General, Security, Privacy, Uncategorized

But…Shouldn’t Security Be Our Number 1 Priority?

Six executives fill the boardroom chairs and you seem to have chosen the only chair that lets loose a metallic shriek upon any movement. Ugh. But there is work to do. You are all here to solve a problem. A big problem. One of your organization’s IT solutions desperately needs replacement and you are here to provide a “security lens” on the discussions about to be had.

Things start out well enough. They go over the list of features that are required in the replacement product: what are deal-breakers? what could be left behind if required? pay tiers? support models? deployment plans and timelines? Things like that. The requirements are high level and you spend your time listening to the discussion but not really participating. Then the discussion turns towards compliance and security. Your ears perk up.

They start asking your type of questions: “What type of information do we need to store and how are we going to protect it?”, and the like — in not-so-many-words but you pick up the subtext. “Do we need to think about compliance?”
All eyes turn to you.

Continue reading

Standard
General, Security, Privacy, Technical

A Hacker’s View of Passwords

Passwords You Say?

Passwords. The bastion of authentication. Defenders of data. Bane of those shadowy figures wearing hoods and ski masks in darkened basements whilst attacking your servers. Passwords protect your secrets, but how effective are they really?

Plenty of articles have been written on the short-comings of passwords — mainly around complexity, reuse, expiry, and how these additional “controls” may not truly solve the problems inherent to passwords. I will touch on these, but in the spirit of education I felt a duty to provide context and to answer the inevitable question one hears when they enact some new policy or control in the security world: “Why?”

I will start by saying that, in my humble opinion, passwords are here to stay — in one form or another. “What about biometrics?” you may ask — to which I will reply with another question: “What happens when your fingerprint is stolen?”. You can easily change a password. You can’t (easily) change your fingerprints. What about the tokens used in two-factor authentication? Couldn’t we simply just use those instead? Yes we could, but they can be lost or stolen, and can be expensive relative to a password. Economically speaking, we would have to see executives, as a whole, start taking security a lot more seriously if that is to happen.

So, for now, let us say that passwords will be with us for the foreseeable future. Maybe I’m wrong and some new technology will supplant passwords as the de facto standard — but for now they are here and we have to deal with them.

Now, Let us take a look at the current “state of the art” of passwords.

Continue reading

Standard
General, Programming

Software Development, Morality, ‘The Secret Life of Walter Mitty’, and Victor Frankenstein

For those who haven’t watched ‘The Secret Life of Walter Mitty’, I highly recommend a showing. It follows Walter Mitty, a daydreaming “negative asset manager” at LIFE magazine during its conversion to a fully-online offering. It truly is a visually stunning work.

The opening premise, LIFE magazine moving online and the inevitable downsizing and layoffs, struck a chord that has been, and is still, resonating: Is there a place for morality in software developer’s drive toward automation and efficiency?

Continue reading

Standard
General, Security, Privacy

History and its Uncanny Ability to Repeat Itself

The EFF has published a well-cited and informed article on why they view the current trend of dragnet surveillance to be thoroughly against the constitution of the U.S.

Even if you are not an American, this article touches on the ideals of many. It describes the context around why the Fourth Amendment was included and goes into specific detail as to who and why they thought it so important:

“Using ‘writs of assistance,’ the King authorized his agents to carry out wide ranging searches to anyone, anywhere, and anytime regardless of whether they were suspected of a crime. These ‘hated writs’ spurred colonists toward revolution and directly motivated James Madison’s crafting of the Fourth Amendment.”

I highly recommend reading the entire article: The NSA’s “General Warrants”: How the Founding Fathers Fought an 18th Century Version of the President’s Illegal Domestic Spying

 

Standard
General

The Value of a Secret

Suppose that, while teaching a class some engaging topic, I keep a secret from the class and only reveal it at the end of the term. This secret provides a sudden realization to the students that they can take into their next year — A real ‘Aha! moment’. I only ask them that they do not reveal the secret to any classes that haven’t taken the course yet so that they can have the same experience. This may work for a while, but inevitably one student, through malice or ignorance, will reveal the secret to someone they shouldn’t have. This then spreads throughout the whole student body until the experience for all future classes is ruined.

Continue reading

Standard
General, Technical

Privacy: A How-To

Introduction

With the leak of classified NSA documents and their entailing revelations, Edward Snowden has become a household name. He single-handedly caused millions of people to rethink their electronic lives – and their assumptions of privacy. Now, those people (and businesses) are scrambling to find solutions to a problem they didn’t know existed, or chose to remain blissfully unaware, a number of months ago.

There have been numerous blog posts and documents about enhancing your systems to increase privacy protection, and I thought that I would summarize many of them from the perspective of someone who works in the industry. The sections of this article are organized in order of complexity (and tinfoil hattiness). The easiest and most basic measures will be in section 1 while the most complex and restrictive measures will be in the last.

Continue reading

Standard
General

Showing Up

Richard Branson talks at length in his book “Like a Virgin” about various topics in the business world. He addresses issues brought up by aspiring entrepreneurs and seasoned veterans in their journey to provide great products and services.

One of those points Richard addresses is the importance to simply show up. I remember reading that section and thinking that I would take this advice with a grain of salt. What if I am competing against some of the best in the world?

I was skeptical.

A few months passed and I received an email from a prominent financial institution; it detailed a contest where Canadian postsecondary students can submit an essay on what their vision of a responsible financial institution is.

I was intrigued.

I started thinking. I am not a financial institution expert or well-versed in what makes them responsible. All I could do was think of my own convictions. What did I think a financial institution that was responsible look like? It ended up looking like a simple essay with a list of suggestions – and it was. I was certain that I would not win, but I felt strongly about it.

I am surrounded by smart people all day. I would wager that most of them are far smarter than me, but I was the only one who entered the contest. All of them said something similar when I asked them if they would enter the competition: there would be people far smarter than them who would write something and win.

I definitely had those same thoughts, but instead of giving up before I had even written a single word I figured that I would at least try. I showed up.

I wrote something that I felt strongly about. Why wouldn’t I show people?

I placed second in the Canada-wide contest.

New York Magazine published an article in February of 2011 that covered research on just this topic. The studies that were referenced identified links in children that were told they were “smart” and their likelihood to try something that was not inherently natural for them. In general they found that children who were constantly praised for their intelligence were more likely to quit when things didn’t come naturally.

I am extending this idea to include self-deprecating mentalities in adults who believe themselves to be intelligent.

Intelligent adults will assess the situation and gauge their ability to succeed based on their own perception of their capabilities. The difference between the study with the children and my extension into the adult realm is that the children actually try before their failure is realized. The adults encounter their difficulty before attempting anything. The result is the same. Both groups do not complete the attempt.

This brings further reinforcement to the saying “you are your own worst enemy.”

I suppose I should be grateful for that mentality as it allows others, such as myself, to try and succeed. I cannot help but wonder, though, what breakthroughs might have happened if those people would actually try.

Sources:

New York Magazine, How Not to Talk to Your Kids: The inverse power of praise, http://nymag.com/news/features/27840/

Like a Virgin: Secrets They Won’t Teach You In Business School, Richard Branson, http://www.virgin.com/richard-branson/books/like-a-virgin

Standard