Observations on information security.

"Design Patterns" for Identity Systems

These are design patterns in the Christopher Alexander sense rather than the object-oriented design sense: they address the physical and network environment rather than focusing on software abstractions. The patterns were introduced in my book Authentication.

There are four patterns: local, direct, indirect, and off-line.

Senator McCain and "Internet Cryptography"

In honor of the electoral season, I'm sharing an old photograph. The occasion was a visit by Senator John McCain (R-AZ) to Secure Computing in June, 1999. We discussed possible revisions to cryptographic export controls, and he posed for photos, holding a copy of Internet Cryptography, which was 'recently published' back then.

I don't want to turn this into a political blog - this posting simply reports on the visit.

Password Resetting Considered Harmful - duh!

It used to be that the default password was your mother's maiden name, your SSN, your birthdate, or something like that. Now you have to pick a password, and your 'password recovery' questions are based on those old standby questions. So you can still break into a person's accounts by answering those classic questions.

There have been some interesting recent reports about the use of personal questions for password resetting, and Bob Sullivan has summarized them in a recent posting.

This problem will only disappear over time, as people learn how NOT to lose security credentials.

Models for Today's Security

I received an e-mail from a mutual friend named Jim Burrows who was decrying the state of information security, blaming it on the lack of good models for solving modern security problems. I have to agree, and I admit I don't have a glib answer.

A few weeks back, Gunnar Peterson posted some comments relevant to this discussion of modern security policy, but I haven't managed to frame a response to that one, either.

At least, I can agree that traditional models are broken. I believe there are some fundamentals that remain constant, but the high-level attempt to build firewalled enclaves is clearly obsolete (except for a very few special situations).

OpenID Delegation on WordPress

Thanks to Gary Krall, tech director of PIP at Verisign, I have a recipe for "works every time" OpenID delegation with their free PIP service. First, what is OpenID delegation?

Delegation lets you use your very own URL as your identity URL for logging in with OpenID. For example, I can use to log in to web sites. To do this, you have to provide some special statements (a.k.a. magic) in your HTML files that redirect the OpenID process from your web site to the service that actually does your OpenID authentication.
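To show what that "magic" looks like from the other side, here is an added example (not code from the original post or from Verisign PIP) of how a relying party reads the delegation hints out of a personal page: the `<link>` elements in `<head>` name the provider endpoint and the identifier the provider knows you by, in both the OpenID 1.1 and OpenID 2.0 spellings. The provider and identifier URLs are constructed placeholders.

```python
from html.parser import HTMLParser

# OpenID 1.1 and 2.0 spell the same two hints with different rel values:
# the provider endpoint, and the identifier the provider knows the user by.
REL_PROVIDER = {"openid.server": "1.1", "openid2.provider": "2.0"}
REL_LOCAL_ID = {"openid.delegate": "1.1", "openid2.local_id": "2.0"}


class _LinkScanner(HTMLParser):
    """Collects (rel, href) pairs from <link> tags inside <head> only."""

    def __init__(self):
        super().__init__()
        self.links = []
        self.in_head = True  # delegation links belong in <head>; later ones are ignored

    def handle_starttag(self, tag, attrs):
        if tag == "link" and self.in_head:
            a = dict(attrs)
            for rel in (a.get("rel") or "").lower().split():
                self.links.append((rel, a.get("href")))

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False


def discover_delegation(html):
    """Return {version: {"provider": url, "local_id": url}} found in html."""
    scanner = _LinkScanner()
    scanner.feed(html)
    found = {}
    for rel, href in scanner.links:
        if rel in REL_PROVIDER and href:
            found.setdefault(REL_PROVIDER[rel], {})["provider"] = href
        elif rel in REL_LOCAL_ID and href:
            found.setdefault(REL_LOCAL_ID[rel], {})["local_id"] = href
    # A delegate identifier without a provider endpoint is useless; drop it.
    return {v: d for v, d in found.items() if "provider" in d}


# Constructed sample: a personal page delegating to a placeholder provider.
SAMPLE_PAGE = """<html><head><title>My page</title>
<link rel="openid.server" href="https://pip.example.invalid/server">
<link rel="openid.delegate" href="https://alice.pip.example.invalid/">
<link rel="openid2.provider" href="https://pip.example.invalid/server">
<link rel="openid2.local_id" href="https://alice.pip.example.invalid/">
</head><body>Hello.</body></html>"""
```

Run `discover_delegation(SAMPLE_PAGE)` to see both protocol versions resolve to the placeholder provider; a page whose only delegation links sit in `<body>` yields nothing.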

Using OpenID

You are welcome to use your OpenID credentials to register with Cryptosmith and/or to post comments.

When you register for the site with OpenID, the Cryptosmith site will automatically try to collect your name and e-mail address from the OpenID provider. This information will be copied into your profile. At present all profiles are private except to the site administration.

OpenID Works!

Thanks to the help of Will Norris, one of the authors of the WordPress OpenID plugin, I've managed to get it to work. I will include some notes on using OpenID in a permanent page.

Passwords, Open ID, and "Information Cards"

Randall Stross/Digital Domain has posted a NYT story on passwords, Open ID, and Information Cards.

The "Information Card Foundation" is only a few weeks old, and the technique is trying to solve problems with both passwords and with Open ID. The posting roasts the old chestnuts about how bad passwords are (does anyone really need convincing?), then roasts Open ID a bit, and then introduces Information Cards, a slightly more flexible but still vulnerable technology.

Personally, I'm not convinced that Information Cards are any safer or easier to use than Open ID can be.

The Security Process

I've been working on ways of teaching information security. I think it's essential to teach some sort of systematic approach to security ("the process") and that this should include risk assessment, policy development, monitoring, and such. For educational purposes, my process contains six phases