John Oliver on Net Neutrality

Comedian John Oliver has recorded a classic rant about net neutrality. Here's my favorite quote:
"The cable companies have figured out the great truth of America: If you want to do something evil, put it inside something boring. Apple could put the entire text of Mein Kampf inside the iTunes User Agreement and you'd just go 'Uh, Agree, Agree, Agree, whatev-, Agree, Agree.'"
Identity theft, airport security, and coincidences

[Image: Airport Screening]

OK, my name is Richard Smith, and it's a common name. My wife's name, however, isn't especially common. The combination of the two is even rarer. A party traveling by air matching those two names is even rarer.

It finally happened. Wednesday. Same flight.

Cerf and the "secure from the start" Internet

[Image: Early Arpanet Map]

Vint Cerf, co-inventor of TCP/IP, talked recently about the technology available to "secure the Internet" when it first arrived. News sites claimed "The Internet could have been secure from the start, but the tech was classified."

That's really not what he said. And it's not true.

If the Internet had been made "secure from the start," then none of us would be using it.

Password managers and autocomplete

[Image: Authentication Icons]

Some web sites insist on as much control over our passwords as they can get. They demand that we choose hard-to-remember passwords, they spread the login over several pages, and they refuse to accept password text through autofill or even copy/paste. This is supposed to reassure us, I guess, the way that shoe removal reassures everyone at the airport.

On-line cipher tools

This is a follow-on of my "Grade School Crypto" introduction to the fundamentals of cryptography. While constructing examples from my class, I came across a nice little web site called "Count On," that includes a page of basic crypto tools.

Administrivia: New commenting regime

I've switched from Disqus to LiveFyre.

Unlike Disqus, LiveFyre lets you log in directly using a social media account. Disqus would tolerate social logins, but they demanded you set up a separate account first.

No big deal.

The "Bug-Free Software" fallacy

For patching the unpatchable

About 20 years ago, I worked with a fellow who proudly told me that he had once written a flawless piece of software. He kept its inch-thick line printer listing as a shrine in his cubicle. I never asked him for details, because he got angry when people questioned his judgement on computing. After all, he had once been in a panel discussion with Grace Hopper!

I have my own Grace Hopper stories, but today's interesting panel discussion took place earlier in December at the 2013 ACSAC in New Orleans. Roger Schell, a luminary in the annals of cyber security, declared that 1980s techniques had indeed created "bug-free software."

Roger Schell is wrong.

Multics was flawless?

[Image: Multics logo]

Last week I participated in a very geeky panel discussion about a now-defunct standard for computer system security: the TCSEC. I showed some charts and diagrams about costs, error rates, and adoption of government-sponsored programs for evaluating computer security. During the panel, some audience members made the following claim:

"After its evaluation, Multics never needed a security patch."

I admit I find this hard to believe, and it's not consistent with my own Multics experience. However, most of my Multics experience predated the evaluation. So I ask: does anyone know if Multics had a security patch after its B2 TCSEC evaluation?

[see newer posting]

The City: a metaphor on software and security

I've probably written about this before, but I feel inspired to write out some details as I sit in this session at ACSAC.

I think the modern city is the perfect metaphor for modern software. Individual programs are entities (people, organizations) who exist in a city. Elements of the city (other programs) provide services and utilities. There is a level of confidence in the services and utilities, but all is at risk of disruption by natural disasters or by criminal acts.

Here are some essential points:

Stout nails in RC4's coffin

[Image: Cipher disk]

Two important announcements this week about RC4:

First, Cisco has downgraded the RC4 encryption cipher and marked it as a cipher to "avoid." In other words, web sites should NOT use it to protect things like passwords. This is a revision of their published recommendations for cryptographic algorithms.