Comedian John Oliver has recorded a classic rant about net neutrality. Here's my favorite quote:
"The cable companies have figured out the great truth of America: If you want to do something evil, put it inside something boring. Apple could put the entire text of Mein Kampf inside the iTunes User Agreement and you'd just go 'Uh, Agree, Agree, Agree, whatev-, Agree, Agree.'"
OK, my name is Richard Smith, and it's a common name. My wife's name, however, isn't especially common. The combination of the two is even rarer. A party traveling by air matching those two names is even rarer.
It finally happened. Wednesday. Same flight.
Some web sites insist on as much control over our passwords as they can get. They demand that we choose hard-to-remember passwords, they spread the login over several pages, and they refuse to accept password text through autofill or even copy/paste. This is supposed to reassure us, I guess, the way that shoe removal reassures everyone at the airport.
This is a follow-on of my "Grade School Crypto" introduction to the fundamentals of cryptography. While constructing examples from my class, I came across a nice little web site called "Count On," that includes a page of basic crypto tools.
I've switched from Disqus to LiveFyre.
Unlike Disqus, LiveFyre lets you log in directly using a social media account. Disqus would tolerate social logins, but they demanded you set up a separate account first.
No big deal.
About 20 years ago, I worked with a fellow who proudly told me that he had once written a flawless piece of software. He kept its inch-thick line printer listing as a shrine in his cubicle. I never asked him for details, because he got angry when people questioned his judgement on computing. After all, he had once been in a panel discussion with Grace Hopper!
I have my own Grace Hopper stories, but today's interesting panel discussion took place earlier in December at the 2013 ACSAC in New Orleans. Roger Schell, a luminary in the annals of cyber security, declared that 1980s techniques had indeed created "bug-free software."
Roger Schell is wrong.
Last week I participated in a very geeky panel discussion about a now-defunct standard for computer system security: the TCSEC. I showed some charts and diagrams about costs, error rates, and adoption of government-sponsored programs for evaluating computer security. During the panel, some audience members made the following claim:
"After its evaluation, Multics never needed a security patch."
I admit I find this hard to believe, and it's not consistent with my own Multics experience. However, most of my Multics experience predated the evaluation. So I ask: does anyone know if Multics had a security patch after its B2 TCSEC evaluation?
[see newer posting]
I've probably written about this before, but I feel inspired to write out some details as I sit in this session at ACSAC.
I think the modern city is the perfect metaphor for modern software. Individual programs are entities (people, organizations) who exist in a city. Elements of the city (other programs) provide services and utilities. There is a level of confidence in the services and utilities, but all is at risk of disruption by natural disasters or by criminal acts.
Here are some essential points:
Two important announcements this week about RC4:
First, Cisco has downgraded the RC4 encryption cipher and marked it as a cipher to "avoid." In other words, web sites should NOT use it to protect things like passwords. This is a revision of their published recommendations for cryptographic algorithms.