Friday Squid Blogging: Giant Squid Museum

In Valdés, Spain.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Posted on September 14, 2012 at 4:15 PM • 36 Comments

Comments

ScaredSeptember 14, 2012 5:28 PM

What's going on? The Department of Homeland Security has to establish the need and effectiveness of a multibillion-dollar upgrade to the BioWatch system?

http://www.latimes.com/news/nationworld/nation/la-na-biowatch-gao-20120912,0,3217109.story


http://www.latimes.com/news/nationworld/nation/la-na-biowatch-20120708,0,1751272,full.story

"The only times it goes off, it's wrong. I just think it's a colossal waste of money. It's a stupid program." Officials at the Centers for Disease Control and Prevention, the federal agency that would be chiefly responsible for rushing medications to the site of an attack, told White House aides at a meeting Nov. 21 that they would not do so unless a BioWatch warning was confirmed by follow-up sampling and analysis, several attendees said in interviews.

Most worrisome, testing at the Pacific Northwest National Laboratory in Washington state and at the Army's Dugway Proving Ground in Utah found that Generation 3 units could detect a biological agent only if exposed to extremely high concentrations: hundreds of thousands of organisms per cubic meter of air over a six-hour period.

Poor Northrop Grumman Corp., 1.2 Billion is pocket change to them. What did DHS expect?

Petréa MitchellSeptember 14, 2012 5:58 PM

Surveillance cameras to watch speed cameras, because the speed cameras are expensive and they keep experiencing vandalism.

No figures are given for the cost of the surveillance cameras, but this has to at some point become more expensive than other means of traffic enforcement...

(At least now we have an answer for "Who watches the watchmen?")

Petréa MitchellSeptember 14, 2012 6:15 PM

From a couple months back-- I kept forgetting to post it.

A couple of Google executives went to Juarez, Mexico, noticed that it was full of violent drug gangs, and realized that the answer was... yes! A giant pseudonymous database of informants and tips!

Naturally, since none of the following are mentioned as problems, Google will be able to make sure that the sysadmins are incorruptible, the tips will all be true, everyone will have a secure location from which they can access it unseen and untapped, the power supply will be reliable, etc.

kashmarekSeptember 15, 2012 10:30 AM

An interesting read:

http://yro.slashdot.org/story/12/09/15/027248/report-hints-at-privacy-problem-of-drones-that-can-recognize-faces

It is about drones and facial recognition. Is facial recognition really that good that it can be used successfully from a flying object, vibrating due to the engine and/or wind buffeting, looking downward, and moving much faster than the targeted objects, with trees, buildings, or other obstacles in the flight path. Really?

It sometimes takes years to explain some plane crashes, and they are loaded with technology to deal with this, but these drones are able to recognize faces instantly? Will they also recognize and identify whatever takes the out of the air (and that will start happening)?

Nick PSeptember 15, 2012 12:53 PM

Alright, something for the niche of people here who like progress in building highly assured software. Updates on old projects I mentioned and new (to me/you) links on good research.

The tagged, word-level security had good performance
http://www.crash-safe.org/sites/default/files/PLPV.pdf

Useful .NET mini-OS (with code!) verified to assembler
http://cacm.acm.org/magazines/2011/12/142529-safe-to-the-last-instruction/fulltext

As for MILS vendors, INTEGRITY 11 is out; INTEGRITY-178B got multicore; LynxSecure at 5.1 get's focus-based processor optimization, trusted path, & enhanced virtual networking; LynxSecure + secunet made SINA thin client; SYSGO's PikeOS (at 3.3) gets plenty safety-critical certs, more architectures, & is picked for Safe & Secure Microkernel Project (Europe's MILS effort); OK Labs made BYOD security solutions, a "high assurance framework", hit 1.5 bil. deployments, repeatedly busted out VMware's mobile efforts (link below), & was acquired this week by General Dynamics (yikes!).

Heiser's current & previous statements, plus free course on OS's
http://www.ok-labs.com/blog/entry/hey-vmware-secure-it-aint/

Whew that was a mouthful...

L4Fiasco got upgraded in security & multicore
http://os.inf.tu-dresden.de/fiasco/

QubesOS hit 1.0
http://theinvisiblethings.blogspot.nl/2012/09/introducing-qubes-10.html

Secure64's DNS stuff & robust custom OS continue to rock
http://www.secure64.com/press_releases

Trustifier still peddling questionable stuff & broken website (click Ryu, main offering)
http://trustifier.com/

Enough for now. Hope you all enjoyed the updates.

FigureitoutSeptember 15, 2012 1:34 PM

At least now we have an answer..
@Petréa Mitchell--Lol

@kashmarek
You know when I spotted some drones, I seriously contorted my face and altered my gait.

Now for some weekend humor, my sporadic spazzoid side of me gets a little twitchy when I read stories of technological fiery fail. In a magazine a consultant shared a story of how a desktop pc left on overnight had a circuit failure that caused a resistor to overheat and ignite the layer of dust covering inside the computer. The flames were fanned outward by an exhaust fan, turning the computer into an "electronic blowtorch". More funnies here.

The madness doesn't stop there, it's only beginning. Those that follow this blog religiously know Bruce has covered printers getting hacked and bursting into flames.

For all the "smart" phone owners (which is everyone minus me:), no your not safe either. Here we have someone who's phone "spontaneously caught fire".

Finally, I'll round out the post with our beloved "smart" meters that are "hot" in the news lately (calling something "smart" doesn't make it so). From the article: "PG&E discovered a limited number of cases of SmartMeter™ radio interference with customer electronics, including ground fault circuit interrupters (GFCI) and arc fault circuit interrupters (AFCI)."--So while your getting fried because your GFCI is being interfered with, thank your "smart" meter. Some blame faulty installation, which I've personally seen as apparently some technicians have forgot mind-numbingly simple things like how to properly solder ac wires for a transformer. Some have seen them not just catch fire, but explode! Seems that they also may be linked to power surges that damaged appliances. Leaves me with a quote from the article: "a good example of how sometimes the old way is the good way"

Clive RobinsonSeptember 17, 2012 3:57 AM

@ Bruce Clement,

It might in some ways be shallow (but not the bit on whales), but it made one observation that is almost indisputable,

Because no one will ever be as good at killing Americans as Americans

Oh and one thing it indirectly mentioned was the USA and war via 1812 invasion of Canada. The Bi-centennial of the start of this was just a handfull of days ago. However it kind of set a trend after four years not only had the USA killed and maimed and beggered a lot of people (many of whom had actually been born in the USA) it ended with the Canadian/USA border remaining exactly when it had started. But that house on the edge of a swamp (1600 Pennsylvania Ave) was all but burnt down by British forces (leaving scars that can still be seen today) that further pushed the US President and Government out of Washington DC in panic and fear causing the same in much of the general populous.

As far as I'm aware the British were the last people to invade the political heartland of the USA.

Why did the British stop fighting, when they were very obviously winning? Well the war was started by the USA when the British were heavily committed to fighting the "Little French Dictator" so could not easily defend her other territories. That European war ended at Waterloo and the British shipped their battle hardened and well trained ground forces to the Eastern Sea Bord of the US with great success. However the political decision had been taken that the UK did not want to carry on a prolonged war, so when a point was reached where surender terms could be dictated to the USA they did and pulled out.

The result was the US had captured a British Standard Flag from Muddy York, and their actions there turned the people in that part of Canada very much against the USA even though most of those people had actually been born in the USA. This spread and forced people to chose, and they chose not to live under the boot of tyranny that was their native homeland, under the ethos of "my country right or wrong" but instead to fully break away and forge a strong nation of their own under the flag of the British Empire.

That said it was the begining of the end, British Politicians realised that the reality is nobody could afford Empires any longer they were to expensive to defend and the Sun had started to set befor the British Empire had reached it's peak. Why did Britain still increase it's Empire in Asia and Africa, well mostly because of the actions of a few individuals running trading companies and the French and public opinion as whipped up by the newspapers...

As the French have observed "The more things change the more they stay the same..."

As for the events in Boston in that snowy December of 1773 a mear forty years befor, it was not actually the dumping of the Tea that was the catalyst, but an earlier "snow ball fight" where a shot was fired and this was used as a rallying flag by some to push their agenda.

We are currently seeing the same over an amature film by a person with extream views. The blow back is now being seen in over twenty countries world wide in part due to others with extream views but in the main because of what are seen as US "Imperialist Activities" over the past fourty years in the Middle East and other nations the US has sought to exploit for their resources. It might not be a "US Empire" in name but that is how many of the people in those exploited countries view the US at some level.

Rather than bang the drum and scream for revenge the US would be best to show humility and let the law enforcment organisations of the countries where the blowback has been the worst get on and do their jobs and only provide the minimum of non military assistance where specificaly asked. Flying in the Marines is actually politicaly not a good idea it just provides a more definate focus for those militants to home in on politicaly and physicaly. Those that control the militants want US boots on the ground because they know that they can exploit them to their advantage, the only way to win that game is by not playing.

The only way to defeat such militants and their puppet masters is to rob them of targets (boots on the ground etc) and leave them only their own people to turn on. That way they lose popular support and the people of the country see them as what they are Terrorists not Freedom Fighters.

It might result in in the country going backwards, but as Europe knows from long history democracy is often forged in the heat of the blood shed of civil war. You cannot give it to people, they have to fight for it. And the best way to help them is by giving them a reason to fight for it, which is a better standard of living.

It is something that has been known since Roman times, people will almost always vote for "bread and Circuses". Thus what you need to stay in power is the means to ensure the people get the food and entertainment, and that can only be achieved by economic success which can only be managed longterm by the efficient utilization of resources.

We are currently seeing in Southern Europe what happens when you have bread and circuses without an economy to support them, you start to descend into the start of civil war.

Thus peace is reached by a carefull control of peoples expectations, and the ability to forefill them. And this requires careful control of resources and thus the economy that can stabily grow in line with the expectations of the people.

How you go about it is fraught with difficulties and beguiling false paths, but one thing is certain you cannot live on your capital for very long, that way lies ruin you need to live off only part of the return from investing your capital thus expectations have to be kept in line with real growth in the economy not the false growth we see so much of.

Whilst you cannot give democracy to people or worse try to force it onto them. You can with judicious care and time help them build their economy to the point where it helps foster the desire for democracy. It might not work immediately but eventually all Empires and Dictatorships fall, generaly not due to external preasure but from preasure within.

mcdavexSeptember 17, 2012 9:17 AM

Well, it looks like MegaNet has serious competition!

according to http://www.prweb.com/releases/SSL_credit_card/encryption_security/prweb9897457.htm

The founder and proprietor (an electrical engineer who apparently identified a recurrent problem in IBM’s testing system that saved the company $1 million per year, was recognized by NASA him with an individual commendation for his automation of spacecraft programming on planetary probes, and has held chief scientist/principal engineer positions at Xerox, Northrop, Intel, Vitesse, Phillips, and AMD) has found that 3DES, SSL and RSA can all be "cracked in minutes to hours" - and he (for a fee of course) has the answer - the keys are just too short, so with his TWO GIGABYTE KEYS (that aren't PKI but need no key exchange) you can finally be secure.

Well, I await MegaNet's counter salvo. surely a one terabit encrypt matrix is the only way they could come back from this? :)

Terry ClothSeptember 17, 2012 9:57 AM

@Clive Robinson: ``You can [...] help them build their economy to the point where it helps foster the desire for democracy.''

I've always wondered why my (U.S.) gov't doesn't catch on to this. To my way of thinking, the absolute best way to handle our immigration ``problem'' is build up the Mexican economy.

Nick PSeptember 17, 2012 11:41 AM

Security news

Synopsis: "A security researcher has demonstrated a series of attacks capable of disabling touch tone and voice activated phone systems or forcing them to disclose sensitive information."

http://www.scmagazine.com.au/News/315844,phonetic-attack-commands-crash-bank-phone-lines.aspx

Quantum key exchange between plane and ground
http://www.newscientist.com/article/mg21528824.300-moving-plane-exchanges-quantum-keys-with-earth.html

@ Clive Robinson

"Err did Bruce bruce blog on this on 9/11/2012?"

Oops. I didn't see that one.

@ mcdavex

"In The Doghouse": MerlynCryption

"Well, it looks like MegaNet has serious competition!" (mcdavex)

"ASBE uses blocks as part of the algorithm. These blocks are manipulated in ways different from all currently known and published existing encryption algorithms in a variable way, which depends on the key. The algorithm employs variable key length and requires no key transfer, which overcomes two major vulnerabilities for the cryptographic design community" (from article)

Too funny. I could see how lay people, esp CIO's, might be taken in by this stuff. Even so, they'd be better off making their questionable techniques "amplify" a KB key into a MB keyspace so they don't create a storage problem solving a security problem. Millions of documents with million bit keys adds up quick. I mean, if we're doing quackery, why not go the extra mile with it? ;)

Another thing I noticed re Paul Sobel:

"His security work encompasses log management, NAC, super computer design, graphical and audio presentation of Big Data in eleven or more dimensions, and image processing."

Boggles my mind to process data in 11+ dimensions via audio. Some accomplishment. Then...

"He holds three patents in CPU Architecture, one classified patent, and one patent pending."

Rephrased: three patents in a totally unrelated field, another govt classified so he can't show you, and another random thing being patented. But, trust us, he knows better than all the cryptographers, academics & mainstream security types, too!

karrdeSeptember 17, 2012 1:26 PM

@Clive,

interesting discursion into the War of 1812, and the entire question of global Empire.

(I seem to remember most American history books give passing mention to that French guy and his fight with Britain, and then mentioning that the Royal Navy was grabbing American merchant sailors an forcing them to fight for the Crown...though I do agree with you about the conclusion of the War.)

If an Empire a military/economic structure designed to bring money into the capital of the ruling nation, then I'm not sure if the U.S. owns an Empire.

However, if an Empire is a military system designed and intended to influence the interactions of most of the other nations on the globe, then the U.S. may have an Empire. (In all but name...)

The security problems involved with being the most powerful nation in the area are many. And I doubt that there is an easy way to solve that problem, short of ceding the title of "Most Influential Nation in the Region" to someone else.

time flies like a bananaSeptember 17, 2012 2:55 PM

@Nick P.

I don't know if you see this, or if it's just me, but when I hover the cursor over the newsletter signup area on the scmagazine "Phonetic attack commands..." page, that you refer to above, it shows that it is a link to a page on deviantart.com. Anyone who clicks in that field would be unexpectedly taken there. Have script kiddies been at it perhaps ?

Nick PSeptember 17, 2012 3:13 PM

@ time flies like a banana

Nice catch. I emailed the site's editor with the relevant information. I also noticed that the site it redirects to is the same site the image on the left was taken from. It was probably a webmaster error, rather than a hack. Either way, we now get to see their response time to potential security issues that can be fixed almost instantly with an HTML edit. Should be quick, but will it be?

nobodyspecialSeptember 17, 2012 4:07 PM

@Terry Cloth
A, If you are an American worker a rich Mexico helps you, it gives you an extra market for your Made in America products and raises the value of your labor.

B, If you are an American factory/farm owner a poor Mexico gives you a source of cheap labor and keeps local wages down.

So the trick is for group B to persuade group A that it's all Mexico's fault.

nobodyspecialSeptember 18, 2012 12:35 AM

Traveling the Silk Road: A measurement analysis of a large anonymous online marketplace

arxiv.org/abs/1207.7139

"We perform a comprehensive measurement analysis of Silk Road, an anonymous, international online marketplace that operates as a Tor hidden service and uses Bitcoin as its exchange currency. We gather and analyze data over eight months between the end of 2011 and 2012, including daily crawls of the marketplace for nearly six months in 2012. We obtain a detailed picture of the type of goods being sold on Silk Road, and of the revenues made both by sellers and Silk Road operators. Through examining over 24,400 separate items sold on the site, we show that Silk Road is overwhelmingly used as a market for controlled substances and narcotics. A relatively small "core" of about 60 sellers has been present throughout our measurement interval, while the majority of sellers leaves (or goes "underground") within a couple of weeks of their first appearance. We evaluate the total revenue made by all sellers to approximately USD 1.9 million per month; this corresponds to about USD 143,000 per month in commissions perceived by the Silk Road operators. We further show that the marketplace has been operating steadily, with daily sales and number of sellers overall increasing over the past few months. We discuss economic and policy implications of our analysis and results, including ethical considerations for future research in this area."

Clive RobinsonSeptember 18, 2012 2:25 AM

@ Terry Cloth, nobodyspecial,

Mexico is a bit of a problem...

How do you improve their economy without having a detrimental effect on the US home economy...

However there is another issue getting in the way, Mexico is not exactly poor and the big problem with their economy is not the lack of wealth or resources but crime and corruption. Because of this it is often refered to as a "hollowed out country" where the entire governmental legislature, judicial and executave structure is fundamentally corrupt. Solving the crime and corruption would probably improve the base economy in Mexico without any other effort required.

One of the problems we see in Europe at the moment is the "Industrial North -v- Agrarian South". This causes a significant issue to do with a single currancy where there is no central control.

What the South want's is the quality of life they see in the North but do not have the Industrial infrastructure to support. However whilst the North has the Industrial infrastructure it does not have the ability to feed it's workers...

Looked at one way the standard of living in a country is based on the size of the population and the amount of wealth produced per square foot of land. Industry and services can be very productive per unit of land area but can also be "stacked" many layers deep on each unit of land thus making it vastly more productive. Agrigulture however is apart from a handfull of plants (think drugs and certain rare spices etc) not very productive per unit of land area, and unlike industry and services cannot be "stacked".

One potential solution would be to make the land in the south produce more wealth. There are many ways this can be done, One way would be to rise the price of food (not wise). Another is to tax the north and pay a subsidy to the farmers (See the EU CAP as to where this goes wrong). Another is to reduce the population in the South (As seen in the Americas this tendss to happen anyway as job oportunities are perceived as being better in the north).

But it's not just raw wealth that's an issue it's the cost of social infrastructures as well. In the north due to a high population density things like education and health care are more cost effective due to the Distance/Cost and Distanc/time metrics being much much smaller.

There is also the question of why the north is industrialized and the south not. Before industrialisation the south was rich and the north poor as the agricultural production of the land in the south is generaly better due to having more sunlight per unit of land and consiquent longer growing seasons etc. However the limit on population density was not just to the prooductivity of the land but also due to disease. The only safe things to drink in general were alcohol based. The south had wine which involved little in the way of effort, skill, etc to make. Beer on the otherhand requires considerable energy and skill to make effectivly. This encoraged towns to develop due to the economy of scale of beer making this encoraged commerce and surplus wealth could and did encorage patronage of fine arts etc which gave rise to metal smithing etc and eventualy industrialisation.

So the question becomes how can we reverse the productivity differential between the north and the south in a non artificial (wealth diverting via taxation / subsidy) way. And importantly without "beggering thy neighbours".

And it is this latter issue that is the cause of contention with US / Mexico, setting up a Co-prosperity area will cause work for the masses to move where labour is cheapest or subsidy is highest as the Distance/Cost and Distance/Time metrics reduce. This creates a massive taxation shift, which unfortunatly due to Mexico's corruption will not benifit the general populace, just encorage more criminal activity.

As we know the artificial way of maintaining the Distance/Cost and Distance/ Time metrics has been by "import control" in various forms, many of which are (supposadly) designed to rebalance the tax issues. One such is China's "export tariffs" on certain raw resources. They are deliberatly putting significant export restrictions on things like rare earth metals in order to get manufacturing to move from the industrialised West to their mainly agrarian society.

On a historical note when agriculture was the primary source of wealth, the most important resource to control was water, and for most of recorded history there have been "water wars". Well the equivalent of water for industry is energy, and we are already seeing "energy wars" to control the access to chemicals that store "energy".

As noted as you move south in the northern hemisphere you get more sunlight hours and with greater intensity. If this energy could be "bottled" and cheaply transported then the wealth of the south would improve significantly. One way to do this is with very fast growing organisms that can then be harvested cheaply and easily into high energy content fuels. It might be that in a few years Mexico's most significant export to the US is not bone muscle and gristle of workers but organic hydrocarbons...

Clive RobinsonSeptember 18, 2012 9:51 AM

OFF Topic:

Smart meters are as we know a bit of a disaster waiting to happen in many ways...

Well in the UK even after being given a RED light that should have killed it stone dead they are carrying on with not just the biggest invasion of privacy but also a compleate and utter financial disaster.

Ross Anderson at Cambridge Labs has a paper on it that was presented to the UK Cabinet Office,

http://www.lightbluetouchpaper.org/2012/09/17/the-perils-of-smart-metering/

FigureitoutSeptember 18, 2012 2:13 PM

@Nick P
The QKD article was pretty sick, but I'm still quite a ways away from fully comprehending :(

@Dmitry
Unbelievable.

@Clive
Agrigulture...cannot be "stacked".
--I have tried to think of ways to do this "stacking". People should be aware just how much food is produced by just planting a few plants around your property (if you're lucky enough to be able to), how little effort it is, and how satisfying it is to harvest your bounty. The only thing I would change personally is water consumption, I want to use rain water from gutters; but I've also thought of something like an inverted umbrella that can withstand storms and collect water, and have a either a pump attachment built into it or you could just put one in. The first very obvious picture is something like a skyscraper (I haven't tried), excess water would drip down & be reused; but sunlight would be an issue if they're area was too big. I planted cucumber plants (which are vine-like) amongst corn plants, and I was beyond happy with the output. The cucumber plants could also grow up the corn plants and a few of them were growing upside-down. So it was only 2 crops in almost same place; but I think there are other "compatible" plants that could grow with each other and squeeze productivity out of land; I'm looking forward to next spring :)

Re: smart meters
--Read the paper on the "Security Economics" of smart meters if you haven't. Another big issue besides resilience and privacy was data storage; if you want a transmission every 30 minutes from millions of meters, that's huge. I was pleased to see the Dutch take a stand, which will at least allow people to really consider what is happening. I was horrified thinking Google or Microsoft want to get in the "meter game", Anderson hints at how google could use all the data on your lifestyle to better serve you....more ads.

Anderson states regarding an "on/off" switch capability: Such a power should thus either not be created, or guarded and controlled extremely closely....Being able to turn out the
lights in another country is the cyber equivalent of a nuclear strike – a completely disabling strategic attack that would reduce the enemy population to nineteenth-century standards of living.

I have yet to read, just skim, but this may be interesting: Historical timeline of electric meters

WaelSeptember 19, 2012 3:38 AM

@ Nick P

Flying at a height of 20 kilometres and a speed of nearly 300 km per hour

Two questions (at least one of them... is probably stupid)
1) I wonder what kind of a plane can fly at an altitude of 65,616 feet with a speed of 186 miles per hour without stalling!

2) I guess intercepting a polarized photon does not guarantee changing its polarization, otherwise we can "observe" it more than once :) and this assumes a passive MIM "observation". I wonder what an active MIM can do...

Nick PSeptember 19, 2012 12:31 PM

@ Wael

"Here we report on the fir rst experimental demonstration of a BB84[5] QKD transmission from an airplane at a speed of 290 km/h to ground. Our system uses attenuated laser pulses with a mean photon number of µ = 0.5 and polarization encoding. Over a distance of 20 km a stable link was achieved for 10 min yielding a sifted key rate of 145 bits/s with a quantum bit error rate (QBER) of 4.8 %."

Looking at the source paper's wording, I don't think the plane was 20km in the air. The picture also showed it to be one of those tiny, civilian planes. I think the news article just reported things wrong. However, you mentioning that led to some interesting discoveries on their site. Check out the titles of the papers.

Quantum eavesdropping without interception: an attack exploiting the dead time of single-photon detectors

High speed optical quantum random number generation (edit to add: 50Mbps)

Information leakage via side channels in freespace BB84 quantum cryptography

So, we have a new TRNG (yay!) and some papers on QKD attacks. A quick skim showed quite a few different types of attacks popping up. The original news stories from the likes of New Scientist years back would have made us thought the whole point of QKD was eavesdropping is prevented by (quantum physics jargon here).

Yet, my suspicions turned out correct in that the tech has plenty of avenues of attack & can't be trusted. My advice in the past was to wait it out about ten years or so before trying to evaluate its trustworthiness. This concept played out so much in INFOSEC that I'm formulating a new law (version 0.1).

Nick P's Law of Trustworthy Technology: Don't trust any new safety- or security-critical technology until science and industry has evaluated it for at least 10 years.

(Emphasis on "at least.")

Thoughts?

LanoraSeptember 19, 2012 7:35 PM

Hey just wanted to give you a brief heads up and let
you know a few of the images aren't loading correctly. I'm not sure why
but I think its a linking issue. I've tried it in two different internet browsers and both show the same results.

WaelSeptember 19, 2012 8:14 PM

@ Nick P

Thoughts?
Sure... Here is another law: If someone can polarize it, another (someone else, that is) can depolarize and then re-polarize it :)

Regarding "Nick's Law":
You have to start your law by saying: Nick is a pessimist... Murphy isn't better than you!

Nick PSeptember 20, 2012 11:21 AM

@ Wael

"Regarding "Nick's Law":
You have to start your law by saying: Nick is a pessimist... Murphy isn't better than you!"

LOL. I guess my law is the bright side of Murphy's Law: "Everything bad that can happen will happen... for about ten years. Then, it will all work fine until someone changes one tiny part of the design or use case."

RobertTSeptember 20, 2012 10:41 PM

@NickP
"LOL. I guess my law is the bright side of Murphy's Law..."

I've got to agree, every good security professional I've ever met thinks the Murphy is an optimist.

Clive RobinsonSeptember 21, 2012 7:17 AM

@ Nick P,

Don' trust any new safety- or security-critical technology until science and industry has evaluated it for at east 10 years

Nagh that takes way to long,

Clive's first rule of evaluation of anothers design,

If on seeing the system diagram you cannot work out three ways to break the system in five minutes then it's not practical to build.

Clive's Second rule of evalutation of anothers design,

If you can't see a way to break the system then in all probability it either won't work or won't be secure.

Clive's Third rule of evaluation of another design,

If it work's and you still cannt see a way to break it then it's time to retire.

WaelSeptember 21, 2012 11:48 AM

@ Clive Robinson

Clive's first rule of evaluation of anothers design...

I am crestfallen Clive Robinson, with all your Castle-V-Prison discussions, and you come up only with three rules? Nothing less than 10 is expected (since you also referenced Lot's wife before -- 10 commandments of Clive Robinson:)

1- Thou shalt not use a short PIN :)
2- Thou shalt not use PINs that were posted on this blog, even if that reduces the "PIN space"
...

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..