Life Cycle of a Security Bug

Unlike members of the insect family, computer software bugs live forever. Software security bugs (well, flaws) are especially troubling since they demand respect from every software developer now and forever. We want to believe we can "eradicate" software flaws through reviews, testing, and vigilance. Eradication is a myth. A flaw's spores simply go dormant to... Continue Reading →

The Six Types of Cyber-Risks

My textbook lists categories of cyber-attacks that focus on an attack's lasting impact: how does it affect the target's assets and resources? Since the categories really reflect the attack's impact on the target, they really represent risks. Here are the categories I use right now: Denial of service - Pillage - Subversion Masquerade - Forgery - Disclosure This is a... Continue Reading →

The Big Bug in the News: the WPA2 flaw

The big news this week is a protocol flaw in the Wireless Protected Access protocol, version 2 (WPA2). The Ars Technica article covers the details pretty well. This is what every Wi-Fi wireless router on the planet uses these days. The problem does not directly damage your system, but it can uncover data you had intended... Continue Reading →

Tiptoeing Through Vulnerabilities

I sympathize with developers who throw up their hands and say, "I don't do security stuff." No matter what you choose, there's a trade off that could go wrong. It's especially troublesome if one deploys a "security website." I've deployed security education websites in many environments over the past 20 years, and I rarely achieve... Continue Reading →

Symantec Breaks Trust with the Internet?

Symantec is one of the companies that holds the keys to the Internet: they are a trusted certificate authority for authenticating major web sites. All major browsers recognize Symantec as a trustworthy source of SSL/TLS authentication certificates. Symantec (also known by its subsidiary name Verisign) is part of a chain of trust that keeps our Internet traffic safe.... Continue Reading →

The “Bug-Free Software” fallacy

About 20 years ago, I worked with a fellow who proudly told me that he had once written a flawless piece of software. He kept its inch-thick line printer listing as a shrine in his cubicle. I never asked him for details, because he got angry when people questioned his judgement on computing. After all,... Continue Reading →

Multics was flawless?

Last week I participated in a very geeky panel discussion about a now-defunct standard for computer system security: the TCSEC. I showed some charts and diagrams about costs, error rates, and adoption of government-sponsored programs for evaluating computer security. During the panel, some audience members made the following claim: "After its evaluation, Multics never needed a... Continue Reading →

Stream Cipher Reuse: A Graphic Example

Take a look at the following image. You should see two different 'messages' here. This particular mish-mash of messages reflects the failure of otherwise strong cryptography: the improper implementation of a one-time pad or a stream cipher. This same mistake let American cryptanalysts decode thousands of Soviet spy messages in the 1940s and -50s. The... Continue Reading →

Create a website or blog at WordPress.com

Up ↑