Schneier on Security
A blog covering security and security technology.
August 13, 2005
The Devil's Infosec Dictionary
I want "The Devil's Infosec Dictionary" to be funnier. And I wish the entry that mentions me -- "Cryptography: The science of applying a complex set of mathematical algorithms to sensitive data with the aim of making Bruce Schneier exceedingly rich" -- were more true.
In any case, I'll bet the assembled here can come up with funnier infosec dictionary definitions. Post them as comments here, and -- if there are enough good ones -- I'll collect them up on a single page.
Posted on August 13, 2005 at 10:48 AM
On the definition of Identity Theft, how about adding: The act of corporations and government entities offering too little protection to too many people for too long and now it is too late to stop it.
The lowest paid person in the company with more access to sensitive data than the company president
Free test to check if you applied all microsoft updates
Stuff made by evil companies where we can't read the source so it must be insecure
Stuff made by people with too much spare time and no communication skills, so the source we can read is not understandable, so it must be secure.
A tradeoff between misconceptions of the buyer, incompetence of the vendor, and burden on end-users. A buggy back-end with a dashboard front-end (rampant). The Van Eck radiation given off by paranoia. Commonly provides information in direct proportion to verbosity level selected, and security in inverse proportion to public interest in the target; where it is vastly superior, Madam, to nothing - the which provides latter but not former.
Free test to check if your organisation has responsible email users
Made by people who want to demonstrate that the average user is too stupid to make any security decisions whatsoever
Program made by analysts to check the gender distribution (click on the attachment to get naked women) or financial interests (win 5000 dollars, click on the attachment), computer savvy (please click on attachment, enter passphrase and click on program inside) or general intelligence (click on attachment)
Website imitating contest with great prizes!
The stuff we need so we can forget about securing anything else so we can save money
A method to create a denial of service to your own systems
WEP (Wired Equivalent Privacy) |wep|
verb [past part.] intrans 1. To implement security after an incident. 'I WEP'd for days after our wireless network was compromised'
noun 1. An IEEE standard that works as advertised 'WEP provides the exact level of privacy as the wired internet, nearly none'
An American data encryption standard.
Written document which removes any blame from management and puts it to an unsuspecting user
When applied to servers:
A method to increase TCO thereby providing for more job security to sysadmins while removing the need to do anything else like patching systems
When applied to desktops
A way to make users hate you, bring the business to a grinding halt and still be able to catch up on the latest virus because you don't need patching anymore
A lock, more or less elaborate, betimes even with one key for outside and one for inside. Guards the door to treasure - which is usually stolen via the window.
A written document which makes users write their passwords down and put it on the monitor
ROT13 - A cryptography algorithm which is applied twice to secure all wireless communications
Wireless - A security mechanism designed to hide data in spectrums which are inherently more secure because they cannot be seen by the human eye.
Security Officer (remixed definition) - Someone who seeks to annoy users with inane password requirements instead of doing their actual job which is to take blame when a 1337 Hacker uses the CEO's mother's maiden name to compromise the entire network.
CEO - An untouchable who should have access to all networkable computers. This person should be regarded as trusted and secure by default.
Security Policy - A document which is to be strictly followed unless it would be inconvenient to do so.
Trojan Horse - A term created to give people on full-disclosure something to argue over
Hashing Algorithm - A complex series of mathematical equations designed to output something that has been proven to be consistently nothing like the input.
Infinite Loop - See Recursive
Recursive - See Infinite Loop
Log Files - Files where the read bit is unnecessary.
127.0.0.1 - This machine is the cause of 99% of all security problems.
127.0.0.2 - This machine is the cause of the other 1%
The Mythical Non-Connected Machine - The theoretically secure machine in a locked vault not connected to any external network interface. See Useless Technology
One Time Pads - A technology which is perfectly secure unless used.
Uptime - The interval between the time the machine is compromised and the discovery of said compromise.
Unbreakable - See Breakable
Breakable - See Everything
Everything - See Breakable
Authentication Tokens - Devices designed to spur humans to think of new and better ways to weaken system security.
RSA - Three guys who really are going to be pretty disappointed when we figure out a fast way to factor large integers.
A person with no communication skills whatsoever put in charge of managing a network full of people who ask questions all day long.
A strong locked door to the server room to protect the system admin trying to repair the downed network with angry users outside
Providing security using detachable parts of your body proving company data is more important than you
Performed by a person with no security knowledge to assess if the current network is compliant with the documents written 5 years ago.
Pretty screensaver with naked girls on the beach. Install now!
Pretty screensaver with naked girls on the beach. Install now!
System slowdown and destabilizing software
Hostile user of your network
Hostile user of your network.
Place to torture young IT professionals so they will become non-communicative system admins.
Software to restrict access to your network to just the UFBP protocol (see also HTTP and HTTPS)
Universal Firewall Bypass Protocol
Secure Universal Firewall Bypass Protocol
Technology that gives us authentication, integrity, and confidentiality. These three virtues ensure that when the lowly-paid off-shore DBA of the website you visited sells your credit card number to criminals, the criminals can be certain of their purchase. This is known as e-commerce.
I'd suggest this edit to one of Wim's:
Virus: A program which slows down and destabilizes your computer
Anti-virus: A program which slows down and destabilizes your computer
A buzzword on a sticker slapped on software products to make people think they're secure
Botnet - Applied grid computing.
Method of speeding up the delivery of patches by distributing exploits.
Telnet: Least secure possible mechanism for accessing machines remotely. Also, the only port open on the firewall to access machines remotely.
Wired equivalent protection: A tool for deluding yourself into thinking that assumptions that once held still do.
Wired equivalent protection: CAT-5 cabling.
Users: See security holes.
Security holes: The ability to do anything useful with a system.
Remote access: The ability to use a system from elsewhere. Also, the ability to abuse a system from elsewhere.
Security consultant: The person outside your organization that you pay to secure everything you don't want anybody outside your organization to know about.
Evidence: That which you use to convict people of offenses against you. Also, that which other people use to convict you of offenses against them.
Breaking and entering: Research.
Dumpster diving: Because one man's trash is another man's instruction manual.
Social Engineering: Getting people paid to be helpful to be a little too helpful.
Belt sander: The only way to securely delete the contents of a hard drive.
Wire clippers: The most effective tool for securing a computer.
I looked at the page and at least some of it is actually funny, like this:
A mercenary paid vast sums of money to tell you that your systems can't be secured
Phisting, what happens after you've been successfully phished...
Username/password: A string of characters used to keep honest people out of a system.
This is a classic I heard years ago:
Encryption: A powerful algorithmic encoding technique employed in the creation of computer manuals.
Stuff you don't need to read because you already know your stuff, right?
A set of rules which don't apply to you because you already know everything about security
Logging: storage array stress-testing
Password Policy: Reverse Turing test - means to prove that users are human and hence cannot remember simple, four-class passwords
Road Warrior: Virus prospector and cracker attractor
VPN: Virtual Private Network, something which is none of those three
Penetration testing: BitTorrent
Red Teaming: post-layoff beer session
Port scanning: ritualized warning used by Actual Dangerous Crackers (See: consultant, penetration testing)
Crafted Packet: handwritten layoff notice
Malicious Code: financial application
Single Point of Failure: See 'CEO'
Honeynet: see BitTorrent
Any password not belonging to the set: 11111 , 1234567, qwerty, (name of familymember, dog etc)
Hacker tool. See also Courier services
Deliver company backup data to evil person service.
The lowest paid employees or contractors in your company, with access to most of your company's physical and virtual assets.
Password recovery tool for unknown people wanting to use the network.
Another word for Utopia.
See Swiss Cheese
Cryptography: The art of mathematically scrambling data to be non-readable by a malicious attacker -- unless the attacker finds the password where it is written on a sticky note stuck to the monitor.
Beyond Fear: ....but not beyond hysteria.
CEO: The guy with least technical knowledge who makes the biggest technical decisions.
Operating Systems: an aspiration rarely achieved; wishful thinking
Information Security Policy: a document designed to cover the arse of the Information Security people should any security problem arise. Full compliance with this document would require users to burn their PCs, crush them into cubes, and bury them deep within the earth. The document is inevitably written by someone so anti-social that they would never be hired on the business side, but so untalented that they have no practical use in the IT department.
Unix Systems Administrators: these come in two flavours.
1. The young, thoughtful type who will go out of his or her way to help you solve a problem, as long as you phrase the question correctly. Reads slashdot, cryptogram, phrack, and generally ignores company policy when it's expedient to do so. Wears a lot of black and has at least one open source related toy on desk.
2. The thoughtless type who adhere to company policy like superglue and prevent any real work from being done. Typically saw their first Unix prompt in University and keep a small cheat sheet of commonly used commands on their desk. Are generally to be avoided because in the unlikely event you actually have them perform a task for you, they will certainly stuff it up. Wears neat casual clothes and has an unusually tidy desk.
Patching: the act of installing software, provided by a vendor, to address a security hole or bug. Typically done after malware has already exploited the hole and the vendor is receiving negative publicity because of it. If the act of patching does not fundamentally destroy the machine, you may also expect it to introduce new and improved security holes.
Information security consultant: a parasite who derives an income stream from the paranoia of others. Sometimes the parasitic relationship is mutually beneficial; frequently though the host finds themselves robbed of a large amount of cash for no measurable gain in security.
Apart from sizeable holes appearing in the host's bank balance, the presence of a security consultant might also be detected by their droppings, called "information security policy documents" (see above).
Single sign on: a delirious utopian fantasy wherein users can authenticate themselves on all company systems using the same authentication token. In the wildest fantasies this might include a convenient physical token like a smart card.
No known implementations of Single Sign On have been seen in the wild. Sometimes very smart people end up in mental asylums after attempting an implementation; approach a project like this at your own risk.
Wireless security: 1. an oxymoron.
2. Something that exists in a parallel universe where there are no malicious eavesdroppers and everyone loves one another.
Having the greatest opportunities for treachery and embezzlement.
Trusted system or device
Designed to cause a catastrophe to the function and security of the organization when it fails.
Controlled by an unknown and unaccountable third party. See 0wn3d.
Any person whose agenda is the same as your own.
A method or apparatus intended to protect you from the malice of others. Must only be used in accordance with the designer's expectations.
Public archive storage.
Free advertising channel.
Marketing tool for Windows security products.
The policy that computers should be operated by those who best understand them.
This may seem like nitpicking, but it seems like they'd all be (slightly) funnier if they ended with periods. If nothing else, that's the style of Bierce's witticisms when they pop out through fortune(6)...
Keyword: an easy to remember short dictionary word, so that you don't have to write it down. Examples:
A network status symbol. The more you have open, the more you're allowed to do.
Information that's tucked away behind a tiny icon because it's redundant.
Proving that you have permission to access someone else's account by typing in their name and password.
I suspect the DID was a lot funnier after the first couple of beers/joints.
ACL (Access Control List):
A list determining which users should have access to which files/programs, compiled/managed by executives who have no knowledge of which files/programs a user actually needs.
A secret means of entering your system, widely known by everyone except you.
The science of applying mathematical algorithms to sensitive data and then obscuring your easily-broken algorithm with phrases like, 'nanolevel hyperrandom multiphasic encryption.'
Incidents more easily blamed on anonymous hackers than on the failure of employees or IT security staff.
The equivalent of Consumer Reports for cryptographic products.
cryptography: the fine art of protecting data which those who need it do not know how to use, and which those who will misuse it know well.
cryptography: the sensitive science whose code can be printed in a book that can be exported, but exporting a soft-copy of that code is illegal.
DRM: The methods used to convert what you thought was a purchase, into a rental.
Trusted Computing: Computers which any sufficiently large corporation can trust more than they trust you.
Cyberspace Czar: Fall guy.
> SECURITY, INFORMATION: A tradeoff between misconceptions of the
> buyer, incompetence of the vendor, and burden on end-users.
> A buggy back-end with a dashboard front-end (rampant). The Van Eck
> radiation given off by paranoia. Commonly provides information in
> direct proportion to verbosity level selected, and security in inverse
> proportion to public interest in the target; where it is vastly superior,
> Madam, to nothing - the which provides latter but not former.
Can we send this one back for a rewrite? It was going to be very good before it devolved into incoherence....
David wrote ...
> > SECURITY, INFORMATION: A tradeoff between misconceptions of the
> > buyer, incompetence of the vendor, and burden on end-users.
> > A buggy back-end with a dashboard front-end (rampant). The Van Eck
> > radiation given off by paranoia. Commonly provides information in
> > direct proportion to verbosity level selected, and security in inverse
> > proportion to public interest in the target; where it is vastly superior,
> > Madam, to nothing - the which provides latter but not former.
> Can we send this one back for a rewrite? It was going to be
> very good before it devolved into incoherence....
I thought that was the point.
Address book: Food for worms, carried around by them to feed other worms.
AES: Advanced Employment Securing. A mathematical system to protect jobs at the NSA.
Brute Force Attack: Type of information gathering by CIA
CIA: A division of NSA, specialized in gathering information by breaking bones, instead of codes.
Enigma: It was an enigma to the Germans how the Allies could find their U-boats.
One-Time Key: An easy to forget password
Steganography: A system to hide porn in another image. If detected, one believes the porn is used to hide a secret message.
"Cryptography is nothing more than a mathematical framework for discussing the implications of various paranoid delusions." — Don Alvare
a scheme for private communication which is socially beneficial for American governments and corporations, but absolutely intolerable for anybody else, including American citizens, unless there's a backdoor.
Folks, the titular reference is to Ambrose Bierce's work, _The Devil's Dictionary_:
Some of you may want to check that out, just to pick up the proper attitude and form for these things.
Intellectual Property: The legal basis for preventing anyone poorer than you from profiting by the ideas you stole from them.
[Initializing your Windows desktop...]
Maximum probability the help desk will answer.
Expert who will, for a large hourly fee, put your system on the couch and tell it that true security comes from within itself.
Techniques for ensuring that no one but an intended recipient can access data, unless someone else wants to badly enough.
Encryption that has joined the Dark Side of the Force.
Urgint mesage form yur bnak or credut pervider, at himz nu syte in Roumania.
See Security Policy
Terms that haven't circulated yet but maybe should:
Cryptogasp: The gasp from the realization that one has forgotten the super obscure unguessable passphrase that one never wrote down even in a hint, and important data is now inaccessible.
Cryptograbby: The desire to collect crypto keys. Can include
a) trying to import thousands of public keys of people with whom one is not likely to ever communicate in plaintext, let alone ciphertext.
b) attempt to steal copies of secret keys.
Key Largo: An impractically oversized crypto key.
1) Hyping the supposed strength of one's cryptography system or one's self-proclaimed expertise.
2) Talking about esoteric detail of cryptography to an uninterested audience. Also called "cryptobabbling on" or "cure for insomnia".
3) Idiotically disclosing one's passphrase or other "secret" info.
AC B6 64 B3 1E AB 8E D2 DD 32 5C 38 3A 72 87 41 CE 15 FD 61
B2 62 EF 93 F0 C4 FE AD 0B 90 3F 2F 66 D6 C7 E0 7C DF D7 EB
3B B9 CF 22 52 8C FF 32 CE 48 E8 E8 76 40 3B 4A 45 9A BB FC
2C 76 C1 A2 96 68 D0 7B 18 CC 5C F6 27 CA 91 C3 8C 9E 4D A0
16 56 DD 15 CE 28 2A 35 83 56 B3 94 2C 3C A7 0F C4 E6 C2 EF
46 F9 8C 93 8A 0F FD 18 8B 9C 72 37 3D A5 6C 1A 02 F0 A3 7E
88 8D B0 82 72 75 EE CB 81 AE A5 45 62 17 71 25 8A D7 FA F1
84 B3 99 09 AE B0 BC 51 4A 3B D8 A1 48 23 EC 5C 27 94 E7 D0
56 38 8C 1E 61 58 2A E8 30 00 32 27 18 3A 2A 6D 3D F2 48 1F
A5 54 7C 80 40 D6 90 5B AD 00 69 A7 1F(.)
(AKA Public Key Encryption) Most secure and flexible way of encrypting all kinds of data that never caught on because nobody can finish explaining it to execs before they fall asleep.
Two factor authentication:
(AKA strong authentication)
Something the user has, and something the user forgets.
VPN: Way of increasing your company's long distance bills. (See strong authentication)
a. exists = consciousness, structure
b. does not exist = subconscious, suckture
a. holder of the phishing-pointer
b. password holder
c. secure version: password on the backside
" Two factor authentication: Something the user has, and something the user forgets."
Shouldn't that be:
Something the user forgets, and something the user loses?
A piece of secret information designed to cause inconvenience to users and job security for help desk staff.
1. A technology that hides the admins' personal e-mail messages from management.
2. A system used selectively to allow hackers to identify important data before looking it up in swap.
An executive hired to countermand security decisions made by well-trained, competent staff.
Being nice in order to gain information with which one can be a bastard later.
Computing systems too important to take down for security maintenance.
Security Awareness Training
The provision of donuts and coffee in a futile attempt to bribe users into caring about things they barely understand.
The systematic granting of excessive access to users who were fired last week.
The group of people without whom security would be simple.
Trusted Computing: When faceless, multibillion-dollar corporations can be trusted to completely control your computer and your data.
biometric authentication: something the user used to be.
Outside agents who are granted unsupervised physical access to your networks under the assumption that they don't know how to do any harm.
Critical infrastructure (CI), n.
A government's network of corporate contributors, public relations consultants, and pliant or on-side media. See also, PCI.
Perceived Critical Infrastructure (PCI), n.
Any geographically vast, low-security physical system providing non-essential services of convenience that it is in no one's interest to destroy. Excellent food for FUD. See also, CI.
Information Warfare, n.
Phrase devised by the post cold-war military complex to explain cross-continental corporate casualties and their impact on critical infrastructure. Explanations for these casualties are, however, quite logical:
- uncontrolled provision of poor quality products (IT sector)
- illogical faith in DRM (media sector)
- FUD-mongering (security sector)
- deep-set aversion to reality (military complex)
Defining property of media reports and press releases about security. Poorly understood but rapidly duplicated, it is notoriously difficult to shake from its victims. At its most dangerous when encountered in media feedback loops, where it exhibits the property of increasing exponentially. Unfortunately, this environment is also its most common.
A dangerous intellectual state resulting from the reading of security-related media reports. See 'FUD'.
Some definitions do not need to change:
PASSPORT, n. A document treacherously inflicted upon a citizen going abroad, exposing him as an alien and pointing him out for special reprobation and outrage.
D.J. Capellis is almost right
Circular Definition - See Infinite Loop
Infinite Loop - See Recursive
Recursive - See Circular Definition
I thought of another one:
A moment of insecurity between operations that causes developers to bolt for the door.
And, Zwack, the whole Infinite Loop and Recursion jokes have already been done by the Hacker's Dictionary in this form:
Recursive: see 'Recursive'
Loop, Infinite: see 'Infinite Loop'
Infinite Loop: see 'Loop, Infinite'
A superior mechanism employing a 9000 bit key and proven secure algorithms, providing unbreakable encryption through a polymorphic cypher. Required in order to ensure absolute data protection.
One or more locations in a program where users may optionally activate unexpected features, the number of which is proportional to the amount by which your programmers were overpaid.
The series of bolted steel doors, man-traps and slavering dobermans preventing friends from visiting your straw house.
Concrete Block Security:
The computer does nothing, communicates with nothing, stores nothing. But Hey! It's secure.
"Good" Encryption: NSA has a back door to it. (As opposed to "Evil" encryption.)
Outsourced Call Centre: Personal information publishing house.
Digital Signature: A means to determine that the person who appears to have sent a document is the same as the person who appears to be its author.
Public Key: Your DES key on your homepage.
Key agreement protocol: A method of setting up an absolutely secure communication channel between yourself and somebody who claims to be a really nice person.
Password Safe: A simple program which allows you to forget/delete/give-to-the-Russian-mafia every password you own simultaneously.
Your mother's maiden name.
Your boss's mother's maiden name.
The document recording a Secure Password.
A method to create a state of denial.
Beneficiary of exercise program based on principles of security.
Security work: n.
The second oldest profession. Exceeded only by the first in the percentage of amateur practitioners.
Strong password policy: A policy requiring users to use complex passwords and change them frequently, thereby guaranteeing that each user's current password can be found written down somewhere within arm's reach.
Certification and Accreditation: The process of creating a stack of documentation sufficiently thick to discourage any idea of reading it, but the sheer size of which is supposed to prove due diligence in implementing security.
Mandatory Access Control: The fallacy that a system can be made to prevent users from sharing information without some formal authorization.
Social Engineering: Wearing a shirt with a first name on it and holding a clipboard
Two-Factor Authentication: A method of access control using something that the user forgot and something that the user left in their pants and put through the washing machine.
Single-Sign-On: A method of access control enabling a user to forget how to access every single system and application in the enterprise merely by consuming one too many adult beverages at lunch.
Password Complexity: Utopian belief that users can successfully log into one system that requires the use of one of only three special characters: #, $ or % and another system that can not use #, $ or % without requiring three calls to the helpdesk.
GUI : Graphical User Interrupt
An interface designed to be unusable
Something a user forgets, and something a user loses (edited from above)
Something (other than your anniversary) that you can't remember
Risks transferred to a user by a EULA.
The process of hiding the expected and mundane details whilst exposing unexpected data
Flame resisting sheetrock
Resources expected to be there though no one will pay for them
Invisible resources... "Why inspect the bridges? They're built so well they won't collapse!"
A set of conflicting rules designed by bureaucrats allowing them to look productive in comparison to those who must live within policy (Note: these rules get longer and more conflicting should anyone actually be able to get work done)
The most privileged user of a Unix (or Unix deviant) system, usually not the owner or administrator
Mis-spelled; should be prefixed by "Ab-"
Keeping an ancient typewriter handy for your resume writing tasks
The lock on the workout room's door
WINDOWS, and UNIX:
Operating system originally designed to be neither secure nor networkable. Has become demonstrably networkable over time.
An organization where multiple individuals need to be lied to, in order to make a sale.
firewall: A simple piece of technology which allows you safely to remove or disable all internal security systems in your intranet.
Quantum cryptography: the ultimate development of security through obscurity - a security system nobody can understand.
Windows Security: see "oxymoron"
Cheap but I like it.
Biometric security: authentication on principle of something you temporarily have and forget can be taken away from you
Virtual Private Network: A. virtual reality illusion of security - simulated by wearing glasses mirrored on the inside; B. technical implementation of the Big Brother house - creating a feeling that nobody is watching
99% Uptime Guarantee:
you won't really miss your critical system for 3.69 days straight every year
1. proof that hackers really do know how to break into your system untraced;
2. proof that humans can't remember two dozen non-dictionary word passwords with mixed case and non-alpha characters changed monthly (therefore proof that computers are the real deal)
scanned image of handwriting pasted into a Word document;
provides a trustworthy link between the key and the name of a person being impersonated
The personal touch on your redundancy letter.
How important the password you have forgotten is.
Alternative dimension where all the key passwords you have forgotten end up.
Avoiding work by pretending to be dead.
Trusted Third Party: Any organization that can be manipulated by the government.
VPN : A way for your retrenched staff to "stay in touch".