Mozilla, like most responsible web browsers, pops up a warning if someone visits a secure web site where the site's crypto credentials have not been countersigned by a recognized certificate authority.
In Slashdot, Chandon Seldon arues that the Mozilla SSL Policy is Bad For the Web., which links to material by Nat Tuck saying, again, Mozilla SSL policy bad for the Web. The argument is that this policy violates net neutrality by forcing people into a commercial venue if they want their secure connections to be user friendly. The commentaries find this especially troublesome for nonprofit organizations.
This is nonsense. Net Neutrality is about connectivity. SSL is about security and assured identification. Web browsers pop up a complaint about authentication when they can't verify a site's identity - that's what the browser is supposed to do. SSL certificate management is the best affirmative defense in the Internet today and these suggestions will only weaken it.
It's amazing how subtle a one-time pad really is. On one level they're deceptively simple: you simply match up the text of your message with a collection of "random bits" you share with the recipient. To decrypt, the recipient matches up a copy of those "random bits" to retrieve the message.
I have been reading the ACM's Model Curriculum on Information Technology (a prototype "IT" major) with a special eye towards the information security coverage. I've been teaching information security courses and recently developed a major in the area.
The curriculum provides minimum times to cover major topics in the field, like 3 hours to cover "Fundamental Aspects" including the "history" of information assurance and security. After factoring out the other dozen 'learning outcomes' for that topic, one is left with six minutes to cover the "history" of information security.
The San Francisco story is sounding more like a techie's personal tragedy and less like terrorism or hijacking or a ransom thing. Paul Venezia was contacted by someone in the IT department who knew Terry Childs, the "rogue admin."
Apparently Childs is a highly talented admin who is obsessed with his network. If the anonymous source is painting an accurate picture, then it's just an unfortunate combination of limited social skills on his part and hysterical overreaction on the part of his managers.
It's not an easy fix because it requires planning ahead, discipline, and effort. But it's essentially why banks can hire low-wage tellers and not worry about theft at the till (or at least not as much).
San Francisco has lost control of their FiberWAN. It's not clear how much this affects day to day operations, since the city appears to still be working. And that in itself is a tribute to separation of duty.
There's some terrific stuff here. Unfortunately, it's packaged with Internet-based password selection.
Get it straight: you're only supposed to share your passwords with yourself and your keyboard. You aren't supposed to ask your astrologer for one, or collect one from someone on the bus, or at a cocktail party. And never, ever from an Internet web site.
Someone picked up the domain 'highsecuritypasswordgenerator.com' and has proceeded to implement a password generator on it. The generator applies a common technique (I described it in my book Authentication) wherein you choose two words from long lists and separate them with a special character of some sort.
The down side should be obvious to anyone who thinks about web security: the password is shared with the password generating site and with anyone who sniffs the web page as it travels across the Internet.