Tigr.net

Password recovery mechanisms

Wednesday, 22 May 2013

Passwords remain the main means of authentication on the internet. People often forget their passwords and then they have to recover their access to the website services through some kind of mechanism. We try to make that so-called “password recovery” simple and automated, of course. There are several ways to do it, all of them but one are wrong. Let’s see how it is done.

If you did not read Part 1 – Secret questions and Part 2 – Secondary channel, I recommend you do so before reading on.

Part 3 – Example procedure: put it all together

Let’s assume we are putting together a website and we will have passwords stored in a salted hash form and we identify the users with their e-mail address. I will describe what I think a good strategy for password recovery then is and you are welcome to comment and improve upon.

Since we have the users’ e-mail addresses, that is the natural secondary authentication channel. So if a user needs password recovery, we will use their e-mail to authenticate them. Here is how.

The user will come to a login page and clicks the link for “forgot password” or similar. They have to provide then an e-mail address. The form for e-mail address submission has to have means of countering automated exhaustive searches to both lower the load onto the server in case of an attack and provide some small level of discouragement against such attacks. There are two ways that come to mind: using a CAPTCHA and slowing down the form submission with a random large (an order of seconds) delay. Let’s not go into the holy war on CAPTCHA, you are welcome to use any other means you can think of and, please, suggest them so that others can benefit from your thoughts here. You should also provide an additional hidden field that will be automatically filled in by an automated form scanning robot, so you can detect that too and discard the request. Anyway, the important part is: slow down the potential attacker. The person going through recovery will not mind if it takes a while.

As the next step, we will look up the user e-mail address in the database, create a random token, mail it out and provide the feedback to the user. The feedback should be done in constant time, so that an attacker does not use your recovery mechanism to collect valid e-mail addresses from your website. The process thus should take the same time whether you found the user or not. This is difficult to get right and the best solution is to store the request for off-line processing and return immediately. Another way is to use the user names instead and look up the e-mail address but a user is more likely to know their own e-mail address than remember their user name, so there is a caveat. If you cannot (or would not) do off-line processing of requests, you should at least measure your server and try to get the timing similar with delays. The timing of the server can be measured fairly precisely and this is difficult to get right, especially under fluctuating load but you must give it a try. Still, it’s best if you keep the submitted information and trigger an off-line processing while reporting to user something along the lines of “if your e-mail is correct, you will receive an automated e-mail with instructions within an hour”. The feedback should never say whether the e-mail is correct or not.

Now we generate a long, random, cryptographically strong token. It must be cryptographically strong because the user may actually be an attacker and if he can guess how we generate tokens and can do the same, he will be able to reset passwords for arbitrary users. We generate the token, format it in a way that can be e-mailed (base64 encoding, hex, whatever) and store it in a database together with a timestamp and the origin (e-mail address). The same token is then e-mailed to the e-mail address of the user.

The user receives the token, comes to the website and goes to the form for token verification. Here he has to enter his e-mail address again, of course, the token, and the new password. In principle, some measure against the automated searches is in order here too, to lower the load on the server in case of an attack. The tokens are verified against our database and then the e-mail is checked too. If we see a token, we remove it from the database anyway, then we check if the e-mail matches and we continue only if it does. This way, tokens are single use: once we see a token, it is removed from the database and cannot be used again.

Tokens also expire. We must have a policy at our server that sets the expiration period. Let’s say, that is 24 hours. Before we do any look up in our token database, we perform a query that removes all tokens with a creation timestamp older than 24 hours ago. That way, any token that expires is gone from the database when we start looking.

Well, now, if the token matches and e-mail is correct, we can look up the user in our passwords database and update the password hash to the new value. Then, flush the authentication tokens and session identifiers for the user, forcing logout of all preexisting sessions. Simple.

... read more & comment >>>

Password recovery mechanisms

Tuesday, 21 May 2013

Passwords remain the main means of authentication on the internet. People often forget their passwords and then they have to recover their access to the website services through some kind of mechanism. We try to make that so-called “password recovery” simple and automated, of course. There are several ways to do it, all of them but one are wrong. Let’s see how it is done.

If you did not read Part 1 – Secret questions, I recommend you do so before reading on.

Part 2 – Secondary channel

A second way to do recovery is to use a secondary channel for authentication. Once authenticated on this secondary channel, the password for the primary channel can be changed. The secondary channel may be slower and more cumbersome but since it is used rarely it is not a problem.

You could ask the person to call user support. The user support would ask some questions for personal information and compare the answers with what they have on file. That would effectively reduce the system to the “secret questions” described in Part 1. There are better (and cheaper) ways to do it.

Historically, the server usually stores the e-mail address of the user provided at registration. That is what becomes the secondary channel. Although it is still over the Internet, but capturing the e-mails on their way to the intended recipient is not a trivial task unless you control one of the nodes through which the e-mail would be routed.

Originally the passwords were stored in plaintext at the server and the user could request the password to be e-mailed. Some services still operate like that. The notorious Mailman list server e-mails you your plaintext password once a month in case you forgot it. That is a convenient way but has a bit of a security problem, of course. Should the password database be recovered by an attacker, all passwords to all accounts are immediately known. On the other hand, it has the advantage that user passwords are not really changed, so if someone requests a password reminder, the original subscriber will receive an e-mail and that’s all.

The inventive thought then went to the idea of hashing the passwords for storage, which is a great idea in itself and protects the passwords in case the database gets stolen. It has a side effect that suddenly the password is not known to the server anymore. Only the hash is. That is sufficient for the authentication but isn’t very helpful if you want to mail out a password reminder. So, someone had a bright idea that the password reminder should become a password reset. And what they did is: when a user requests, the server generates a new password, sends it to the user, and changes the hash in the database to the new password’s hash. All secure and … very prone to the denial of service attacks. Basically, anyone may now request a password reset for any users at will and that user’s password will get changed. Very annoying.

So we went further and decided that changing the password is not such a good idea. What we do then is make a separate database of single-use tokens. When a user requests a password change, we generate a unique random token, keep the token in the database and send it out to the user. If user did not request a token, the user need not react, the password was not changed and the token will harmlessly expire some time later. When the user needs a password change, he provides the token back to the service in a password change form (or through a clicked URL) and that allows us to perform this secondary authentication and then change the primary password. And that’s the way to do it.

There are variations where the secondary channel can be an SMS, an automated telephone call, or even an actual letter from the bank. But the important thing is that those messages only provide a token that verifies your identity on the secondary channel before allowing a security relevant operation on the primary channel.

Next, we will look at an example procedure for a website in Part 3.

... read more & comment >>>

Password recovery mechanisms

Tuesday, 21 May 2013

Passwords remain the main means of authentication on the internet. People often forget their passwords and then they have to recover their access to the website services through some kind of mechanism. We try to make that so-called “password recovery” simple and automated, of course. There are several ways to do it, all of them but one are wrong. Let’s see how it is done.

Part 1 – Secret questions

A widespread mechanism is to use so-called “secret questions”. This probably originates with the banks and their telephone service where they ask you several questions to compare your knowledge of personal information with what they have on file. In the times before the internet this was a fair mechanism since coming up with all the personal information was a tough task that often required physically going there and rummaging through the garbage cans to find out things. Still, some determined attackers would do precisely that – dumpster diving – and could gain access to the bank accounts even in those times.

Right now this mechanism is, of course, total fallacy. The internet possesses so much information about you … It is hard to imagine that questions about your private life would remain a mystery to an attacker for long. Your birthday, your dog, your school and schoolmates, your spouse and your doctor – they are all there. It is hard to come up with a generic question that would be suitable to everyone and at the same time would not have the answer printed on your favorite social network page.

And even if it is not. Imagine that the secret question is “what’s your dog’s name?” How many dog names are there? Not as many as letter combinations in a password. And the most common dog names are probably only a handful. So it is by far much easier to brute force a security question than a password.

This mechanism of secret questions and answers is antiquated and should not be used.

There is a variation where you have to provide your own question and your own answer. This is not better. Most people will anyway tend to pick up the obvious questions. The attacker will see the question and can dig for information. The answer will usually be that one word that is easy to brute force. So, no good.

And, by the way, what should you do when you are presented with this folly on a website you use? Provide a strong password instead of the answer. Store that password in whichever way you store all the other recovery passwords. All other rules for password management apply.

So much for secret questions. In the next part, we will see how to do password recovery with a secondary channel.

... read more & comment >>>

The Internet: A Warning From History

Friday, 10 May 2013

... read more & comment >>>

Coverity reports on Open Source

Wednesday, 8 May 2013

Coverity is running a source code scan project started by U.S. Department of Homeland Security in 2006, a Net Security article reports. They published their report on quality defects recently pointing out some interesting facts.

Coverity is a lot into code quality but they also report security problems. On the other hand, any quality problem is easily a security problem under the right (or, rather, wrong) circumstances. So the report is interesting for its security implications.

The Open Source is notably better at handling quality than corporations. Apparently, the corporation can achieve the same level of quality as Open Source by going with Coverity tools. An interesting marketing twist, but, although the subject of Open Source superiority has been beaten to death, this deals the issue another blow.

Another interesting finding is that the corporations only get better at code quality after the size of the project goes beyond 1 million of lines of code. This is not so surprising and it is good to have some data backing up the idea that corporate coders are either not motivated or not professional to write good code without some formalization of the code production, testing and sign-off.

This is the necessary evil that hinders productivity at first but ensures an acceptable level of quality later.

... read more & comment >>>

Отличная идея

Saturday, 27 April 2013

Между прочим, отличная идея и я бы такую игруху с удовольствием замутил бы тоже :)

С хабра.

Alexey2005:
Как-то в шутку предлагал выпустить игру «битва суровых донаторов», в которой бы на все 100% отсутствовал гринд, т.к. ход игры определялся следующими правилами:

1. Игроки донатят. За каждый рубль доната начисляется 1 единица экспы.
2. По мере набора экспы происходят левел-апы. С каждым левелом растёт шанс того, что донат не пройдёт — вне зависимости от вдоначенной суммы прибавится всего одна единица экспы. Также растёт минимально необходимая сумма доната.
3. Естественно, должен быть рейтинг игроков, где видно, кто какой левел набрал
4. Игроки могут объединяться в кланы. При этом донат расшаривается между ними (помимо задонатившего, халявную экспу получают и остальные игроки пропорционально разнице уровней).
5. В игре есть ПвП. Во время битвы игроки донатят, и задонативший больше всех становится победителем. Он получает экспу за все деньги, задоначенные участниками во время битвы.
6. Естественно, должен быть ПвП-рейтинг — как для отдельных игроков, так и для кланов. Также нужен еженедельный бонус: тот игрок, который за неделю набрал максимальный ПвП-рейтинг, получает халявную экспу, равную сумме, вдоначенной им на бои за эту неделю.
7. В игре должен быть чат (общемировой канал, личка, клановый канал), дабы крутые донаторы могли посмеяться над нубами и нищебродами. Естественно, чат должен быть платным.
8. Также должен быть игнор-лист. За определённую сумму любого игрока можно внести в игнор и не получать от него сообщений. Однако, если он заплатит за сообщение больше, чем вы заплатили за игнор, его сообщение всё-таки пройдёт, и вам придётся увеличивать сумму на игнор-барьере.

А вот теперь не удивлюсь, если кто-то и впрямь выпустит нечто подобное, и оно при этом будет пользоваться дикой популярностью…

Цитата с баша: #422289.

... read more & comment >>>

Cloud security

Saturday, 27 April 2013

Let’s talk a little about the very popular subject nowadays – the so-called ‘cloud security’. Let’s determine what it is, what we are talking about, in fact, and see what may be special about it.

‘Cloud’ – what is it? Basically, the mainframes have been doing ‘cloud’ all along, for decades now. Cloud is simply a remotely accessible computer with shared resources. Typically, what most people ‘get from the cloud’ is either a file server with a certain amount of redundancy and fault tolerance, a web service with some database resources attached, or a virtual machine (VM) to do as they please with. Yes, it is all that simple. Even the most hyped-up services, like Amazon, boil down to these things.

So when you determine the basics, you are then talking about three distinctly different types of operation: a file server, a web/database application and a VM. The three have different security models and can be attacked in completely different ways. So it does not really make sense to speak about ‘cloud security’ as such. It only makes sense to speak about the security of a particular service type.

Mind you, there is also another type of ‘cloud security’ – the security of the data center itself, where the physical computers accessible through the physical network are. And the security of data centers is an important subject of interest to the operators of those data centers. At the same time, consumers of the services rarely are concerned with that type of security, assuming (sometimes without a good cause) that the data center took good care of its security.

So, from the point of view of the developer or consumer of services it makes sense to talk about three types of security in three different security models that are fairly well understood and were analyzed many times over the decades. Not using that experience of, first, the mainframe developers, and then, of the open systems developers, is at the very least irresponsible.

... read more & comment >>>

The best terrorist cartoon ever

Friday, 26 April 2013

This is the best terrorist cartoon ever. And it is very, very truthful.

(facepalm)

... read more & comment >>>

A dream job: Chief Pornography Identification Officer

Friday, 19 April 2013

This is so cool. There exists a dream job for everyone, they say. I bet many will now want this job: the “Chief Pornography Identification Officer” is wanted. It is not spectacularly paid but, hey, imagine the job satisfaction level you get!

Job Responsibilities：Quickly and accurately identifying pornographic and obscene websites.

Job Description：1. Research and study pornographic videos and images, formulate criteria for determining obscenity. 2. Deploy courseware on the standards of obscenity determination, and study materials such as educational videos on pornography. 3. Manage and rate pornographic resources (including BT seeds, images, and online videos).

Job Requirements: 1. Familiarity with the different standards of determination of pornographic content of different countries; 2. Familiarity with the standards of determination and express regulations concerning pornography in China’s law; 3. Familiarity with the standards of pornography identification used by CNNIC (China Internet Network Information Center) and various major internet providers; 4. A bachelor’s degree or above; age between 20-35; all genders; 5. Possesses good teamwork skills, and a strong sense of responsibility.

If you are interested, the position is open, send an email to hr@anquan.org.

... read more & comment >>>

Consensus vs. Collaboration

Tuesday, 9 April 2013

I came across a very interesting discussion of “Consensus vs. Collaboration” which summarizes neatly why consensus isn’t always the best approach:

In consensus cultures people are rarely excited or supportive.  Mostly because they are very frustrated at how slow things move, how risk-averse the company is, how hard it is to make a decision, and especially how unimpressive the products are.

I saw quite a lot of that, and not only in Japan, so, yeah, that’s the way things are. And the bigger the company, the more pronounced this effect becomes.

... read more & comment >>>

Getting revenue on security?

Tuesday, 9 April 2013

I am looking now into arguably the hardest problem of security: how to make it pay off. Security is usually seen as a risk management tool, where increasing security investment lowers the risk of costly disasters. But the trade off between security and risk is hard to evaluate and there is a bias for ignoring the rare risks.

We keep talking about costs, if you noticed. We lower costs, even not actual costs, but potential costs, and we do not increase the revenues here.

For example, when we talk about some product we can look at improvements that would get us more of the following to improve the bottom line:

1. Acquisition – getting more users or clients
2. Activation – getting the users or clients to make a purchase
3. Activity – getting your users or clients to come back for more

Can security demonstrate similar improvements? To move from cost cutting to revenue generation? Share your opinion, please!

... read more & comment >>>

Exodus from Java

Tuesday, 9 April 2013

Finally the news that I was subconsciously waiting for: the exodus of companies from Java has started. It does not come as a surprise at all. Java has never fulfilled the promises it had at the beginning. It did not provide any of the portability, security and ease of programming. I am only surprised it took so long, although knowing full well that companies’ managers routinely optimize for their own career and bonuses that does not come as a shock either.

For those not in the know, the gist of the problem is that Java promised at all times to provide some sort of “inherent security”. That is, no matter how bad you write the code, it will still be more secure that the code written in C or other advanced high-level algorithmic languages. Java claimed absence of buffer overflows, null pinter dereferences and similar problems, which all turned out to be not true after all. And it had a very important consequence.

The consequence is that anyone writing in Java or learning it is subconsciously aware of that promise. So people tend to relax and allow themselves to be sloppy. So the code written in C ends up being tighter, more organized, and more secure than the code written in Java. And the developers in C tend to be on average better educated in the intricacies of software development and more aware of potential pitfalls. And that makes a huge difference.

So, the punch line is, if you want something done well, forget Java.

... read more & comment >>>

Apple – is it any different?

Saturday, 30 March 2013

The article “Password denied: when will Apple get serious about security?” in The Verge talks about Apple’s insecurity and blames Apple’s badly organized security and the absence of any visible security strategy and effort. Moreover, it seems like Apple is not taking security sufficiently seriously even.

“The reality is that the Apple way values usability over all else, including security,” Echoworx’s Robby Gulri told Ars.

It is good that Apple gets a bit of bashing but are they really all that different? If you look around and read about all other companies you quickly realize it is not just Apple, it is a common, too common, problem: most companies do not take security seriously. And they have a good reason: security investment cannot be justified in short-term, it cannot be sold, and it cannot be turned into bonuses and raises for the management. And the risks are typically ignored as I already talked about previously.

So in this respect Apple simply follows in the footsteps of all other software companies out there. They invest in features, in customer experience, in brand management but they ignore the security. Even the recent scandal with Mat Honan’s life wipe-out that got a lot of publicity did not change much if anything. The company did not suffer sufficient damage to start thinking of security seriously. The damage was done to a private individual and did not translate into any impact on sales. So it demonstrated once again that security problems do not damage the bottom line. Why else would a company care?

We need the damage done to external parties to be internalized and absorbed by the companies. As long as it stays external they will not care. The same thing exactly as the ecology – ecological cost is external to the company so it would not care unless there is regulation that makes those costs internal. We need a mechanism for internalizing the security costs.

... read more & comment >>>

Люди и обезьяны – а разница в чём?

Friday, 29 March 2013

Очень интересную статью прочитал, про использование психологии приматов в определении и предсказании поведения людей у власти: Величайшая тайна власти и обезьяны.

- Откуда появляются эти люди? Кто их двигает? Почему эти люди такие никчемные и примитивные? Почему так любят «большие погоны», «красивые мундиры»?  Почему дорвавшись до власти они начинают что называется «грести под себя» и никто не может самостоятельно остановиться?  Почему во власти нет ни одного пусть негодяя, но тем не менее умного человека, который из себя что-то представляет без должности и регалий?

Рекомендую, даже не от того, что про власть, а просто – психология, понимаешь.

... read more & comment >>>

Security training – does it help?

Thursday, 28 March 2013

I came across the suggestion to train (nearly) everyone in the organization in security subjects. The idea is very good, we often have this problem that the management has absolutely no knowledge or interest in security and therefore ignores the subject despite the efforts of the security experts in the company. Developers, quality, documentation, product management – they all need to be aware of the seriousness of software security for the company and recognize that sometimes the security must be given priority.

But will it help? I have spent a lot of time educating developers and managers on security. My experience is that it does not help most people. Some people get interested and involved – those are naturally inclined to take good care of all aspects of their products, including but not limited to security. Most people do not care for real. They are not interested in security, they are there to do a job and get paid. And nobody gets paid for more security.

That results repeatedly in the situations like the one described in the article:

“If internal security teams seem overly draconian in an organization, the problem may not be with the security team, but rather a lack of security and risk awareness throughout the organization.”

Unfortunately, simply informative security training is not going to change that. People tend to ignore rare risks and that is what happens to security of product development. What we need is not a security awareness course but a way to “hook” people on security, a way to make them understand, deep inside, that the security is important, not in an abstract way, but personally, to them personally. Then security will work. How do we do that?

... read more & comment >>>

Цитата дня

Monday, 25 March 2013

Вот, порадовало:

В параллельной вселенной люди не грабят банки, банки сами грабят людей! А нет … это в этой.

... read more & comment >>>

Life expectancy

Sunday, 24 March 2013

I was reading Plato’s “The Republic” and it is a very worthwhile read. I highly recommend it to everyone, although that’s besides the point now. I want to talk about something else than the functioning of our society and its destination. In the very last chapter he managed to surprise me once again. Plato says:

“…once in a hundred years — such being reckoned to be the length of man’s life…”

And that small part of a sentence spoke mountains to me. I heard already from several sources that the length of human life is diminishing slowly over centuries, quite opposite to what the official science teaches us. But to hear from Plato that in his time (roughly 2400 years ago) the life expectancy was 100 years is stunning.

You see, Plato preaches philosophy as the basis for all human endeavors and he insists that everyone must study mathematics as the beginning of all other science and harmony. So, for him, to say the life expectancy is 100 years if it was not would be unacceptable. He speaks the truth in this case as in all other cases, mentioning it as a simple well-known fact of life.

So in his time to live to a hundred years was the same as now to live to sixty. We are down about one third in just two and a half centuries. This simple fact is hidden from us and we are taught that people live longer and longer while quite the opposite is the truth. People are dying.

... read more & comment >>>

Strategic direction: security ebb

Wednesday, 13 March 2013

Something quite prominent happened in the security field over the last week. It is a strategic move so I am going to talk about it here rather than on Holy Hash! although it would be interesting to the security folks too.

So, what happened, you ask? Ah, nothing so spectacular that TV shows would interrupt their evening program for but so momentous that I wish they would. It all started with the little exercise at RSA Conference where a couple of so-called “security leaders” declared that security is the territory of really large companies and anyone smaller should just forget about it. I already wrote my opinion about the basic idea of ignoring risks in an area where an incident, according to Coverity, runs on average to 7 million dollars but can easily be a couple of orders of magnitude more.

It would all go away into the history unnoticed if it was not for Bruce Schneier who suddenly chipped in with his commentary that he agrees to the gentlemen in question. Now, Bruce is not stoopid and he is the head of security for BT. To explain to our full satisfaction how come that his words go counter to what he usually preaches in his books and security life, we have to take it as the corporate direction from BT. Otherwise why would he go to the trouble of participating in this publicity stunt?

So here is a sand castle of conspiracy theory for you to contemplate. Notice now, how we suddenly have 3 companies largely unrelated to each other preaching the same message on highly respected channels. First, let’s summarize the message. I think it could be said along the lines of:

Only really large corporations can afford to invest in security. Small companies cannot justify the investment in security. Unless a company suffers a security problem the company must ignore security completely.

When I re-read that, I cannot help myself wondering: “where is IBM?” They should be in this game, they have been at it for decades! But I digress.

Whether the message is in earnest, as a joke or in pretense does not matter. What matters is the content of the message and the credibility of the source. Using serious well-known channels like RSA Conference and Bruce Schneier practically guarantees a large outreach for the message and the credibility of “beyond serious doubt” being automatically stamped all over it.

So this is the message and it is easy to imagine that the “smaller” companies would follow the advice and will not take care of their own security and the security of their own products. What will happen? They will lose all security related expertise, security developers and so on. So they will have to outsource the security somewhere else when accidents happen. And security accidents happen all the time, the ignorant companies will not have to wait long.

So I can see how this is a very profitable direction for BT, that sells security solutions. I can see how that is profitable for SilverSky, that sells security services. But how is it profitable for Adobe? Well, it probably isn’t. John Viega and Brad Arkin have spent a lot of time together and Cigital will certainly benefit, so I am not surprised at the performance from amis cochons even if it is irrelevant for Adobe.

Anyhow, here is an attempt at a new trend and we will see how things move on. I suppose we have to allow for several possibilities: (1) this is just a one-off publicity stunt for the people and companies in question; (2) this is companies “testing waters” for the new “approach to security” and (3) this is the beginning of a shift towards acknowledged massive insecurity driven by those interested parties. On a hunch, I would vote for the number three.

... read more & comment >>>

Surveillance and resistance

Wednesday, 13 March 2013

Quite interestingly, it seems there is some resistance to total surveillance, both in the minds and in the reality. Yes, the surveillance is increasing and the automated processes for surveillance, linking of events, things and people and follow-up and recognition is driving the technological advances now in the so-called “big data” processing. Not only your shopping habits but also all of your whereabouts can be linked together and clearly identified with sufficient data and processing power.

... read more & comment >>>

Irrelevance of search

Monday, 11 March 2013

I suddenly noticed a spike in the number of visitors here over the weekend. Being a curious one, I naturally wanted to figure out what prompted the sudden attention. Well, it turns out that I had many visitors searching for nothing else but “sex party” and I have a post about that silly sex party by Ergo last year. So I guess the visitors were fairly disappointed with what they saw here.

Makes you think how relevant the search results actually are. We have no idea how to compare them and what to compare them to. When people get this site and they are looking for sex parties, they definitely not getting their time’s worth in information. Search engines by now are very advanced, I hear, they have been around for at least a couple of decades. And still, we get disappointing results. This must be a really hard problem without a good solution yet.

My hunch from here is simple: do not discount the lists of subjects and other alternatives to search engines yet. All the hype about search engines ruling the Internet is just hype, looking for the information is still not simple and we should not limit ourselves to just a search engine.

... read more & comment >>>

Mitigating risks … is a waste of money?

Wednesday, 6 March 2013

There was an interesting talk at one of the panels at the RSA Conference, where SilverSky and Adobe claimed that investing in security is a waste of money. Their message is simple and compelling:

“For most companies it’s going to be far cheaper and serve their customers a lot better if they don’t do anything [about security bugs] until something happens. You’re better off waiting for the market to pressure on you to do it.”

Although they say that this was all in pretense, we all know it was not, companies large and small try to avoid fixing problems as long as they can, waiting for customers to complain loud before ever doing anything. Basically, this is a risk that companies rate as unimportant because of its low perceived rate of occurrence.

The problem with this kind of risks that they cannot be properly rated. The probability of these risks is hard to rate because the data is basically unavailable. And the impact of the risk is underrated because of low perceived probability. People tend to ignore such risks.

But the companies, can they also afford to ignore such risks? What has to be considered is that a serious security problem may easily put a company out of business. Even if the company stays in business, the impact to the image of the company may be such that it will take several years to recover. These risks are what typically called “existential” or “terminal” risks.

Companies, for the most part, must account for and mitigate certain risks that would place them out of business. Doing otherwise is called gambling and is totally irresponsible towards the shareholders.

... read more & comment >>>

Brainwashing in security

Thursday, 28 February 2013

At first, when I read the article titled Software Security Programs May Not Be Worth the Investment for Many Companies I thought it was a joke or a prank. But then I had a feeling it was not. And it was not the 1st of April. And it seems to be a record of events at the RSA Conference. Bloody hell, that guy, John Viega from SilverSky, “an authority on software security”, is speaking in earnest.

That’s one of those people who are continuously making the state of security as miserable as it is today. His propaganda is simple: do not invest into security, it is a total waste of money.

“For most companies it’s going to be far cheaper and serve their customers a lot better if they don’t do anything [about security bugs] until something happens. You’re better off waiting for the market to pressure on you to do it.”

And following the suit was the head of security at Adobe, Brad Arkin, can you believe it? I am not surprised now we have to use things like NoScript to make sure their products do not execute in our browsers. I have a pretty good guess what Adobe and SilverSky are doing: they are covering their asses. They do the minimum required to make sure they cannot be easily sued for negligence and deliberately exposing their customers. But they do not care about you and me, they do not give a damn if their software is full of holes. And they do not deserve to be called anything that has a word ‘security’ in it.

The stuff Brad Arkin is pushing at you flies into the face of the very security best practices we swear by:

“If you’re fixing every little bug, you’re wasting the time you could’ve used to mitigate whole classes of bugs,” he said. “Manual code review is a waste of time. If you think you’re going to make your product better by having a lot of eyeballs look at a lot of code, that’s the worst use of human labor.”

No, sir, you are bullshitting us. Your company does not want to spend the money on security. Your company is greedy. Your company wants to get money from the customers for the software full of bugs and holes. You know this and you are deliberately telling lies to deceive not only the customers but even people who know a thing or two about security. But we have seen this before already and no mistake.

The problem is, many small companies will believe anything that is pronounced at an event like the RSA Conference and take it for granted that this is the ultimate last word in security. And that will make the security state of things even worse. We will have more of those soft underbelly products and companies that practice “security by ignorance”. And we do not want that.

The effect of security bugs can be devastating. The normal human brain is not capable of properly estimating the risks of large magnitude but rare occurrence and tends to downplay them. That’s why the risk of large security problems that can bring a company to its knees is usually discarded. But security problems can be so severe that they will put even a large company out of business, not to mention that a small company would not survive any slightly more than average impact security problem at all.

So, thanks, but no, thanks. Security is a dangerous field, it is commonly compared to a battlefield and there is some truth in that. Stop being greedy and make sure your software does not blow up.

... read more & comment >>>

Everything is a hammer…

Friday, 19 October 2012

It looks like for Stephen Elop, the Microsoft  manager in charge of Nokia, everything looks like a Windows computer. What is all this nonsense about Nokia delivering cheap smartphones in developing countries? That market is already taken, first by LG and Samsung and then a couple times over by Chinese manufacturers. He ran the most successful mobile company in the world into the ground and he should be proud of that achievement. I am sure he is. Can you imagine what it takes, what kind of dedication, to actually take the market leader and run it into the ground, destroy everything very quickly and systematically? It is a mind-boggling achievement. We will be watching Stephen for his next career move to see what company will be brought to its knees next.

Related articles

• The world’s worst CEO is NOT Microsoft’s Steve Ballmer, it’s Nokia’s Stephen Elop (macdailynews.com)
• Nokia Q3 Results.. What can I say, we knew it would be misery all around (communities-dominate.blogs.com)
• How Stephen Elop Destroyed Nokia (seekingalpha.com)

... read more & comment >>>

Software Security Philosophy

Sunday, 5 February 2012

What is “security”? Well, not in broad sense, that is, but in software security? What does it mean: to develop secure software? What do we understand to fall into the realm of software security?

I tell you what I mean when I say “software security”. For me, the software security means to bring the intent of the original designer to the customer.

This is very simple. The designer had some idea in mind when designing the software. He had some intention for the software to function in a particular way. That mental picture is translated into design, brought over into development, translated into source code, translated into binary, delivered, installed and configured at the csutomer’s site. And our task is to ensure that what operates now at the customer’s site reflects exactly what developer had in mind. If it does not – we have a breach of security.

I know that this is a very broad definition and it encompasses many areas traditionally thought to be outside the realm of security. Some people do not like that. But in my view, this is much simpler to act on than to try and define the precise separation of realms.

Take quality assurance for example. Traditionally, QA is outside security. However, think about it. QA ensures that software operates properly in a predefined environment, which is a subset of the environments that security concerns itself with. Security logically encompasses QA here. QA ensures that the software operates properly under “normal” circumstances and security ensures that the software operates properly under any circumstances.

And it is like that with everything.

... read more & comment >>>

State of security – still miserable

Tuesday, 10 January 2012

... read more & comment >>>

The Future of NFC Payments

Thursday, 3 March 2011

Someone asked me to provide feedback on an article regarding The Future of NFC Payments (yes, capitalized, like in “Big Future”). I do not cherish the idea of giving up my contact details for a brochure download, so I did not read the actual paper. I cannot imagine why people would not want their ideas to be widespread. I think it is silly to force people to register when you want them to read your articles, for they will simply read it elsewhere.

Anyhow, back to the subject of mobile payments with NFC – that’s what the paper claims to be about. I do not really know what they said inside but seeing “NFC was hailed as one of the biggest trends for mobile operators for 2011″ in the blurb is enough to get an idea of what might be on the inside.

Now, let’s be clear that mobile payments are a fighting ground for two large forces: the banking industry and the mobile service industry. Both of them deal with a lot of customers and a lot of cash. And none of them would willingly give up the payment transactions stream to another. One, the banking industry, owns the terminals and the networks, the payment infrastructure. The other, the mobile industry, owns the handset and the SIM card, the means of payment.

So, until I hear that those two – mobile operators and banking associations – came into some sort of an agreement between themselves on some terms regarding the mobile payments, I am not going to lose my sleep over any imagined mobile payments trends, with or without NFC, this year.

Mind you, there is always a chance for a small handset manufacturer like Apple to come up with a painfully obvious scheme that Nokia simply cannot afford…. But that is another story.

... read more & comment >>>

Near Field Communication (NFC)

Wednesday, 2 March 2011

I stumbled upon an article in PopSci (Popular Science?) on-line publication titled Everything You Need to Know About Near Field Communication. My opinion is that many of the things described there reflect a lot of wishful thinking on the part of the smart card industry players. Especially where they go on about “everything has just started to come together”, which is exactly the same thing they were saying for the last five years or so. I was on the inside, I should know.

I think that for the more inclined to actually understand the technology in easy words, I would suggest simply reading the original NFC White Paper written by myself years ago and published by Ecma International. Trust me, nothing much has changed in the meantime, all concepts still apply today as they applied then.

... read more & comment >>>

Corporate responsibility

Monday, 6 December 2010

One of the buzzwords I dislike is “Corporate Responsibility”. It is overused, abused and never means what it is supposed to when you hear it from the top managers. However, it is important. Rather, the concept that it used to mean is important.

I spent a few months in Russia now and I am shocked and disgusted at how business is done there. That is the place where you go if you want to learn what the consequences of irresponsibility on a grand scale are.

Nobody feels responsible for anything there. The only king of this newly capitalistic country is money. Everybody dreams of making money quick. Some people make the money quick. Some don’t. But for everyone the main theme remains – just make money, no matter how, no matter what the consequences are, never mind the “after”.

What is the result? Well, most, or, perhaps, all of the business is based on making or buying something dirt cheap and selling it high. Most products are made in China or are counterfeit. Everything is made of the cheapest materials and with the cheapest technologies.

Can you imagine the life in a disposable world? Disposable furniture, disposable cars, disposable roads, disposable buildings, clothes, everything. Food is mostly dangerous for health, as is water and air. Every service you get is done as if you are a really annoying beggar, not a paying customer. All products you buy start falling apart as soon as unwrapped.

And it really matters nothing if you have a little or a lot of money. What you buy with a lot of money is still counterfeit and the same horrifying quality. There is no way to buy for yourself a higher life level, unless you ship everything you need from abroad, like some rich people there do – they just fly all their food and necessities from Germany.

And this is the result of one thing – corporate irresponsibility. Yes, they make money, a lot of it. But, when everyone provides shit to everyone else, what help is all that money?

... read more & comment >>>

Service: cheap, cheapest… cheaper!

Sunday, 25 July 2010

I find it disturbing how even the most normal appearing people are falling for the cheap-cheap-cheap mantra of the day. Take the telephone services. My friend, who would always check the quality of everything he buys and make sure that it is of at least fairly acceptable level, falls for the “we have it cheaper than everyone else” internet and telephony package. Result is very predictable: half a year of wasted time, miserable service, lost money.

Why does this happen? It seems easier to accept the “everything is equal anyway” lie when you cannot assess the quality expertly in advance. It is probably difficult to assess the quality of a used car for a non-specialist, but at least you can see the rust. When you only see the colorful brochures, it becomes near impossible to judge the quality of a future service. And it is, oh, so easy to judge the amount of money you pay.

When you select the services next time, remember, it is not only the money you pay. The service you receive should also be taken into account. You are not just paying money, you are paying money for the service. Make sure the service is worth your money.

... read more & comment >>>

Chinese can!

Thursday, 6 May 2010

Reuters is amazing me today. Another short article gives a quick update on the Chinese affairs in Africa. Chinese were copying small stuff from everywhere until now: products, technologies, machines, tools. Now they are copying the big politics and economic strategies. US has used this strategy successfully for a long time in South America, Europe, Asia and Middle East, enslaving multiple countries with horrendous amounts of debt. Now China is copying their approach in Africa. There is a lot of agricultural land in Africa and securing access to this land in the long term is a very wise decision. Not that it is going to do any good for the others but for China it is definitely a very good move.

... read more & comment >>>