Bruce Schneier
Schneier on Security
A blog covering security and security technology.
« Fingerprinting Paper | Main | Do-it-Yourself Security Checkpoint »
August 13, 2005
The Devil's Infosec Dictionary
I want "The Devil's Infosec Dictionary" to be funnier. And I wish the entry that mentions me -- "Cryptography: The science of applying a complex set of mathematical algorithms to sensitive data with the aim of making Bruce Schneier exceedingly rich" -- were more true.
In any case, I'll bet the assembled here can come up with funnier infosec dictionary definitions. Post them as comments here, and -- if there are enough good ones -- I'll collect them up on a single page.
Posted on August 13, 2005 at 10:48 AM • 106 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
Rick Katz • August 13, 2005 11:58 AM
On the definition of Identity Theft, how about adding: The act of corporations and government entities offering too little protection to too many people for too long and now it is too late to stop it.
http://www.link-popularity-zone.com/...
wim • August 13, 2005 12:00 PM
Sysadmin:
The lowest paid person in the company with more access to sensitive data than the company president
Wim • August 13, 2005 12:01 PM
Internet Worm:
Free test to check if you applied all microsoft updates
wim • August 13, 2005 12:04 PM
Closed source:
Stuff made by evil companies where we can't read the source so it must be insecure
Open Source:
Stuff made by people with to much spare time and no communication skills so the source we can read is not understandable so it must be secure.
Vainstein • August 13, 2005 12:08 PM
SECURITY, INFORMATION:
A tradeoff between misconceptions of the buyer, incompetence of the vendor, and burden on end-users. A buggy back-end with a dashboard front-end (rampant). The Van Eck radiation given off by paranoia. Commonly provides information in direct proportion to verbosity level selected, and security in inverse proportion to public interest in the target; where it is vastly superior, Madam, to nothing - the which provides latter but not former.
Wim • August 13, 2005 12:10 PM
Virus
Free test to check if your organisation has responsible email users
or
Made by people who want to demonstrate that the average user is to stupid to make any security decisions whatsoever
or
Program made by analists to check the gender distribution (click on the attachment to get naked women) or financial interests (win 5000 dollars, click on the attachment), computer savvy (please click on attachment, enter passphrase and click on program inside) or general intelligence (click on attachment)
Wim • August 13, 2005 12:12 PM
Firewall
The stuff we need so we can forget about securing anything else so we can save money
Alf Watt • August 13, 2005 12:15 PM
WEP (Wired Equivelant Privacy) |wep|
verb [past part.] intrans 1. To implement security after an incident. 'I WEPd for days after our wireless network was comprimised'
noun 1. An IEEE standard that works as advertised 'WEP provides the exact level of privacy as the wired internet, nearly none'
Wim • August 13, 2005 12:18 PM
Security Policy
Written document which removes any blame from management and puts it to an unsuspecting user
Wim • August 13, 2005 12:20 PM
Hardening
When applied to servers:
A method to increase TCO thereby providing for more job security to sysadmins while removing the need to do anything else like patching systems
When applied to desktops
A way to make users hate you, bring the business to a grinding halt and still be able to catchup on the lates virus because you don't need patching anymore
Vainstein • August 13, 2005 12:21 PM
ENCRYPTION
A lock, more or less elaborate, betimes even with one key for outside and one for inside. Guards the door to treasure - which is usually stolen via the window.
Wim • August 13, 2005 12:22 PM
Password Policy
A written document which makes users write their passwords down and put it on the monitor
D.J. Capelis • August 13, 2005 12:24 PM
ROT13 - A cryptography algorithm which is applied twice to secure all wireless communications
Wireless - A security mechanism designed to hide data in spectrums which are inheirently more secure because they cannot be seen by the human eye.
Security Officer (remixed definition) - Someone who seeks to annoy users with inane password requirements instead of doing their actual job which is to take blame when a 1337 Hacker uses the CEO's mother's maiden name to compromise the entire network.
CEO - An untouchable who should have access to all networkable computers. This person should be regarded as trusted and secure by default.
Security Policy - A document which is to be strictly followed unless it would be inconvenient to do so.
Trojan Horse - A term created to give people on full-disclosure something to argue over
Hashing Algorithm - A complex series of mathematical equations designed to output something that has been proven to be consistently nothing like the input.
Infinite Loop - See Recursive
Recursive - See Infinite Loop
Log Files - Files where the read bit is unneccesary.
127.0.0.1 - This machine is the cause of 99% of all security problems.
127.0.0.2 - This machine is the cause of the other 1%
The Mythical Non-Connected Machine - The theoretically secure machine in a locked vault not connected to any external network interface. See Useless Technology
One Time Pads - A technology which is perfectly secure unless used.
Uptime - The interval between the time the machine is compromised and the discovery of said compromise.
Unbreakable - See Breakable
Breakable - See Everything
Everything - See Breakable
Authentication Tokens - Devices designed to spur humans to think of new and better ways to weaken system security.
RSA - Three guys who really are going to be pretty disappointed when we figure out a fast way to factor large integers.
Wim • August 13, 2005 12:24 PM
Sysadmin (2)
A person with no communication skills whatsoever put in charge of managing a network full of people who ask questions all day long.
Wim • August 13, 2005 12:28 PM
Physical Security
A strong locked door to the server room to protect the system admin trying to repair the downed network with angry users outside
Wim • August 13, 2005 12:29 PM
Biometric security
Providing security using detachable parts of your body proving company data is more important than you
Security Audit • August 13, 2005 12:31 PM
Performed by a person with no security knowledge to assess if the current network is compliant with the written documents 5 years ago.
Wim • August 13, 2005 12:32 PM
Trojan Horse
Pretty screensaver with naked girls on the beach. Install now!
wim • August 13, 2005 12:35 PM
Hacker
Hostile user of your network
User
Hostile user of you network.
wim • August 13, 2005 12:40 PM
Helpdesk
Place to torture young IT professionals so they will become non communicative system admins.
Wim • August 13, 2005 12:42 PM
Firewall
Software to restrict access to your network to just the UFBP protocol (see also HTTP and HTTPS)
HTTP
Universal Firewall Bypass Protocol
HTTPS
Secure Universal Firewall Bypass Protocol
Vainstein • August 13, 2005 1:15 PM
SSL/HTTPS
Technology that gives us authentication, integrity, and confidentiality. These three virtues ensure that when the lowly-paid off-shore DBA of the website you visited sells your credit card number to criminals, the criminals can be certain of their purchase. This is known as e-commerce.
Mike Schiraldi • August 13, 2005 2:10 PM
I'd suggest this edit to one of Wim's:
Virus: A program which slows down and destabilizes your computer
Anti-virus: A program which sloes down and destabilizes your computer
Ari Heikkinen • August 13, 2005 2:15 PM
Cryptography
A buzzword on a sticker slapped on software products to make people think they're secure
MathFox • August 13, 2005 2:22 PM
Full Disclosure:
Method of speeding up the delivery of patches by distributing exploits.
Responsible Disclosure:
Syn. cover-up
Telnet: Least secure possible mechinisim for accessing machines remotely. Also, the only port open on the firewall to access machines remotely.
Wired equivelent protection: A tool for deluding yourself into thinking that assumptions that once held still do.
OR
Wired equivelent protection: CAT-5 cabling.
Users: See security holes.
Security holes: The ability to do anything useful with a system.
Remote access: The ability to use a system from elsewhere. Also, the ability to abuse a system from elsewhere.
Security consultant: The person outside your orginization that you pay to secure everything you don't want anybody outside your orginization to know about.
Evidence: That which you use to convict people of offenses against you. Also, that which other people use to convict you of offenses against them.
Breaking and entering: Research.
Dumpster diving: Because one man's trash is another man's instruction manual.
Social Engeneering: Getting people paid to be helpful to be a little too helpful.
Belt sander: The only way to securely delete the contents of a hard drive.
Wire clippers: The most effective tool for securing a computer.
Ari Heikkinen • August 13, 2005 2:58 PM
I looked at the page and atleast some of it is actually funny, like this:
Analyst, security
A mercenary paid vast sums of money to tell you that your systems can't be secured
jammit • August 13, 2005 3:10 PM
Username/password: A string of characters used to keep honest people out of a system.
Pat • August 13, 2005 3:50 PM
This is a classic I heard years ago:
Encryption: A powerful algorithmic encoding technique employed in the creation of computer manuals.
Wim • August 13, 2005 4:09 PM
Computer Manual
Stuff you don't need to read because you already now your stuff right?
Security policies
A set of rules which don't apply to you because you already know everything about security
Sierran • August 13, 2005 4:10 PM
Logging: storage array stress-testing
Password Policy: Reverse Turing test - means to prove that users are human and hence cannot remember simple, four-class passwords
Road Warrior: Virus prospector and cracker attractor
VPN: Virtual Private Network, something which is none of those three
Penetration testing: BitTorrent
Red Teaming: post-layoff beer session
Port scanning: ritualized warning used by Actual Dangerous Crackers (See: consultant, penetration testing)
Crafted Packet: handwritten layoff notice
Malicious Code: financial application
Single Point of Failure: See 'CEO'
Honeynet: see BitTorrent
Wim • August 13, 2005 4:20 PM
Complicated Password
Any password not belonging to the set: 11111 , 1234567, qwerty, (name of familymember, dog etc)
Backup
Hacker tool. See also Courier services
Courier Services
Deliver company backup data to evil person service.
Arik • August 13, 2005 4:21 PM
Cleaning crew:
The lowest paid employees or contractors in your company, with access to most of your company's physical and virtual assets.
Wim • August 13, 2005 4:23 PM
Telephone
Password recovery tool for unknown people wanting to use the network.
B-Con • August 13, 2005 6:20 PM
Cryptography: The art of mathematically scrambling data to be non-readable by a malicious attacker -- unless the attacker finds the password where it is written on a sticky note stuck to the monitor.
Beyond Fear: ....but not beyond hystaria.
CEO: The guy with least technical knowledge who makes the biggest technical decisions.
Tim Howland • August 13, 2005 8:03 PM
Operating Systems: an aspiration rarely achieved; wishful thinking
Luke Burton • August 13, 2005 8:40 PM
Information Security Policy: a document designed to cover the arse of the Information Security people should any security problem arise. Full compliance with this document would require users to burn their PCs, crush them into cubes, and bury them deep within the earth. The document is inevitably written by someone so anti-social that they would never be hired on the business side, but so untalented that they have no practical use in the IT department.
Luke Burton • August 13, 2005 8:52 PM
Unix Systems Administrators: these come in two flavours.
1. The young, thoughtful type who will go out of his or her way to help you solve a problem, as long as you phrase the question correctly. Reads slashdot, cryptogram, phrack, and generally ignores company policy when it's expedient to do so. Wears a lot of black and has at least one open source related toy on desk.
2. The thoughtless type who adhere to company policy like superglue and prevent any real work from being done. Typically saw their first Unix prompt in University and keep a small cheat sheet of commonly used commands on their desk. Are generally to be avoided because in the unlikely event you actually have them perform a task for you, they will certainly stuff it up. Wears neat casual clothes and has an unusually tidy desk.
Luke Burton • August 13, 2005 8:59 PM
Patching: the act of installing software, provided by a vendor, to address a security hole or bug. Typically done after malware has already exploited the hole and the vendor is receiving negative publicity because of it. If the act of patching does not fundamentally destroy the machine, you may also expect it to introduce new and improved security holes.
Luke Burton • August 13, 2005 9:04 PM
Information security consultant: a parasite who derives an income stream from the paranoia of others. Sometimes the parasitic relationship is mutually beneficial; frequently though the host finds themselves robbed of a large amount of cash for no measurable gain in security.
Apart from sizeable holes appearing in the host's bank balance, the presence of a security consultant might also be detected by their droppings, called "information security policy documents" (see above).
Luke Burton • August 13, 2005 9:10 PM
Single sign on: a delirious utopian fantasy wherein users can authenticate themselves on all company systems using the same authentication token. In the wildest fantasies this might include a convenient physical token like a smart card.
No known implementations of Single Sign On have been seen in the wild. Sometimes very smart people end up in mental asylums after attempting an implementation; approach a project like this at your own risk.
Luke Burton • August 13, 2005 9:15 PM
Wireless security: 1. an oxymoron.
2. Something that exists in a parallel universe where there are no malicious eavesdroppers and everyone loves one another.
Terry Browning • August 13, 2005 9:44 PM
Trusted person
Having the greatest opportunities for treachery and embezzelment.
Trusted system or device
Designed to cause a catastrophe to the function and security of the organization when it fails.
Trusted computer
Controlled by an unknown and unaccountable third party. See 0wn3d.
Trustworthy person
Any person whose agenda is the same as your own.
Security system
A method or apparatus intended to protect you from the malice of others. Must only be used in accordance with the designer's expectations.
Dumpster
Public archive storage.
Email
Free advertising channel.
Virus
Marketing tool for Windows security products.
0wn493
The policy that computers should be operated by those who best understand them.
Nathan Sharfi • August 13, 2005 11:14 PM
This may seem like nitpicking, but it seems like they'd all be (slightly) funnier if they ended with periods. If nothing else, that's the style of Bierce's witticisms when they pop out through fortune(6)...
Stu Savory • August 14, 2005 12:08 AM
Keyword : an easy to remember short distionary word, so that don't have to write it down. Examples :
Guest,
password,
admin.
peachpuff • August 14, 2005 1:50 AM
Port:
A network status symbol. The more you have open, the more you're allowed to do.
Site Certificate:
Information that's tucked away behind a tiny icon because it's redundant.
Authentication:
Proving that you have permission to access someone else's account by typing in their name and password.
Nick • August 14, 2005 3:07 AM
I suspect the DID was a lot funnier after the first couple of beers/joints.
====
ACL (Access Control List):
A list determining which users should have access to which files/programs, compiled/managed by executives who have no knowledge of which files/programs a user actually needs.
Back door:
A secret means of entering your system, widely known by everyone except you.
Cryptography:
The science of applying mathematical algorithms to sensitive data and then obscuring your easily-broken algorithim with phrases like, 'nanolevel hyperrandom multiphasic encryption.'
Cybercrime:
Incidents more easily blamed on anonymous hackers than on the failure of employees or IT security staff.
Doghouse:
The equivalent of Consumer Reports for cryptographic products.
frodo • August 14, 2005 6:52 AM
cryptography: the fine art of protecting data which, those who need do not know how to use and those who will misuse it will know it well.
cryptography: the sensitive science whose code can be printed in a book that can be exported, but exporting a soft-copy of that code is illegal.
Dave Harmon • August 14, 2005 7:01 AM
DRM: The methods used to convert what you thought was a purchase, into a rental.
Trusted Computing: Computers which any sufficiently large corporation can trust more than they trust you.
Cyperspace Czar: Fall guy.
david • August 14, 2005 8:01 AM
> SECURITY, INFORMATION: A tradeoff between misconceptions of the
> buyer, incompetence of the vendor, and burden on end-users.
> A buggy back-end with a dashboard front-end (rampant). The Van Eck
> radiation given off by paranoia. Commonly provides information in
> direct proportion to verbosity level selected, and security in inverse
> proportion to public interest in the target; where it is vastly superior,
> Madam, to nothing - the which provides latter but not former.
Can we send this one back for a rewrite? It was going to be very good before it devolved into incoherence....
terry • August 14, 2005 9:03 AM
David wrote ...
> > SECURITY, INFORMATION: A tradeoff between misconceptions of the
> > buyer, incompetence of the vendor, and burden on end-users.
> > A buggy back-end with a dashboard front-end (rampant). The Van Eck
> > radiation given off by paranoia. Commonly provides information in
> > direct proportion to verbosity level selected, and security in inverse
> > proportion to public interest in the target; where it is vastly superior,
> > Madam, to nothing - the which provides latter but not former.
>
> Can we send this one back for a rewrite? It was going to be
> very good before it devolved into incoherence....
I thought that was the point.
Dirk Rijmenants • August 14, 2005 11:13 AM
Address book: Food for worms, carried around by them to feed other worms.
AES: Advanced Employment Securing. A mathematical system to protect jobs at the NSA.
Brute Force Attack: Type of information gathering by CIA
CIA: A division of NSA, specialized in gathering information by breaking bones, instead of codes.
Enigma: It was an enigma to the Germans how the Allies could find their U-boats.
One-Time Key: An easy to forget password
Steganography: A system to hide porn in another image. If detected, one believes the porn is used to hide a secret message.
Gunnar Peterson • August 14, 2005 11:33 AM
"Cryptography is nothing more than a mathematical. framework for discussing the
implications of various paranoid delusions." — Don Alvare
another_bruce • August 14, 2005 1:23 PM
encryption
a scheme for private communication which is socially beneficial for american governments and corporations, but absolutely intolerable for anybody else, including american citizens, unless there's a backdoor.
David Harmon • August 14, 2005 2:36 PM
Folks, the titular reference is to Ambrose Bierce's work, _The Devil's Dictionary_:
http://www.alcyone.com/max/lit/devils/
Some of you may want to check that out, just to pick up the proper attitude and form for these things.
Another example:
Intellectual Property: The legal basis for preventing anyone poorer than you from profiting by the ideas you stole from them.
Vainstein • August 14, 2005 4:31 PM
KNOCK-KNOCK JOKE
[Who's there?]
jschmoe
[jschmoe who?]
jschmoe
[Initializing your Windows desktop...]
John M. Ford • August 14, 2005 10:33 PM
24/7
Maximum probability the help desk will answer.
Analyst, Security
Expert who will, for a large hourly fee, put your system on the couch and tell it that true security comes from within itself.
Encryption
Techniques for ensuring that no one but an intended recipient can access data, unless someone else wants to badly enough.
Encryption, Strong
Encryption that has joined the Dark Side of the Force.
Phishing
Urgint mesage form yur bnak or credut pervider, at himz nu syte in Roumania.
Dido Sevilla • August 15, 2005 2:22 AM
This link from Lars Knudsen's Journal of Craptology has even funnier entries IMHO:
J.D. Abolins • August 15, 2005 6:38 AM
Terms that haven't circulated yet but maybe should:
Cryptogasp: The gasp from the realization that one has forgotten the super obscure unguessable passphrase that one never wrote down even in a hint and important data is ow inaccessible.
Cryptograbby: The desire to collect crypto keys. Can include
a) trying to important thousands of public keys of people with one's not likely to ever communicate in plaintext let alone ciphertext.
b) attempt to steal copies of secret keys.
Key Largo: An impractically oversized crypto key.
Cryptoblabbling:
1) Hyping the supposed strength of one's cryptography system or one's self-proclaimed expertise.
2) Talking about esoteric detail of cryptography to an uninterested audience. Also called "cryptobabbling on" or "cure for insomnia".
3) Idiotically disclosing one's passphrase or other "secret" info.
J.D. Abolins
Whim • August 15, 2005 7:03 AM
Cryptography:
AC B6 64 B3 1E AB 8E D2 DD 32 5C 38 3A 72 87 41 CE 15 FD 61
B2 62 EF 93 F0 C4 FE AD 0B 90 3F 2F 66 D6 C7 E0 7C DF D7 EB
3B B9 CF 22 52 8C FF 32 CE 48 E8 E8 76 40 3B 4A 45 9A BB FC
2C 76 C1 A2 96 68 D0 7B 18 CC 5C F6 27 CA 91 C3 8C 9E 4D A0
16 56 DD 15 CE 28 2A 35 83 56 B3 94 2C 3C A7 0F C4 E6 C2 EF
46 F9 8C 93 8A 0F FD 18 8B 9C 72 37 3D A5 6C 1A 02 F0 A3 7E
88 8D B0 82 72 75 EE CB 81 AE A5 45 62 17 71 25 8A D7 FA F1
84 B3 99 09 AE B0 BC 51 4A 3B D8 A1 48 23 EC 5C 27 94 E7 D0
56 38 8C 1E 61 58 2A E8 30 00 32 27 18 3A 2A 6D 3D F2 48 1F
A5 54 7C 80 40 D6 90 5B AD 00 69 A7 1F(.)
Pat • August 15, 2005 8:33 AM
PKE:
(AKA Public Key Encryption) Most secure and flexible way of encrypting all kinds of data that never caught on because nobody can finish explaining it to execs before they fall asleep.
Two factor authentication:
(AKA strong authentication)
Something the user has, and something the user forgets.
VPN: Way of increasing your companiy's long distance bills. (See strong authentication)
zoli • August 15, 2005 8:40 AM
Organizational Security
a. exists = consciousness, structure
b. does not exist = subconscious, suckture
Mousepad
a. holder of the phising-pointer
b. password holder
c. secure version: password on the backside
quercus • August 15, 2005 9:30 AM
" Two factor authentication: Something the user has, and something the user forgets."
Shouldn't that be:
Something the user forgets, and something the user loses?
radiantmatrix • August 15, 2005 10:16 AM
Password
A piece of secret information designed to cause inconvenience to users and job security for help desk staff.
Encryption
1. A technology that hides the admins' personal e-mail messages from management.
2. A system used selectively to allow hackers to identify important data before looking it up in swap.
CSO
An executive hired to countermand security decisions made by well-trained, competent staff.
Social Engineering
Being nice in order to gain information with which one can be a bastard later.
Critical Infrastructure
Computing systems too important to take down for security maintenance.
Security Awareness Training
The provision of donuts and coffee in a futile attempt to bribe users into caring about things they barely understand.
Provisioning
The systematic granting of excessive access to users who were fired last week.
Vulnerability
See 'Users'
Users
The group of people without whom security would be simple.
DAW • August 15, 2005 10:23 AM
Trusted Computing: When faceless, multibillion-dollar corporations can be trusted to completely control your computer and your data.
dude • August 15, 2005 11:15 AM
Cleaning crew:
Outside agents who are granted unsupervised physical access to your networks under the assumption that they don't know how to do any harm.
Critical infrastructure (CI), n.
A government's network of corporate contributors, public relations consultants, and pliant or on-side media. See also, PCI.
Perceived Critical Infrastructure (PCI), n.
Any geographically vast, low-security physical system providing non-essential services of convenience that it is in no one's interest to destroy. Excellent food for FUD. See also, CI.
Information Warfare, n.
Phrase devised by the post cold-war military complex to explain cross-continental corporate casualties and their impact on critical infrastructure. Explanations for these casualties are, however, quite logical:
- uncontrolled provision of poor quality products (IT sector)
- illogical faith in DRM (media sector)
- FUD-mongering (security sector)
- deep-set aversion to reality (military complex)
FUD, n.
Defining property of media reports and press releases about security. Poorly understood but rapidly duplicated, it is notoriously difficult to shake from its victims. At its most dangerous when encountered in media feedback loops, where it exhibits the property of increasing exponentially. Unfortunately, this environment is also its most common.
BeFUDdlement, n.
A dangerous intellectual state resulting from the reading of security-related media reports. See 'FUD'.
Daedala • August 15, 2005 12:50 PM
Some definitions do not need to change:
PASSPORT, n. A document treacherously inflicted upon a citizen going
abroad, exposing him as an alien and pointing him out for special
reprobation and outrage.
Zwack • August 15, 2005 1:43 PM
D.J. Capellis is almost right
Circular Definition - See Infinite Loop
Infinite Loop - See Recursive
Recursive - See Circular Definition
Z.
Radiantmatrix • August 15, 2005 2:27 PM
I thought of another one:
Race Condition
A moment of insecurity between operations that causes developers to bolt for the door.
And, Zwack, the whole Infinite Loop and Recursion jokes have already been done by the Hacker's Dictionary in this form:
Recursive: see 'Recursive'
Loop, Infinite: see 'Infinite Loop'
Infinite Loop: see 'Loop, Infinite'
Alexander Else • August 15, 2005 5:52 PM
Snake oil.
A superior mechanism employing a 9000 bit key and proven secure algorithms, providing unbreakable encryption through a polymorphic cypher. Required in order to ensure absolute data protection.
Alexander Else • August 15, 2005 6:00 PM
Buffer overflow.
One or more locations in a program where users may optionally activate unexpected features, the number of which is proportional to the amount by which your programmers were overpaid.
Alexander Else • August 15, 2005 6:07 PM
Firewall.
The series of bolted steel doors, man-traps and slavering dobermans preventing friends from visiting your straw house.
Cyent • August 15, 2005 7:55 PM
Concrete Block Security:
The computer does nothing, communicates with nothing, stores nothing. But Hey! It's secure.
"Good" Encryption: NSA has a back door to it. (As oppose to "Evil" encryption.)
csrster • August 16, 2005 6:43 AM
Digital Signature: A means to determine that the
person who appears to have sent a document is the same as the person who appears to be its author.
Public Key: Your DES key on your homepage.
Key agreement protocol: A method of setting up an absolutely secure communication channel between yourself and somebody who claims to be a really nice person.
Password Safe: A simple program which allows you to forget/delete/give-to-the-Russian-mafia every password you own simultaneously.
Dave Bell • August 16, 2005 7:35 AM
Password
Your mother's maiden name.
Secure Password
Your boss's mother's maiden name.
Birth certificate.
The document recording a Secure Password.
Twerpette • August 16, 2005 12:04 PM
Security:
A method to create a state of denial.
Sphincter:
Beneficiary of exercise program based on principles of security.
woody weaver • August 16, 2005 12:10 PM
Security work: n.
The second oldest profession. Exceeded only by the first in the percentage of amateur practitioners.
Jim Duncan • August 16, 2005 12:13 PM
Strong password policy: A policy requiring users to use complex passwords and change them frequently, thereby guaranteeing that each user's current password can be found written down somewhere within arm's reach.
Jim Duncan • August 16, 2005 12:23 PM
Certification and Accreditation: The process of creating a stack of documentation sufficiently thick to discourage any idea of reading it, but the sheer size of which is supposed to prove due diligence in implementing security.
Jim Duncan • August 16, 2005 12:41 PM
Mandatory Access Control: The fallacy that a system can be made to prevent users from sharing information without some formal authorization.
fezzik • August 16, 2005 1:48 PM
Social Engineering: Wearing a shirt with a first name on it and holding a clipboard
gotpasswords • August 16, 2005 2:53 PM
Two-Factor Authentication: A method of access control using something that the user forgot and something that the user left in their pants and put through the washing machine.
Single-Sign-On: A method of access control enabling a user to forget how to access every single system and application in the enterprise merely by consuming one too many adult beverages at lunch.
Password Complexity: Utopian belief that users can successfully log into one system that requires the use of one of only three special characters: #, $ or % and another system that can not use #, $ or % without requiring three calls to the helpdesk.
Pat Cahalan • August 16, 2005 4:42 PM
GUI : Graphical User Interrupt
An interface designed to be unusable
Secure Computer
An abacus
Two-factor Authentication
Something a user forgets, and something a user loses (edited from above)
Complex Password
Something (other than your anniversary) that you can't remember
Acceptable Risk
Risks transferred to a user by a EULA.
John R Campbell • August 16, 2005 5:29 PM
Information Security:
The process of hiding the expected and mundane details whilst exposing unexpected data
Firewall:
Flame resisting sheetrock
Infrastructure:
Resources expected to be there though no one will pay for them
Critical Infrastructure:
Invisible resources... "Why inspect the bridges? They're build so well they won't collapse!"
Security Policy:
A set of conflicting rules designed by bureaucrats allowing them to look productive in comparison to those who must live within policy (Note: these rules get longer and more conflicting should anyone actually be able to get work done)
Root user:
The most privileged user of a Unix (or Unix deviant) system, usually not the owner or administrator
User:
Mis-spelled; should be prefixed by "Ab-"
Self-Help:
Keeping an ancient typewriter handy for your resume writing tasks
Physical Security:
The lock on the workout room's door
Vainstein • August 16, 2005 9:14 PM
WINDOWS, and UNIX:
Operating system originally designed to be neither secure nor networkable. Has become demonstrably networkable over time.
ENTERPRISE:
An organization where multiple individuals need to be lied to, in order to make a sale.
csrtser • August 17, 2005 1:47 AM
firewall: A simple piece of technology which allows you safely to remove or disable all internal security systems in your intranet.
Quantum cryptography: the ultimate development of security through obscurity - a security system nobody can understand.
Phil • August 18, 2005 4:55 AM
Biometric security: authentication on principle of something you temporarily have and forget can be taken away from you
blouis • August 20, 2005 7:24 AM
Virtual Private Network: A. virtual reality illusion of security - simulated by wearing glasses mirrored on the inside; B. technical implementation of the Big Brother house - creating a feeling that nobody is watching
blouis • August 20, 2005 8:15 AM
99% Uptime Guaranteee:
you won't really miss your critical system for 3.69 days straight every year
Authentication:
1. proof that hackers really do know how to break into your system untraced;
2. proof that humans can't remember two dozen non-dictionary word passwords with mixed case and non-alpha characters changed monthly (therefore proof that computers are the real deal)
Digital Signature:
scanned image of handwriting pasted into a Word document;
Certificate:
provides a trustworthy link between the key and the name of a person being impersonated
MarkW • August 20, 2005 9:50 AM
Digital Signature
The personal touch on your redundancy letter.
Key
How important the password you have forgotten is.
Keyspace
Alternative dimension where all the key passwords you have forgotten end up.
Terminal Emulation
Avoiding work by pretending to be dead.
TheSage • August 26, 2005 12:55 AM
Trusted Third Party: Any organization that can be manipulated by the government.
Subscribe to comments on this entry
Post a comment
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.
|
| Subscribe |
Subscribe via Kindle |
| Blog Menu |
SearchPowered by DuckDuckGoBlog Home Page
Archives by Date2013 J F M A M
Tags  |
| Latest Book |
more books by Bruce Schneier |
Comments