Category: Rants

  • How to get around censorship

    The Great Firewall of Australia is still being worked upon by the evil legal minions of Senator Conroy. At the time of writing, it’s not illegal to tell you how to bypass censorware. I’m hoping that the legislation has no retrospective provisions in it (which would be really evil).

    Here’s how you get around censorship in case Australia decides to become a totalitarian state and block free and unfettered access to the Internet.

    Free and pretty easy

    • Tor. Install Tor into Firefox. Done.
    • Anonymizing Proxies. This is the easiest path, especially if you don’t use Firefox. Find one that is hosted outside of Australia. There’s heaps available.
    • P2P software helps transfer files around, but I only use this for downloading Ubuntu ISOs. Seriously. Don’t breach copyright – it’s how I make a living. P2P is not particularly secure, and can be monitored and seeded by hostile entities.
    • Most messenger programs allow file transfers. Again, don’t breach copyright. Most Messenger protocols are unencrypted and thus can be monitored, and realistically, how do you know the other party is not a dog? See Chat Roulette for proof of this principle.
    • Most transparent ISP caches only work on port 80, and can’t work with SSL due to the way SSL works. Use SSL.
    • Most transparent ISP caches only work on port 80. Go to sites on ports other than port 80, such as port 81, 8080 or similar.

    Free, but might cost you your job

    • Using head office’s proxy in another country. If you work at a large multi-national, use their proxy. Remember, most workplaces have anti-pr0n acceptable use policies, and they’re more likely to police them than Australia. Otherwise, Done.

    Not free, but still fairly easy

    • SSL reverse proxies. There’s a fair few of these services around. Done.
    • VPNs. Buy a Virtual Private Server (VPS) in another country, preferably the USA. Install OpenVPN, PPTP or IPsec on it. Done.
    • Set up a local web proxy server that has child-parent caches. Set up a remote parent cache in another country, or subscribe to a remote cache service. Done.

    There’s more ways to bypass this stupid proposal, but I’ll leave those off this list for now.

    I seriously hope that there will be mass protests and heavy campaigning if there is any legislation tabled.

    We need to show Senator Conroy that the government is truly misguided on this – voters unanimously don’t want to be censored. Parents don’t want it. ISPs and our entire IT industry doesn’t want it. The ALP support base hates it. Censoring Australia WILL lose the ALP power. It will allow all the tin pot failed nations on the planet to say, “We have the right to do this, Australia did it.”

    We must resist this most evil proposal in any way possible. See you at the protests.

  • Censorship – Bye bye Labor

    The Labor party is doomed to be a single term government. They are killing their support base – social progressives and young folks alike are abandoning ship like never before. I have never hidden my dislike for the conservative side of politics, but to totally kick sand in the face of your true believers time and time again is simply not smart.

    With 99% of the Australian public against mandatory filtering, I just don’t see how this is a vote getter. The filter will not protect my daughter from pr0n, predators using Skype or MSN, spyware, or prevent her viewing unsavoury sites. It will not block the primary mechanism for distributing child and extreme pr0n – P2P networks. There is no point to mandatory filtering except to stifle political dissent.

    So why implement such an opaque scheme that’s already been abused and is open to further abuse? Who are the winners from this? Politicians don’t stick their necks out unless there’s a valid reason, and public morality is simply not one of them, especially when the idea is so repulsive to nearly all Australians except for a few ratbags. I can only imagine it’s to shore up the crazy vote (Senator Fielding), without which Labor can’t govern.

    To give some perspective, is it acceptable for the Government to:

    • Discipline my child?
    • Determine what my child will read, watch, or do?
    • Decide on her schooling?
    • Decide on her religious beliefs, or lack of them?

    Government has no role in these key parenting decisions or in determining what she (and all of us) will or will not see on the Internet. That’s every parent’s responsibility, and I will do it in my way – with no censorware. Her computer will be in a shared area until she can be trusted with her own, and even then… trust but verify.

    Labor – you must dump Conroy now. He is a liability to you retaining the 18-40 year old vote, and indeed the 99% of folks who don’t want the Internet censored. Without this core set of voters (about 45% of the eligible voters), you’re never going to win office in your own right again.

  • GMail – ORBS blacklist FAIL

    Hilarious fun for all the family. Google’s GMail service has been blacklisted by an ORBS product.

    These ORBS places are run by dumb ass vigilantes. The Internet just doesn’t need wanna-be-cops who have no legal basis for their operations. Just in case you’re wondering, I’ve been blacklisted by similar morons in the past and simply couldn’t get off their stupid lists, despite NEVER being a spammer and only sending maybe 30 messages a day from my host. Greebo, my not so clever cat, has more spam spidey sense than these oxygen bandits will ever have.

    So here’s the transcript:

    “Google tried to deliver your message, but it was rejected by the recipient domain. We recommend contacting the other email provider for further information about the cause of this error. The error that the other server returned was: 554 554 5.7.1 Rejected 74.125.83.43 found in dnsbl.sorbs.net (state 13).”

    Let’s look that IP up, as it’s not mine:


    % nslookup 74.125.83.43
    ...
    Non-authoritative answer:
    43.83.125.74.in-addr.arpa name = mail-gw0-f43.google.com.

    FAIL.

    Good luck getting off that list, Google! Let’s see if your billions of dollars and many lawyers will make it happen where my pleas fell on dumb ears.
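To make the diagnosis above repeatable, here is an added example (mine, not code from the original post) that takes a bounce like the one quoted, pulls out the listed IP and the DNSBL zone, builds the reversed-octet query name an MTA resolves, and works out whether the listed address is a relay you operate or the provider’s. The resolver is injected so the script runs offline: the PTR answer is the one nslookup returned above, while the 127.0.0.6 listing code and the `mail.example.org` host are constructed stand-ins, not SORBS return values.

```python
import ipaddress
import re

# Constructed sample input: the rejection text quoted in the post.
BOUNCE = (
    "Google tried to deliver your message, but it was rejected by the recipient "
    "domain. The error that the other server returned was: 554 554 5.7.1 Rejected "
    "74.125.83.43 found in dnsbl.sorbs.net (state 13)."
)

REJECT_RE = re.compile(r"Rejected\s+(\d{1,3}(?:\.\d{1,3}){3})\s+found in\s+([A-Za-z0-9.-]+)")
LISTED_NET = ipaddress.IPv4Network("127.0.0.0/8")


def parse_dnsbl_reject(text):
    """Return (listed_ip, dnsbl_zone) from a 5.7.1 'found in <zone>' rejection, or None."""
    m = REJECT_RE.search(text)
    if m is None:
        return None
    ip = str(ipaddress.IPv4Address(m.group(1)))  # validates the dotted quad
    return ip, m.group(2).rstrip(".")


def reversed_octets(ip):
    return ".".join(reversed(str(ipaddress.IPv4Address(ip)).split(".")))


def dnsbl_query_name(ip, zone):
    """The name an MTA resolves to check a DNSBL: octets reversed, then the list zone.
    With a real resolver: dig +short 43.83.125.74.dnsbl.sorbs.net"""
    return reversed_octets(ip) + "." + zone


def ptr_query_name(ip):
    """Reverse-DNS name, as nslookup used above to identify the relay."""
    return reversed_octets(ip) + ".in-addr.arpa"


def is_listed(a_records):
    """DNSBL convention: an A record inside 127.0.0.0/8 means 'listed';
    NXDOMAIN (no records at all) means 'not listed'."""
    return any(ipaddress.IPv4Address(a) in LISTED_NET for a in a_records)


def diagnose(bounce, resolve, own_hosts):
    """resolve(name, rrtype) -> list of answer strings (injected, so no network needed).
    own_hosts: hostnames of relays you actually run."""
    parsed = parse_dnsbl_reject(bounce)
    if parsed is None:
        return {"parsed": False}
    ip, zone = parsed
    ptr = resolve(ptr_query_name(ip), "PTR")
    relay = ptr[0].rstrip(".") if ptr else None
    return {
        "parsed": True,
        "listed_ip": ip,
        "zone": zone,
        "relay": relay,
        "still_listed": is_listed(resolve(dnsbl_query_name(ip, zone), "A")),
        # If the listed address is the provider's outbound relay, delisting is
        # the provider's problem (or the list operator's), not the sender's.
        "sender_can_fix": relay is not None and relay in own_hosts,
    }


# Constructed resolver answers standing in for real DNS replies.
FAKE_DNS = {
    ("43.83.125.74.in-addr.arpa", "PTR"): ["mail-gw0-f43.google.com."],
    ("43.83.125.74.dnsbl.sorbs.net", "A"): ["127.0.0.6"],  # made-up listing code
}


def fake_resolve(name, rrtype):
    return FAKE_DNS.get((name, rrtype), [])  # [] plays the role of NXDOMAIN


if __name__ == "__main__":
    print(diagnose(BOUNCE, fake_resolve, own_hosts={"mail.example.org"}))
```

The point of the `sender_can_fix` flag is the one the post makes: the listed address resolves to Google’s outbound gateway, so nothing the sending user does to their own host will clear it.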

  • Advanced Persistent Threat – risk management by a new name

    I am so sick of APT this and APT that. Advanced Persistent Threats, essentially state sponsored intelligence gathering, are no different to the age-old espionage between EADS and Boeing – something that CANNOT be prevented by coining yet another new FUD term like APT. Espionage is at least the second oldest profession in the world, and moaning about whatever APT is called this week is not going to change that. If your CFO wants to leak information to a competitor, there is NO information security system ever built that has or can prevent that level of misconduct.

    Look behind who is promoting APT this time around. Companies that have IT security services and products to sell. I have worked in that industry for over 12 years now. We have enough work without ambulance chasing as part of our marketing plan.

    Remember SOX? Lots of FUD then, just like APT today. Lots of “security” (and even non-security) programs designed to bring in so-called SOX compliance – and for what? There were more breaches and losses post SOX compliance than before, and it’s getting worse! Lots of money was wasted on useless programs, and hundreds of millions if not billions of dollars went down the drain for no business return.

    If you ever wondered why business folks are rebelling against PCI DSS (which is actually fairly good), fear factor is to blame. We lose respect every time we yell “fire!” when there’s not even a match’s worth of smoke, and when asked for a solution, we want to bring in a DC-10 water bomber. It’s even worse when we come with a reasonable, cost effective, and long term solution and we can’t do it because of the reasonable expectation it’s just another false alarm.

    Stop doing it! We have plenty of good reasons to do security (properly), and APT is simply not one of them. If you’re going to yell “APT APT APT!” have the courage to talk about solutions and make them workable, effective, financially responsible, and not to just rabbit on about security theatre solutions to sophomoric movie plot threats. I am not diminishing those organizations like the oil and steel industry who are responding properly where they have a real expectation that industrial or state based espionage will occur or has occurred in the past, but responding to APT for 99% of organizations is just a complete WAFTAM.

    I hate APT and all the FUD surrounding it. Scaring the punters is chicken little or crying wolf. Get with the “do something” program. If you’re a news org, instead of talking about folks who got pwned, let’s talk about folks who through good management and effective IT Security programs have survived such “advanced persistent threats”.

    What would I suggest we do about APT? Let’s take it back a step – what would I suggest EVERY firm of more than about 10-20 employees should do. Let’s start at the beginning with:

    IT Security Management 101

    AS/NZS 4360 Standard for Risk Management (1999) and ISO 17799 (now the 27000 family) are a great starting point. This stuff is simply not rocket science; any organization, no matter what business (charity, big oil, health, military, government, financial, etc), can and should look at what they have today, and start implementing them if they have nothing.

    1. ISMS – Create an Information Security Management System. This requires an effective CSO or CIO who is a force for change with a mandate to take the opportunity cost out of the equation. Spending money on IT security seems a cost for most orgs, but if you see it as an opportunity to do better, you will succeed. Security is a business enabler and an indicator of growth. CIOs / CSOs that choose the negative “no” speed hump path simply don’t get it and should be replaced. However, in all cases, it’s important that the CSO or CIO can force business owners to do the right thing or make the business owners accept the responsibilities and risks of poor security decisions. Most orgs do not have an ISMS, and rarely do CIOs / CSOs sit on the board or are effective in any fashion. If the CIO / CSO has responsibility and accountability, but no budget and no power to improve things, resign. There’s no way you can effect substantial change when all software is insecure.
    2. Create and maintain IT security policies, procedures and allocate (and enforce) responsibilities. Someone has to have the power to say “turn that off”. Someone has to know when it’s time to “turn that off”. Someone should have known beforehand that certain systems are more likely to end up in the “turn that off” category and have the power and responsibility to do something about it. The best IT security policy I ever saw* was 10 pages long, had fewer than 500 words (none of which were “don’t”) and 20+ images in it. Staff knew what they had to do and they did it, as it worked with human nature rather than just saying “no” or “don’t do this” or “you’ll get the sack”. If your IT Security policies would make Stalin proud, occupy three massive binders, and are gathering dust in a cupboard, you’re doing it wrong.
    3. Create and maintain a global risk register. Start with an Excel spreadsheet if you have to, but most of you should probably go out and acquire one of the many excellent products out there that satisfy the ITIL marketplace.
    4. Create a catalog of all your assets (particularly DATA and the systems that handle that data!) and make sure it’s kept up to date. ITIL related products are your friend here – there’s heaps of asset register products out there, but make sure you register data assets as most are all about physical boxes. Assign all assets a classification and make sure folks know how things with that classification are to be dealt with. I prefer a simple three tiered classification system (public, internal, restricted), but whatever floats your boat. 90%+ of all orgs I deal with do not have any idea of what they are running nor the value of their assets or how they should treat them. I know of one org whose HR system was running on a desktop in a cupboard. Unacceptable. But if you don’t know it, you’re negligent, pure and simple.
    5. Perform a risk assessment of all assets, particularly critical ones. Risk assessments used to be popular, but I haven’t seen any done for a while now. This is a huge mistake. Put the risk assessments and any findings from reviews in there. Track, assign responsibilities and dates, and …
    6. Fix – Assign – Accept. Remediate what you can where it makes sense to do so. This doesn’t mean fix everything, just the things that matter. Insure (risk assign) the truly catastrophic outcomes. Accept what’s left.
    7. Security is an enabler! Be treated how you’d like to be treated! Train the business folks and developers in secure requirements and coding. Adopt an SDLC and do it. Get and use a defect tracker. Get and use code control. If you’re doing agile, make sure security is a key deliverable of every single user story / sprint / milestone. Make sure your testers test for abuse cases as well as business cases. Think outside the box and think about your customers when you do your security. Security that doesn’t work is wrong. Security theatre is wrong. A multitude of security features doesn’t mean you’re secure. Do security well, and you’ll win because your customers / clients / users will love you and appreciate the efforts you made to make security transparent, easy and effective.
    8. Expect to keep up with the Joneses. You don’t need to be bleeding edge, but anyone running Lotus Notes from 2001 or IE 6 should put money aside to deal with the cleanup of any lame attack from the last X years. Just because you’re not paying out on cap ex this year doesn’t make you a good manager. Long term, you’re gonna pay. Even out the expenses and roll out new stuff all the time and retire old stuff all the time. Don’t be afraid to run XP, Vista, Linux, Windows 7, and Macs all side by side. You shouldn’t require everyone to use the same XP image from 2003 on modern hardware – that’s just stupid. Keeping up is the cost of using IT and those who update regularly pay less than those who wait. And wait. And then get attacked. Plant and equipment is tax deductible in most tax regimes, so there’s no excuse not to depreciate and retire old crap. It does mean you’ll need to cope with patching and scalable roll outs of new hardware and software. You need this anyway for those zero days.
    9. Get rid of crap that costs a lot to operate. Systems that need patching all the time are doing it wrong. Systems that are attacked all the time because they are insecure should be retired. These systems are not worth supporting. Make the ISVs realize that you only pay for secure software that requires little maintenance. Wean off any supplier who refuses to understand this most basic of requirements. They’ll go out of business, and you’ll save money. Ensure when you buy customized software or have it developed for you that the contract states that the ISV has to fix all security bugs for free and they are responsible for paying for the code reviews and penetration tests to prove that they are secure. That’ll keep the ISVs in line.
    10. Monitor and escalate. No system is perfect. Put in procedures to cope with the horse bolting, but try not to have your entire herd and all their tackle gallop out the stables.
    11. Don’t be a cowboy – do it all the time. A good ISMS is not a “fire once and you’re done”. You can’t buy a product that does it for you. This is a commitment like GAAP is a commitment to financial standards to use the same systems year in year out. Those that forgot this lesson are now paying for APT. I’m not going to justify why you need to do this stuff, it should be obvious.
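As an added illustration of steps 3 to 6 and 10 (my example, not the author’s and not any ITIL product), here is a minimal risk register in Python: an asset catalog in which a system inherits the classification of the data it handles, a 5×5 likelihood-by-consequence rating in the AS/NZS 4360 style, a Fix–Assign–Accept recommendation, and an overdue report for the monitoring step. The rating thresholds, owners, due dates and the sample assets (including the HR system in a cupboard from the post) are assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import date
from enum import IntEnum


class Classification(IntEnum):
    """The three-tier scheme the post prefers; ordering lets max() pick the strictest."""
    PUBLIC = 1
    INTERNAL = 2
    RESTRICTED = 3


@dataclass
class Asset:
    name: str
    kind: str                      # "data" or "system"
    classification: Classification
    owner: str
    handles: list = field(default_factory=list)  # systems: names of data assets they process


@dataclass
class Risk:
    asset: str
    description: str
    likelihood: int                # 1 (rare) .. 5 (almost certain)
    consequence: int               # 1 (insignificant) .. 5 (catastrophic)
    owner: str
    due: date
    treatment: str = "open"        # open | fix | assign | accept

    def rating(self):
        if not (1 <= self.likelihood <= 5 and 1 <= self.consequence <= 5):
            raise ValueError("likelihood and consequence must be 1..5")
        return self.likelihood * self.consequence


def effective_classification(system, catalog):
    """A system is at least as sensitive as the most sensitive data it handles."""
    return max([system.classification] + [catalog[d].classification for d in system.handles])


def recommend_treatment(risk):
    """Assumed thresholds on the 5x5 product: >=15 fix, 8..14 assign (insure/transfer), else accept."""
    r = risk.rating()
    if r >= 15:
        return "fix"
    if r >= 8:
        return "assign"
    return "accept"


def untreated(register):
    return [r for r in register if r.treatment == "open"]


def overdue(register, today):
    """Step 10: open items past their due date are what escalation is for."""
    return [r for r in register if r.treatment == "open" and r.due < today]


def build_catalog():
    # Constructed sample assets.
    items = [
        Asset("HR database", "data", Classification.RESTRICTED, "HR director"),
        Asset("Brochure site content", "data", Classification.PUBLIC, "Marketing"),
        # Nominally "internal" box, but it runs the HR system from a cupboard.
        Asset("HR desktop", "system", Classification.INTERNAL, "IT ops", handles=["HR database"]),
        Asset("Web server", "system", Classification.PUBLIC, "IT ops", handles=["Brochure site content"]),
    ]
    return {a.name: a for a in items}


def build_register():
    # Constructed sample risks; dates are arbitrary.
    return [
        Risk("HR desktop", "Unmanaged desktop in a cupboard, no backups or patching", 4, 5, "IT ops", date(2010, 3, 31)),
        Risk("Web server", "Fire in the server room", 2, 5, "Facilities", date(2010, 9, 30)),
        Risk("Web server", "Brochure site defaced", 3, 2, "Marketing", date(2010, 12, 31)),
    ]


def apply_recommendations(register):
    """Record a treatment on every open item and return the register."""
    for r in register:
        if r.treatment == "open":
            r.treatment = recommend_treatment(r)
    return register


if __name__ == "__main__":
    catalog = build_catalog()
    print("HR desktop is", effective_classification(catalog["HR desktop"], catalog).name)
    for r in build_register():
        print(r.rating(), recommend_treatment(r), r.asset, "-", r.description)
```

Start with this in a spreadsheet if you must, as the post says; the point is that the register records an owner, a date and a decision for every item, so “we didn’t know about it” stops being an option.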

    This stuff is simply not rocket science. It’s not new. Most well governed orgs already have this in place and have been doing it for a decade or more. The problem is that few orgs are well governed or have any particular driver to do IT Security well. Most CIOs are untrained in security as they’re often accountants who are brought in to rein in costs – which is a mistake. Most CSOs lack board presence and have no authority other than to be a speed hump. This has to change. Orgs who grew up overnight (like Google) will get hit – and hard – by APT.

    I don’t want to hear about APT unless you have a solution to whatever you’re bleating about. If you’re going on about how the script kiddies have all grown up and now do exactly what they did before, but are now bank rolled by intelligence agencies, my question to you is “so what?” If you’re doing IT security and governance right, APT is just so much hot air.

  • Black Day For Australia

    Today, the Labor Government, pandering to a tiny minority of voters who will NEVER vote for them, will proceed with censoring our Internet.

    Many of these hard right wing “Christian” (who obviously missed the entire point of the New Testament) “voters” (Exclusive Brethren, etc) do not have computers, let alone TVs or newspapers, to be offended by the Internet. Worse still, the Brethren are some of the only people in Australia who are allowed not to vote. And for their vital electoral “support”, we all get censored. WTF!?!

    FUCK NO!

    Today, I start censoring the Internet for Australian Government departments. If your DNS name ends in “.gov.au”, there’s a pretty good chance you’ll not be able to see this site and the other sites I run. E-Mail from .gov.au sites will be delivered to /dev/null. In future works I create, I will make an explicit disallowance preventing Australian Government public servants and contractors from using my materials until the censorship mechanism comes down. I will encourage everyone I know to put up mandatory “.gov.au” filtering. See how you like it when the Internet is useless to you and you have to use personal Internet connections to get anything done.

    I will fight this censorship scheme in every way I can. I will publish mechanisms on how to bypass it. I will encourage people to defeat it, even if they don’t have to. I will campaign against my local ALP member. You’ve made a political activist out of someone who used to just rant about politics around the water cooler. I am not the only one. Labor is doomed for a generation or more by this one heinous act.

    Labor – shame shame shame. I’ve voted for you – stupidly it turns out – for my entire adult life. I’m sorry, but I’ll vote for Donald Duck before I grace your lice ridden corpse with the “1” mark ever again.

    Conroy – he who shall not be named from here on – you are the Internet’s Public Enemy #1. You have cost Labor the next election, even with the Liberals in complete disarray. Labor cannot ever be trusted to govern again.

  • Be careful what you wish for

    Well, the Emissions Trading Scheme is dead – for now. Yay! I do a little dance on its grave. We’ll have to fight it when the double dissolution election comes up sooner than later.

    However, I wasn’t expecting the mad monk, Tony Abbott, to gain the Liberal leadership. That was a surprise, as I bet it was to the majority of the Liberal party MPs.

    With such a right wing, homophobic, anti-abortion, anti-pretty much anything we’ve achieved over the last forty years to several centuries, and on top of that a truly hard core Catholic, elected leader by the thinnest of margins (1 vote – a donkey vote *), the Libs will be in electoral wasteland for at least one and probably two more elections. Either the Libs will have to split into the electable bit and the unelectables, or they will have to try again in a few years after they get rid of Abbott.

    Abbott is simply unelectable – even my wife, who leans in the Libs’ direction, doesn’t like him. Sure, Abbott will make the hard core religious and climate deniers happy, but they’re a tiny minority here – and they already vote Liberal. All the moderate swinging voters – they who elect our governments – will abandon ship once they realize just how backward Abbott is on so many things.

    With Abbott being the mental giant that he is, he’s going to oppose pretty much all Government bills. I bet he opposes a really stupid little bill and that’ll be the trigger. KRudd could phone it in and win.

    Bring it on – maybe enough of the disaffected voters will move to the Greens and we can get some real carbon reduction instead of the reward-the-polluters ETS.

    * I bet the idiot ^H^H^H^H^H Member of Parliament who cast the deciding donkey vote (‘no’) is regretting their ineptitude tonight. The silly thing is that the vote was almost certainly cast by a moderate Liberal. That moron has ensured they stay unelected for at least another four and most likely seven years.

  • Emissions trading scheme – epic fail

    Unlike the deniers in the Liberal party, I understand climate science well enough to know that we should give our only planet the benefit of the (very little) doubt. It’s time to act. But not with an ETS. I hope that the Liberals (== conservatives, for my US readers) defeat the ETS, a.k.a. the Carbon Pollution Reduction Scheme (CPRS).

    The heart of the problem is that the Emissions Trading Scheme doesn’t help to reduce pollution. Why? ETS traders have no skin in the game – you don’t have to be a polluter or seller to participate. Why would those traders be interested in carbon reduction? Over time, the value of the market will go up due to speculation and moves by the traders, making it more expensive for the Australian Government to buy back emissions credits to reduce the total emissions pool, or even worse, short changing the folks who need to acquire those credits. The folks who buy these credits on the open market will need to pay more, and we pay double through increased taxation and higher bills for pretty much everything, even if you’re doing the right thing.

    The Coalition have introduced a bunch of get out of jail free cards for the heaviest polluters to provide their denying colleagues some carrots.

    • Coal fired power plants are largely exempt, despite emitting about 50% of Australia’s total CO2 emissions
    • Heavy users of power have tax credits to help pay for their credits, often up to 90% of the value of them or even free in the case of aluminium producers. Where’s my 90% reduction in my electricity bill? This is corporate welfare at the worst
    • Agriculture has a wide range of exemptions, despite many inefficient processes that could benefit from better alternatives. They also get money for carbon offsetting, so in reality, they can be paid for sequestration activities, but have no economic harm from releasing that captured carbon. Way to go to buy the rural vote, Rudd.

    So no matter what I do to reduce my carbon footprint, it will have little impact, as the largest polluters can simply keep on doing exactly what they’re doing today. I – and all Australians, even if you’re off the grid, grow your own food and don’t drive or fly – will end up paying for this dumb scheme.

    The Government should not distort an entirely new unproven market. Let it distort the current market:

    • Announce the Government will only buy electricity from renewable sources as of 2015 or so
    • Announce no more coal fired power stations will be built and approve nuclear power stations
    • Set power consumption targets for the heaviest power users in the average business and house (computers, lights, fridges, ovens, aircons, etc)
    • Require standby to be < 0.1 W (or it’s off), and prohibit clocks on things that don’t need them (like microwaves, fridges, ovens and toasters) so they can turn off when not used
    • Ban crappy computer PSUs and require 80-Plus only PSUs. Make rackable servers like Google’s – no PSU in the device, and the power supply is > 90% efficient.
    • Ban non-LED downlights (this also has a positive impact on the number of house fires from cheap iron core transformers setting fire to insulation)
    • Fund or provide serious rebates for solar hot water for everyone with an electric water heater.
    • Fund or provide serious rebates for passive solar cooling for every home, rented or owned.
    • Continue the serious rebates for solar panels, and extend them to rented as well as owned properties.
    • Require states to tax the hell out of cars that chew more than 7.5 l/100km
    • Only buy cars with average fuel consumption of less than 7.5 l/100km from now on – there’s hundreds of thousands of cars in the government car fleet
    • Mandate employers allow telecommuting where possible. This would eliminate hundreds of thousands of wasteful trips every day, and free up freeways for freight and necessary journeys. I enjoy my ten second commute and I don’t have to start the car most days.
    • Provide incentives to get road freight back onto rail
    • … anything other than an ETS

    Trading schemes (like NEMMCO) have a proven history of epic failure. In California, traders caused widespread blackouts and damage, not to mention sky high electricity bills. There is no incentive for an ETS to reduce carbon pollution. The market relies upon carbon being emitted. It will fail, not reduce CO2 emissions as the largest polluters don’t have to participate properly, and cost us billions.

    ETS == Epic fail with our future. Bring on a double dissolution election.

  • “Protect the Data” Idiot! Redux

    Richard Bejtlich at his TaoSecurity Blog makes a very strong assertion that we’re all idiots for wanting to protect data, rather than the container.

    I’m not going to play a semantic game about protecting data versus the thing the data is in at the moment, but honestly, I think he misses a really strong point as to why we’re moving away from the failed network-centric strong border / soft centre protection racket to a more secure data-centric protection scheme.

    I will not disagree with Richard that we secure the containers, not the data, but we secure the containers BECAUSE of the data, not the other way around. For far too long, we’ve thought about the enemy outside the gates, when it’s actually the folks inside who cause many breaches.

    The weakest link in any protection scheme is the humans.

    • They have weak passwords
    • They (rightfully) share information about themselves with their friends and (not so rightfully) with the Internet at large, making password resets untenable.
    • Folks accidentally disclose data assets all the time. Laptops, backup tapes, USB sticks, brief cases containing the data.

    Should we care if I lose my phone? It contains my address book, which I can sync again to the next phone, and little else. But a CEO’s phone holds e-mails, internal VPN access, browsing history, contacts, calendars and more. What differentiates my container (my iPhone) from the CEO of Apple’s container (Steve Jobs’ iPhone)? In a Richard world, nothing – they should be protected equally. But it’s really about the data the container holds and what data the container has access to.

    Data in and of itself is intangible, and generally cannot be secured if it wants to get out (see WikiLeaks for an incontrovertible example). I think Richard and I agree on this bit. Where I stray from Richard is that to ignore the data is to miss the point of information security entirely, which is why I take umbrage at his ad hominem attack.

    • If you have backups, you’re changing the data’s container, but you’re protecting the asset (the data) and not the container by doing backups. We’re planning for a complete loss of the container.
    • If you have a DR site, protecting the container is secondary to protecting the data
    • If you have a distributed cloud, protecting the container is nigh on impossible as you don’t control them.
    • If you’ve printed previously encrypted data, the container and its protection controls have changed. The need for protection hasn’t changed, just how those controls work.

    Lastly, it comes down to classification. If we ignored the data, we would protect the most expensive containers, rather than the business critical data.

    • The CEO’s high-end home desktop would get more protection than a USB stick containing next quarter’s results. I bet I know which the company would fret about more.
    • The WAF would get more protection and monitoring than the HR server as the WAF costs 10x as much as any one commodity server
    • The SAP system would probably gain some attention as it would consume a chunk of change from the IT budget, but would you put it in a data center or in a closet?

    We’re not idiots for promoting protection of the data. The containers and pipes BECOME valuable and we protect them because of the data sitting in or passing through those containers and pipes. We only protect those tangible assets because we pay enough attention to the data’s classification and its various requirements for protection.

    Really, we don’t need to call each other names to try and bring us back to the failed border centric fold. We can disagree with each other as gentlefolks and not call each other names. I’m amazed that Richard has gone down the attack path as I normally agree with 99% of all his blog posts.

  • Google: Don’t be evil

    I work on an open source project, ESAPI for PHP. Well, “work” might be too strong a word for it, but I try to prod its lifeless carcass from time to time. That’s not the reason I write today. I write because of stupidity, and evil being conducted in the name of a “law”.

    I have a fellow open sourcer who wants to contribute to ESAPI for PHP. He’s actually completed an MVC framework for PHP (jFramework). Due to Google blocking Iran, this gentleman can’t easily contribute to our project, which hosts its repository on code.google.com. ESAPI for PHP will not help build a nuke. It does no crypto of its own. It will make PHP applications safer and more secure – but you can do that anyway if you read half a dozen pages on PHP’s website.

    This is madness. ITAR is about blocking the EXPORT of sensitive MUNITIONS (i.e. weapons) TO Iran and other “hostile” countries. ITAR is NOT about blocking the GIFT of intellectual property and valuable developer cycles FROM Iran, helping everyone all over the world, including those folks in Iran (as well as Australia and the USA). This is stupidity on a scale I’ve not seen in a while.

    Google: you are doing evil.

    Stop this madness, now! Call in your tame congress critters and tell them how stupid and harmful this particular nonsense is and get it repealed. Grow a spine and take a chance. Unless someone open sources a command and control system for a warship, a missile guidance program, or puts Nuclear Reactors For Dummies up as a project, all of the projects should be available for download worldwide. Those one or two mythical and nonsensical projects should not block an entire library of human knowledge to the entire Iranian people just because of some imaginary evil open source project might help Iran’s nuclear program or military. The stuff we do is not rocket science.

    Stupid and outdated laws / treaties like ITAR make us disrespectful of all the other laws and treaties, and make us lose all respect for those who abuse their positions of power in the name of “security”. The way to improving relations between countries is not to block them (how’s that Cuba policy going, anyway?) but to engage with them and stop the evil ignoramuses on both sides stopping everyone being happy and free, or just contributing to an open source project.

  • Nielsen on password security vs usability

    I read Jakob Nielsen’s post on password security, and although he has a point, there are several issues as to why this is a monumentally bad idea.

    First, passwords are a fundamentally bad idea for all data risk classifications. Instead of trying to make passwords more usable, how about getting rid of them?

    Second, exposing folks’ passwords in a shared environment will expose them in more ways than one. For example, most folks use the same password everywhere. I used to do this when I was 16. Then I migrated in 1989 to having low, medium and high security passwords. Then about five years ago, I migrated to using long random passwords for nearly everything. I do not know my password for my blog. I cut ’n’ paste my passwords from a password manager. I’m ashamed to say that I still use the low security password from 1989 from time to time – mostly to recover access to long lost internet sites. So if your social networking site – where you’ve evaluated YOUR risk to be low – exposes a user’s password, well… that user uses the same password EVERYWHERE, including high risk sites such as Internet Banking, tax, their insurance login, etc.

    Third, malware that currently snaps screens when used with visual keyboards (security theater!) will have a bonus time with this scheme, or any scheme like it (think iPhone where the last character typed remains on the screen for a second or so and then becomes a bullet). However, if you have malware, you have more interesting problems than just clear text passwords.

    I am all for killing passwords. They are crap. They are insecure. They are hard to remember. IT Security folks with NO UNDERSTANDING of human nature or how this terrible usability costs the business ask us to change them every 30 days and you can’t have the same password for the last five years and the password must not be a dictionary word and must contain punctuation and numbers and upper and lower case characters. The only people who can do that without ringing the help desk are the tin foil hat people like me who use password managers with long random passwords. I love going to sites with those sort of rules – the passwords are nearly universally on post it notes or written on the cubicle wall or dry erase board. Dumb!
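An added example (mine, not Jakob Nielsen’s or the author’s) that makes the point above concrete: a complexity rule set of the kind described is satisfied by a short, patterned password and rejects a long random one, while only length and a genuinely random choice drive the guessing work. The tiny dictionary and the sample passwords are constructed for the example; the entropy figure is the ideal bound for a uniformly random choice from the alphabet and says nothing about a human-chosen string, which is the whole problem.

```python
import math
import secrets
import string

FULL_ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols

# Constructed stand-in for a real word list; a production check would load a dictionary.
TINY_DICTIONARY = {"summer", "password", "welcome", "monkey", "dragon"}


def generate_password(length=20, alphabet=FULL_ALPHABET):
    """Uniformly random password from a CSPRNG: what a password manager does for you."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length, alphabet_size):
    """Ideal guessing work for a uniformly random choice: length * log2(alphabet size).
    Only valid for random strings; a human-chosen string has far less."""
    return length * math.log2(alphabet_size)


def meets_complexity_rules(pw):
    """The rule set the post complains about: 8+ characters, upper, lower, digit,
    punctuation, and not a dictionary word."""
    has = {
        "upper": any(c.isupper() for c in pw),
        "lower": any(c.islower() for c in pw),
        "digit": any(c.isdigit() for c in pw),
        "punct": any(c in string.punctuation for c in pw),
    }
    return len(pw) >= 8 and all(has.values()) and pw.lower() not in TINY_DICTIONARY


def assess(pw, alphabet_size):
    """Rule verdict beside the ideal entropy bound, so the two can be compared."""
    return {"passes_rules": meets_complexity_rules(pw),
            "ideal_bits": round(entropy_bits(len(pw), alphabet_size), 1)}


def compare_candidates():
    """Constructed comparison: a patterned 11-character password that ticks every box
    versus a 24-character random lowercase string that ticks none of them."""
    patterned = "Summer2010!"                                   # constructed sample
    random_lower = generate_password(24, string.ascii_lowercase)
    return {
        "patterned": assess(patterned, len(FULL_ALPHABET)),     # ~72 bits only if random
        "random_lowercase": assess(random_lower, len(string.ascii_lowercase)),  # ~112.8 bits
    }


if __name__ == "__main__":
    for name, verdict in compare_candidates().items():
        print(name, verdict)
    print("manager-style:", generate_password())
```

The patterned password passes every rule and would fall to a straightforward wordlist-plus-year guess long before its nominal 72 bits; the random lowercase one fails every rule and is the stronger credential by a wide margin. That is why the post’s answer is a manager generating long random strings rather than a longer list of rules.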

    So how do we improve the situation? I strongly believe that for the average user, the browser should take over the credential for the user. A nice auto-generated certificate login managed basically transparently by the browser’s credential manager makes the most sense. This should be able to export to a standard file format that all the browsers agree upon so that users can upgrade their machines, and move amongst them. Obviously, Apple already has MobileMe to help sync those credentials around, and this will help folks like me with more than one computer. If you’re out and about and need to log in remotely, you log in to MobileMe (or similar), and approve the site you want to log on to for (say) 10 minutes from the computer you’re currently on. Then you go to the site you want to go, like Wikipedia or Travelocity with your full strength credential… that will not stay on that machine and will not work after a few minutes.

    For value transactions, the use of SMS transaction signing and two factor transaction signing should be mandated where PII, financial or health data is concerned.

    Then we can put passwords out of their misery, and folks never need to remember their passwords ever again. Jakob is right – passwords suck. It’s time for them to die.