Unlike members of the insect family, computer software bugs live forever. Software security bugs (well, flaws) are especially troubling since they demand respect from every software developer now and forever. We want to believe we can "eradicate" software flaws through reviews, testing, and vigilance. Eradication is a myth. A flaw's spores simply go dormant to... Continue Reading →
My textbook lists categories of cyber-attacks that focus on an attack's lasting impact: how does it affect the target's assets and resources? Since the categories really reflect the attack's impact on the target, they really represent risks. Here are the categories I use right now: Denial of service - Pillage - Subversion Masquerade - Forgery - Disclosure This is a... Continue Reading →
The big news this week is a protocol flaw in the Wireless Protected Access protocol, version 2 (WPA2). The Ars Technica article covers the details pretty well. This is what every Wi-Fi wireless router on the planet uses these days. The problem does not directly damage your system, but it can uncover data you had intended... Continue Reading →
I sympathize with developers who throw up their hands and say, "I don't do security stuff." No matter what you choose, there's a trade off that could go wrong. It's especially troublesome if one deploys a "security website." I've deployed security education websites in many environments over the past 20 years, and I rarely achieve... Continue Reading →
Symantec is one of the companies that holds the keys to the Internet: they are a trusted certificate authority for authenticating major web sites. All major browsers recognize Symantec as a trustworthy source of SSL/TLS authentication certificates. Symantec (also known by its subsidiary name Verisign) is part of a chain of trust that keeps our Internet traffic safe.... Continue Reading →
The current fight is about whether we will impose a technological infrastructure which will be exceptionally vulnerable to attackers in order to provide nothing more useful than some very, very short-term advantages to people investigating crimes. Perry Metzger, commentary on the Cryptography mailing list last Friday Let me say it differently: We put everyone in... Continue Reading →
About 20 years ago, I worked with a fellow who proudly told me that he had once written a flawless piece of software. He kept its inch-thick line printer listing as a shrine in his cubicle. I never asked him for details, because he got angry when people questioned his judgement on computing. After all,... Continue Reading →
Last week I participated in a very geeky panel discussion about a now-defunct standard for computer system security: the TCSEC. I showed some charts and diagrams about costs, error rates, and adoption of government-sponsored programs for evaluating computer security. During the panel, some audience members made the following claim: "After its evaluation, Multics never needed a... Continue Reading →
Take a look at the following image. You should see two different 'messages' here. This particular mish-mash of messages reflects the failure of otherwise strong cryptography: the improper implementation of a one-time pad or a stream cipher. This same mistake let American cryptanalysts decode thousands of Soviet spy messages in the 1940s and -50s. The... Continue Reading →
