Friday, September 30, 2005

Unattended PCs

http://www.theregister.co.uk/2005/09/29/unattended_pc_peril/

Maybe people could LOCK their PCs before walking away. Seriously, automatically locking PCs after a period of inactivity isn't a BAD idea, it just isn't a particularly EFFECTIVE one. The problem is finding the right balance between security and convenience. Hard to do.

Besides, if somebody actually wants to do harm, all they need is a moment to hit a URL with a browser, say yes to the popup, and they own the PC. For that matter, there's always the hardware keyboard sniffer. Y'all check for those every morning, right?

Thursday, September 29, 2005

Trusted Websites?!?

http://www.theregister.co.uk/2005/09/27/untrusted_search/

How and why do we establish trust in the online world? How and why do we establish trust in the real world? Shouldn't the two be approached similarly?

Consider email encryption. PKI-based solutions have languished whilst PGP has flourished. Why? Because the trust model for PGP is more closely mapped to the way society works. Establishing trust for websites should similarly map to the real world.

Imagine you are traveling out of state in a town you've never visited before. If you were looking for a restaurant, would you trust a sticker on the door that said "American Restaurant Association Approved"? Sounds legit, but who the heck is the ARA? How do I know the sticker wasn't forged? You are far more likely to trust a brand name, or the advice of a trusted friend or associate.

A far better idea than attempting to establish centralized third parties is to build "peer to peer" or community-based rating systems such as those used by eBay or Slashdot. I doubt that "TrustWatch" or any other system can ever obtain the necessary ubiquity to be useful.

While we're near the topic, I hope nobody believes that SSL and HTTPS are the answers to online security (sorry, Verisign). As an exercise for the reader, go read this:
http://www.schneier.com/paper-pki.pdf

Wednesday, September 28, 2005

Hello World

Greetings, fellow Earthlings. This is the first post of what will hopefully be many humorous, insightful, or otherwise useful ramblings on Information Security topics. This blog is a companion to my soon-to-be-released comic strip, The CrISSPy Crew. The intent of this blog, and the strip, is to poke fun at the rampant silliness, stupidity, and ignorance of Security concepts and principles. They will also portray some out-of-the-mainstream thoughts which will hopefully provoke discussion and a reevaluation of widely held viewpoints.

Enjoy.

-SHP