
Q&A with Bruce Schneier


Bruce Schneier as Chuck Norris
Originally uploaded by massdistraction

There is a very interesting Q&A with security expert and internet meme Bruce Schneier over at the Freakonomics page. While the page is a bit lengthy it is a good read and should be read by all, particularly the less internet savvy as there is a lot to take away.

He describes a very effective way of storing and using passwords. It is a technique I have been using for years and usually recommend to family and friends.

Q: How do you remember all of your passwords?

A: I can’t. No one can; there are simply too many. But I have a few strategies. One, I choose the same password for all low-security applications. There are several Web sites where I pay for access, and I have the same password for all of them. Two, I write my passwords down. There’s this rampant myth that you shouldn’t write your passwords down. My advice is exactly the opposite. We already know how to secure small bits of paper. Write your passwords down on a small bit of paper, and put it with all of your other valuable small bits of paper: in your wallet. And three, I store my passwords in a program I designed called Password Safe. It’s a small application — Windows only, sorry — that encrypts and secures all your passwords.

Here are two other resources: one concerning how to choose secure passwords (and how quickly passwords can be broken), and one on how lousy most passwords actually are.


D’Officials – No Hoodies!

In Ireland there are two constructs, “The Man” and “A boy”, that are used by parents to corral their kids in. “A boy” is usually a person that got himself injured doing something stupid and is used as a warning to other kids, “A boy broke his legs climbing over those rocks”, or “A boy almost had his finger cut off climbing in that window”. (There is a window in the primary school of Dungeagan in Ballinskelligs, Co Kerry and I was that boy that people get warned about).

“The Man”, however, is the marginally empowered person who flexes it whenever he can. You meet them all the time when you go through metal detectors in airports and they take away nail clippers, or the security guards that tell you you can’t take pictures of a building. The comedians Jon Kenny and Pat Shortt, also known as D’Unbelievables, capture the phenomenon excellently at the start of the performance on D’Video:

I was reminded of “The Man” while reading Bruce Schneier’s blog, where in the UK a four-year-old girl was asked to remove her hoodie for vague “security” reasons:

“She had her hood up on her cardigan, a young lad came across and asked her to take her hood down because of security.”

When Ms Lewis learned what had happened, she spoke to the worker. She said: “He said ‘It’s policy, they don’t allow any hoodies in there.'”

While it would be great in society to slap these people upside the head and tell them to stop acting the maggot, that usually doesn’t help, so we’ll always be stuck with them. Here’s another example of “The Man” from Father Ted:


Script kiddie terrorists

When I was growing up in the 80s, home computers were very new to people and so was the concept of hacking. I remember relatives and friends worrying about plugging their computers into the wall because they might get hacked. They assumed that hackers could get in over the electrical cord. To me at the time it was preposterous and silly, and I would have to explain to them why they had nothing to worry about. Of course now people are educated and have a better idea of how computers work, though hacking as a problem never went away. (Though electrical cord hacking could now be possible, since there are proposed techniques for routing internet over power lines.)

The media, both news outlets and entertainment, I always felt were to blame, as they usually showed hacking in some easy-to-follow way that would sell well either on a big movie screen or when described in a newspaper. For the record, there has only been one relatively accurate example of hacking in a movie, and it was in The Matrix Reloaded, when Trinity uses an SSH exploit to gain access to a machine so that the grid of the city can be shut down. It is a blink-and-you-miss-it moment.

In the world of computers there are two types of problem hackers:

  1. Crackers, who are highly intelligent and figure out more and more inventive ways to break into machines and do malicious damage. There are not many people like this, but they can be very dangerous if they get influenced and pointed in the wrong direction.
  2. Script kiddies, who are fairly so-so computer users that get their hands on hacking techniques that are floating around the dark fringes of the internet, usually in script form. There are a lot more of these guys than crackers, and while they cause damage, they are in the main more of a nuisance and provide a level of noise that can make finding the problem crackers harder.

The problem in the media is that they don’t generally make a distinction between crackers and script kiddies, and all hacking events are given the same level of gravitas.

I can’t help feeling that the recent spate of terrorist events in London, Glasgow and New York are merely script kiddie terrorists. Don’t get me wrong, they were of sufficient lethalness that there could have been serious injury and loss of life. However, they were failures, and as investigations have proceeded they appear more and more like they have been handed down from a “Terrorism for Dummies” handbook. The media, though, have hyped up the events; I took particular exception to the coverage of the New York JFK plot. There the terrorists were planning to blow up a fuel storage container and hope it would cause a chain reaction and blow up the airport. One quote from U.S. Attorney Roslynn Mauskopf was that it was “one of the most chilling plots imaginable,” and could have caused “unthinkable” devastation. (It was subsequently debunked by security expert Bruce Schneier, who argued that the plot was never operational.)

The media need to get off their “if it bleeds, it leads” mantra and become part of the productive community and educate people as well as inform. The two London car bombs were found before they exploded due to the education of the emergency services (the sharp-eyed paramedic noticing something hinky about a car nearby and reporting it getting special notice). Also, as noted previously, the JFK plot was never even close to being operational, having been shut down by an effective intelligence operation by the Americans. The cracker terrorists are always going to be a problem, unfortunately; there are some amazingly smart people in the world that just really don’t like us no matter what we do. Let’s hope, however, that effective intelligence can catch the script kiddie terrorists while they are only annoying and before they move on to lethal.