As necessity is the mother of invention, sometimes tragedy reveals what we need. A few years ago I ran across some work in aviation aimed at preventing another September 11. The system was called Soft Walls (http://softwalls.eecs.berkeley.edu/), and the general idea was a proxy would exist within the avionics of commercial aircraft. This system would create virtual borders around critical areas, providing forced feedback against a pilots yoke.
The specific implementation of this plan introduces a number of security challenges, but the idea itself fits well with what security should feel like. You only feel the restrictions of the system as you try to do something questionable. The harder you try and perform restricted activity, the harder the system pushes back.
Saturday, November 17, 2007
Friday, October 12, 2007
Security fails the masses by design
In studying other subjects the idea of functional art was a common theme. Imagine a glass door along a glass wall in a peaceful room. There are few surfaces in the room, so you're struck with the lines of the floor meeting the wall, wall meeting the ceiling, etc. To keep with the theme you place a single horizontal metal bar on the door as the handle. Elegant and beautiful in its simplicity.
Now do you push or pull that door to get out?
The flaw is in the design itself, and the attempt to keep things simple causes a complexity for each new person that tries to exit.
A password is just that. A shared secret word that is likely common in the spoken language. It can be remembered without writing it down or used in a sentence. This password is also considered insecure in modern computing systems.
Instead of passwords most systems have migrated to an authentication token. Typically a string of characters including upper and lower case, special symbols, and numbers. While this string may resemble a word to make memorization easier, it is not actually a word. However a confusion still exists with many new users, who are presented with the request to create a password, and select something like "pencil".
The issue is in the fact that the design hasn't been changed. It's still called a password, and the essential implementation hasn't changed. There's still a horizontal bar on the door, but now there's a sticker that says pull.
Responsibility should be taken to understand these fundamental design flaws as we come across them in practice. and wherever possible, resist the temptation to fix the problem with a sign or a memo. This requires more effort and time, and will not always be possible, but a goal to be pursued none the less.
Now do you push or pull that door to get out?
The flaw is in the design itself, and the attempt to keep things simple causes a complexity for each new person that tries to exit.
A password is just that. A shared secret word that is likely common in the spoken language. It can be remembered without writing it down or used in a sentence. This password is also considered insecure in modern computing systems.
Instead of passwords most systems have migrated to an authentication token. Typically a string of characters including upper and lower case, special symbols, and numbers. While this string may resemble a word to make memorization easier, it is not actually a word. However a confusion still exists with many new users, who are presented with the request to create a password, and select something like "pencil".
The issue is in the fact that the design hasn't been changed. It's still called a password, and the essential implementation hasn't changed. There's still a horizontal bar on the door, but now there's a sticker that says pull.
Responsibility should be taken to understand these fundamental design flaws as we come across them in practice. and wherever possible, resist the temptation to fix the problem with a sign or a memo. This requires more effort and time, and will not always be possible, but a goal to be pursued none the less.
Saturday, March 17, 2007
Portable Information Scheme
I've talked to a few folks lately and a common theme had come up. Portable personal information.
For whatever reason we seem to have a lot of things to keep in our memories lately. Too much. So shortcuts need to be found. As an example lets take a single scenario, sending flowers to mom.
You're on a business trip, find a nice little spot around 6 to have a drink, a bite to eat, and to unwind. The phone rings, dad, so you decide to chat. Yep, things are good; no, not too busy; tomorrow? yeah, i forgot; getting right on it. Deep sigh, attempt to dry the ice, and start thinking about the task at hand.
You need a couple of things, credit card and mom's address at a minimum. Login to the online florist of choice might help. At one point in time you might have pulled out your address book, walked to the nearest florist, and pulled out a checkbook. A few years ago you might even have pulled out your palm pilot, taken out that one credit card you use for online transactions, and walked over to the nearest cyber cafe.
Today you want to use a virtual credit card number. You also don't want to walk around with the IT utility belt full of blackberry, pager, two cell phones, and a PDA. Most modern corporate IT policies make no pretense about the fact that everything on your company supplied system belongs to the company. This goes for the phone too, since everyone needs to have that smartphone with email capability. Attached to the corporate network? Belongs to the company.
So, how to I get access to my sensitive personal information anywhere I want to be? Thoughts?
For whatever reason we seem to have a lot of things to keep in our memories lately. Too much. So shortcuts need to be found. As an example lets take a single scenario, sending flowers to mom.
You're on a business trip, find a nice little spot around 6 to have a drink, a bite to eat, and to unwind. The phone rings, dad, so you decide to chat. Yep, things are good; no, not too busy; tomorrow? yeah, i forgot; getting right on it. Deep sigh, attempt to dry the ice, and start thinking about the task at hand.
You need a couple of things, credit card and mom's address at a minimum. Login to the online florist of choice might help. At one point in time you might have pulled out your address book, walked to the nearest florist, and pulled out a checkbook. A few years ago you might even have pulled out your palm pilot, taken out that one credit card you use for online transactions, and walked over to the nearest cyber cafe.
Today you want to use a virtual credit card number. You also don't want to walk around with the IT utility belt full of blackberry, pager, two cell phones, and a PDA. Most modern corporate IT policies make no pretense about the fact that everything on your company supplied system belongs to the company. This goes for the phone too, since everyone needs to have that smartphone with email capability. Attached to the corporate network? Belongs to the company.
So, how to I get access to my sensitive personal information anywhere I want to be? Thoughts?
Tuesday, February 27, 2007
Apple XGrid for Common Security Tasks
Having some old G5 towers around and a handful of G4 laptops we're making an attempt at setting the systems up into an XGrid cluster, then configure the system for common security related tasks including rainbow table creation, key cracking, etc. This would act as a proof of concept open lab environment with removable componants (laptops).
Background Reading:
http://unu.novajo.ca/simple/archives/000022.html
http://www.macdevcenter.com/pub/a/mac/2004/05/11/xgrid_pt1.html?page=1
http://www.macdevcenter.com/pub/a/mac/2005/08/23/xgrid.html
http://developer.apple.com/hardwaredrivers/hpc/xgrid_intro.html
http://mekentosj.com/widgets/xgrid/
http://www.macresearch.org/the_xgrid_tutorials_part_i_xgrid_basics
http://lists.apple.com/archives/Xgrid-users/
The XGrid is up and running with laptops able to come and go. Now I just need something to process.
Background Reading:
http://unu.novajo.ca/simple/archives/000022.html
http://www.macdevcenter.com/pub/a/mac/2004/05/11/xgrid_pt1.html?page=1
http://www.macdevcenter.com/pub/a/mac/2005/08/23/xgrid.html
http://developer.apple.com/hardwaredrivers/hpc/xgrid_intro.html
http://mekentosj.com/widgets/xgrid/
http://www.macresearch.org/the_xgrid_tutorials_part_i_xgrid_basics
http://lists.apple.com/archives/Xgrid-users/
The XGrid is up and running with laptops able to come and go. Now I just need something to process.
Subscribe to:
Posts (Atom)