Ok, this is a backwards observation.
One of my hot buttons is to spot “cyber security principles,” that is, general but pointed observations on how to improve cyber security.
A long-held principle is “Keep it Simple, Stupid.” Thanks to Moore’s Law and the constantly falling price of ever bigger, faster, and more complex tech, no one puts much effort into keeping things simple. The extra features draw more customers even if they make the tech more fragile.
Continue reading Example of KISS
I’m a sucker for basic principles distilled into pithy prescriptions.
A freelance writer, Brian Boyko, has distilled the basic features of graphical user interfaces (GUIs) into four principles: Control, Conveyance, Continuity, and Context. He uses them to structure a well-reasoned though shrill critique of Windows 8.
Continue reading GUIs: Control, Conveyance, Continuity, and Context
I’ve been looking at the evolution of electronic funds transfer (EFT) and payment systems recently. My research uncovered a gem: about two years ago, David Stearns completed a dissertation that looks at the early evolution of the Visa card (originally “Bank Americard”) in the context of other evolving electronic payment systems. Stearns’ work is both readable and filled with interesting information.
Continue reading Pragmatic Security: the history of the Visa card
I’ve been reviewing histories of cryptography recently and here’s an interesting thing about pre-computer encryption: it’s almost entirely used for communications security. People encryptedmessages, but they rarely encrypted documents.
I’ve finally found a few real-world cases: encrypted diaries. BBC did a short segment on them last summer. But I’m still looking – there must be other cases where someone needed to keep some long-term data secret from prying eyes.
Continue reading Real-world document encryption
These are design patterns in the Christopher Alexander sense rather than the object oriented design sense: they address the physical and network environment rather than focusing on software abstractions. The patterns were introduced in my book Authentication.
There are four patterns: local, direct, indirect, and off-line.
Continue reading Design Patterns for Identity Systems
The insider threat isn’t easy to fix. We can fix it with Separation of Duty, but it requires planning ahead, discipline, and effort. But it’s essentially why banks can hire low-wage tellers and not worry about theft at the till (or at least not as much).
San Francisco lost control of their FiberWAN. It’s not clear how much this affected day to day operations, since the city appeared to still be working. And that in itself is a tribute to separation of duty.
Continue reading Fixing the Insider Threat: Separation of Duty