2006-11-07

Schneier on Security: Perceived Risk vs. Actual Risk

http://www.schneier.com/blog/archives/2006/11/perceived_risk_1.html

Very serious article, but I was struck by the very humorous way he describes a natural human characteristic:

The brain is a beautifully engineered get-out-of-the-way machine that constantly scans the environment for things out of whose way it should right now get. That's what brains did for several hundred million years -- and then, just a few million years ago, the mammalian brain learned a new trick: to predict the timing and location of dangers before they actually happened.

Our ability to duck that which is not yet coming is one of the brain's most stunning innovations, and we wouldn't have dental floss or 401(k) plans without it. But this innovation is in the early stages of development. The application that allows us to respond to visible baseballs is ancient and reliable, but the add-on utility that allows us to respond to threats that loom in an unseen future is still in beta testing.

The rest of the article is equally engrossing -- and it's a pretty short article so go read it.  (Don't be fooled by the size of the scrollbar in your browser window; this is because there are dozens of reader comments below the article)

at 09:45 0 comments

2006-11-02

(funny,quotes) Why I (still) cant stand Emacs :-)

...and probably never will.

An old tagline comes to mind: Emacs is my operating system, Linux is my device driver!

Anyway, here's a very nice article from my favourite Linux site, with some quotes below. The author, Jon Corbet (editor of LWN) is well known for his dry humour as well as his objectivity. Few people who profess to use emacs as much as he does would make the kind of digs that he has taken in this article!

http://lwn.net/SubscriberLink/206916/8f7cb0a9f19cad56/

Some funny (and some not so funny) quotes, with occasional comments from me in square brackets:

The addition of an IRC client would have been useful, but this is Emacs, so they added two different ones.
...
The wrong key sequence can occasionally lead to hallucinogenic results, to the point that there is a special command ("view-lossage") to answer those "how the hell did I make it do that?" questions.
...
Even some relatively trivial customizations require typing in Lisp code, which, for some strange reason, not everybody wants to learn how to do. [well Duh!]
...
There is also an entire branch in the physical therapy field dedicated to the treatment of little-finger injuries caused by excessive Emacs use.
 ...
There is a new "calc" mode which is truly scary in the things it can do. [I don't even want to know what that means...]
...
There is a built-in spreadsheet with all the usual features and some unusual ones - like the ability to enter cell formulas in Lisp. [A spreadsheet inside a text editor? What's next, a flight simulator?]
...
The current NEWS file gives a lengthy overview of the changes - though somehow it omits the important addition of a Tetris game.
...
And vi simply lacks a number of more advanced features; it was never meant to contain mail clients, RSS readers, calendars, or psychoanalysis programs. [the last one I can answer: using vi will not drive you insane, so no psychoanalysis is needed!]
...
Emacs is an interactive user interface development environment which happens to be very good at editing text. [aaah -- I get it. The Lotus Notes of text editors :-)]

at 15:37 0 comments

2006-10-24

User Education and Security

http://news.com.com/Security+expert+User+education+is+pointless/2100-7350_3-6125213.html

"Might it be so that we use the term and concept of user education as a way to cover up our failure?" he asked a crowd of security professionals. "Is it not somewhat telling them to do our job? To make them be a part of the IT organization and do the things that we are bound to do as a specialized organization?"

I don't know how many of my readers think about security all the time! Heck I don't even know if I have any readers :-)

But this is an interesting topic. In a long-term way, I think I agree with Mr Gorling -- the need for user education is clearly a technical failure at some level.

I tend to compare things to the physical world a lot. In the physical world, we're used to different levels of security. Take "documents" for instance -- we keep important financial/property documents in an inner room, and probably under some sort of lock and key. Things that are less important (like receipts, warranty cards, bills, small amounts of cash) are kept in a slightly more accessible but still quite safe place. Finally, things like books, magazines, newspapers, etc., lay around pretty much anywhere (and cause fights with the wife if she is a cleanliness freak, but that is neither here not there ;-)

Don't you think the security problems we're seeing are mainly because on his computer, unlike in his house, we have not given the user enough "rooms", and he's essentially forced to put everything in one room or (worse) one "shelf"?

A small example: within my workgroup, we allow people to access random websites only through Firefox. If they use IE, they are restricted to a whitelist of URLs that we assume we can trust. This is one type of separation, and I am sure it has helped us tremendously over the past few years it's been implemented.

Personally, I have even toyed with the idea of running two copies of the firefox browser -- one with my normal userid where I do anything I please, and one under a very rarely used userid which I will use only to access my corporate intranet portals, my bank, etc. -- yet another form of separation (although, since I use Linux, maybe I'm being too paranoid).

For ordinary users, it ought to be possible to create something like this using Linux live CDs that is easily accessible/usable, and provides excellent security against all sorts of trojans and viruses (most of which cannot work when you use a live CD, because you're booting from a CD each time).

Example implementation: there are 3 icons on the desktop to switch between "rooms", and built-in intelligence (with a list of "important" URLs that is updated from the net) to prevent him from accessing, say, www.citibank.com if he is in a low-security room, or vice versa, prevent him from accessing unlisted sites when he has switched to a high-security room.

at 15:51 0 comments

2006-10-09

(geek) KDE on the NBC Show "Heroes"

http://slashdot.org/comments.pl?sid=198073&cid=16228841

Hilarious comment :-)

For those of you who don't know, KDE is a desktop environment on Linux.
It is also the one I prefer, but that is not relevant to this joke :-)

at 12:16 0 comments

2006-09-28

on trusting someone!

http://lwn.net/Articles/201440/

I think people can generally trust me, but they can trust me exactly
because they know they don't _have_ to.

Don't worry about the rest if the article if you're not into open source.

Just reflect on the statement itself...

at 09:48 0 comments

2006-09-25

Nevermoto!

I've had it with Motorola. I was seduced by an A780, but the experience didn't live upto the seduction. 20,000 rupees down the drain in 1 year and 3 months :-(

And hell hath no fury like an evangelist who's seen the darkness, if you'll pardon the word play!

Lessons learned:

  • never, ever, buy a phone that is so badly supported! One month after the battery dies I'm still waiting for a new one. And using an old Nokia 3315 for now. [And hardly missing the A780, dammit!]
  • never buy a phone designed by an American company. Their networks are so behind the times they don't even know what features to include or test! Ever heard of location info coming up as an SMS?
  • the most often used features should use the least keystrokes. Redialling the last number shouldn't be FOUR key presses.
  • the most often used features should be the most tested. T9 (aka "predictive text input") sucks on this thing. In many ways (doesn't cycle the first 2-3 letters if you ask it to cycle the choices, doesn't allow a space before a special character, ...)
  • playing sudoku online during meetings is great, but not that important. Really!
  • ditto for a camera, web browser, mp3 player, voice recording, and T9 on the dialer.

What's my real gripe? No Linux support

The Motorola A780 does not support Linux. Yes, you heard it here first!

Here's my definition of "Linux support":

The device should not create yet another Windows dependency in order to be used as intended (which in this case includes backup/sync tasks).

Any device where the CD-ROM that comes with it assumes you run Windows has failed the test.

And please ignore the few geek pages that show how to synchronise the phone data with a Linux box -- if I can't recommend it to my non-techie brother, it isn't good enough to claim "we support Linux" whatever else you may want to claim!

[geek note:] It shouldn't be that difficult to create a statically linked Qt/GTK binary with minimal dependencies that can access the device from USB and get the stuff out and in. Sort of like jpilot; nothing fancy, but functional.

Yes, the A780 runs Linux inside, which is nice, but the warm fuzzy feeling wears off very quickly after a month of using the damn thing.

My next phone will likely be a lowly Nokia 1108. Hey, it's got a flashlight attached :-)

at 23:42 0 comments

Zune won't play MS DRM infected files

http://www.theinquirer.net/default.aspx?article=34478

So, in general, the device that Microsoft is aiming to gut the iPod with does three things really well. It screws legal music customers, screws partners, and actively advocates breaking the law to use. What a wonderful world we live in, all brought to you by the letters D, R and M, and the term infection. Seriously, you can't make this stuff up.

at 15:12 0 comments

2006-09-19

(security) Xavier Boyen - On the Impossibility of Efficiently Combining Collision Resistant Hash Functions

About a year ago, when the first collision attack against MD5 was made public, I asked my boss (who's a real scientist, unlike me!) why we couldn't simply use two different hashes and club them together, because the chances of finding a hash collision between two different strings, for two different hash functions, ought to be close to impossible.

Looks like I wasn't on crack after all... :-)

http://ai.stanford.edu/~xb/crypto06b/index.html

Let H1,H2 be two hash functions. We wish to construct a new hash function H that is collision resistant if at least one of H1 or H2 is collision resistant. Concatenating the output of H1 and H2 clearly works, but at the cost of doubling the hash output size. We ask whether a better construction exists, namely, can we hedge our bets without doubling the size of the output? We take a step towards answering this question in the negative --- we show that any secure construction that evaluates each hash function once cannot output fewer bits than simply concatenating the given functions.

at 10:04 0 comments

2006-09-13

This week in history [rec.humor.funny]

http://www.netfunny.com/rhf/jokes/06/Sep/california.html

:-)

at 16:32 0 comments

2006-09-11

(malware,DRM) Schneier on Security: Microsoft and FairUse4WM

http://www.schneier.com/blog/archives/2006/09/microsoft_and_f.html

Microsoft's priorities vis-a-vis security...! As you read this, remember that since 2003, MS's strategy for issuing patches for security holes has been that, regardless of how critical the hole is or how many computers are affected, patches come out only the second Tuesday of the following month.

Except, it seems, when someone hacks their DRM. Then the patch comes out in 3 days :-)

Quotes:

If you really want to see Microsoft scramble to patch a hole in its software, don't look to vulnerabilities that impact countless Internet Explorer users or give intruders control of thousands of Windows machines. Just crack Redmond's DRM.

[...]

Now, this isn't a "vulnerability" in the normal sense of the word: digital rights management is not a feature that users want. Being able to remove copy protection is a good thing for some users, and completely irrelevant for everyone else. No user is ever going to say: "Oh no. I can now play the music I bought for my computer in my car. I must install a patch so I can't do that anymore."

[...]

It should surprise no one that the system didn't stay patched for long. FairUse4WM 1.2 gets around Microsoft's patch, and also circumvents the copy protection in Windows Media DRM 9 and 11beta2 files.

That was Saturday. Any guess on how long it will take Microsoft to patch Media Player once again? And then how long before the FairUse4WM people update their own software?

Certainly much less time than it will take Microsoft and the recording industry to realize they're playing a losing game, and that trying to make digital files uncopyable is like trying to make water not wet.

at 15:19 0 comments

Subscribe to: Posts (Atom)