Superconductor

Back in the days of the dot-com boom, I was talking to a major US airline about replacing their username/password system with certificate-based authentication. They already had a PKI deployed, at least in a minimal way – the people in the security division all had certificates and they had plans to roll the PKI out enterprise wide. They planned to use hardware tokens to hold users’ keys, and that’s why I was talking to them.

Apparently the people from other token vendors didn’t know much about side-channel attacks and other ways to hack hardware tokens. Because I was at least able to talk about this stuff in detail, they probably assumed that our tokens were proof against such attacks, although I certainly didn’t say that. But that was enough to make us the leading contender for a big order of hardware tokens. Hoping that an in-person meeting and demo would convince them to buy our USB tokens, a few of us hopped on a plane (taking flights operated by the airline that we were visiting, of course) and flew to the airline’s offices to show them how well our USB tokens worked.

We failed miserably.

A representative from the airline’s security group brought in his laptop for us to use in the demo, but when we plugged our token into the laptop’s USB port absolutely nothing happened. We had tested our tokens on a wide range of machines before flying out for the demo, of course, and we felt very confident that our demo would go off flawlessly. We were stunned by this failure and flew home determined to find out why we failed.

After a painful week of testing and research we found that there was a well-known problem with a particular chip set that made it not work with USB hardware, and it turned out that were unlucky enough for that particular chip set to be the one used in the laptop that was used in the demo. We hadn’t done our testing on any computers that used this chip set, so we were totally unaware that this problem existed. Even if we had, it would have been difficult to avoid the problem caused by it. Imagine asking a user if their computer uses a particular chip set – almost nobody would know the answer. So even if we knew about this problem in advance, it would have been hard to avoid in the demo.

Things like this happen all the time. Modern technology is complicated and doesn’t always work like it’s supposed to. If you’re in the business of developing new technology, this can make your job very tricky at times. Whatever you create has to work with the huge installed base of other technologies, each of which has their own particular set of bugs.

Before this particular incident, I sort of expected technology to work. Now I accept that there are going to be problems and that it’s probably impossible to find them all.