Domain: berylliumsphere.com
Stories and comments across the archive that link to berylliumsphere.com.
Comments · 19
-
Writing down your password
Same point as Bruce, but put in terms of a threat analysis translated into everyday terms:
Why you should write down your password -
Re:No way.
I used to tell people not to write down their passwords, but after dealing with people losing their passwords all the time, I changed my tune. I think this makes a good point. There are some passwords I won't write down, but if I can carry hundreds of dollars, keys to my house and car, and credit cards with a total credit line over 10,000 USD in my pocket.
Preferably, one would just write down a hint, of course. And not on a sticky-note on the monitor.
-
Evil overlords fall into this trap
My security commentary on the Evil Overlord's Handbook points out how evil overlords get duped by salespeople into buying shiny things that don't contribute to solid security.
The lemon problem is just another manifestation of my worst competitor, apathy. If customers cared about good security they'd demand independent testing labs. -
Re:Cybercrime
Department of Justice advice to law enforcement officers investigating crimes where computers are involved
(Blog plug warning)My review of the DOJ computer crime advisory.
Law enforcement has an easier time being clueful now than they did ten or fifteen years ago. -
pwdhash compared to alternatives
The discussion is deliberately nontechnical, but I did a comparison of password generator utilities last year and pwdhash came out on top.
-
Re:And why is it that way?
My explanation of why you *should* write down your password. Bruce Schneier has made the same point.
All of which is really a distraction. Sticky notes on the monitors? If someone's that close they can install a hardware keylogger in a matter of seconds or RAT and rootkit the machine with a live CD in a few minutes. The only security improvement you get from taking down the sticky notes is against casual or opportunistic attacks, which is not nothing, but face the fact that physical access means Game Over. -
You're asking for a lot there
Faithful translations are a rare and difficult thing, and that's what you're asking for. You want to translate from the language of a nation of techies, a nation that has years of experience that lets them instantly understand the implications of a phrase like "plaintext authentication", to the language of normal people who don't look under the hood and run systems that would make it hard to look under the hood if they wanted to.
I know it's hard because I try it. I have a security blog for the nontechnical where I try to explain things like botnets. It's a challenge.
Best suggestion? The old rule of "don't tell 'em, show 'em". Point out that the entries in the firewall log every few seconds are break-in attempts. Image the machine, install an antispyware package, and show them how often it alerts when you follow links to "free games". Then restore the machine, because no antispyware package has complete coverage. -
Re:Hardly surprising
The bottom line is this: If we have to live our lives weighing every action, every communication, every human contact, wondering what agents of the state might find out about it, analyze it, judge it, possibly misconstrue it, and somehow use it to our detriment, we are not truly free.
My own blog has a chilling example of serious damage from a grocery store loyalty card. -
Kickbacks
-
Good start but inadequate
>some banks, when communicating via email, will tell you to log into your account by manually TYPING in a URL in your browser
Except a phisher could do the same and simply ask someone to type in the wrong URL (foobank-visa.com instead of foobank.com, for example). At least it would prevent the obfuscated link problem and force phishers into providing a lead for investigators at a domain registry.
"Use a bookmark" would be better advice because it would require DNS poisoning in order to make the phishing scam work.
SSL was supposed to solve this problem. Maybe if the UI displayed the organization name as well as the URL, and if CAs all checked (as long as there's a single CA in the browser's list of trusted CAs that will issue a cert without checking the organization name then there is no protection).
Then, as Bruce Schneier pointed out, it's dead easy for malware to add a new and crooked CA to the browser's list of trusted CAs. Marketscore does just that to create a proxy that can pass SSL, and they've been accused of being spyware. See also the account from Roger Grimes. If you need to explain this to someone nontechnical, point them to my Security Mentor article about Marketscore. -
Re:Hand count vs. Diebold
The New York Times answered that question in an editorial about voting machine sales practices. The editorial is password protected, of course. If you don't like using BugMeNot, I summarized it in my article "E-voting: why election officials push for it"
-
Second endorsement
Anyone who doesn't know about Bruce Schneier should check out his writings (he has several books out). He thinks to the bottom of things, recursively asking "what's the *real* problem?" until he gets to a real solution. I've tried to follow his example in my security blog for normal people.
-
Re:Well, this is a classic dilemma
>Some advice Bruce Schneier once gave: there is nothing so terribly wrong with writing your password down on a piece of paper and putting it into your wallet. Your wallet is a security mechanism that you already use, and you are very practiced at keeping it secure.
Not only that, it has a quantifiable value, allows you to choose an arbitrarily complex password, and protects against the self-administered DoS of a forgotten password: http://www.berylliumsphere.com/security_mentor/2004/03/heresy-write-down-your-password-what.html
Having the password "written" down in an encrypted file should satisfy anybody sane, and if your company is insane, hey, they can't prove there's a password inside the file! Bruce Schneier's Password Safe has been holding up pretty well in the real world and in the crucible of people looking to get famous by finding a flaw in Schneier's work. -
POSIWID
>>The health insurance industry is a parasite the purpose of which is to interfere with your patient-doctor relationship and to deny your treatment.
>Oh yes, no doubt that millions of people invest their money in companies that are formed specifically to deny people health care treatments.
"Obscure" can mean "not well known". It can also mean "cryptically written". There is an obscure book called Have Fun At Work. It's about learning how to use complex systems by shedding your dysfunctional beliefs about them. Honest, I'm going somewhere with this.
"The Purpose of a System Is What It Does" ("POSIWID") is the first among the author's insights. For example, stop driving yourself crazy by thinking the government is here to protect national security. Regard it as a machine for sending money to contractors in the districts of key Congressmen and you can begin to get things accomplished, for example by siting $VITAL_FACILITY in $HOME_STATE_OF_APPROPRIATIONS_COMMITTEE_CHAIRMAN. That's why we have so many NASA centers: Kennedy and Johnson knew the way to land on the Moon was to put jobs in all the right districts.
Fast forward to today. What's the purpose of health insurance companies? On paper it's to collect premiums and rationally allocate them to health care while paying the employees and investors. But what do they *do*? -
It's a frustrating article
But it looks like there may be something real here.
The presentation lists events that will trigger a System Management Interrupt (SMI) and enter System Management Mode (SMM). Overheating is only one of them. Another is "century rollover". Taken literally, that would mean that anyone who could set the clock to 11:59 December 31 1999 [I'd say 2000 but I doubt the chip is mathematically correct] can enter SMM without needing physical access to the machine or to the circuit breaker for the air conditioning. Or to use the presentation's example, outl(0xB2, 0x0000000F);.
If I read this problem report correctly, then a process outside of SMM can write to the memory for SMM. (Controlled by the D_OPEN bit in the SMM control register).
So it looks like you can do it without physical access, where "it" is a privilege escalation that *starts* from root. That's getting less absurd all the time as virtualization and technologies like SELinux become more common. Also allows planting a deeper-than-root rootkit. You could escalate to God of Hardware or in the CanSecWest example to "root at securelevel -1".
Maybe I should email Duflot for details and write up something for my nerdish security blog -
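The SMRAM-control check the comment above is reaching for, written out as an added example (not code from the comment, from Duflot's presentation, or from any chipset vendor). It assumes the classic Intel MCH/ICH-era SMRAMC byte layout (C_BASE_SEG bits 2:0, G_SMRAME bit 3, D_LCK bit 4, D_CLS bit 5, D_OPEN bit 6); the register values it decodes are constructed here, not read from hardware. The point it shows is that the dangerous condition is not just "D_OPEN set" but "D_LCK clear", because ring 0 can set D_OPEN itself unless the lock has pinned it low.

```python
"""Decode an Intel-style SMRAM control register (SMRAMC) and decide whether
SMRAM is reachable from outside System Management Mode.

Added example, not from the original comment or Duflot's presentation.
Assumptions: the classic Intel SMRAMC bit layout listed below, and sample
register bytes constructed inline rather than read from a real chipset.
"""

G_SMRAME = 1 << 3  # SMRAM enabled (compatible segment decoded as SMRAM)
D_LCK = 1 << 4     # lock: pins D_OPEN low and makes itself read-only until reset
D_CLS = 1 << 5     # close: SMM data accesses go to VGA instead of SMRAM
D_OPEN = 1 << 6    # open: SMRAM visible to non-SMM code (meant for BIOS init only)


def decode_smramc(value):
    """Split the register byte into its named fields."""
    return {
        "c_base_seg": value & 0x7,
        "g_smrame": bool(value & G_SMRAME),
        "d_lck": bool(value & D_LCK),
        "d_cls": bool(value & D_CLS),
        "d_open": bool(value & D_OPEN),
    }


def write_smramc(current, new):
    """Model the hardware semantics of a write to SMRAMC.

    Once D_LCK is set, writes can neither clear it nor set D_OPEN; setting
    D_LCK in the same write clears D_OPEN. Returns the resulting byte.
    """
    if current & D_LCK:
        new = (new | D_LCK) & ~D_OPEN      # lock is sticky, D_OPEN stays low
    elif new & D_LCK:
        new &= ~D_OPEN                     # locking forces D_OPEN to 0
    return new & 0xFF


def smram_writable_from_os(value):
    """True when ring-0 code outside SMM can already write SMRAM:
    the region is enabled, D_OPEN is set and no lock pins it low."""
    bits = decode_smramc(value)
    return bits["g_smrame"] and bits["d_open"] and not bits["d_lck"]


def assess(value):
    """One-line verdict a practitioner would want from a firmware audit."""
    bits = decode_smramc(value)
    if not bits["g_smrame"]:
        return "SMRAM not enabled"
    if smram_writable_from_os(value):
        return "VULNERABLE: D_OPEN set and D_LCK clear, SMRAM writable from ring 0"
    if not bits["d_lck"]:
        return "WEAK: D_LCK clear, ring 0 can set D_OPEN itself and then write SMRAM"
    return "OK: D_LCK set, D_OPEN pinned low until reset"


if __name__ == "__main__":
    # Constructed sample values: base segment 2 (0xA0000) in every case.
    for sample in (0x02, 0x0A, 0x4A, 0x1A):
        print(f"SMRAMC=0x{sample:02X}: {assess(sample)}")
    # Ring 0 attacker on an unlocked system tries to open SMRAM: succeeds.
    print(f"open attempt, unlocked: 0x{write_smramc(0x0A, 0x4A):02X}")
    # Same attempt on a locked system: D_OPEN is silently dropped.
    print(f"open attempt, locked:   0x{write_smramc(0x1A, 0x5A):02X}")
```

On Linux the register can be read from the host bridge with `setpci -s 00:00.0 0x9d.b` on chipsets that place SMRAMC at config offset 0x9D (an assumption about the specific chipset; check the datasheet for yours). The `write_smramc` model is why the lock matters: the "privilege escalation that starts from root" only works while D_LCK is clear.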
Another resource & note to mods
A microsoftie named Linda Criddle had some level-headed MySpace safety advice. It was so good I couldn't add much value to it in my security newsletter for non-technical people, except to attempt a teen-compatible explanation of why posting sexy pictures is a bad idea.
Moderators, please notice cmpalmer's comment, sibling to this one, and please moderate it appropriately (meaning, up). -
My favorite for web sites
The Mozilla extension pwdhash generates a strong site-specific password by hashing the URL with your master password. I wish they salted it but that raises some usability issues (what if the salt gets deleted? Where do you put it?).
I reviewed it at my security newsletter for nontechnical people
-
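The idea behind pwdhash, mentioned in this comment and in the "pwdhash compared to alternatives" comment above, as an added example rather than the extension's own code (PwdHash itself uses a different hash and output encoding). It assumes HMAC-SHA256 keyed with the master password over the registrable domain, an optional per-user salt appended to the key, and a fixed output policy of 16 characters with at least one lowercase, uppercase, digit and symbol. It also shows why this helps against the look-alike domain problem raised in the "Good start but inadequate" comment: foobank.com and foobank-visa.com get unrelated passwords, and the salt caveat from the comment shows up as a function argument you cannot afford to lose.

```python
"""Derive a site-specific password from a master password and a domain,
in the spirit of pwdhash.

Added example, not the PwdHash extension's code. Assumptions: HMAC-SHA256
over the registrable domain, keyed with the master password plus an
optional salt; a 16-character output drawn from the alphabet below with one
character of each class forced in.
"""
import hashlib
import hmac
from urllib.parse import urlparse

LOWER = "abcdefghijklmnopqrstuvwxyz"
UPPER = LOWER.upper()
DIGITS = "0123456789"
SYMBOLS = "!@#$%^&*"
ALPHABET = LOWER + UPPER + DIGITS + SYMBOLS
CLASSES = (LOWER, UPPER, DIGITS, SYMBOLS)


def site_key(url):
    """Reduce a URL (or bare host) to the domain the password is bound to.

    Naive last-two-labels rule: good enough to make login.foobank.com and
    www.foobank.com agree; a real tool would consult the public-suffix list.
    """
    if "://" not in url:
        url = "https://" + url
    host = (urlparse(url).hostname or "").lower()
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def derive_password(master, url, salt=b"", length=16):
    """Site-specific password. The salt, if used, is part of the key, so
    losing it means every derived password changes: that is the usability
    problem the comment points at."""
    if not 1 <= length <= 28:
        raise ValueError("length must leave room for the 4 class-forcing bytes")
    key = master.encode() + salt
    digest = hmac.new(key, site_key(url).encode(), hashlib.sha256).digest()
    # Map digest bytes onto the alphabet (slight modulo bias; fine for a demo).
    chars = [ALPHABET[b % len(ALPHABET)] for b in digest[:length]]
    # Force one character of each class at fixed positions so the result
    # passes typical site policies; positions chosen from later digest bytes.
    for i, cls in enumerate(CLASSES[:length]):
        chars[i] = cls[digest[length + i] % len(cls)]
    return "".join(chars)


def meets_policy(password):
    """True when the password contains at least one char of each class."""
    return all(any(c in cls for c in password) for cls in CLASSES)


if __name__ == "__main__":
    master = "correct horse battery staple"   # constructed sample master password
    for site in ("https://www.foobank.com/login", "login.foobank.com",
                 "https://foobank-visa.com/login"):
        print(f"{site:35} -> {derive_password(master, site)}")
    print("with salt  :", derive_password(master, "foobank.com", salt=b"per-user-salt"))
    print("salt lost  :", derive_password(master, "foobank.com"))
```

The real bank and the look-alike domain produce unrelated 16-character strings, so a phished password is useless at the genuine site; the last two lines show that a forgotten salt is indistinguishable, from the user's side, from forgetting the master password for every site at once.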
Re:Quotes from the BBC article:
I'm constantly finding passwords on sticky notes on monitors and under keyboards
You'd be surprised how little difference that makes to security. It's about three minutes worth. Somebody who's sweet-talked his way past your physical security can boot from CD and own the machine in three minutes, install a hardware keylogger in less than thirty seconds, or read a sticky note while walking by. Hiding the password, then, gains you at most a few minutes of intrusion resistance unless you've taken a lot of other precautions. I've actually made the heretical argument about password security that you should write your password down (though of course some place smarter than the monitor).
-
Re:But I wrote down all of my passwords...
He pulls out a notepad from his top, always unlocked, desk drawer. This notepad has ALL of his passwords written on it. He has access to some pretty important stuff, too.
Let me be unconventional and argue that the problem there was that the drawer was unlocked. I did a risk analysis/threat modeling exercise on writing down passwords and translated it into Aunt Tillie language once for my free newsletter. Everyone says never to write down passwords, but they're just repeating what they heard themselves. I concluded that writing down a password and storing it with decent physical security is usually right for most situations.
If you don't want to follow my link, I compare the dollar value of a password against the dollar value of everything else in your purse/pocket and suggest alternatives for the exceptional cases.
I do agree that passwords are unfixable. We need hardware tokens or at least hardcopy one-time passwords. European banks are successfully issuing their customers lists of passwords with instructions to use one and scratch it out, then use the next on the list next time. It's a great compromise that even deters phishing.
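The printed one-time password list described at the end of this comment, as an added example (not any bank's code). It assumes a list of 20 six-digit codes that must be used strictly in order, stored server-side only as SHA-256 hashes, with a code marked as used ("scratched out") the moment it is accepted. It shows the part a practitioner cares about: a captured code that has already been used, or one presented out of order, is rejected without advancing the list.

```python
"""Paper one-time password list: use one code, scratch it out, use the next.

Added example, not a bank's implementation. Assumptions: 20 codes of 6
digits, used strictly in order, kept on the server as SHA-256 hashes so a
database leak does not reveal unused codes.
"""
import hashlib
import hmac
import secrets


def _h(code):
    return hashlib.sha256(code.encode()).hexdigest()


def issue_list(n=20, digits=6):
    """Generate the codes to print and mail to the customer.

    Returns (codes_for_paper, server_record). Only the record is stored;
    the plaintext codes exist on the printout alone.
    """
    codes = [f"{secrets.randbelow(10 ** digits):0{digits}d}" for _ in range(n)]
    record = {"hashes": [_h(c) for c in codes], "next": 0}
    return codes, record


def verify(record, submitted):
    """Accept only the next unused code. Returns (accepted, reason).

    A replayed code, a code further down the list, or a wrong code all fail
    and leave the list position unchanged; the caller should count failures
    and lock the account after a few, as with any password.
    """
    i = record["next"]
    if i >= len(record["hashes"]):
        return False, "list exhausted, issue a new one"
    if hmac.compare_digest(record["hashes"][i], _h(submitted)):
        record["next"] = i + 1           # scratch it out on the server side
        return True, f"code {i + 1} accepted"
    return False, "wrong code"


def remaining(record):
    """How many unused codes are left; the bank mails a new sheet below some threshold."""
    return len(record["hashes"]) - record["next"]


if __name__ == "__main__":
    codes, rec = issue_list()
    print("printed sheet:", " ".join(codes))
    print(verify(rec, codes[0]))      # first login: accepted
    print(verify(rec, codes[0]))      # phisher replays the captured code: rejected
    print(verify(rec, codes[2]))      # out of order: rejected, position unchanged
    print(verify(rec, codes[1]))      # legitimate next code: accepted
    print("remaining:", remaining(rec))
```

A phisher who records a code after the customer has typed it into the real site holds nothing of value, which is the replay resistance the comment credits the scheme with; a code captured before it is spent is still a live credential until the customer uses it.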