'Chains of Attestation' is a great name for a heavy metal band, but it is less practical in the real, non-Ozzy-Osbourne-based world.

August 30th, 2015

James Mickens has some thoughts about the state of online security:

The only thing that I've ever wanted for Christmas is an automated way to generate strong yet memorable passwords. Unfortunately, large swaths of the security community are fixated on avant garde horrors such as the fact that, during solar eclipses, pacemakers can be remotely controlled with a garage door opener and a Pringles can. It's definitely unfortunate that Pringles cans are the gateway to an obscure set of Sith-like powers that can be used against the 0.002% of the population that has both a pacemaker and bitter enemies in the electronics hobbyist community. However, if someone is motivated enough to kill you by focusing electromagnetic energy through a Pringles can, you probably did something to deserve that. I am not saying that I want you dead, but I am saying that you may have to die so that researchers who study per-photon HMACs for pacemaker transmitters can instead work on making it easier for people to generate good passwords. "But James," you protest, "there are many best practices for choosing passwords!" Yes, I am aware of the "use a vivid image" technique, and if I lived in a sensory deprivation tank and I had never used the Internet, I could easily remember a password phrase like "Gigantic Martian Insect Party." Unfortunately, I have used the Internet, and this means that I have seen, heard, and occasionally paid money for every thing that could ever be imagined. I have seen a video called "Gigantic Martian Insect Party," and I have seen another video called "Gigantic Martian Insect Party 2: Don't Tell Mom," and I hated both videos, but this did not stop me from directing the sequel "Gigantic Martian Insect Party Into Darkness." Thus, it is extremely difficult for me to generate a memorable image that can distinguish itself from the seething ocean of absurdities that I store as a result of consuming 31 hours of media in each 24-hour period.

[Via Schneier on Security]


How do we build an Internet we're not ashamed of?

May 29th, 2014

Having finally got round to reading the transcript of Maciej Cegłowski's Beyond Tellerrand 2014 Conference Talk, I can but report that – as usual – he talked a lot of sense:

One reason there's a backlash against Google glasses is that they try to bring the online rules into the offline world. Suddenly, anything can be recorded, and there's the expectation (if the product succeeds) that everything will be recorded. The product is called 'glass' instead of 'glasses' because Google imagines a world where every flat surface behaves by the online rules. [The day after this talk, it was revealed Google is seeking patents on showing ads on your thermostat, refrigerator, etc.]

Well, people hate the online rules!

Google's answer is, wake up, grandpa, this is the new normal. But all they're doing is trying to port a bug in the Internet over to the real world, and calling it progress.

You can dress up a bug and call it a feature. You can also put dog crap in the freezer and call it ice cream. But people can taste the difference.


'Our security forces have it back'?!?

August 21st, 2013

Novelist and former MP Louise Mensch, demonstrating her deep understanding of how digital technology works:

Louise Mensch on data security

She probably thinks the Guardian no longer has access to the files on that laptop too.

Actually, cancel that. I'm sure she's perfectly well aware that digital data can be – and in this case, was – backed up. To my mind, she's just doing her bit to help the government to deflect the focus of the discussion away from the Guardian's story and the doings of the surveillance state and on to the government's preferred law-and-order/keeping-us-safe-from-terrorists/nothing-to-hide, nothing-to-fear agenda.

[Via Charlie's Diary]


Maths problems

August 3rd, 2013

A classmate was caught using his phone in maths. The teacher took his phone and set a passcode. He gave him this back with his phone and said good luck unlocking it.

My first thought upon seeing the above-linked image was 'I hope nobody forwards this link to Michael Gove.'1

My second thought was that unless someone comes up with a better solution than passwords for logging in to web sites2 then one day CAPTCHAs will evolve into something like this and I'll have to give up using the web.

[Via Flowing Data]

  1. For non-UK readers: Michael Gove is the current Secretary of State for Education in the UK. Within a week his department would be announcing that schools would have to produce returns demonstrating that 75% of pupils could solve such problems in a below-average time.
  2. Speaking of which, in theory Tim Bray has a point. In practice, Rui Carmo has a much better one.


Life imitates The Onion

July 24th, 2013

The word 'ironic' comes to mind:

The NSA is a "supercomputing powerhouse" with machines so powerful their speed is measured in thousands of trillions of operations per second. The agency turns its giant machine brains to the task of sifting through unimaginably large troves of data its surveillance programs capture.

But ask the NSA, as part of a freedom of information request, to do a seemingly simple search of its own employees' email? The agency says it doesn't have the technology.

"There's no central method to search an email at this time with the way our records are set up, unfortunately," NSA Freedom of Information Act officer Cindy Blacker told me last week.

The system is "a little antiquated and archaic," she added. […]

How suspiciously convenient for them.1

[Via Memex 1.1]

  1. For what it's worth, I'm quite prepared to believe that they don't have all their employee email in a single spool that can easily be searched by or on behalf of their FoIA team. The question is whether that was a desired outcome or just a happy side effect of their last email migration.


LET Eggs=N+1. LET Baskets = 1.

August 7th, 2012

Getting beyond the particulars of how hackers used social engineering to get Mat Honan's passwords reset and his iOS and MacOS devices remotely wiped, for my money here's the key lesson of the whole sorry saga:

I bought into the Apple account system originally to buy songs at 99 cents a pop, and over the years that same ID has evolved into a single point of entry that controls my phones, tablets, computers and data-driven life. With this AppleID, someone can make thousands of dollars of purchases in an instant, or do damage at a cost that you can't put a price on.

This isn't just about Apple – it's about all the corporations expanding from their original niches into as many corners of our online life as possible.1 Having a single sign-on is scary, and only gets more so as the uses of that ID expand over time.2

I'd like to think that scares like this would motivate Apple, Amazon, Google, Microsoft and the rest to get this stuff right lest the public be discouraged from signing up for all the different services they offer, but I fear that convenience wins out all too often.

  1. For what it's worth, I haven't enabled iCloud on my Mac Mini or my iPod Touch. Not because I foresaw this sort of problem; it's just that I don't see the benefit of iCloud. I bought my iPod Touch as a replacement PDA, not a device for accessing the internet on the move. In any case, when I'm at work I'm not in range of an accessible WiFi service, so my iPod Touch isn't going to be accessing iCloud anyway.
  2. I dread the day when Apple finally make some feature I really want/need insist upon having access to iCloud. That might be my cue to take a close look at whatever the successor to the Nexus 7 turns out to be.


OAuth is your future

May 14th, 2012

OAuth is your future. What a cheerful thought.


Java updated

April 27th, 2012

Good news and bad news for Mac users.

I wondered what software update/new release was finally going to prod me into updating to Lion; I think this might just be it.

[Via Ars Technica]


(DNS) Changes

March 28th, 2012

Paul Vixie has posted details of his work in dismantling a network of DNS servers being used to redirect internet traffic from computers infected with the DNS Changer malware. The problem is, even after all that work there are still hundreds of thousands of internet users with infected computers and/or routers, just waiting for someone to pick up where DNS Changer left off:

Internet users are endlessly bombarded with warnings about their security and with offers of services and software (some of it apparently "free") offering to make their computers healthier. The victims of DNS Changer are by this time jaded or overwhelmed or both. The Internet seems to be a very dangerous place, and most Internet users probably feel that they could spend more than half their waking hours just installing patches and responding to warnings – unless they just put their heads down, ignore all that noise, and try instead to get their work (or play) done. I am sympathetic to this mindset. The problem is, the Internet really is that dangerous, and people really do need to pay more attention to the dangers of unpatched or infected computers.

Short of jumping into a TARDIS and going back to 1982 to give various heads of computer companies a stern talking-to about making secure design a top priority, I don't see a good way out of this problem beyond passing it to ISPs and having them cut off internet access for customers still running infected systems until those systems are cleaned up. Which isn't going to happen any time soon, and is a terrible idea anyway.
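The practical check behind all of this is a small one: does the machine (or the home router it gets its settings from) point at one of the rogue resolvers? Below is an added example, not code from the original post or from Paul Vixie's write-up, that parses resolv.conf-style text and flags any nameserver inside the DNSChanger ranges. The six ranges are the ones the FBI published for the seized resolvers; they are reproduced here from memory and should be treated as an assumption to verify against the advisory rather than something the post itself lists. The sample resolv.conf text is constructed for the example.

```python
"""Flag configured DNS resolvers that fall inside the DNSChanger rogue ranges.

Added example, not from the original post. The ranges are those the FBI
published for the seized DNSChanger resolvers (assumed accurate as of the
2012 takedown; check the current advisory before relying on them).
"""
import ipaddress
import re

# Rogue resolver ranges (assumption: FBI-published DNSChanger ranges).
DNSCHANGER_RANGES = [
    ipaddress.ip_network(cidr)
    for cidr in (
        "85.255.112.0/20",   # 85.255.112.0  - 85.255.127.255
        "67.210.0.0/20",     # 67.210.0.0    - 67.210.15.255
        "93.188.160.0/21",   # 93.188.160.0  - 93.188.167.255
        "77.67.83.0/24",     # 77.67.83.0    - 77.67.83.255
        "213.109.64.0/20",   # 213.109.64.0  - 213.109.79.255
        "64.28.176.0/20",    # 64.28.176.0   - 64.28.191.255
    )
]

# Constructed sample, not a real host's configuration.
SAMPLE_RESOLV_CONF = """\
# constructed resolv.conf for the example
nameserver 85.255.113.21   # inside a rogue range
nameserver 8.8.8.8
nameserver 2001:4860:4860::8888
search example.test
"""

_NAMESERVER_RE = re.compile(r"nameserver\s+(\S+)")


def parse_resolv_conf(text):
    """Return the nameserver addresses listed in resolv.conf-style text.

    Lines beginning with '#' or ';' are comments; trailing comments on a
    nameserver line are stripped before matching.
    """
    servers = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        match = _NAMESERVER_RE.match(line)
        if match:
            servers.append(match.group(1))
    return servers


def classify_resolver(addr):
    """Return the rogue range (as CIDR text) containing addr, or None.

    Unparseable addresses return None rather than raising, so a malformed
    resolv.conf line does not abort a scan. IPv6 resolvers never match the
    IPv4 ranges and so come back as None.
    """
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return None
    for net in DNSCHANGER_RANGES:
        if ip in net:
            return str(net)
    return None


def check_resolvers(text):
    """Map every configured resolver to the rogue range it sits in, or None."""
    return {server: classify_resolver(server) for server in parse_resolv_conf(text)}


if __name__ == "__main__":
    # Run against the constructed sample; on a real host read /etc/resolv.conf,
    # and remember that a router handing out rogue resolvers via DHCP will
    # show up here as the router's own address, not the rogue one.
    for server, rogue in check_resolvers(SAMPLE_RESOLV_CONF).items():
        status = f"ROGUE ({rogue})" if rogue else "ok"
        print(f"{server:24} {status}")
```

A host whose resolver is the router (192.168.x.x or similar) will pass this check while the router itself is still poisoned, which is exactly the infected-router case the post mentions; for those you have to ask the router what upstream resolvers it is using.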

[Via rc3.org]


You'll put someone's eye out with that thing…

March 5th, 2012

This anti-theft briefcase is a lawsuit waiting to happen.

[Via Bruce Schneier]

