Full Disclosure

Full Disclosure and the Boston Farecard Hack

This preference for secrecy comes from confusing a vulnerability with information about that vulnerability. Using secrecy as a security measure is fundamentally fragile. It assumes that the bad guys don’t do their own security research. It assumes that no one else will find the same vulnerability. It assumes that information won’t leak out even if the research results are suppressed. These assumptions are all incorrect.

The problem isn’t the researchers; it’s the products themselves. Companies will only design security as good as what their customers know to ask for. Full disclosure helps customers evaluate the security of the products they buy, and educates them in how to ask for better security. The Dutch court got it exactly right when it wrote: “Damage to NXP is not the result of the publication of the article but of the production and sale of a chip that appears to have shortcomings.”

Meanwhile, Down Below

Phone conversation overheard in Hell’s IT department:

Sir, I have to get you to change your password to comply with the new protocols.

It’s to keep our servers safe, sir. We’re at risk. There are a lot of hackers out there.

Well, yes, sir, many of them are hellraisers, and ultimately that’s a good thing, but we were pwned last week and a religious inspirational page was up instead of ours.

It’s computer jargon, sir, never mind. This is about your password.

Sir, we have a great firewall but I’m afraid it’s not good enough anymore.

No, sir, more brimstone won’t help. It’s the internet, sir — there are too many savvy hackers out there, and we have to stay ahead of the curve.

Yes, having Al Gore help start it and then look foolish for claiming to have invented it was genius. So was getting him to champion global warming so that lots of people could deny it. But your password sir. It needs to be changed. At least eight characters, with capitals, numbers and symbols.

I know 666 is your number, sir. Everybody knows. That’s the problem.

Yes, eight characters. And to give you a horns up, fifteen characters is coming as soon as we upgrade the server software. And you’ll have to change it every 60 days. Can’t use words in the dictionary. Also, even though I know you will, I must tell you not to write it down.

No, sir, writing it in blood still counts.

I won’t argue with that, sir. It’s a pain in everyone’s rear. But if it’s any consolation, these policies are being adopted topside, so you can say they are using the security measures from hell.

Yes, sir, I know “alphanumeric of the beast” doesn’t have the same ring to it. Maybe PR can help you with that, sir. Goodbye, sir.

Finger on the Button

Kill Switches and Remote Control at Schneier.

Don’t be fooled by the scare stories of wireless devices on airplanes and in hospitals, or visions of a world where no one is yammering loudly on their cellphones in posh restaurants. This is really about media companies wanting to exert their control further over your electronics. They not only want to prevent you from surreptitiously recording movies and concerts, they want your new television to enforce good “manners” on your computer, and not allow it to record any programs. They want your iPod to politely refuse to copy music to a computer other than your own. They want to enforce their legislated definition of manners: to control what you do and when you do it, and to charge you repeatedly for the privilege whenever possible.

“Digital Manners Policies” is a marketing term. Let’s call this what it really is: Selective Device Jamming. It’s not polite, it’s dangerous. It won’t make anyone more secure — or more polite.

I Saw It In a Movie, So It Must Be Real

The War on Photography

Photographers being treated as security threats, because that’s how Hollywood portrays things

A movie-plot threat is a specific threat, vivid in our minds like the plot of a movie. You remember them from the months after the 9/11 attacks: anthrax spread from crop dusters, a contaminated milk supply, terrorist scuba divers armed with almanacs. Our imaginations run wild with detailed and specific threats, from the news, and from actual movies and television shows. These movie plots resonate in our minds and in the minds of others we talk to. And many of us get scared.

And we overreact, because we respond irrationally when faced with unusual risks. We can’t properly assess them.