August 30th, 2015
James Mickens has some thoughts about the state of online security:
The only thing that I've ever wanted for Christmas is an automated way to generate strong yet memorable passwords. Unfortunately, large swaths of the security community are fixated on avant garde horrors such as the fact that, during solar eclipses, pacemakers can be remotely controlled with a garage door opener and a Pringles can. It's definitely unfortunate that Pringles cans are the gateway to an obscure set of Sith-like powers that can be used against the 0.002% of the population that has both a pacemaker and bitter enemies in the electronics hobbyist community. However, if someone is motivated enough to kill you by focusing electromagnetic energy through a Pringles can, you probably did something to deserve that. I am not saying that I want you dead, but I am saying that you may have to die so that researchers who study per-photon HMACs for pacemaker transmitters can instead work on making it easier for people to generate good passwords. "But James," you protest, "there are many best practices for choosing passwords!" Yes, I am aware of the "use a vivid image" technique, and if I lived in a sensory deprivation tank and I had never used the Internet, I could easily remember a password phrase like "Gigantic Martian Insect Party." Unfortunately, I have used the Internet, and this means that I have seen, heard, and occasionally paid money for everything that could ever be imagined. I have seen a video called "Gigantic Martian Insect Party," and I have seen another video called "Gigantic Martian Insect Party 2: Don't Tell Mom," and I hated both videos, but this did not stop me from directing the sequel "Gigantic Martian Insect Party Into Darkness." Thus, it is extremely difficult for me to generate a memorable image that can distinguish itself from the seething ocean of absurdities that I store as a result of consuming 31 hours of media in each 24-hour period.
[Via Schneier on Security]
Comments Off on 'Chains of Attestation' is a great name for a heavy metal band, but it is less practical in the real, non-Ozzy-Osbourne-based world.
May 29th, 2014
Having finally got round to reading the transcript of Maciej Cegłowski's Beyond Tellerrand 2014 Conference Talk, I can but report that – as usual – he talked a lot of sense:
One reason there's a backlash against Google glasses is that they try to bring the online rules into the offline world. Suddenly, anything can be recorded, and there's the expectation (if the product succeeds) that everything will be recorded. The product is called 'glass' instead of 'glasses' because Google imagines a world where every flat surface behaves by the online rules. [The day after this talk, it was revealed Google is seeking patents on showing ads on your thermostat, refrigerator, etc.]
Well, people hate the online rules!
Google's answer is, wake up, grandpa, this is the new normal. But all they're doing is trying to port a bug in the Internet over to the real world, and calling it progress.
You can dress up a bug and call it a feature. You can also put dog crap in the freezer and call it ice cream. But people can taste the difference.
Comments Off on How do we build an Internet we're not ashamed of?
August 21st, 2013
Novelist and former MP Louise Mensch, demonstrating her deep understanding of how digital technology works:
She probably thinks the Guardian no longer has access to the files on that laptop too.
Actually, cancel that. I'm sure she's perfectly well aware that digital data can be – and in this case, was – backed up. To my mind, she's just doing her bit to help the government to deflect the focus of the discussion away from the Guardian's story and the doings of the surveillance state and on to the government's preferred law-and-order/keeping-us-safe-from-terrorists/nothing-to-hide, nothing-to-fear agenda.
[Via Charlie's Diary]
Comments Off on 'Our security forces have it back'?!?
August 3rd, 2013
A classmate was caught using his phone in maths. The teacher took his phone and set a passcode. He gave him this back with his phone and said good luck unlocking it.
My first thought upon seeing the above-linked image was 'I hope nobody forwards this link to Michael Gove.'
My second thought was that unless someone comes up with a better solution than passwords for logging in to web sites, one day CAPTCHAs will evolve into something like this and I'll have to give up using the web.
[Via Flowing Data]
Comments Off on Maths problems
July 24th, 2013
The word 'ironic' comes to mind:
The NSA is a "supercomputing powerhouse" with machines so powerful their speed is measured in thousands of trillions of operations per second. The agency turns its giant machine brains to the task of sifting through unimaginably large troves of data its surveillance programs capture.
But ask the NSA, as part of a freedom of information request, to do a seemingly simple search of its own employees' email? The agency says it doesn't have the technology.
"There's no central method to search an email at this time with the way our records are set up, unfortunately," NSA Freedom of Information Act officer Cindy Blacker told me last week.
The system is "a little antiquated and archaic," she added. […]
How suspiciously convenient for them.
[Via Memex 1.1]
Comments Off on Life imitates The Onion
August 7th, 2012
Getting beyond the particulars of how hackers used social engineering to get Mat Honan's passwords reset and his iOS and MacOS devices remotely wiped, for my money here's the key lesson of the whole sorry saga:
I bought into the Apple account system originally to buy songs at 99 cents a pop, and over the years that same ID has evolved into a single point of entry that controls my phones, tablets, computers and data-driven life. With this AppleID, someone can make thousands of dollars of purchases in an instant, or do damage at a cost that you can't put a price on.
This isn't just about Apple – it's about all the corporations expanding from their original niches into as many corners of our online life as possible. Having a single sign-on is scary, and only gets more so as the uses of that ID expand over time.
I'd like to think that scares like this would motivate Apple, Amazon, Google, Microsoft and the rest to get this stuff right lest the public be discouraged from signing up for all the different services they offer, but I fear that convenience wins out all too often.
Comments Off on LET Eggs=N+1. LET Baskets = 1.
May 14th, 2012
OAuth is your future. What a cheerful thought.
Comments Off on OAuth is your future
April 27th, 2012
Good news and bad news for Mac users.
I wondered what software update/new release was finally going to prod me into updating to Lion; I think this might just be it.
[Via Ars Technica]
Comments Off on Java updated
March 28th, 2012
Paul Vixie has posted details of his work in dismantling a network of DNS servers being used to redirect internet traffic from computers infected with the DNS Changer malware. The problem is, even after all that work there are still hundreds of thousands of internet users with infected computers and/or routers, just waiting for someone to pick up where DNS Changer left off:
Internet users are endlessly bombarded with warnings about their security and with offers of services and software (some of it apparently "free") offering to make their computers healthier. The victims of DNS Changer are by this time jaded or overwhelmed or both. The Internet seems to be a very dangerous place, and most Internet users probably feel that they could spend more than half their waking hours just installing patches and responding to warnings – unless they just put their heads down, ignore all that noise, and try instead to get their work (or play) done. I am sympathetic to this mindset. The problem is, the Internet really is that dangerous, and people really do need to pay more attention to the dangers of unpatched or infected computers.
Short of jumping into a TARDIS and going back to 1982 to give various heads of computer companies a stern talking-to about the need to make designing secure systems a top priority, I don't see a good way out of this problem beyond passing it to ISPs and having them cut off internet access for customers still using infected systems until they clean up their systems. Which isn't going to happen any time soon, and is a terrible idea anyway.
Comments Off on (DNS) Changes
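The kind of check the DNS Changer clean-up turned on, added here as an example (it is not code from Paul Vixie's write-up or from the original post): an infected machine or router stays hijacked only because its resolver settings point at the rogue servers, so detection comes down to comparing each configured nameserver against the rogue address ranges. The ranges and the resolv.conf sample below are constructed placeholders; the real DNS Changer ranges are not given on this page.

```python
"""Flag resolver settings that point into rogue DNS server ranges.

Added example in the spirit of the DNS Changer clean-up. The address
ranges are CONSTRUCTED placeholders (RFC 5737 documentation blocks),
not the real rogue-resolver ranges, which this page does not list.
"""
import ipaddress
import re

# Constructed placeholder ranges standing in for the real rogue blocks.
ROGUE_RANGES = [
    ipaddress.ip_network(r)
    for r in ("192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24")
]

NAMESERVER_RE = re.compile(r"^\s*nameserver\s+(\S+)", re.MULTILINE)


def parse_nameservers(resolv_conf: str) -> list:
    """Return nameserver addresses from resolv.conf-style text, skipping malformed ones."""
    servers = []
    for addr in NAMESERVER_RE.findall(resolv_conf):
        try:
            servers.append(ipaddress.ip_address(addr))
        except ValueError:
            continue  # not an IP address, so it cannot fall in any range
    return servers


def hijacked_nameservers(resolv_conf: str, rogue=ROGUE_RANGES) -> list:
    """Return (as strings) the configured nameservers inside a rogue range.

    Address-family mismatches (an IPv6 server against IPv4 ranges) simply
    never match, which is the behaviour of ipaddress's containment test.
    """
    return [str(ip) for ip in parse_nameservers(resolv_conf)
            if any(ip in net for net in rogue)]


# Constructed sample: one ordinary resolver, one pointing into a rogue block,
# and one junk entry of the kind a hand-edited file can contain.
SAMPLE_RESOLV_CONF = """# constructed sample
search example.test
nameserver 10.0.0.53
nameserver 198.51.100.7
nameserver not-an-address
"""

if __name__ == "__main__":
    hits = hijacked_nameservers(SAMPLE_RESOLV_CONF)
    print("rogue nameservers:", hits or "none")
```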
March 5th, 2012
This anti-theft briefcase is a lawsuit waiting to happen.
[Via Bruce Schneier]
Comments Off on You'll put someone's eye out with that thing…