It's amazing how subtle a one-time pad really is. On one level they're deceptively simple: you simply match up the text of your message with a collection of "random bits" you share with the recipient. To decrypt, the recipient matches up a copy of those "random bits" to retrieve the message.
I have been reading the ACM's Model Curriculum on Information Technology (a prototype "IT" major) with a special eye towards the information security coverage. I've been teaching information security courses and recently developed a major in the area.
The curriculum provides minimum times to cover major topics in the field, like 3 hours to cover "Fundamental Aspects" including the "history" of information assurance and security. After factoring out the other dozen 'learning outcomes' for that topic, one is left with six minutes to cover the "history" of information security.
The San Francisco story is sounding more like a techie's personal tragedy and less like terrorism or hijacking or a ransom thing. Paul Venezia was contacted by someone in the IT department who knew Terry Childs, the "rogue admin."
Apparently Childs is a highly talented admin who is obsessed with his network. If the anonymous source is painting an accurate picture, then it's just an unfortunate combination of limited social skills on his part and hysterical overreaction on the part of his managers.
It's not an easy fix because it requires planning ahead, discipline, and effort. But it's essentially why banks can hire low-wage tellers and not worry about theft at the till (or at least not as much).
San Francisco has lost control of their FiberWAN. It's not clear how much this affects day to day operations, since the city appears to still be working. And that in itself is a tribute to separation of duty.
There's some terrific stuff here. Unfortunately, it's packaged with Internet-based password selection.
Get it straight: you're only supposed to share your passwords with yourself and your keyboard. You aren't supposed to ask your astrologer for one, or collect one from someone on the bus, or at a cocktail party. And never, ever from an Internet web site.
Someone picked up the domain 'highsecuritypasswordgenerator.com' and has proceeded to implement a password generator on it. The generator applies a common technique (I described it in my book Authentication) wherein you choose two words from long lists and separate them with a special character of some sort.
The down side should be obvious to anyone who thinks about web security: the password is shared with the password generating site and with anyone who sniffs the web page as it travels across the Internet.
The City of San Francisco has just suffered what sounds like the nightmare scenario of an insider attack on their computing infrastructure.
The 'disgruntled employee' who reportedly was 'disciplined for poor performance' had enough access to critical system components to give himself exclusive control of the infrastructure and apparently lock out other administrators. The system is said to still be running, but administrators have little control over it.
So what's the lesson here?