Web Insecurity: comments feed (blog by Terri Oda), 21 comments, last updated 2020-06-20.

Timmyson, 2012-03-29 09:23 -04:00:

You assume that the answers provided in surveys are reliable indicators of behaviour. Many people are "concerned" about workers' rights, but buy Nike shoes from Walmart. Heck, I would rather not have my data compromised, but if I can get 3.1% interest from a bank that had a breach last week, I'll leave the bank that hasn't had a breach in 5 years that's offering 3.0%. If I suffer any financial loss, I expect to be compensated automatically or be able to sue. I'd lay real money that most of that 92% feel the same.

In fact, I'd go one step further and suggest that while they're concerned about it, most wouldn't want to incur the bother of changing banks over it.

Terri Oda, 2011-03-01 13:04 -05:00:

I'm torn between amusement and dismay that Facebook has such a tradeoff between account security and personal security...

Unknown, 2011-03-01 11:46 -05:00:

Facebook keeps reminding me that my account security is only "medium" because I won't give them my phone number. Here is yet another reason NOT to give it to them.

Zygo, 2011-01-27 14:45 -05:00:

OK, one more try...

The other thing that struck me was the term "act of nature". When I think of account compromise, I think "act of robots."

It is actually scary to think about real, live human beings attacking me. Of course I realize that there's at least one person behind each of the thousands of automated attacks that fail each day, but that person usually isn't the one attacking me, their hordes of software agents are. Software agents aren't scary to me at all -- I can watch their futile probing all night if I'm having trouble sleeping.

If you use terms like "virus" and "worm" to describe malware, then a botnet -- a large creature consisting of self-replicating cells driven by an intelligence that lurks under the visible parts of the Internet looking for inexperienced captains or crews -- might seem like an archetypal sea monster.

I don't believe in sea monsters, because I'm an archetypal oceanographer. I *know* the ominous thumping on the bottom of my boat is some prat with a remote-controlled submarine, and it would normally not occur to me to describe an encounter with one in any other terms.

So "My boat got wrecked!" is what you'd tell your friends and colleagues who might be wondering what happened to your boat. "Something wrecked my boat!" would be what you state on your insurance claim. "The boat was hijacked by a RoboSquid CVE2010-0442 exploiTorpedo, then directed to play Viagra ads loudly through the PA system while driving erratically through the harbor until it collided with a pier and segfaulted" would be what the insurance adjuster writes on their report.

Gail Carmichael, 2011-01-27 14:12 -05:00:

This is definitely interesting. I'm also not sure whether to be flattered or worried that you want to offer me for hacking pleasure. ;)

Timmyson, 2011-01-27 13:51 -05:00:

I have many "friends" on Facebook who I haven't seen or even communicated with in years. As do many of the friends with whom I got into friend-count competitions. I doubt my ability to accurately spell a random friend's name with better than 60-70% accuracy.

Terri Oda, 2011-01-27 13:45 -05:00:

Now I want to hear the longer comment about sea monsters (http://twitter.com/zblaxell/status/30692947125084161). ;)

But yes, it is more efficient language, and we say something similar with other crimes: "I got mugged", "my luggage was stolen", so maybe it doesn't really mean much at all. Still an amusing thought exercise and a funny statement, though!

Zygo, 2011-01-27 13:12 -05:00:

"Someone hacked my account" is less efficient language than "my account got hacked." The former introduces a distracting and irrelevant third party into the statement, who probably cannot be usefully discussed further. The intended message is "my account was compromised, and it's all you need to know or I want to talk about," and adding a "someone" just invites "someone who?"

_, 2011-01-18 09:47 -05:00:

They blinked, at least until their PR department can put a bit more spin on it:

http://techcrunch.com/2011/01/18/following-complaints-facebook-puts-address-and-number-sharing-on-hold/

Mary, 2010-11-04 18:20 -04:00:

Thanks, I've now Read the Whole Thing and as you say it is good on the subject. I do like to see an explicit acknowledgement of the disproportionate impacts of adding round trips, but you can't have everything.

Terri Oda, 2010-11-04 10:59 -04:00:

Did you get a chance to read through the Overclocking SSL post? They actually spent quite a lot of time working on addressing the problem of round trip time, and I realise what little I quoted might have misled you into believing that they hadn't.

(This doesn't change the fact that this is a problem that affects some users more than others, of course.)

I suspect for some open source organisations and other groups with limited budgets, the certificate costs can be pretty prohibitive too. When John was looking into it for kernel.org, he was getting quotes well over USD $50k because they needed *.*.kernel.org to handle the various wikis and git repositories and such that they host. Even with * certificates so they wouldn't have to buy a new cert for every new project, it was pretty ridiculous. Self-signing is becoming non-viable for usability reasons thanks to Firefox. In the end, Kernel.org was fortunate enough to get a donation from a signing authority to solve their encryption problem.

So yeah, it's definitely not like SSL is the answer for everyone, but it's important to make the decision based on actual problems and not imagined computational costs that aren't nearly as high as they were once reported to be.

Mary, 2010-11-04 03:20 -04:00:

I discussed this with Andrew who has talked about the launchpad.net trade-offs a bit, and his summary was: no, the computational effort isn't significant now, but SSL negotiations add noticeably to round-trip costs (especially impacting people who are not physically close to the server, so, usually not something North Americans notice most prominently in their web experience), which can be mitigated but not without a fair investment of developer time.

Terri Oda, 2010-10-12 12:59 -04:00:

While I totally appreciate your enthusiasm on the subject and hopefully some of my readers will appreciate your rundown of issues in password authentication... I should point out here that I do actually work for a research lab (http://ccsl.carleton.ca) which includes a number of people working on cutting-edge alternative authentication techniques, the effects of password interference, and other issues in authentication and usable security. My own 100ish students took part in the first long term, large-scale study of graphical passwords in the passpoints style, and I get to hear a lot of cutting-edge (often not-yet-published) research through work.

So what I'm getting at is that explaining issues with password authentication to *me* actually borders on insultingly patronizing.

Likely you just weren't aware, or maybe you were misled by the tone of this blog since I use this blog as a place to describe research ideas for a wider audience. But yeah... you should skip the basic explanations and go right to "have you seen this new research?" in the future!

You might want to take a look at some of the publications (http://www.ccsl.carleton.ca/publications/) that our research group has done on the subject if you're looking for starting points for discussion -- I think you'll find them very interesting.

Eivind, 2010-10-12 02:51 -04:00:

It's worse than that, actually. Passwords are, generally speaking, obsolete. The recommended way of handling passwords is something like the following:

Pick passwords that are fairly long, and a good mix of letters and other symbols. Use different, unrelated passwords for each purpose. Do not write the passwords down. Change the passwords regularly.

The problem with this is that human beings are unable to do that. I certainly have more than 100 accounts of various types. I am not able to remember 100 unrelated, complex passwords at all, and asking me to change them all regularly is COMPLETELY out of the question.

Instead, most people use the same password everywhere, and never change it. If you're lucky, they MAY have 2-3 passwords and for example use one of them for job-related and another for private stuff.

It's only getting worse too, machines never get slower. You'll need about one more bit of real entropy in the password for every year, just to maintain security. With passwords being non-random, this translates to adding one character to your password something like every 4 or 5 years.

Gr0w$hume- is probably an above-average password, but it's still a LONG way away from random. "grow" is an English word, and "hume" is an English-sounding word-fragment.

If 8 characters, of a quality similar to the example above, provides reasonable security today (I actually question this, especially for offline attacks), are we going to insist on 9+ starting 2015 and 10+ in 2019? Just how much of a hassle can you expect users to put up with -- WITHOUT choosing more banal passwords to compensate?

And for how long can you claim that the user is the problem, since they're not following advice -- when that advice is in practice IMPOSSIBLE for human beings to follow?

2-factor is the way to go. Google got it right. My debit card with a 4-digit PIN offers good security, because you need the PIN AND the physical card, which is a -huge- help against many attacks.

Brigid Keely, 2010-09-22 02:06 -04:00:

I found this via dreamwidth's latest things link. Verrrrry interesting article, and something I'd never thought of! Wow! Thanks for taking the time to point this out.

Leigh Honeywell (http://hypatia.ca), 2010-09-20 14:00 -04:00:

hah! it's not every day a post about web security makes me giggle out loud. well done, and interesting stuff.

also, argh, blogger doesn't support self-hosted openid providers. grump.

lunarbovine, 2010-07-09 11:36 -04:00:

- detecting breaches of security & appropriate responses.

- methods for dealing with distributed denial-of-service attacks

- OS-level vulnerabilities and choices in server architecture

These may be too "legal" for a technical course, but I'm curious:

- collecting electronic forensic information for law enforcement

- working with law enforcement & navigating departmental jurisdictions

- legal security responsibilities between server owners and clients

Terri Oda, 2010-05-25 17:25 -04:00:

"Shouldn't" and "aren't" are very different things!

The point of this presentation was to remind folk that whether they *should* or not, our current setups *do* allow non-technical page creators to impact security. Separation is a powerful tool, but it's quite weak if there's programmer error on the supposedly secure system side, so it's not really enough by itself.

Resuna, 2010-05-24 07:10 -04:00:

If you're not a programmer, you shouldn't be exposing your code to hostile users. If you want to customize your website beyond playing with the layout and static content, hire someone to do it. Computer programs are the most complicated "devices" created to date, and cut-and-paste doesn't change that.

Really separating design and code, to the point where the designer can't inject code deliberately (let alone accidentally), is about the only approach that I can see having a chance of really working. That's what Wikis and web-forums do, using a markup language that's deliberately secure and gets converted to a subset of HTML. Yes, it means you can't install the web equivalent of a turbocharger without hiring a programmer... but then, most people wouldn't try to install a turbocharger without hiring a mechanic: and that's in many ways a much simpler job.

Marcos Ricardo, 2010-05-23 19:32 -04:00:

Inspiring Presentation.

I've never seen one like that before.

Congrats.

Anonymous, 2010-02-05 12:32 -05:00:

The first thing that I noticed about "Verified by VISA" was that all I needed to get a password for it was the card number and an e-mail address...