Creators of Trust Me, It’s Art ask users to sacrifice their own Internet security to make a statement about Internet security.
But don’t ask Taulant Ramabaja to contribute one of his passwords.
“Nobody who’s technical would ever ask anybody for their passwords,” the 21-year-old startup CEO said at a recent tech community gathering he organized in Kosovo’s capital, Pristina. “I know technical people who broke up with their girlfriends because they asked for their Facebook passwords.”
But on the Slovenian website Trust Me, It’s Art people regularly submit what they say are their passwords, which then instantly appear in an online gallery of some 600 submissions.
Now, you might be wondering, why on earth would anyone do this?
It’s “the rush that you get when you enter your password. You find it in the gallery. It’s always staring at you. You feel vulnerable,” said Jure Martinec, who created the Trust Me It’s Art site with fellow graphic design students Klemen Ilovar and Nejc Prah in Slovenia’s capital, Ljubljana.
The site launched in June, born of the students’ curiosity about what kinds of things people would submit. For now, there’s clearly a Slovenian bias, with entries like klobasa, which means “sausage.” Eventually, they hope to turn the passwords into a physical installation.
Ilovar said the idea is to make users aware that their private information isn’t all that private.
“Like Facebook and other applications, you give some information about yourself, and this is, basically, you’re giving much more than you know,” he said. “We’re just more honest. We don’t want to use it. But this is the biggest information you can give to some other person on the Internet.”
The three insist they’re not doing anything nefarious with the information, and they warn that users should not feel secure about anything submitted to the site. Speaking over Skype recently, they all laughed, declaring over one another, that “It’s not really safe — that was not the point. Maybe it’s not so smart to tell that.”
All submissions are anonymous, and they’re continuously shuffled. But there aren’t any special security precautions. Ilovar even says he wouldn’t mind if a hacker did exploit the passwords.
“That would be a positive reaction for us, for the page, for the project, so if anybody does that, well, we don’t support it but it would be positive thing for the project,” he said, because it would underscore just how insecure the Internet is.
In fact, the website creators say they wouldn’t shut down Trust Me It’s Art if a hacker were to find a way to use the passwords.
Dan Goodin, the security editor of the U.S. tech website Ars Technica, says the approach of Trust Me It’s Art’s creators is wrong-headed.
“It reminds me of somebody saying that to demonstrate and raise awareness about street crime, you should take a taxi, (have it) drop you off in the middle of the most dangerous neighborhood at 3 a.m. in the morning and see if you can leave. And, you know, if you get beat up, it’ll show you how dangerous street crime can be,” Goodin said.
Any password that’s submitted to the site can be easily exploited by hackers, Goodin said.
“Hackers will cut and paste every single password that is displayed by these artists in this project and they will be trying those passwords in the future," he said.
In other words, submitting a real password to Trust Me It’s Art is offering hackers another tool in their arsenal for future attacks.
Ramabaja, who runs the startup in Pristina, said submitting a fake password is also risky.
“Even if it’s not your password, it’s still probably, mentally, psychologically connected to what you do or to your actual password or something,” Ramabaja said. “So if someone really wanted to get your password. They could probably use that as a starting point.