people may opt to abort or disable the automatic software update ceremony. Therefore, vulnerabilities exist here despite the Technocrats’ efforts at preventing them, and in fact all sorts of security incidents have happened over time.

In general, security in Democratic City resembles a huge number of scenarios noticeable on our planet, where the “IBM Security Services 2014 Cyber Security Intelligence Index” stated that “over 95 percent of all incidents investigated recognize ‘human error’ as a contributing factor” [28]. The relevance of the human factor to security has not changed over the last few years, with the “IBM X-Force Threat Intelligence Index 2018” remarking that “the potentially detrimental impact of an inadvertent insider on IT security cannot be overstated” [32]. The “Verizon 2019 Data Breach Investigations Report” remarks that “Errors were causal events in 21% of breaches”, that “15% were Misuse by authorized users” and that “33% included social attacks” [34]. To put it simply, humans continue to be somewhat irrational and generally unpredictable despite their risk-benefit mental models [19] and the (technical systems’) use of motivating values and reward mechanisms [36].

Democratic City can therefore be understood by projecting the socio-technical attacks that we witness on Earth. Examples are easy to make. A couple of traditional ones are the sticky notes with login passwords or other security-sensitive information, or the post-completion errors during the log off procedure from a shared or public computer (with the result that the log off does not happen).

But more tricky ones have occurred. One dating back a few years derived from how a human could share a file he had on Dropbox or on Box with other humans [26]. Both systems allowed a human to generate a long, hence difficult to memorise, URL for the file; the human could then send this file-share URL in all sorts of ways to the people he wanted to share the file with. It might have been clear to (almost) everyone that the file-share URL would grant direct access to the file without any form of authentication, hence it was meant to be used with care; nevertheless, two subtler vulnerabilities exposing the file were there:

  • Users inadvertently put the file-share URL in the search bar rather than in the address bar, causing the search engine to index the file-share URL, hence various third parties to access the file.
  • If the file was a text file containing a clickable link to a third party address, humans who clicked on that link caused referral data including the file-share URL to be sent to the third party, which was then enabled to access the file.
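The second leak above happens because a browser sends the current document’s URL in the Referer header when a link is followed, so a capability URL (the secret is the URL itself) travels to whatever third party the link points at. The following added example, not part of the original article, models the W3C Referrer-Policy rules to show which policies leak the share URL and which do not; the share URL and the third-party link are constructed values, and the policy names are the real Referrer-Policy values.

```python
from typing import Optional
from urllib.parse import urlsplit

# Constructed file-share (capability) URL: the path is the secret, not a real link.
SHARE_URL = "https://files.example.com/s/3f9a1c7e0b2d4a6f8e1c9b7d5a3f2e1c/report.txt"
# Constructed third-party link contained in the shared text file.
THIRD_PARTY_LINK = "https://tracker.example.net/landing"


def referer_for(document_url: str, target_url: str, policy: str) -> Optional[str]:
    """Return the Referer a browser sends when a page at document_url navigates to
    target_url under the given Referrer-Policy (W3C semantics). None = no header."""
    doc, tgt = urlsplit(document_url), urlsplit(target_url)
    full = document_url.split("#", 1)[0]              # the fragment is never sent
    origin = f"{doc.scheme}://{doc.netloc}/"          # origin is serialised with a trailing slash
    same_origin = (doc.scheme, doc.netloc) == (tgt.scheme, tgt.netloc)
    downgrade = doc.scheme == "https" and tgt.scheme == "http"
    if policy == "no-referrer":
        return None
    if policy == "no-referrer-when-downgrade":        # the historical browser default
        return None if downgrade else full
    if policy == "same-origin":
        return full if same_origin else None
    if policy == "origin":
        return origin
    if policy == "strict-origin":
        return None if downgrade else origin
    if policy == "origin-when-cross-origin":
        return full if same_origin else origin
    if policy == "strict-origin-when-cross-origin":   # the current browser default
        if downgrade:
            return None
        return full if same_origin else origin
    if policy == "unsafe-url":
        return full
    raise ValueError(f"unknown Referrer-Policy {policy!r}")


def capability_leaks(document_url: str, target_url: str, policy: str) -> bool:
    """True if the secret path of document_url reaches target_url via the Referer."""
    ref = referer_for(document_url, target_url, policy)
    return ref is not None and urlsplit(ref).path == urlsplit(document_url).path


def leaking_policies(document_url: str = SHARE_URL, target_url: str = THIRD_PARTY_LINK):
    """Which policies a file host must avoid when serving capability URLs."""
    policies = ["no-referrer", "no-referrer-when-downgrade", "same-origin", "origin",
                "strict-origin", "origin-when-cross-origin",
                "strict-origin-when-cross-origin", "unsafe-url"]
    return [p for p in policies if capability_leaks(document_url, target_url, p)]


if __name__ == "__main__":
    print("policies that leak the share URL to the third party:", leaking_policies())
```

The defender’s fix is on the file host: serve shared content with a `Referrer-Policy: no-referrer` header (or at least an origin-only policy), so that the secret path never leaves the page even when a user clicks an outbound link.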

It is clear that these vulnerabilities somewhat vanish from a purely technical standpoint because the technical systems were running as normal, namely as expected by their designers and without being violated at any rate. By contrast, we are faced with inherently socio-technical vulnerabilities: they stem from a combination of humans’ ignorance, misunderstanding, inadvertent behaviour or perhaps even deliberate, stubborn misconception that no vulnerability would affect them. Such stances have variously mixed over time, forming a variety of humans’ states of mind or personas that can be considered a large part of the cause of the vulnerabilities.

Along these lines, even the established policy of asking humans to change their passwords from time to time may falter. It is sound in purely technical terms because every secret could be discovered with infinite resources. But a socio-technical reading of it reveals the vulnerabilities tied to the reiterated human choices of passwords. These are customarily thwarted by technical checks requiring the password to be strong enough. But it was recently found that humans often resort to simple, algorithmic changes of the previous password to build the new one, hence attackers just have to fine-tune their brute-forcing techniques.
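A strength meter on the new password alone cannot catch the pattern just described, because “Summer2024!” is as strong as “Summer2023!” in isolation. The added example below (my own illustration, not from the article) is the check a verifier can run at change time: it reduces both passwords to a core by undoing the usual edits (case, leetspeak, appended or incremented digits and punctuation) and rejects the new password when the cores coincide, contain one another, or differ by a couple of edits. The substitution table and thresholds are this example’s assumptions.

```python
import re

# Constructed table of common leetspeak substitutions, undone before comparison.
_LEET = str.maketrans("@$!01345", "asioleas")


def normalise(pw: str) -> str:
    """Password 'core': lower-case, strip the leading/trailing digits and punctuation
    that users increment or append, then undo leetspeak."""
    s = re.sub(r"^[\W\d_]+|[\W\d_]+$", "", pw.lower())
    return s.translate(_LEET)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (single-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_trivial_variant(old: str, new: str, max_edits: int = 2) -> bool:
    """True if `new` is an algorithmic tweak of `old` rather than a fresh secret."""
    o, n = old.lower(), new.lower()
    if n == o or n == o[::-1]:                      # identical or simply reversed
        return True
    co, cn = normalise(old), normalise(new)
    if not co or not cn:                            # all-digit passwords: compare raw strings
        return edit_distance(o, n) <= max_edits
    if co == cn:                                    # only the decoration changed
        return True
    if min(len(co), len(cn)) >= 4 and (co in cn or cn in co):   # core kept, word added
        return True
    return edit_distance(co, cn) <= max_edits


def change_password(old: str, new: str) -> str:
    """Verdict a change-password handler would return (assumed wording)."""
    return "rejected: trivial variant of the previous password" if is_trivial_variant(old, new) else "accepted"


if __name__ == "__main__":
    for old, new in [("Summer2023!", "Summer2024!"), ("Password1", "P@ssw0rd2"),
                     ("Summer2023!", "correct horse battery staple")]:
        print(f"{old!r} -> {new!r}: {change_password(old, new)}")
```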

We also know that security often intertwines with people’s safety. The 2015 “Chatham House Report” shouts out loud that “Some nuclear facilities do not change the default passwords on their equipment”, which implies that attackers may sneak in by trying out default passwords such as ‘0000’ or ‘1234’. It is hard to believe that highly trained and skilled operators do not change the default passwords (because of inadvertence, laziness or whatever sort of distorted logic), but this is reported to be the case even if public safety is involved.

It can be conjectured that these observations also apply to Democratic City on the Cybersecurity planet. It then seems fair to conclude that humans are somewhat incorrectly dealt with in this city because a large part of the responsibilities for many security failures seem to fall on them. In other words, possible threats due to human interaction are not well accounted for. The question then arises as to whether there exist other cities on the planet where humans integrate with the technical systems more smoothly, namely in such a way that the resulting ceremonies are secure. The sequel of this manuscript shows that the answer could be affirmative.

3. DICTATORIAL CITY

I spotted another city on the Cybersecurity planet, Dictatorial City. Here, humans interact with the technical systems in a nearly opposite fashion to that of Democratic City.

Inhabitants’ freedom and responsibility of making choices are reduced to a minimum, such as to determining whether to initiate a ceremony or not. If they opt to engage, then the ceremonies are fully automated and compel humans to specific interactions, somewhat in the style of Poka-yoke. Therefore, humans are not left the choice of deciding how to take a specific step with the system and what information or object or device to use in that step. This does not mean that humans have lost their potential maliciousness or are infallible, but merely that the ceremony receives them securely, namely without hindering its security measures.

So, in this city, human interactions with the technical systems are fully determined by the latter. The only reliance on humans is to memorise simple (namely short and trivial) secrets or carry predetermined objects such as identity documents, or special devices that could be some evolution of RFID cards or smart tokens. Therefore, humans are never required to invent and retain by heart strong (namely long and complex) secrets, and the Dropbox/Box vulnerabilities mentioned above do not exist here because the corresponding features are inhibited by the technical systems. In other words, the ceremonies enforce limited interactions with humans, hence those interactions cannot overturn the security measures.

We do not know much more, yet, about Dictatorial City, but can try again to understand it by projection of what we encounter on Earth. It can be expected that humans are never required to make those difficult and often casual choices on whether and how to continue in front of a website whose certificate the browser cannot validate, because a malicious man-in-the-middle cannot be ruled out. Similarly, this city does not host an SSH configuration that is popular on Earth. When a human connects to a remote host via SSH for the first time, the system displays a message of the form:

The authenticity of host www.dmi.unict.it can't be established.
RSA key fingerprint is 2b:05:ff:64:91:60:24:3a:6e:83:c7:7a:c5:85:0a:41.
Are you sure you want to continue connecting (yes/no)?

By denouncing the lack of a viable public-key certification system, the human is asked a very nasty question that will normally get a blind ‘yes’ answer because out-of-band verification of the fingerprint is tedious. The risk of man-in-the-middle rises again, especially because SSH could be used from a remote, untrusted location such as a cafe. (If the human continues the first time, the fingerprint is then stored locally and the message will no longer be displayed, hence a successful attack would become persistent and stealthy.)
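The dictatorial counterpart of that prompt is to take the decision away from the human: the expected fingerprint is distributed out of band (for example, by the administrator together with the account) and the client compares it mechanically, refusing rather than asking. The added example below, which is not from the article, computes the same fingerprints OpenSSH prints (the `SHA256:` form, base64 without padding, and the older colon-separated MD5 form shown above) from a known_hosts line and pins them. The host name and the key blob are constructed; the blob follows the SSH wire format for an ssh-ed25519 key but its 32 key bytes are a placeholder, not a real key.

```python
import base64
import hashlib
import hmac

# Constructed sample host key in SSH wire format: string "ssh-ed25519", then a
# 32-byte string standing in for the public key (placeholder bytes, not a real key).
KEY_BLOB = b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + bytes(range(32))
# Constructed known_hosts line for a hypothetical host.
KNOWN_HOSTS_LINE = "gw.example.org ssh-ed25519 " + base64.b64encode(KEY_BLOB).decode()


def parse_known_hosts_line(line: str):
    """Return (host names, key type, raw key blob) from one known_hosts line."""
    hosts, key_type, b64 = line.split()[:3]
    return hosts.split(","), key_type, base64.b64decode(b64)


def fingerprint_sha256(blob: bytes) -> str:
    """OpenSSH's default fingerprint: SHA256 of the blob, base64 without '=' padding."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def fingerprint_md5(blob: bytes) -> str:
    """The legacy colon-separated MD5 fingerprint, as in the prompt quoted above."""
    return "MD5:" + ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())


def check_host(line: str, pinned: dict) -> str:
    """Compare the key in `line` against `pinned` (host -> expected SHA256 fingerprint,
    obtained out of band). Returns 'ok', 'mismatch' or 'unknown'; there is no
    'ask the user' outcome, which is the dictatorial point."""
    hosts, _, blob = parse_known_hosts_line(line)
    actual = fingerprint_sha256(blob)
    for host in hosts:
        if host in pinned:
            return "ok" if hmac.compare_digest(pinned[host].encode(), actual.encode()) else "mismatch"
    return "unknown"


if __name__ == "__main__":
    print(fingerprint_sha256(KEY_BLOB))
    print(fingerprint_md5(KEY_BLOB))
    print(check_host(KNOWN_HOSTS_LINE, {"gw.example.org": fingerprint_sha256(KEY_BLOB)}))
```

In an OpenSSH deployment the same effect is obtained without custom code by shipping a pre-populated system-wide known_hosts file and setting `StrictHostKeyChecking yes`, so that an unknown or changed key ends the connection instead of producing the prompt.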

By contrast, a security ceremony that can exist in this city could be inspired by the recent NIST guidelines on authentication, which contain what can be termed the “NIST 2017 Password Setup” ceremony. It rests on the security measure of having the computer choose each secret pseudorandomly by executing an algorithm and also set a threshold for failed verification attempts (to thwart password bruteforcing). Then, secrets can be as short as “6 characters in length and MAY be entirely numeric”. This subverts the previous and currently most widespread “NIST 2004 Password Setup” ceremony, whose implementation constrained the human to invent a robust password (of sufficient length and with alphanumeric and special characters) [6]. The newer ceremony is the more dictatorial because it fully removes the human choice of a password. The older ceremony is, in turn, more dictatorial than the pre-existing ceremony, say “Unconstrained Password Setup”, which allowed the human to even choose a weak password.
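What makes a 6-digit, machine-chosen secret defensible is the pairing of the two measures: pseudorandom choice removes the human’s weak-password and variant-password habits, and the failed-attempt threshold bounds what an online guesser can try. The added example below, my own and not from the article or from NIST, implements that “NIST 2017 Password Setup” shape: the verifier issues the secret, stores only a salted hash, counts consecutive failures and locks the account at a threshold. The threshold of 10, the PBKDF2 storage scheme and the return strings are assumptions of the example.

```python
import hashlib
import hmac
import secrets
import string


class ServerChosenSecretVerifier:
    """Verifier for secrets chosen by the computer, never by the human."""
    ALPHABET = string.digits   # the guideline allows an entirely numeric secret
    LENGTH = 6                 # "as short as 6 characters"
    MAX_FAILURES = 10          # assumed lockout threshold for consecutive failures

    def __init__(self):
        self._records = {}     # user -> [salt, stored hash, consecutive failures]

    @staticmethod
    def _hash(salt: bytes, secret: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)

    def issue(self, user: str) -> str:
        """Pick the secret pseudorandomly (secrets = CSPRNG) and enrol the user.
        The returned value is shown to the human once; the server keeps only the hash."""
        secret = "".join(secrets.choice(self.ALPHABET) for _ in range(self.LENGTH))
        salt = secrets.token_bytes(16)
        self._records[user] = [salt, self._hash(salt, secret), 0]
        return secret

    def verify(self, user: str, candidate: str) -> str:
        """'ok', 'wrong', 'locked' or 'unknown'; the counter resets on success."""
        rec = self._records.get(user)
        if rec is None:
            return "unknown"
        salt, digest, failures = rec
        if failures >= self.MAX_FAILURES:
            return "locked"
        if hmac.compare_digest(digest, self._hash(salt, candidate)):
            rec[2] = 0
            return "ok"
        rec[2] += 1
        return "locked" if rec[2] >= self.MAX_FAILURES else "wrong"

    @classmethod
    def max_online_guess_probability(cls) -> float:
        """Chance of an online guesser succeeding before lockout, assuming the
        secret is uniform over the alphabet: threshold / number of secrets."""
        return cls.MAX_FAILURES / len(cls.ALPHABET) ** cls.LENGTH


if __name__ == "__main__":
    v = ServerChosenSecretVerifier()
    code = v.issue("alice")
    print("issued:", code, "->", v.verify("alice", code))
    print("online guess success probability:", v.max_online_guess_probability())
```

The probability figure is the quantity a designer should compare against the old ceremony: with human-chosen passwords the guesser’s first ten tries are drawn from the most common choices (the “123456” example above), not from a uniform space.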

It is not fully understood how the technical systems are administered in Dictatorial City. We do not know whether such systems are intelligent enough to maintain themselves without human intervention but conjecture that such intervention, if needed, is not malicious and is correct — as if at least humans who are administrators were well-programmed automata. Both options would push to a logical extreme, for example, the ways in which mandatory access control and military systems are administered on Earth.

In summary, human interaction will never undermine security ceremonies in this city of the Cybersecurity planet. Unfortunately, we do not know how to fully accomplish this on Earth as, for example, existing measures to prevent humans from deliberately sharing their secrets are not fully effective and scalable. But nor is Dictatorial City ideal, as I have spotted no evidence that security ceremonies here do not suffer purely technical issues. In other words, there may still exist technical bugs, hence not due to interactions with humans, thus in the style of the examples made above [21, 20, 35].

4. BEAUTIFUL CITY

Security is beautiful in this city, hence inhabitants will receive the security ceremonies, are attracted to them and naturally use them as prescribed by their designers. A logical consequence of this assumption is similar to what we observed in Dictatorial City [13], that whatever vulnerabilities a security ceremony might have would not be due to how humans execute the ceremony, but to technical bugs. However, humans here are not somewhat enslaved but, rather, fulfilled by the interaction with the technical systems.

Inspired by as little as we know about this city, I have been working on trying to reproduce a similar human experience of security on our planet. Viganò and I postulated that security is beautiful if it satisfies a triple of abstract requirements: to be a primary system feature, not to be disjoint from the system functions to be secured, and to be ambassador of a positive user experience [5]. I am going to expand them below.

The first one is unsurprising by itself, as it appeals to the security-by-design principle that we have known for years. Therefore, a technical system, say a web site, should be designed with security in mind from the beginning; this normally enhances the effectiveness of the security measures of the system without making it overly clumsy. Experts in security should then engage with and contribute to the design of the technical system from the design inception. This is also the case with kitchen appliances, for example, because these are getting more and more interconnected through the IoT. For example, when security is not fully accounted for by design in this area, the crooks could be granted a “potential way to steal humans’ Gmail credentials from a Samsung smart fridge” [22]. The fridge failed to validate SSL certificates, thus enabling a man-in-the-middle attack.

The second requirement insists on what even security-by-design fails to prescribe very clearly, that the secure access to a system be exclusive, namely the only possible one. In other words, there is no point building a strong security ceremony without disabling a simple bypass. The relevance of this requirement can be appreciated by evaluating (a variety of) scenarios that have neglected it on Earth. For example, let us think of a web site secured via HTTPS, yet allowing access also via HTTP for whatever legacy or performance reasons; the latter obviously puts credentials at risk.

It is worth mentioning yet another attack that becomes possible if the second requirement is neglected. It sees a human access a Wi-Fi network using whatever security protocol that does not prescribe SSID validation: it becomes trivial for an attacker to set up a fake SSID with the same name as the target SSID and harvest clients’ login credentials on the chance that the clients chose the fake SSID.

The third requirement of beautiful security is perhaps the most abstract one yet most crucial. Security ought to be positive, nice, rewarding and, generally speaking, a somewhat desirable thing to have and comply with. While the bottom line of this feature may be subjective, the requirement aims at something that can be generally considered positive. (For example, despite subjectivity, it might be hard to find people who would genuinely dislike Nutella spread or Ferrari cars).

There is at least another relevant example of something very popular on Earth whose perception has been fully upturned from negative into positive: the use of chewing gum. When I went to primary school, chewing gum was forbidden because “it causes cavities!” but quite the opposite holds today. Thanks to simple changes in the ingredients, such as removing sugar and adding fluorine, chewing gums are often used to thwart cavities when tooth brushing is not handy. I advocate a similar twist of the plot to happen with security ceremonies through beautiful security.

A possible twist could occur by seeking to design ceremonies as an engaging and fun game [13]. An episode of the Peppa Pig cartoon portrays a group of kids wanting to be part of a “secret club” as soon as they come to know of its existence, and they are very willing to pronounce a password [23]. Where people’s perception of security is negative, can we manage to upturn it into such a positive one as is in the cartoon? For example, inspired by existing work [15], we could think of a “Gamified Password Setup” ceremony whereby a human derives his password through a game that is certain to yield a strong secret.

I conjecture that the use of the web interface of WhatsApp on our planet conforms to the beautiful security principle. Figure 1 shows my understanding of the “Current WhatsApp Web Login” ceremony, featuring the human, the app running on the human’s smartphone, the browser running on the human’s computer, and the WhatsApp server. Activities are written in capital letters. They may be conducted locally, namely appear inside a square box such as DISPLAY for the browser’s activity of portraying some data, or ENJOY for the human’s full use of the chat; alternatively, they may be dictated by the human, hence they (become meta-activities and) replace the information that annotates the arrows, such as H_OPEN for the human’s activity of instructing a browser to open a server. Steps 1, 4, 5 and 11 involve human activities; in particular, 4 and 11 take place over visual channels with the human [16]. The other steps form the technical part of the ceremony; in particular, step 6 occurs over an optical channel, as it consists in the activity of scanning through a camera, while all other technical steps are TLS-protected, hence authenticated and confidential, channels.

It can be seen that the browser transmits its identifier to the server, which issues a passcode for the browser, stores it and sends it across. The browser displays it as a QR code, namely sends it to the human on a visual channel. The human recognises it as some QR code (hence the notation hides the parameter) and operates the app running on his smartphone to scan it. The app sends the passcode (just read through the QR code) to the server, which matches it to its stored version and sends the corresponding acknowledgment message. Only if the acknowledgment is positive does the app output the chat to the browser. The browser finally makes the chat available to the human through the visual channel.

The main goal of the ceremony is to authenticate the browser to the app so that the latter can securely share its chat with the former in step 9. This is coherent with the official WhatsApp policy, which claims that the server does not store any chats. Although this version of the ceremony makes it evident that the server facilitates the browser-to-app authentication, the full ceremony details are proprietary. For example, it is not fully clear how exposing the chat on the server preserves end-to-end encryption.

In terms of beautiful security, I find it most important to stress that the passcode is 128 characters long, hence it would have been too tedious for the human to read from the browser and tap in the app, and a “Tap-in WhatsApp Web Login” ceremony would have been hardly beautiful. Having the human point the phone to the browser and scan the QR code is (a crucial design choice that is) being well received: the vast use of the web interface of WhatsApp supports the claim that QR-code scanning combines usability, simplicity, security and also some beauty.
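To make the eleven steps of the ceremony concrete, here is an added simulation of the exchange as described above (my own illustration, not WhatsApp’s code; the real protocol is proprietary, as the text notes). The server S issues and stores a 128-character passcode per browser B, the app A obtains it through the QR code over the optical channel, S compares it and acknowledges, and the chat travels A → S → B. Two details are this example’s assumptions: the passcode is consumed after one successful check, and the QR code is modelled as a tagged tuple rather than an image.

```python
import hmac
import secrets

PASSCODE_LEN = 128          # the passcode length reported in the text


class Server:
    """WhatsApp server S (modelled): ISSUE/STORE pass(B), SET ack, relay c."""
    def __init__(self):
        self._pass_by_browser = {}   # B -> pass(B)
        self._pending = {}           # A -> B, set once A has proved knowledge of pass(B)
        self._inbox = {}             # B -> c

    def issue(self, browser_id: str) -> str:                 # steps 2-3
        passcode = secrets.token_urlsafe(96)                  # 96 random bytes -> 128 URL-safe chars
        assert len(passcode) == PASSCODE_LEN
        self._pass_by_browser[browser_id] = passcode
        return passcode

    def check(self, app_id: str, p: str) -> str:              # steps 7-8: SET ack
        for browser_id, stored in list(self._pass_by_browser.items()):
            if hmac.compare_digest(stored.encode(), p.encode()):
                del self._pass_by_browser[browser_id]         # assumption: one-time passcode
                self._pending[app_id] = browser_id
                return "OK"
        return "KO"

    def relay(self, app_id: str, c: str) -> None:             # step 9 -> step 10
        browser_id = self._pending.pop(app_id, None)
        if browser_id is not None:
            self._inbox[browser_id] = c

    def deliver(self, browser_id: str) -> str:               # step 10
        return self._inbox.pop(browser_id, "ERROR")


class Browser:
    """Browser B: OPEN, DISPLAY QR(pass(B)), DISPLAY c."""
    def __init__(self, browser_id: str):
        self.id, self.screen = browser_id, None

    def open(self, server: Server) -> None:                   # steps 1-3
        self.screen = ("QR", server.issue(self.id))           # DISPLAY QR(pass(B)), H


class App:
    """App A: SCAN_FROM B, SET p, SET c."""
    def __init__(self, app_id: str, chat: str):
        self.id, self.chat = app_id, chat

    def scan_from(self, browser: Browser) -> str:             # steps 5-6, optical channel
        tag, payload = browser.screen
        assert tag == "QR"                                    # the human RECOGNISEd a QR code
        return payload                                        # SET p, pass(B)

    def login(self, server: Server, p: str) -> str:           # steps 7-9
        ack = server.check(self.id, p)
        c = self.chat if ack == "OK" else "ERROR"             # SET c
        server.relay(self.id, c)
        return c


def run_ceremony(scanned_passcode: str = None) -> str:
    """Run steps 1-11 and return what the human ENJOYs; pass `scanned_passcode`
    to simulate an app presenting a passcode that did not come from this browser."""
    S, B, A = Server(), Browser("B-1"), App("A-1", "chat(A)")
    B.open(S)
    p = A.scan_from(B) if scanned_passcode is None else scanned_passcode
    A.login(S, p)
    B.screen = S.deliver(B.id)                                # DISPLAY c, H
    return B.screen                                           # ENJOY c


if __name__ == "__main__":
    print(run_ceremony())                                     # chat(A)
    print(run_ceremony("x" * PASSCODE_LEN))                   # ERROR
```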

This example gives me hope that beautiful security can be reached also on Earth. However, considerable effort will be needed, for example involving large-scale human studies to distill out the features of beauty that security ceremonies could leverage in general.

5. INVISIBLE CITY

In Invisible City, inhabitants cannot see the security measures of ceremonies, hence, security is not perceivable by humans although it is still there. Humans are able to conduct the somewhat obvious activities to pursue their intended goals while not worrying about their security implications. Those activities are secure anyway, yet without any apparent security measures in place. Therefore, I am trying to spot, for example, whether in this city a human can access his bank account securely on any electronic terminal he merely stares at, coherently with what we know, that “The ideal security user experience for most users would be none at all” [36]. In parallel with seeking such evidence, I have also been studying how to make security ceremonies more invisible on Earth. Viganò and I suggested integrating security measures with functions or, alternatively, with other measures that humans would already accept as routine [3].

A similar notion of invisibility has been recently suggested in the context of system patching [7]. It is a reversal of the defense-in-depth principle for the sake of improving the user experience, yet preserving the overall security.

A pioneering example is the iPhone 5S’s integration of the screen wake-up button with the fingerprint sensor. This idea stemmed from the observation that people were used to a stand-by display being off to preserve battery, hence to the need of pressing some button to wake it up when they sought to use it. Integration in this case combines a routine activity, such as screen wake-up, with an important security measure, namely user authentication to the phone, and here is the resulting “iPhone 5S Wake-up” ceremony. By contrast, the previous “iPhone 5 Wake-up” ceremony was based on pressing the wake-up button and would continue with the separate and more traditional authentication measure of tapping a PIN in.

Other examples of how to make security ceremonies more invisible than before can be drawn from the integration of two security measures. One is the use of one password to both decrypt a hard disc and access a user account; another one is the use of a single button on cars’ remote controls to both toggle the power-door locks and the alarm system. However, two separate measures could be harder to violate in certain scenarios.

Airport security offers a remarkable example here. It has become extremely relevant at least because it comes to support passengers’ safety. It derives from a variety of possibly interconnected security ceremonies, the main ones aimed at passengers’ check-in, security controls, and flight boarding. Let us focus on the last one, which takes place face-to-face between a passenger and a gate attendant, with the participation of the gate scanner and a database as technical systems. My understanding of the traditional, most widespread version is shown in Figure 2, ceremony “Flight Boarding I”. It is the version that sees the attendant perform the full checks to authenticate the passenger and determine that he is authorised to board the particular aircraft waiting behind the gate. The ceremony is presented with the same style used above for activities and channels. In particular, a meta-activity also appears here, H_SCAN, which also delivers a (bar or QR) code to the gate scanner, thus it occurs on an optical channel. Steps 3 and 4 are technical and assumed secure. The remaining steps unfold over visual channels, in particular step 5 on a channel between attendant and gate scanner, and steps 1, 6 and 7 on a channel between passenger and attendant.

Passenger $P$ gives gate attendant $A$ three pieces of information: the passenger’s face, his id, such as an identity card or a passport, and his boarding pass. Traditionally, the boarding card would be on a special paper, but has lately evolved to a printout or to a version displayed through the passenger’s smartphone. The attendant begins by checking id authenticity and validity (e.g. it has not expired), and then matching face to id photo. The attendant then checks validity of the boarding pass (e.g. its date is correct) and matches the id name to the boarding pass name. Another important match is between the flight number reported on the boarding pass and the flight number currently assigned to that gate. When all these five activities succeed, the attendant has authenticated the passenger and has some evidence, through the boarding pass, that he is authorised to board the particular aircraft at the gate. Up to approximately the mid 1990s (depending on airports), the ceremony would jump straight onto step 6 (of Figure 2) because a valid boarding pass was considered sufficient authorisation evidence. In fact, the use of database technologies allows the attendant to seek extra authorisation confirmation from the airport database. The attendant then scans the (bar or QR) code of the boarding pass number through the gate scanner, and this causes a query to the database, whose outcome is displayed. The attendant then matches the details of flight and passenger as displayed with those on the boarding pass (the notation hides the parameter of the former because the attendant trusts the scanner to display details about the boarding pass just scanned, hence the attendant does not need to find the boarding pass number through those details). Only if this activity succeeds too, is the passenger allowed to go through, otherwise he is stopped for further scrutiny.

Figure 1: The Current WhatsApp Web Login ceremony. Roles A, B and S take part, with the human H acting through the meta-activities H_OPEN and H_SCAN_FROM. Indented lines are messages or meta-activities carried on a channel; the other lines are activities of a role, listed in the order in which they occur.

BEGIN A, B, S
    H_OPEN https://web.whatsapp.com/
OPEN https://web.whatsapp.com/
    B
ISSUE pass(B); STORE pass(B)
    pass(B)
DISPLAY QR(pass(B)), H
    QR(pass(B))
RECOGNISE QR(·)
    H_SCAN_FROM B
SCAN_FROM B
    QR(pass(B))
SET p, pass(B)
    A, p
SET ack, if p = pass(B) then ‘OK’ else ‘KO’
    ack
SET c, if ack = ‘OK’ then chat(A) else ‘ERROR’
    c
    c
DISPLAY c, H
    c
ENJOY c
END A, B, S
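As an added example, not code from the paper or from WhatsApp, the following Python model runs the ceremony of Figure 1 with both sides’ messages: S issues and stores pass(B), B displays QR(pass(B)) to H, the app A scans it and sends (A, p), and S sets ack and c. The class names, the textual stand-in for QR encoding, the account names and the pass lifetime are assumptions of this model. As a defender’s caveat that the figure leaves implicit, the pass is single-use and expires, so the same QR code cannot be replayed.

```python
"""Executable model of the Current WhatsApp Web Login ceremony (Figure 1).

Added example, not code from the paper or from WhatsApp. Roles follow the
figure: server S, browser B, the smartphone app A and the human H, whose
meta-activities H_OPEN and H_SCAN_FROM drive the run. Class names, the
textual stand-in for QR encoding and the pass lifetime are assumptions.
"""
import hmac
import secrets
import time

WEB_URL = "https://web.whatsapp.com/"


def qr(payload):
    """QR(.) of the figure: a stand-in for real QR encoding."""
    return "QR:" + payload


def recognise_qr(code):
    """RECOGNISE QR(.): recover pass(B) from what was scanned."""
    if not code.startswith("QR:"):
        raise ValueError("not a QR code")
    return code[3:]


class Server:
    """Role S: ISSUE and STORE pass(B); later SET ack and SET c."""

    def __init__(self, chats, ttl_seconds=300):
        self.passes = {}        # B -> (pass(B), issue time)
        self.chats = chats      # A -> chat(A); constructed sample data
        self.ttl = ttl_seconds  # assumed lifetime of a displayed pass

    def open_session(self, b):
        """On message B: ISSUE pass(B), STORE pass(B), return it to B."""
        p = secrets.token_urlsafe(32)     # fresh and unguessable
        self.passes[b] = (p, time.time())
        return p

    def login(self, a, p, now=None):
        """On message (A, p): ack = OK iff p = pass(B); c = chat(A) iff ack = OK.
        Two defender-side choices the figure leaves implicit: the pass is
        single-use and expires, so a QR code copied off the screen cannot be
        replayed later."""
        now = time.time() if now is None else now
        for b, (stored, issued_at) in list(self.passes.items()):
            if hmac.compare_digest(stored, p):
                del self.passes[b]                     # single use
                if now - issued_at > self.ttl:
                    return "KO", "ERROR"
                return "OK", self.chats[a]
        return "KO", "ERROR"


class Browser:
    """Role B: OPEN the web app and DISPLAY QR(pass(B)) to H."""

    def __init__(self, name, server):
        self.name, self.server = name, server
        self.screen = None       # visible to H and to a scanning phone
        self.chats = None

    def open(self, url):
        """OPEN url: send B to S, receive pass(B), DISPLAY QR(pass(B)), H."""
        if url != WEB_URL:
            raise ValueError("wrong site")
        self.screen = qr(self.server.open_session(self.name))

    def receive(self, c):
        """DISPLAY c, H."""
        self.chats = c


class Phone:
    """Role A: the app logged in as account A."""

    def __init__(self, account, server):
        self.account, self.server = account, server

    def scan_from(self, browser, now=None):
        """SCAN_FROM B: read QR(pass(B)) off B's screen, SET p, send (A, p)."""
        p = recognise_qr(browser.screen)
        return self.server.login(self.account, p, now)


def run_ceremony(account="alice", delay=0.0):
    """H's view: H_OPEN, then H_SCAN_FROM B `delay` seconds later, then ENJOY c.
    Returns (ack, what B displays, server, browser, phone)."""
    server = Server({account: ["constructed sample chat of " + account]})
    browser = Browser("B1", server)
    phone = Phone(account, server)
    browser.open(WEB_URL)                                    # H_OPEN
    ack, c = phone.scan_from(browser, time.time() + delay)   # H_SCAN_FROM B
    if ack == "OK":
        browser.receive(c)                                   # c reaches B, then H
    return ack, browser.chats, server, browser, phone
```

Running `run_ceremony()` yields ack ‘OK’ and the chats on the browser; scanning the same screen a second time, or scanning it after the lifetime has elapsed, yields ‘KO’ and ‘ERROR’, which is the behaviour a defender wants from a pass that a bystander could photograph.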

I observe that there are a number of activities for the attendant to carry out for each passenger of a long boarding queue, precisely two VALIDATE and four MATCH activities. These may turn into a source of tiredness or boredom, hence cause errors or deliberate activity deviations or simplifications. In support of this conjecture comes a headline that saw a passenger complain of having taken a wrong flight, reaching a wrong destination [25]. Another similar event occurred recently [24]. Arguably, the attendant got at least her final MATCH activity (of Figure 2) somewhat wrong. With airport security being so sensitive at present, this event could be turned into various threats should a passenger attempt it deliberately and not report it. Threats may range from terrorists targeting a specific flight without disclosing its purchase, to business threats such as a passenger hopping on a more expensive flight than the purchased one, or even sending someone else to fly on his ticket without paying the fee. These could become more effective by exercising some social engineering activities on the attendant, such as simple distraction.

I remark that this is my own version of a widespread boarding ceremony and, of course, there are many variants also in use. One rests on an electronic boarding pass shown on the passenger’s smartphone through a dedicated app or as a PDF document. In my personal experience, it would seem that, with this ceremony variant in use, the attendant routinely dismisses the “VALIDATE bp” activity, plausibly because it is not clear how to do that. However, an electronic version of a boarding pass is at least equally easy to fake as the paper version. This choice of the attendant’s signifies that she is opting to offload the verification effort on the technical systems, because she is assuming that the gate scanner can take that effort and check the pass against a relevant database. A sibling observation is that there is some redundancy in the attendant’s activities aimed at checking passenger authorisation, as these consider both information she gathers from the boarding pass and information she reads from the display integrated with (or connected to) the scanner.

These notes inspire a process to make the security measures (of passenger authentication and authorisation) of this ceremony more invisible for its human participants, for the attendant especially. One way would be to offload the measures as much as possible onto the technical components, provided these exist. I therefore suggest dispensing with the boarding pass entirely and leveraging an electronic id, which can be easily scanned. The resulting ceremony, “Flight Boarding II”, is given in Figure 3. Its security is certain to have become more invisible for the passenger because he does not need to carry a boarding pass anymore. It is substantially more invisible for the attendant, who is merely left with two MATCH activities altogether. Two of the attendant’s early activities are no longer necessary, and two are postponed. In particular, id validation is postponed but delegated to the gate, which is therefore no longer a simple scanner (it will perform some cryptographic verification of some digital certificate). The verification that the passenger is at the right gate is still for the attendant to carry out, though deferred till after step 5, when the relevant information becomes available. It is a match between the flight number currently assigned to the gate, which is public information, and the flight number as it is displayed to the attendant following the boarding pass scan.

A technical observation is that the database is queried by the electronic id number with the addition of the current time in order to retrieve the most imminent flight first — the passenger might of course fly more than once on the same passport, hence a number of flights would be associated with the same id, though with different dates (or times if we admit that a passenger can take off more than once in a day from the same airport). Also, passengers often use a boarding pass as a memo of the flight to take and of the gate to target, but a dedicated airport app would easily deliver the same, and more easily updated, information, also reducing the inherent risk of missing a flight. With smartphones increasingly, if not fully, pervading our lives, checking an app is bound to become better received than carrying a specific document such as a boarding card and at the same time checking the airport displays. On the other hand, although the attendant must still check that the passenger is at the right gate, her activities are dramatically reduced. The main outcome therefore is a more invisible security ceremony for both passenger and gate attendant. This supports the claim that ceremony Flight Boarding II achieves stronger passenger authentication and authorisation than ceremony Flight Boarding I due to the reduced risk of passenger or attendant’s errors, deliberate deviations or simplifications.
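The reduction of the attendant’s workload from Flight Boarding I to Flight Boarding II, and the database query by id number plus current time, can be made concrete in code. The following Python model is an added example, not code from the paper: it returns the list of activities the attendant actually performs together with the verdict, so the two VALIDATE and four MATCH activities of the first ceremony can be compared with the two MATCH activities of the second. Which two activities remain for the attendant, the data structures, the function names and the sample passenger with two flights on one day are assumptions of this model.

```python
"""Model of the gate attendant's activities in Flight Boarding I and II.

Added example, not code from the paper. Flight Boarding I: two VALIDATE and
four MATCH activities around a scan of the boarding pass. Flight Boarding II:
the gate validates the electronic id, the database is queried by id number
and current time so that the most imminent flight comes first, and the
attendant keeps two MATCH activities. Which two, the data structures, the
function names and the sample passenger are assumptions of this model.
"""
from dataclasses import dataclass
from datetime import date, datetime


@dataclass(frozen=True)
class IdDocument:
    number: str
    name: str
    photo: str          # stands in for the face shown in the id photo
    expires: date


@dataclass(frozen=True)
class BoardingPass:
    number: str
    name: str
    flight: str
    flight_date: date


class AirportDb:
    """Constructed airport database behind the gate scanner."""

    def __init__(self, passes, flights, trusted_ids):
        self.passes = passes            # bp number -> (name, flight)
        self.flights = flights          # id number -> [(flight, departure)]
        self.trusted_ids = trusted_ids  # stands in for certificate verification

    def lookup_pass(self, bp_number):
        """Flight Boarding I: the scan of the bp code queries this."""
        return self.passes.get(bp_number)

    def gate_verify(self, eid, now):
        """Flight Boarding II: id validation moved from attendant to gate."""
        return eid.number in self.trusted_ids and eid.expires >= now.date()

    def next_flight(self, id_number, now):
        """Query by id number plus current time: the most imminent flight
        first, so a passenger with several flights on one id gets the right one."""
        upcoming = [(dep, f) for f, dep in self.flights.get(id_number, [])
                    if dep >= now]
        return min(upcoming)[1] if upcoming else None


def flight_boarding_i(face, id_doc, bp, gate_flight, today, db):
    """Attendant's activities in Flight Boarding I, in the order the text
    gives them. Returns (activities performed, verdict)."""
    checks = [
        ("VALIDATE id", id_doc.expires >= today),
        ("MATCH face, id photo", face == id_doc.photo),
        ("VALIDATE bp", bp.flight_date == today),
        ("MATCH id name, bp name", id_doc.name == bp.name),
        ("MATCH bp flight, gate flight", bp.flight == gate_flight),
    ]
    done = []
    for name, ok in checks:
        done.append(name)
        if not ok:
            return done, "STOP"
    displayed = db.lookup_pass(bp.number)   # bp code scanned, result displayed
    done.append("MATCH displayed details, bp")
    if displayed != (bp.name, bp.flight):
        return done, "STOP"
    return done, "BOARD"


def flight_boarding_ii(face, eid, gate_flight, now, db):
    """Attendant's activities in Flight Boarding II. The gate validates the
    e-id and displays the flight returned by the database; the attendant
    only matches face to id photo and gate flight to displayed flight."""
    if not db.gate_verify(eid, now):
        return [], "STOP"                  # rejected by the gate, no attendant work
    displayed_flight = db.next_flight(eid.number, now)
    if displayed_flight is None:
        return [], "STOP"
    done = ["MATCH face, id photo"]
    if face != eid.photo:
        return done, "STOP"
    done.append("MATCH gate flight, displayed flight")
    if gate_flight != displayed_flight:
        return done, "STOP"
    return done, "BOARD"


# Constructed sample data: one passenger with two flights on the same day.
TODAY = date(2025, 3, 5)
MORNING = datetime(2025, 3, 5, 9, 0)
AFTERNOON = datetime(2025, 3, 5, 15, 0)
NEXT_DAY = datetime(2025, 3, 6, 9, 0)
ANN_ID = IdDocument("ID-7", "Ann Example", "face-of-ann", date(2030, 1, 1))
ANN_BP = BoardingPass("BP-001", "Ann Example", "XY123", TODAY)
DB = AirportDb(
    passes={"BP-001": ("Ann Example", "XY123")},
    flights={"ID-7": [("XY123", datetime(2025, 3, 5, 10, 30)),
                      ("XY456", datetime(2025, 3, 5, 18, 0))]},
    trusted_ids={"ID-7"},
)
```

With the sample data, `flight_boarding_i` boards Ann after six attendant activities, while `flight_boarding_ii` boards her after two; run at 15:00, the query returns her evening flight XY456 rather than the morning one already departed, and the attendant’s gate match stops her at a gate assigned to XY123.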

I sketched this ceremony in 2016 [3] and, borrowing systems already in use at Border Control at least in the UK, conjectured a further amendment during my talk, that “the passport has a scan of your fingerprint, and so you just go through even without a human attendant there, you just go through, scan your passport, scan your finger, and you would be let in or not. Doesn’t it work like that to enter the UK if you have an electronic passport nowadays?” [3]. I was speculating on a flight boarding ceremony whose security is yet more invisible for the attendant. It is ceremony “Flight Boarding III”, here shown in Figure 4 remarkably with an empty attendant’s role. Its gist is that the electronic id that an approaching passenger hands out for the gate to scan also stores securely some biometric information, such as fingerprint or face scan, of the passenger’s, which the gate matches to the homologous information scanned live from the passenger. The final check that the passenger is at the right gate is now shifted from the attendant to the gate, and the same applies to the definition of the verdict.

But spring 2016 seemed early to revolutionise the airport experience according to ceremony Flight Boarding III, and I was met with the criticism that my idea would take too long to work at a gate, up to ten or fifteen seconds per passenger. I replied “Yes, but tomorrow it will take three seconds. The question is, would a human attendant take less than ten seconds?” [4]. This has almost become reality today, with a similar ceremony “clearing up to 10 passengers a minute” since November 2017 through a pilot in Miami airport [22]. British Airways has also started testing similar techniques at Heathrow Terminal 5 [1], and Dubai International airport is testing a face-scanning fish tunnel to catch passengers’ attention and make their face scanning a yet more invisible security measure [8]. These ceremonies are different but share the gist of making passenger’s authentication and authorisation measures as invisible as possible, ultimately without a human attendant. The passenger’s electronic id may have to be scanned just once through the entire airport experience, if at all. Even more recently, a system is being tested that leverages a database of passengers’ electronic passports built over time while passengers apply for a new passport. As a result, a passenger would no longer need to carry his electronic id [38] at boarding time, because his face, or any other biometric info, would be scanned and matched to the information stored in the database about the passenger. The resulting ceremony, say “Flight Boarding IV”, omitted here, would become even leaner than Flight Boarding III, by dismissing the e-id entirely.

These observations reassure us that the invisible security revolution has already begun on our planet too. With biometric scanning techniques becoming ever more performant, the invisibility of security ceremonies will thrive. Earth seems to be evolving as advocated by the “Minority Report” film [37], but at least the privacy implications are yet to be fully explored. However, removing the human component from the enforcement of security measures may also have negative consequences that are yet to be fully explored. For example, a human attendant may observe passengers’ suspicious behaviour and notice countless elements that technology would not, unless it is specifically programmed to do so.

  1. DISCUSSION

All cities are distinct, and it is clear that only the ceremonies that are used in Democratic City ignore the human factor; hence, such ceremonies cannot be used in other cities, whose ceremonies, conversely, attempt to address that factor.

Therefore, a ceremony may exist in more than one city among the other three, as summarised in Table 1, which is discussed below. I also conjecture that ceremonies may exist outside cities, combining partial features of the neighbouring cities.

Table 1 compares the features of being dictatorial, beautiful or invisible that the most relevant ceremonies introduced above exhibit. To offer a useful summary, contents are simplified to tick, cross and tilde, with the tilde indicating that a feature is present to some extent. Defining the precise range of each feature exceeds the scope of this article, therefore quantitative arguments on the extent to which a feature is present, or on which of two ceremonies has more of a feature, cannot be made here. Likewise, one may be left wondering whether the Current WhatsApp Web Login ceremony could be made yet more beautiful, or whether there exists a flight boarding ceremony that is yet less dictatorial for the attendant than Flight Boarding I (arguably the former question seems more relevant than the latter). However, the top level of invisibility for a participant is easy to define through the emptying of the participant’s role, as with the attendant’s in Flight Boarding III. The empty set symbol stands for the empty role, and the question mark is often used on the ‘beautiful’ feature to indicate the inherent subjectivity.

If a security ceremony invites more than a single human role, then the three features may vary across participants and, therefore, must be evaluated on each. This is the case with flight boarding, at least originally. So, every column of Table 1 forks on each flight boarding ceremony.

We know that Dictatorial City cancels human choices during the interaction with the ceremonies. Therefore, it is clear that Unconstrained Password Setup is not dictatorial. Equally, the first two boarding ceremonies are not dictatorial for the attendant and, in particular, do not prescribe anything like having the attendant fulfil an activity checklist that is guarded and guaranteed by someone else or by machines. Neither iPhone wake-up ceremony is dictatorial, because the human can decide to remove its security measure and wake up a phone without any authentication at all.

It can be seen that six other ceremonies are dictatorial, including Flight Boarding IV for the passenger, because the passenger cannot influence the security of the measure (because it is invisible). Three other ceremonies are somewhat dictatorial, as the tilde indicates. As mentioned (§4), the older version of the NIST password setup ceremony turns out to be less dictatorial than the newer version because only the older allows the human to choose the password.

