Essays Tagged "Guardian"

The Secret Question Is: Why Do IT Systems Use Insecure Passwords?

  • Bruce Schneier
  • The Guardian
  • February 19, 2009

Since January, the Conficker.B worm has been spreading like wildfire across the internet, infecting the French navy, hospitals in Sheffield, the court system in Houston, Texas, and millions of computers worldwide. One of the ways it spreads is by cracking administrator passwords on networks. Which leads to the important question: why are IT administrators still using easy-to-guess passwords?

Computer authentication systems have two basic requirements. They need to keep the bad guys from accessing your account, and they need to allow you to access your account. Both are important, and every system is a balancing act between the two. Too little security, and the bad guys will get in too easily. But if the authentication system is too complicated, restrictive, or hard to use, you won’t be able, or won’t bother, to use it…

Terrorists May Use Google Earth, But Fear Is No Reason to Ban It

  • Bruce Schneier
  • The Guardian
  • January 29, 2009

This essay also appeared in The Hindu, Brisbane Times, and The Sydney Morning Herald.

It regularly comes as a surprise to people that our own infrastructure can be used against us. And in the wake of terrorist attacks or plots, there are fear-induced calls to ban, disrupt or control that infrastructure. According to officials investigating the Mumbai attacks, the terrorists used images from Google Earth to help learn their way around. This isn’t the first time Google Earth has been charged with helping terrorists: in 2007, Google Earth images of British military bases were found in the homes of …

Tigers Use Scent, Birds Use Calls—Biometrics Are Just Animal Instinct

  • Bruce Schneier
  • The Guardian
  • January 8, 2009

Biometrics may seem new, but they’re the oldest form of identification. Tigers recognise each other’s scent; penguins recognise calls. Humans recognise each other by sight from across the room, voices on the phone, signatures on contracts and photographs on drivers’ licences. Fingerprints have been used to identify people at crime scenes for more than 100 years.

What is new about biometrics is that computers are now doing the recognising: thumbprints, retinal scans, voiceprints, and typing patterns. There’s a lot of technology involved here, in trying to both limit the number of false positives (someone else being mistakenly recognised as you) and false negatives (you being mistakenly not recognised). Generally, a system can choose to have less of one or the other; less of both is very hard…

When You Lose a Piece of Kit, the Real Loss Is The Data It Contains

  • Bruce Schneier
  • The Guardian
  • December 4, 2008

These days, losing electronic devices is less about the hardware and more about the data. Hardly a week goes by without another newsworthy data loss. People leave thumb drives, memory sticks, mobile phones and even computers everywhere. And some of that data isn’t easily replaceable. Sure, you can blame it on personal or organisational sloppiness, but part of the problem is that more and more information fits on smaller and smaller devices.

My primary computer is an ultraportable laptop. It contains every email I’ve sent and received over the past 12 years – I think of it as my backup brain – as well as an enormous amount of personal and work-related documents…

Passwords Are Not Broken, but How We Choose them Sure Is

  • Bruce Schneier
  • The Guardian
  • November 13, 2008

This essay also appeared in The Hindu.

I’ve been reading a lot about how passwords are no longer good security. The reality is more complicated. Passwords are still secure enough for many applications, but you have to choose a good one. And that’s hard. The best way to explain how to choose a good password is to describe how they’re broken. The most serious attack is called offline password guessing. There are commercial programs that do this, sold primarily to police departments. There are also hacker tools that do the same thing.

As computers have become faster, the guessers have got better, sometimes being able to test hundreds of thousands of passwords per second. These guessers might run for months on many machines simultaneously…

Time to Show Bottle and Tackle the Real Issues

  • Bruce Schneier
  • The Guardian
  • October 23, 2008

This essay also appeared in the Taipei Times.

Airport security found a bottle of saline in my luggage at Heathrow Airport last month. It was a 4oz bottle, slightly above the 100 ml limit. Airport security in the United States lets me through with it all the time, but UK security was stricter. The official confiscated it, because allowing it on the airplane with me would have been too dangerous. And to demonstrate how dangerous he really thought that bottle was, he blithely tossed it in a nearby bin of similar liquid bottles and sent me on my way…

Why Society Should Pay the True Costs of Security

  • Bruce Schneier
  • The Guardian
  • October 2, 2008

It’s not true that no one worries about terrorists attacking chemical plants. It’s just that our politics seem to leave us unable to deal with the threat. Toxins such as ammonia, chlorine, propane and flammable mixtures are being produced or stored as a result of legitimate industrial processes. Chlorine gas is particularly toxic; in addition to bombing a plant, someone could hijack a chlorine truck or blow up a railcar. Phosgene is even more dangerous. And many chemical plants are located in places where an act of sabotage – or an accident – could threaten thousands of people…

A Fetishistic Approach to Security Is a Perverse Way to Keep Us Safe

  • Bruce Schneier
  • The Guardian
  • September 4, 2008

We spend far more effort defending our countries against specific movie-plot threats, rather than the real, broad threats. In the US during the months after the 9/11 attacks, we feared terrorists with scuba gear, terrorists with crop dusters and terrorists contaminating our milk supply. Both the UK and the US fear terrorists with small bottles of liquid. Our imaginations run wild with vivid specific threats. Before long, we’re envisioning an entire movie plot, without Bruce Willis saving the day. And we’re scared.

It’s not just terrorism; it’s any rare risk in the news. The big fear in Canada right now, following a particularly gruesome incident, is random decapitations on intercity buses. In the US, fears of school shootings are much greater than the actual risks. In the UK, it’s child predators. And people all over the world mistakenly fear flying more than driving. But the very definition of news is something that hardly ever happens. If an incident is in the news, we shouldn’t worry about it. It’s when something is so common that it’s no longer news – car crashes, domestic violence – that we should worry. But that’s not the way people think…

Why Being Open about Security Makes Us All Safer in the Long Run

  • Bruce Schneier
  • The Guardian
  • August 7, 2008

London’s Oyster card has been cracked, and the final details will become public in October. NXP Semiconductors, the Philips spin-off that makes the system, lost a court battle to prevent the researchers from publishing. People might be able to use this information to ride for free, but the sky won’t be falling. And the publication of this serious vulnerability actually makes us all safer in the long run.

Here’s the story. Every Oyster card has a radio-frequency identification chip that communicates with readers mounted on the ticket barrier. That chip, the “Mifare Classic” chip, is used in hundreds of other transport systems as well—Boston, Los Angeles, Brisbane, Amsterdam, Taipei, Shanghai, Rio de Janeiro—and as an access pass in thousands of companies, schools, hospitals, and government buildings around Britain and the rest of the world…

Software Makers Should Take Responsibility

  • Bruce Schneier
  • The Guardian
  • July 17, 2008

A recent study of Internet browsers worldwide discovered that over half – 52% – of Internet Explorer users weren’t using the current version of the software. For other browsers the numbers were better, but not much: 17% of Firefox users, 35% of Safari users, and 44% of Opera users were using an old version.

This is particularly important because browsers are an increasingly common vector for internet attacks, and old versions of browsers don’t have all their security patches up to date. They’re open to attack through vulnerabilities the vendors have already fixed…
