Schneier on Security

From a skim read it covers the basics reasonably well.

It'll take a little longer read and a think to say what should be there that isn't there 8)

@ B.F.Skinner, Rich Wilson,

3quick blinks 3slow blinks 3quack blinks.

(Yup the a is the hidden message 'a'uthenticator 8)

All done in time to the "Last Post",

The "Rider of Blinky" has been close for the past couple of days but the Anti-Bs have got a grip on it for now and the fresh boild lobster look is dulling.

@ AppSec

"Pretty good article for an "intro". The focus on PHP would hopefully not be lost on those who do Java, C#, Ruby, Grails, or whatever language of choice."

You indirectly highlight a problem I've seen more of recently, which is how to explain a software problem.

Once upon a time when I was a not so wee man we used psudo code alla Knuth or whom ever (even ASN1 if we had to)

But to get at the people who are most likley to need the advice "you have to keep it real" but you also "have to keep it short and sweet".

PHP is let's be honest a dogs dinner of bit's of the banquets of older languages such as C.

So the author does get kudos not just for the artical but the way he gets it across.

What the article does highlight is another altogether more troubling security problem, which is a mono culture of applications their interfaces and code reuse in the resulting end user applications dependent on them.

To understand the way the issue works we need to step back in time fifteen or so years to the mid 90's and see how it all played out.

On one hand our problems with the web where just starting with the lack of "state" a series of cludges with major security implications resulted due to the "copying" of "example code" to get around the issue.

HTTP was not designed to (nor can it still) handle state. The browsers supporting it where not designed to support applications either.

On the other hand the majority OS (MS-DOS) of the time could not either.

I need to add a note here that I'm not bashing MS (much as I would like to ;) because this was and still is an industry wide problem and MS where but are nolonger the major problem at the time.

MS tried to resolve the Dos Woes by an "application on top" which was called "Windows" to provide mult-application support. After two previous very woefull attempts (any one remember using Windows 2?) the third version started to get traction. This was due in the main to the hardware actually being able to support the idea.

However It is important to remember that MS saw the "shining path" as the issolated (except for data) desktop each running MS Apps.

MS then under competition from the likes of Ray Norder at Novel moved into the network application world (Win 3.11, NT 3.51/4.0) but only for business users to access data. However that irritating "internet thingy" was begining to become very much used by home users. And MS played catchup/spoiler with IE.

However the Internet and especialy HTTP kept moving from strength to strength.

MS now under anti competition threats moved IE into windows.

Which was (and still is) a major major security issue. IE was effectivly the new "multi-application desktop". But unlike the underlying NT desktop which had some working security measures to isolate applications memory space and threads it had none.

A number of people myself included pointed out that the OS security was fairly irrelevant when the Apps where all running under IE which had become the "new OS, without security".

You can imagine what a surprise it was to wake up and find not the old and tired tastless and stodgy MS chaff in the breakfast bowl but a nice new lean shiny chrome which architecturaly addressed many of the IE issues (and can solve many of the Internet apps issues as well just via segregation).

So historicaly security has risen behind the applications not with them. And for many multitasking environments that apps run in there is no security of any worth.

The apps have moved from being relativly begnin objects to being out right attack objects getting in to the heart of where the users have the all important data they are trying to use (and optionaly protect).

But the next stage is afoot and that is common apps with poor API's such as the likes of Adobe, MS and many others some as helpers (plugins) and some as presentation extension (applications).

For instance a minor change in say flash can have a critical security effect on not just the user but the web apps as well.

So call it my "no brainer" prediction for 2010, the industry will conclude that the cloud (so far) non event will be stalled due to application security issues.

And where are all these issues going to come from,

1, Poorly designed interfaces.
2, Insecure example code.
3, Out of date code being re-used.

But ultimatly they all derive from "Market imperative". That is the Internet has removed geospatial limitations it is now all about time to market to get the founders market share.

@.@ I hope I have made sufficient effort to show I'm not under durance vile (or medical as it was) today 8)