Friday, August 02, 2002
Homeland Insecurity
The September issue of the Atlantic Monthly has a remarkable special report called Homeland Insecurity (not yet excerpted online). It features none other than Bruce Schneier. I am delighted to see Schneier's philosophical transformation -- from crypto-infatuated fortress builder to pragmatic watchguard -- detailed in a mainstream magazine. People who would never have read Secrets and Lies will read this excellent article, and I hope will ponder Schneier's message:
- Security technologies are brittle
- When they fail, they fail catastrophically
- Human judgment needs to govern the security process
The article concludes with a description of Counterpane's command center:
Highly trained and well paid, these people brought to the task a quality not yet found in any technology: human judgement, which is at the heart of most good security. Human beings do make mistakes, of course. But they can recover from failure in ways that machines and software cannot. The well-trained mind is ductile. It can understand surprises and overcome them. It fails well.
Mixing long stretches of inactivity with short bursts of frenzy, the work rhythm of the Counterpane guards would have been familiar to police officers and firefighters everywhere. As I watched the guards, they were slurping soft drinks, listening to techno-death metal, and waiting for something to go wrong. They were in a protected space, looking out at a dangerous world. Sentries around Neolithic campfires did the same thing. Nothing better has been discovered since. Thinking otherwise, in Schneier's view, is a really terrible idea.
5:58:44 PM
Tuesday, July 23, 2002
OASIS and WS-Security
Under the OASIS umbrella, more folks are linking arms to support WS-Security:
The OASIS standards consortium has organized a new technical committee to advance the WS-Security specification. WS-Security provides a foundation for secure Web services, laying the groundwork for higher-level facilities such as federation, policy, and trust. Through the open OASIS process, providers and users will come together to extend the functionality of WS-Security, which was originally published by IBM, Microsoft, and Verisign. [OASIS]
I plan to attend a forum ("co-sponsored by OASIS and W3C") in Boston on Aug 26 to hear more about this. The picture is still quite fuzzy, frankly, but it does appear we're in a market-making let's-all-work-together phase.
PS: Maybe that shouldn't be surprising. According to today's NY Times, we are wired to cooperate, and doing so lights up the pleasure centers of the brain.
10:43:41 AM
Tuesday, July 02, 2002
Web services security and XML pixie dust
It's an article of faith right now in the web services realm that security is the major roadblock. We're all sitting around drumming our fingers on the table, the story line goes, just waiting for consensus to emerge from that cloud of dust the standards-makers are kicking up.
When I look at the proposed standards, though, I see a bunch of familiar stuff. Name/password authentication, Kerberos, access control lists, PKI certificates, signing, encryption. All this has been part of the web forever, though admittedly PKI and Kerberos haven't really gotten over the activation threshold.
I don't think it's a bad idea to wrap XML around this stuff. But I'm not convinced that will solve the hard problem. What's hard is that security technologies are just a royal pain in the ass to deal with. I was sure, for example, that client certificates would be widespread by 1997 as a mode of authentication to websites, and as a single sign-on solution. Today I'm one of a handful of people who have ever bothered to acquire a client cert.
Are we just trying to XMLize Kerberos and PKI and ACLs because we hope the magic pixie dust of XML will make the pain go away?
11:14:48 AM
Tuesday, June 18, 2002
Wednesday, June 12, 2002
Blogging and homeland security: connecting the dots
Sunday's New York Times featured a disturbing story on the IT culture clash between Google and the FBI:
Data is compartmentalized so that case information compiled in Phoenix might not be accessible to agents in Minneapolis, and retrieval of the full text of case reports is not possible. Devised for the quick retrieval of the names of known suspects, the network can be searched for terms like "aviation" or "schools," but not "aviation schools" -- in other words, precisely the kinds of phrases that may have made it easier for law enforcement agents to connect the dots and discern the patterns of activity leading up to Sept. 11 attacks.
Mr. Schmidt of Google said that government had characteristically been slower than industry to adopt new information technology and to link its multitudinous information networks. This leads to a condition that the industry calls "stovepiped" information, which means that data is warehoused in separate, unconnected silos. That is partly by design, Mr. Schmidt said, as a precaution against wandering hackers. "They don't want a network interloper to come in and do a lot of damage to other computers." [New York Times]
I'm sure it's true, though no-one can come out and say so, that the FBI are among Google's most intense users. I hope a private network of weblogs will be the next step. Valdis Krebs has a new paper that suggests how social network mapping can be used to thwart terrorists. He writes:
To gather the data for mapping these networks, individually and as a group, requires much cooperation between departments, agencies and countries. This requires vertical, horizontal, and diagonal links between all of the investigators on the case -- in other words, our network needs to be as good or better than enemy's! [Valdis Krebs]
Maybe I've just got blogs on the brain. But like all stovepiped IT organizations, the FBI's will not be rebuilt anytime soon. The way forward is a human awareness network layered on top of those stovepipes and connecting them.
Such an overlay network needn't, of course, intersect with public blogspace. But purely internal use of existing low-tech weblog software could reproduce the same effect: a knowledge network with human routers. Would it be perfectly secure? Of course not. But in the end, what's the greater risk? That the enemy might discover we had connected the dots and have to change its plans? Or that we have no hope of connecting the dots at all?
8:19:47 AM
Saturday, May 18, 2002
Managing credentials with Counterpane's Password Safe
Seeing Bruce Schneier at ETCON reminded me that I've been meaning to mention Password Safe, a really simple and useful tool available for free from Schneier's company, Counterpane Labs. It's a GUI app you use to securely maintain a database of passwords.
The version I'm using, 1.7, runs on Windows. Version 2, an open source project, is apparently still also for Windows only, though I guess this could change.
I've been holding my breath for a long time waiting for single sign-on. After a while I started turning blue, and writing down passwords, which felt incredibly stupid but was unavoidable. Password Safe makes that necessary evil feel a lot less stupid.
The database is Blowfish-encrypted. Each entry has a title (e.g., "Amazon"), a name, a password, and a comments field which I find quite important for recording the context of a given credential (e.g. "3rd sample user for test system version 5"). Copying a username or password to the clipboard, for subsequent pasting into an authentication dialog, is easy. There are some thoughtful details: you can have the app clear the clipboard when it's minimized, and it won't ever display any passwords on the screen unless you override a default.
The whole kit -- executable, data file, and helpfile -- amounts to under 400K, and since there are no registry dependencies it can easily be moved back and forth between your desktop and laptop.
Nothing earthshaking about this. Just a simple and practical tool, from the most pragmatic security pro in the business.
3:50:56 PM
Wednesday, May 15, 2002
Security, insurance, and hard realities
Here are some notes from Bruce Schneier's talk. Hard, cold realities. Microsoft and its peers don't care about security, he argues, because it's not rational for them to do so. As businesses, they shouldn't, because they're not liable for their practices. Schneier is running out of options, he says, and what he's left with is a two-pronged strategy. One, require businesses to use insurance to manage risk, just like businesses use it to manage all other risks. Two, beef up prosecution of computer crime.
I'm sure he is right. If we change the economic incentives governing security practices, like we've done in the case of environmental protection, then there will be change. Otherwise not.
Suddenly a company choosing an operating system gets handed two insurance policies -- here's what it costs if you use Linux, here's the policy for Microsoft. The math gets much more interesting now. Security will improve because the CEO will now care.
This has disturbing implications for small software companies. Is there another way? He doesn't see one.
8:23:52 PM
PKI: no silver bullet, but not worthless either
John Robb's comment -- certification isn't worth doody -- overstates the case. Despite exploitable flaws in the PKI/SSL infrastructure, I would rather transact business with a company that has identified itself to some third party than with a company that hasn't.
I'd also much prefer to transact business with individuals who take the trouble to identify themselves to some third party. The assurance offered by my Thawte freemail cert, while minimal, is far more than what's available in typical email discourse.
Just because PKI has been oversold doesn't mean it should be underestimated. Groove shows us just how seamless the exchange of trust can be for users. Although it presumes a PGP-like model, it was built to be -- and in version 2.0 has become -- a system that works with enterprise and cross-enterprise PKI-based trust. The issues addressed by PKI aren't going away, and the technologies woven into PKI will play out in our lives one way or another.
2:35:08 AM
© Copyright 2002 Jon Udell.