Wednesday, October 12, 2005

That's a crime?!?

http://www.theregister.co.uk/2005/10/11/tsunami_hacker_followup/

It appears that a few members of the UK's legal community have spent too much time at the local pub. The above referenced article finally provides some details on the heinous, illegal actions taken by a security professional against a tsunami relief donation site. To quote the article, "Cuthbert put ../../../ into the address line. If the site had been unprotected this would have allowed him to move up three directories".

Egads! Bloody evil old chap! If that's a crime, you'd best not click here. Actually, could I be arrested for inciting a crime by even providing that link?

Seriously, this conviction is a travesty. Given all the real crimes that are occurring, to convict a true security professional for something as trivial as a munged URL is unforgivable. It is inconceivable to me how such an action can even be considered criminal, much less inappropriate. It is no more malicious than a port scan, perhaps less so. The only person who should be out of a job in this case is the poor schmuck's lawyer.
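For reference, here is the check a site that was "protected" in the article's sense would be doing on the server side: the request path is decoded and resolved against the document root, and anything that lands outside the root is refused. This is an added example, not code from the article or the site it discusses; the document root, file names and request paths are constructed for the demo.

```python
"""Confine a request path to a document root (constructed example)."""
import tempfile
from pathlib import Path
from typing import Dict, Optional
from urllib.parse import unquote


def resolve_under_root(doc_root: str, url_path: str) -> Optional[str]:
    """Map url_path onto doc_root; return None if it would escape the root.

    The path is percent-decoded first so "%2e%2e/" is treated like "../".
    Path.resolve() collapses "." and ".." and follows symlinks, so the
    containment check is made on the real filesystem location rather than
    on the string the client sent.
    """
    root = Path(doc_root).resolve()
    decoded = unquote(url_path)
    # Drop leading slashes so the join stays relative to the root.
    candidate = (root / decoded.lstrip("/")).resolve()
    try:
        candidate.relative_to(root)
    except ValueError:
        return None
    return str(candidate)


def demo() -> Dict[str, Optional[str]]:
    """Run a few constructed request paths against a temporary document root."""
    requests = [
        "/donate.html",              # ordinary page
        "/../../../etc/passwd",      # the "move up three directories" case
        "/%2e%2e/%2e%2e/secret",     # same thing, percent-encoded
        "/sub/../donate.html",       # ".." that never leaves the root
    ]
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "htdocs"
        root.mkdir()
        (root / "donate.html").write_text("<html>thanks</html>")
        results = {}
        for req in requests:
            resolved = resolve_under_root(str(root), req)
            # Report just the file name so the output is independent of tmp.
            results[req] = None if resolved is None else Path(resolved).name
        return results


if __name__ == "__main__":
    for req, outcome in demo().items():
        print(f"{req:28} -> {outcome if outcome else 'REFUSED'}")
```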

Tuesday, October 04, 2005

Steal my what?

You may have heard the story about superstitious tribesmen who think that a camera can steal their soul. Pretty silly that people could actually believe that. In fact, it's almost as silly as the current buzz around identity theft.

So, explain to me please how somebody can actually steal my identity. If they do, do I cease to exist? Do I cease to be me? Do I wander around like an undead zombie saying, "Hi, I'm nobody"? Is it like the mad scientist on Gilligan's Island swapping voices and personalities between bodies?

OK, enough sarcasm (for now). ID theft is really just plain old fraud. Unfortunately, the big financial institutions, credit bureaus, and government are either too stupid or too lazy to properly address the problem. Instead we get silliness like the Notification of Risk to Personal Data Act.

The proposed bill would require notification to individuals if their (ahem) personal information is somehow compromised. Great, so now I know that some 3rd party over whom I have no control has unwittingly allowed some other 3rd party over whom I have no control to obtain said personal information, and that new 3rd party could potentially use that information to fraudulently obtain credit from yet another 3rd (5th) party over whom I have no control.

Gee, I'm glad I'm being notified. Now I can take bold and decisive action like filing a fraud alert with the credit bureaus. Greeeeeeaaaaaaaat. So, if somebody obtains my super secret, super sensitive "personal" information, and if the source through which they obtained it is fortunate enough to discover it, and if they are diligent enough to notify me, and if I am concerned enough to notify the credit bureaus, THEN, people will be a bit more careful about extending credit in my name. Otherwise, it's just the same old foolishness. That makes TONS of sense.

What I can't figure out is why we don't just make it harder to commit fraud in the first place. I'm not the least bit comfortable relying on the best (er, I mean minimally compliant) efforts of multiple organizations who have access to my super secret, super sensitive, "personal" information for the security of my "identity". Why should I bother?

Let's see. There's banks, credit card companies, insurance agencies, mortgage brokers, schools, daycare providers, pharmacies, sports leagues, family members, government agencies, employers, and probably more that all have some of my super secret, super sensitive, "personal" information. Fortunately, no criminals work for any of them, so if they can just succeed in preventing, or at least notifying me of, any unauthorized access, we'll have this ID theft problem licked faster than a 1 cent lollipop. Pass the cotton candy.

-SHP

Friday, September 30, 2005

Unattended PCs

http://www.theregister.co.uk/2005/09/29/unattended_pc_peril/

Maybe people could LOCK their PCs before walking away. Seriously, automatically locking PCs after a period of inactivity isn't a BAD idea, it just isn't a particularly EFFECTIVE one. The problem is finding the right balance between security and convenience. Hard to do.

Besides, if somebody actually wants to do harm, all they need is a moment to hit a URL with a browser, say yes to the popup, and they own the PC. For that matter, there's always the hardware keyboard sniffer. Y'all check for those every morning right?

Thursday, September 29, 2005

Trusted Websites?!?

http://www.theregister.co.uk/2005/09/27/untrusted_search/

How and why do we establish trust in the online world? How and why do we establish trust in the real world? Shouldn't the two be approached similarly?

Consider email encryption. PKI-based solutions have languished whilst PGP has flourished. Why? Because the trust model for PGP is more closely mapped to the way society works. Establishing trust for websites should similarly map to the real world.

Imagine you are traveling out of state in a town you've never visited before. If you were looking for a restaurant, would you trust a sticker on the door that said "American Restaurant Association Approved"? Sounds legit, but who the heck is the ARA? How do I know the sticker wasn't forged? You are far more likely to trust a brand name, or the advice of a trusted friend or associate.

A far better idea than attempting to establish centralized third parties is to build "peer to peer" or community-based rating systems such as those used by eBay or Slashdot. I doubt that "TrustWatch" or any other such system can ever obtain the necessary ubiquity to be useful.

While we're near the topic, I hope nobody believes that SSL and HTTPS are the answers to online security (Sorry Verisign). As an exercise for the reader, go read this:
http://www.schneier.com/paper-pki.pdf

Wednesday, September 28, 2005

Hello World

Greetings, fellow Earthlings. This is the first post of what will hopefully be many humorous, insightful, or otherwise useful ramblings on Information Security topics. This blog is a companion to my soon-to-be-released comic strip, The CrISSPy Crew. The intent of this blog, and the strip, is to poke fun at the rampant silliness, stupidity, and ignorance of Security concepts and principles. They will also portray some out-of-the-mainstream thoughts which will hopefully provoke discussion and a reevaluation of widely held viewpoints.

Enjoy.

-SHP