The Register® — Biting the hand that feeds IT

Security damn well IS a dirty word, actually

Wash your mouth out with TLS 1.2

Sysadmin blog An interesting feature popped up on Ars Technica recently; website journo Nate Anderson discusses how he learned to crack passwords.

The feature is good; good enough for me to flag it up despite that journalistic competition thing*. That said, the feature gently nudges – but does not explore – a few important points that are increasingly critical to consider in the context of any serious discussion about IT security.

In his feature, Nate describes himself as having learned to become a "script kiddie." While I won't dispute the nomenclature, reading the feature left me with the impression that he felt the tool chosen was an important part of what separates the script kiddie from more well-versed malefactors.

The difference between a script kiddie and a decent cracker isn't the tool used. It is the time taken to understand how a tool works, why it works that way, what its limitations are and – ultimately – the effort made to increase the tool's efficiency and/or likelihood of success. Nate may have started his journey out as a script kiddie, but I suspect he's put far more thought into this than most script kiddies do. Were he to pursue this "addictive" line of investigation for a few more months, he'd be well on his way to what – in the 80s – we called a cracker.

The terms have been diluted over the years. A cracker was someone who put a lot of time and effort into breaking digital locks. It required a fair amount of knowledge to accomplish but was still a focused pursuit. A hacker – using the old school technology – would take this same iterative experimental approach to hardware. They would see software and hardware as two parts of a single whole.

For an old-school hacker the goal was to learn. The reward was solving another puzzle. These people still exist today, though increasingly underground, as curiosity itself seems to be rapidly becoming illegal.

Wave your hands

Google's Self Driving Car: a security problem waiting to happen?

Computers are not magic. It is simultaneously a simple truth and the hardest element of their operation to intuitively grasp. There are so many layers between today's users and the underlying transistor logic that the operation of computers legitimately seems like magic, even to those who've spent a lifetime in the field. (Be rational all you want, printers were sent from hell to make us miserable.)

The problem with computers today – as with yesteryear – is the abstraction of these operating fundamentals from the usage of the device. Despite evolving existing interfaces, periodically reinventing the wheel and even changing form factors we are actually pretty bad at abstracting away the underlying flaws of computer design such that end users don't need to know how the widget works.

If you don't know how the widget works, you are ultimately going to be vulnerable to some security flaw you didn't even know existed. Despite this, proliferation of computers has trebled; the growth of deployment seems logarithmic with no asymptote in sight. Computers are in everything from our cars to our phones and soon our watches and even our eye glasses. If we can't secure the mess we have today what hope can we possibly have of locking down the much hyped internet of things?

It's dead, Jim

Anderson correctly highlights that the fragility of passwords is frightening. Password cracking software is shocking in its ease of use. What should be more frightening – but hasn't sunk in yet for most – is the ease with which virtually every other security mechanism we employ can also be compromised.

From encryption at rest (via RAM grabs, amongst others) to SSL/TLS (via, apparently, everything) on to nearly every other storage and transmission mechanism we've invented; the IT industry seems to birth crypto mechanisms that are really only practically secure for a few years - a decade at best.

More frustrating than this is that we do generate solutions to known vulnerabilities on a regular basis. In many cases they simply remain unimplemented. Consider the shocking lack of support for DNSSEC, or the fact that amongst the mainstream browsers TLS 1.1 is only enabled by default in Safari and Chrome while TLS 1.2 isn't enabled by default on iOS devices. (There's a good discussion on why here.)

The economies of most nations depend on the security and trustworthiness of these authentication mechanisms and yet the implementation of newer techniques is constantly held back. The multinationals making the gear we use circle each other and growl; each is looking to exploit the weaknesses that affect us all to their individual advantage.

Ultimately, I don't think education alone will help here. Some combination of "keeping one step ahead" on the cryptography front has to be combined with a UX that abstracts the "hard stuff" away from end users. As much as I'd love to teach 7 billion people proper password hygiene, I suspect this isn't the correct path.

Defeating security mechanisms is a challenging puzzle that offers wealth to those who accomplish it. Creating new security mechanisms – or fixing old ones – is hard and few are willing to engage in the activity unless a clear monetary advantage can be gained. We need a fundamental rethink regarding the economics of IT security. The market as it stands today isn't delivering. That failure promises to be a problem for us all. ®

*Though we'll put the link down here, eh, Trevor - Ed.

Computing isn't the problem

It's the Internet.

Also, it's the way we use metaphors.

We have a "desktop" but a fundamental aspect of a desktop is that it has physically limited access. Reading pron at your desk may get you fired, but it probably wouldn't result in your bank account being emptied and vast bills being run up on your credit card. The physical presence of a real desktop in a room in a house, up a driveway behind a locked door with possible nosy neighbours, drastically reduces risk.

We "go to a website" rather than, "run a program we downloaded from somewhere." Yes, HTML/JS are instructions - programmes.

The Internet dispenses with geography and computers are designed to automate things. Those two elements are dangerous. Being geographically safe, we assume we are logically safe. That's an assumption which doesn't hold true any longer.

It's the people, not the computer

"The problem with computers today – as with yesteryear – is the abstraction of these operating fundamentals from the usage of the device."

I think it goes much deeper than this; to me it's the people's lack of interest above anything else combined with an odd (to me) inability to find the information should they eventually start wondering about some topics.

I've seen this happening too many times now in too many different areas that I really think this is a fundamental problem. In Java a program starts with the "public static void Main(String[] args)" method. It was one of the first things I got curious about when I dove deeper into Java; why? how?

When Solaris 10/x86 finally became more mature and started taking off a bit it eventually introduced a new SysV compliant boot mechanism: Manifests. You'd write an XML file to describe the program or service (name, start/stop method and any optional or mandatory dependencies) and import it into the main structure. It was quite sophisticated and worked very well. Also because this same system could also monitor its services for availability.

Yet so many people couldn't be bothered to look into this (it wasn't that hard) and simply relied on the previous (and still supported) rc.d structure. Nothing wrong with that, sure, but I really sensed a lack of interest. And a missed opportunity because this system was extremely powerful when used right.

Heck; I also see it with my current endeavours, I recently dove deep into ASP.NET, and I'm actually enjoying the ride too. By default a webpage in an ASP forms project "simply" needs a method "Page_Load()" to start your code. I'm a bit too new with this to name the parameters from mind, but one of them is of type "Eventargs". So why does this get started, magic? I don't think so....

When you dive into this stuff you'll learn that /everything/ including the webpages themselves are objects (classes) and that by default the environment scans a Page class derivative for methods such as Page_Load(), Page_Init() or even Page_PreInit().

And after you found out about this it starts to make much more sense, because the real method which you'd normally use is: protected void override OnLoad(Eventargs e). This "easier approach" is simply activated by default due to an option called "autoEventWireup".

Yet so many people can't seem to get their heads around this, or couldn't even care less about the why and how...

Just a few examples which stuck with me; but there's sooo much more than that.

It's not the computers which make everything easier; it's the people who lost their curiosity and interest to find out and discover for themselves why and how things work.

Tux; because most people I know using Linux still have this strong curiosity and interest. Even though in many cases it doesn't go beyond Linux.
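For reference, this is what the two wiring styles the comment describes look like in a Web Forms code-behind. It is an added illustration, not the commenter's code; the class names and the markup line are made up.

```csharp
// Markup side (constructed): the Page directive is where AutoEventWireup is set.
// <%@ Page Language="C#" AutoEventWireup="true" CodeBehind="Demo.aspx.cs" Inherits="Demo" %>
using System;
using System.Web.UI;

// Style 1: the "easier approach". With AutoEventWireup="true" the runtime
// scans the Page-derived class for methods named Page_PreInit, Page_Init,
// Page_Load and hooks them to the matching events by naming convention.
// No explicit subscription is written anywhere, which is why it looks like magic.
public partial class Demo : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        Response.Write("Page_Load fired via AutoEventWireup");
    }
}

// Style 2: the underlying mechanism. Overriding OnLoad works regardless of
// AutoEventWireup. base.OnLoad(e) is what raises the Load event, so if both
// styles were present in one class, Page_Load would run from inside that call.
public partial class DemoExplicit : Page
{
    protected override void OnLoad(EventArgs e)
    {
        base.OnLoad(e);
        Response.Write("OnLoad override fired");
    }
}
```

With AutoEventWireup="false" the first style silently stops firing; the handler must then be attached by hand, for example with `this.Load += Page_Load;` in the constructor.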

Re: It's the people, not the computer

Some people are unscrupulous, and some people are gullible, and no amount of technology is going to change that.

It's not necessary to understand how to build a car in order to drive one, and I don't suppose anyone thinks mechanical engineering should be part of the driving test, so what happens? You take your car in for service and the garage tries it on by saying "your brake disks are under tolerance, you need new ones to be safe" which, if you have any sense, you politely decline. This happened to me a few years ago and I took the same car back to the same garage a year later and, for laughs, said "can you be sure to check out the brakes please?" and they came back and said "your brakes are fine, but we need to do [this other expensive work]". This was not a backstreet operation, it was a main dealer for a prestige brand, incidentally.

Perhaps what we need to do is stop wringing our hands about bad people using the Internet and just deal with it. You don't trust everyone you meet face-to-face, so don't trust people you "meet" on the Internet.

Re: It's the people, not the computer

It's not the computers which make everything easier; it's the people who lost their curiosity and interest to find out and discover for themselves why and how things work

Or maybe they are paid for the work they actually produce and can't justify spending hours discovering how the wheel was invented.

Sorry. I didn't mean that to sound snide - you make a good point. I just don't think it reasonable to expect today's software developers to understand every last aspect of their trade. Or where does it end? Am I to be prevented from writing software until I can describe the design of logic gates for AND, OR, NOT? Or perhaps I have to demonstrate an understanding of electron flow inside a transistor? Or perhaps being able to quote Faraday's various laws is essential?

Unfortunately we have to draw the line somewhere and today's IT markets are fast paced and schedule driven. Very few people in IT can afford to devote time to wondering about the how and why of a black box whether it be a logical black box or one that a courier has just delivered. What we need to do is make better black boxes not require everyone to understand them :)

Anyway just to repeat, I liked your post :)

Despite evolving existing interfaces

Or perhaps because of. It's good that they evolve but the likes of TIFKAM is a yet higher level abstraction and that requires even higher levels of protection underneath. It's the classic 'ease-of-use' v. 'safe-and-secure' balancing act.

Another side-effect it seems to me is that seasoned, experienced users (the ones best positioned to drive and influence security) tend to be alienated or even behind the curve on UI changes. One scenario I'm concerned about is that a lot of Windows software developers might stick with the traditional desktop and that's not where typical users will be. Yes we can develop for TIFKAM but I bet a lot of us will treat it like cross platform development.
