One of my hot buttons is to spot "cyber security principles," that is, general but pointed observations on how to improve cyber security.
A long-held principle is "Keep it Simple, Stupid." Thanks to Moore's Law and the constantly falling price of ever bigger, faster, and more complex tech, no one puts much effort into keeping things simple. The extra features draw more customers even if they make the tech more fragile.
For the uninitiated, I strongly warn you NOT to try to follow the link in that email. If it's only slightly malicious, then the web page will try to tease me out of personal information. After all, this is a job offer, and employers are obliged to collect SSNs and other personal information.
If it's seriously malicious, then the web page will send me a malicious MS Word or Acrobat file, or perhaps just some web-based scripts, that poke around on my machine looking for weaknesses.
Chrome has sensibly increased the key sizes it expects in public-key transactions (see here and here). However, Chrome still silently accepts RC4 encryption, even though RC4 has been vulnerable to attack for over a decade.
This is like putting a heavy padlock on a cardboard box.
Even so, 7 out of the top 10 US web sites still use RC4. This includes sites with a lot to lose like Amazon and eBay as well as Google itself. The other weaklings in the Top 10 are LinkedIn, Wikipedia, Twitter, and Google's Youtube (as weak as their owner).
I also hadn't realized the extent to which American citizens in general are considered "the enemy" by the NSA. Their duplicitous role in Internet standards is breathtaking. It may be the grandest example of social engineering. Ever.
There are comments flying around as to whether cryptography should be approached as a science or as engineering. It apparently started on Twitter. Bruce Schneier has weighed in and linked to an interesting essay by Colin Percival.
The actual border lands might not be surveyed yet, but I believe there's a distinct field of cryptographic engineering, just as computer architecture can be independent of circuit design. In both cases we try to establish design rules so that engineers can build things with predictable properties. In both cases we can push the envelope of those rules and yield disaster.
We establish an engineering discipline by trying to codify the design rules, teach them, build with them, and assess the results. That's what we see in security/cryptographic engineering these days. It's healthy even though we end up with occasional vulnerabilities.
I received the email displayed at the right. While Larry Grinnell is indeed a friend of mine who sends me email, the sender's email address was not his. This is one of several emails I've received, all extremely brief, and all with the exact same, format. The Subject line contains an exclamation. The body text contains my name and a single URL. I started saving them and experimenting with the URLs.
The first URL led to a place in Russia that displayed a weight-loss ad. I used a VM running Chrome to open it. When I used the same VM to open the more recent one (shown above) the VM crashed. I expected that. What I didn't expect was for it to take my whole desktop down, too.
Researchers at UCSB have demonstrated a "quantum processor" that correctly operates "Schor's algorithm for factoring primes" all of 48% of the time (Photo left, courtesy of UCSB). This has produced all sorts of dire predictions about existing cryptographic mechanisms.
This is nonsense. We don't know enough about quantum computing to believe that a practical quantum computer architecture can follow Moore's law. And so-called "quantum cryptography" is not the answer.
Students can earn CPE credits and a US Government-endorsed training certificate in information security. They study the textbook (Elementary Information Security, of course), discuss topics with me on the book's discussion forums if they want, and take on-line tests on the material. Once they pass all exams, they earn the certificate.
The U.S. government certifies courses of study in information security under the Information Assurance Courseware Evaluation (IACE) program. If a course is certified under one of the approved standards, then students are eligible to receive a certificate that carries the seal of the U.S. Committee on National Security Systems (CNSS, left) to indicate they have completed an approved course of study.
It can be challenging for an institution to get its course of study certified. Many of the topics are obvious ones for information security training, but others are relatively obscure. Several topics, like TEMPEST, COMSEC, and transmission security, have lurked in the domain of classified documents for decades.
This new text provides a comprehensive and widely available source for all topics required for NSTISSI 4011 certification. An institution can use the textbook along with the details of its NSTISSI 4011 topic mapping to establish its own certified course of study.
Elementary Information Security has been certified to conform fully to to the Committee on National Security System’s national training standard for information security professionals (NSTISSI 4011). To do this, I had to map each topic required by the standard to the information as it appears in the textbook. Instructors who map their courses to the standard must map the topics to lectures, readings, or other materials used in those courses.
I have exported the textbook's mapping to an Excel spreadsheet file. Curriculum developers may use this information to develop a course of study that complies with NSTISSI 4011 and is eligible for certification. I'm describing the courseware mapping process in another post. Read that post first.