Security damn well IS a dirty word, actually

An interesting feature popped up on Ars Technica recently; website journo Nate Anderson discusses how he learned to crack passwords. The feature is good; good enough for me to flag it up despite that journalistic competition thing*. That said, the feature gently nudges – but does not explore – a few important points that …

COMMENTS

This topic is closed for new posts.
  1. Steve 53

    TLS1.2 has been supported in opera for years now

    1. ThomH

      With about one sixth the number of users as 'does it really qualify for the list?' Safari, Opera is not a major browser (sources: StatCounter, W3Counter, NetApplications). Which is a shame.

    2. Trevor_Pott Gold badge

      Paragraph is from an older version; missed that when I added. Should read "Consider the shocking lack of support for DNSSEC, or the fact that amongst the mainstream browsers TLS 1.1 is only enabled by default in Safari and Chrome while TLS 1.2 is only enabled by default on iOS devices!" I am trying to get it changed...

      1. diodesign (Written by Reg staff) Silver badge

        Re: TLS 1.2

        The paragraph has been tweaked.

        C.

  2. Anonymous Coward
    Linux

    It's the people, not the computer

    "The problem with computers today – as with yesteryear – is the abstraction of these operating fundamentals from the usage of the device."

    I think it goes much deeper than this; to me it's the people's lack of interest above anything else, combined with an odd (to me) inability to find the information should they eventually start wondering about some topics.

    I've seen this happening too many times now in too many different areas that I really think this is a fundamental problem. In Java a program starts with the "public static void Main(String[] args)" method. It was one of the first things I got curious about when I dove deeper into Java; why? how?

    When Solaris 10/x86 finally became more mature and started taking off a bit it eventually introduced a new SysV compliant boot mechanism: Manifests. You'd write an XML file to describe the program or service (name, start/stop method and any optional or mandatory dependencies) and import it into the main structure. It was quite sophisticated and worked very well. Also because this same system could also monitor its services for availability.

    Yet so many people couldn't be bothered to look into this (it wasn't that hard) and simply relied on the previous (and still supported) rc.d structure. Nothing wrong with that, sure, but I really sensed a lack of interest. And a missed opportunity, because this system was extremely powerful when used right.

    Heck, I also see it with my current endeavours. I recently dove deep into ASP.NET, and I'm actually enjoying the ride too. By default a webpage in an ASP forms project "simply" needs a method "Page_Load()" to start your code. I'm a bit too new with this to name the parameters from memory, but one of them is of type "Eventargs". So why does this get started, magic? I don't think so....

    When you dive into this stuff you'll learn that /everything/ including the webpages themselves are objects (classes) and that by default the environment scans a Page class derivative for methods such as Page_Load(), Page_Init() or even Page_PreInit().

    And after you found out about this it starts to make much more sense, because the real method which you'd normally use is: protected void override OnLoad(Eventargs e). This "easier approach" is simply activated by default due to an option called "autoEventWireup".

    Yet so many people can't seem to get their heads around this, or couldn't care less about the why and how...

    Just a few examples which stuck with me; but there's so much more than that.

    It's not the computers which make everything easier; it's the people who lost their curiosity and interest to find out and discover for themselves why and how things work.

    Tux; because most people I know using Linux still have this strong curiosity and interest. Even though in many cases it doesn't go beyond Linux.

    1. Anonymous Coward
      Anonymous Coward

      Re: It's the people, not the computer

      Without all the technical talk the bottom line of security is securing the weakest link.

      The weakest link is the human being: if the human being clicks on a link that promises free porn or clicks on a link from his 'Bank' stating he needs to verify his user account, then no amount of security or perceived protection will save him.

      Just as I don't have to know how to re-wire my house or strip an engine down to rebuild it or fix a leaking pipe, I can call on the expertise of someone who can.

      Granted I could learn these things myself over time, but all I need to know is where to go and what not to do to successfully sort out the problem.

      1. Craig 8
        Holmes

        Re: It's the people, not the computer

        Some people are unscrupulous, and some people are gullible, and no amount of technology is going to change that.

        It's not necessary to understand how to build a car in order to drive one, and I don't suppose anyone thinks mechanical engineering should be part of the driving test, so what happens? You take your car in for service and the garage tries it on by saying "your brake disks are under tolerance, you need new ones to be safe" which, if you have any sense, you politely decline. This happened to me a few years ago and I took the same car back to the same garage a year later and, for laughs, said "can you be sure to check out the brakes please?" and they came back and said "your brakes are fine, but we need to do [this other expensive work]". This was not a backstreet operation, it was a main dealer for a prestige brand, incidentally.

        Perhaps what we need to do is stop wringing our hands about bad people using the Internet and just deal with it. You don't trust everyone you meet face-to-face, so don't trust people you "meet" on the Internet.

        1. AndrueC Silver badge
          Childcatcher

          Re: It's the people, not the computer

          You don't trust everyone you meet face-to-face, so don't trust people you "meet" on the Internet.

          Nor every aspect of the APIs you use :)

      2. Marcelo Rodrigues
        Boffin

        Re: It's the people, not the computer

        Just as I don't have to know how to re-wire my house or strip an engine down to rebuild it or fix a leaking pipe, I can call on the expertise of someone who can.

        No, You surely don't have to - nor should. BUT

        Having a rough idea about the thing makes You able to use it better - and safer.

        Consider Your house wiring. No, You don't have to know how to re-wire your house. But by knowing that a thicker wire can transport more energy, that it gets hotter in the process - and that this is how a fuse works - You stand a better chance of not overloading the system.

        You don't have to know how to strip an engine. But knowing the basics makes You a safer driver. You will know not to exceed the maximum RPM (and why), will not forget to change the oil, and will understand the benefits and limitations of engine braking.

        1. AndrueC Silver badge
          Thumb Up

          Re: It's the people, not the computer

          Having a rough idea about the thing makes You able to use it better - and safer

          Yeah, that's true. It's also true that knowing the basics can make the other stuff easier. I've heard that knowing Latin makes understanding modern languages a lot easier and, as you say, knowing roughly how a car works will help make you a better driver.

          I'm not advocating the totally blinkered view. Just pointing out that life is a compromise and we should accept that and work with it rather than expecting the unlikely. As I suggested: Don't expect people to invest the time and effort in understanding black boxes. Just give them a better black box in the first place :)

    2. AndrueC Silver badge
      Thumb Up

      Re: It's the people, not the computer

      It's not the computers which make everything easier; it's the people who lost their curiosity and interest to find out and discover for themselves why and how things work

      Or maybe they are paid for the work they actually produce and can't justify spending hours discovering how the wheel was invented.

      Sorry. I didn't mean that to sound snide - you make a good point. I just don't think it reasonable to expect today's software developers to understand every last aspect of their trade. Or where does it end? Am I to be prevented from writing software until I can describe the design of logic gates for AND, OR, NOT? Or perhaps I have to demonstrate an understanding of electron flow inside a transistor? Or perhaps being able to quote Faraday's various laws is essential?

      Unfortunately we have to draw the line somewhere and today's IT markets are fast paced and schedule driven. Very few people in IT can afford to devote time to wondering about the how and why of a black box whether it be a logical black box or one that a courier has just delivered. What we need to do is make better black boxes not require everyone to understand them :)

      Anyway just to repeat, I liked your post :)

      1. Anonymous Coward
        Anonymous Coward

        Re: It's the people, not the computer

        "Am I to be prevented from writing software until I can describe the design of logic gates..."

        No, you should not be prevented. Everyone is a n00b sometime. Though, if you are serious, then you'll want to know how it works. I dare say that anyone, even a casual user, will benefit from a general understanding of the underlying principles.

    3. John Sanders
      Linux

      Re: It's the people, not the computer

      I do agree with you wholeheartedly; why, in this day and age, with computing technology being so accessible to everybody, some people still struggle with things as basic as where to save files goes beyond my comprehension.

      People already deal with insane levels of complexity when it comes to administrative stuff and regulations, yet they are unable to grasp what a program is and why installing programs at random from the net is a security risk.

      When it comes to professionals, I'm amazed that most cannot separate the different components of what constitutes an OS, or what file formats are, etc.

  3. nuked

    Good point well put

  4. Anonymous Coward
    Anonymous Coward

    ...while TLS 1.2 isn't implemented by any!

    Actually, the sheer irony here is that Internet Explorer has had TLS 1.2 support since IE8...

    Disabled by default though.

    1. TeeCee Gold badge
      WTF?

      Re: ...while TLS 1.2 isn't implemented by any!

      Hmm, well this 'ere version of IE8 on XP only offers 1.0 as an option.

      Maybe 9??

      1. djack

        Re: ...while TLS 1.2 isn't implemented by any!

        TLS (and most other crypto) in IE and IIS (and many others) is handled by SCHANNEL, which I believe to be a component provided by the operating system, so it is more correct to comment on the capabilities of various versions of Windows as opposed to the applications that make use of whatever is offered. Basically, Windows XP does not support TLS 1.2 but Windows 7 may well do.

        Of course, most multi-platform pieces of software will be using some other crypto library.

    2. Gordon Fecyk
      Stop

      I was waiting for this...

      Actually, the sheer irony here is that Internet Explorer has had TLS 1.2 support since IE8

      ...actually, IE depends on the crypto suite of the host OS. On XP, only TLS 1.0 and previous SSL versions are supported. To do TLS 1.1 and 1.2 in IE, you need Vista, 7 or 8, or corresponding server version.

      And there are too many banking sites that don't have TLS 1.1 or 1.2 support in their servers. I can't cite any one bank out of good conscience, but I can say that Symantec doesn't enable it on their MessagelabsSymantec.Cloud pages. I had to argue with a support droid about that. (ugh, you know I used to like Messagelabs).

      1. Dan 55 Silver badge

        Re: I was waiting for this...

        One would have thought that MS would have backported the crypto suite in Vista and 7 to XP, it is a security fix after all. Perhaps they're not as focused on security as they would have us imagine.
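As an added example, not code from the thread: a PowerShell check of the per-OS SCHANNEL protocol settings that djack and Gordon Fecyk describe as deciding what IE (and IIS) can negotiate. It assumes the standard registry layout of `Protocols\<name>\Client|Server` keys holding `Enabled` and `DisabledByDefault` DWORDs; where no key exists it reports "OSDefault" rather than guessing, because that default depends on the Windows version.

```powershell
# Added example: report the explicit SCHANNEL protocol overrides on this host.
# Absent keys mean the OS default applies (which differs between XP, Vista, 7, ...),
# so they are reported as OSDefault instead of being inferred.
function Get-SchannelProtocolState {
    [CmdletBinding()]
    param(
        [string[]]$Protocol = @('SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'),
        [string[]]$Role     = @('Client', 'Server')
    )
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
    foreach ($p in $Protocol) {
        foreach ($r in $Role) {
            $key = Join-Path (Join-Path $base $p) $r
            $enabled = $null
            $disabledByDefault = $null
            if (Test-Path -Path $key) {
                $props = Get-ItemProperty -Path $key
                $enabled = $props.Enabled                    # DWORD; 0 = hard-disabled
                $disabledByDefault = $props.DisabledByDefault # DWORD; 1 = opt-in only
            }
            # Effective state from the two values: Enabled=0 wins, then DisabledByDefault=1,
            # any other explicit value counts as enabled, and no value at all is the OS default.
            $state = if ($enabled -eq 0) { 'Disabled' }
                     elseif ($disabledByDefault -eq 1) { 'DisabledByDefault' }
                     elseif ($null -ne $enabled -or $null -ne $disabledByDefault) { 'Enabled' }
                     else { 'OSDefault' }
            [pscustomobject]@{
                Protocol          = $p
                Role              = $r
                Enabled           = $enabled
                DisabledByDefault = $disabledByDefault
                State             = $state
            }
        }
    }
}

# Usage: list every protocol/role pair; flag anything older than TLS 1.2 that is still enabled.
$states = Get-SchannelProtocolState
$states | Format-Table -AutoSize
$states | Where-Object { $_.Protocol -ne 'TLS 1.2' -and $_.State -eq 'Enabled' } |
    ForEach-Object { Write-Warning "$($_.Protocol) is explicitly enabled for $($_.Role)" }
```

Reading HKLM normally needs no elevation, so this can be run as a plain audit step; applying changes to these keys is a separate, elevated task that should be tested against the applications that rely on SCHANNEL.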

  5. Anonymous Coward
    Anonymous Coward

    "Reverse Engineering"

    I was the generation before "script kiddies" and my choice actions as a teenager have ended up proving invaluable when I've been asked by employers to "reverse engineer" for them. One though tried to put better encryption in to our product than that I had written and ended up locking out source for two weeks. Revert anyone?

    People don't understand security, I've heard PCI-DSS assumed to be compliant by a lock on the door; I winced.

  6. AndrueC Silver badge
    Boffin

    Despite evolving existing interfaces

    Or perhaps because of. It's good that they evolve but the likes of TIFKAM is a yet higher level abstraction and that requires even higher levels of protection underneath. It's the classic 'ease-of-use' v. 'safe-and-secure' balancing act.

    Another side-effect it seems to me is that seasoned, experienced users (the ones best positioned to drive and influence security) tend to be alienated or even behind the curve on UI changes. One scenario I'm concerned about is that a lot of Windows software developers might stick with the traditional desktop and that's not where typical users will be. Yes we can develop for TIFKAM but I bet a lot of us will treat it like cross platform development.

  7. Anonymous Dutch Coward
    Thumb Up

    Economics are the real problem

    I think Trevor hit the nail on the head with the final few sentences. There's a market in breaking security, also some in implementing security at the individual product/company level, but no economic incentive to force better security standards.

    The technical development of the standards/protocols may (does) hit its snags, there may be an insufficient number of skilled people around to efficiently do this, and some standards/protocols may have technical or security deficiencies, but the real problem is that these improvements are not adopted.

    So what could change this economic point of view? Government/trade industry/whatever fines when corps are using insecure technology (e.g. banks on SSL, not latest TLS), when data breaches occur etc. seems to be the only obvious solution here.

    (Whatever its faults, at least PCI DSS has led to improvements in security. These are often implemented and "audited" by incompetents, but hopefully not always)

    What do you guys think?

    (Thumbs up for the article)

  8. P. Lee

    Computing isn't the problem

    It's the Internet.

    Also, it's the way we use metaphors.

    We have a "desktop", but a fundamental aspect of a desktop is that it has physically limited access. Reading pron at your desk may get you fired, but it probably wouldn't result in your bank account being emptied and vast bills being run up on your credit card. The physical presence of a real desktop in a room in a house, up a driveway behind a locked door with possible nosy neighbours, drastically reduces risk.

    We "go to a website" rather than, "run a program we downloaded from somewhere." Yes, HTML/JS are instructions - programmes.

    The Internet dispenses with geography and computers are designed to automate things. Those two elements are dangerous. Being geographically safe, we assume we are logically safe. That's an assumption which doesn't hold true any longer.

  9. Anonymous Coward
    Anonymous Coward

    Now, the REAL Problems

    First, Crypto has been a fixed problem for a long, long time. Except if you are, say, the Russian state and want a modicum of privacy. I have never heard of any serious real-world attacks using the SSL/TLS route.

    The REAL problems are related to the Turing Problem ("prove this algorithm correct") and Money Whores. Money trumps every other consideration in information technology and "doing it right" is in 90% of commercial cases "too expensive, too time consuming, too much effort" etc. etc. Plus, there are tons of amateurs roaming the IT sphere and they simply don't know what they do. Before you come with the "self-trained people are surely best" argument, let me ask if you would like to be treated by a "self-trained medical professional"?

    As a case study proving my arguments:

    Can you explain to me why "RSA security" (nice cynical names they use) needed to

    A) have a single crypto key (Central Secret) for their key generators. No way for users to generate their own keys.

    B) have Excel and Flash on the computers having access to the Central Secret.

    Can you explain why Lockheed Martin chose this shoddy "security" solution ?

    Because all the money thoroughly corrupted Applied Computer Science. Money excuses everything.

    1. Anonymous Coward
      Mushroom

      Also C and C++

      ..are a major source of grave security weaknesses. Why do we still use these languages? Not because they are intrinsically necessary for 100% of their use cases. Because - tata - there is a rich supply of people somewhat able to build contraptions using C and C++. Retraining them to use (say) Ada would impose a cost in the order of three months of salary - so fuck that.

      MS ironically have put serious effort into memory-safe languages, but they still use C and C++ for their Office products, which pose the greatest security risks.

      I am sure China is all for Shopkeepers in IT - it makes their job much easier !

      The pictured nuke has been built after the blueprints I found while sitting in Chengdu, rummaging through a machine in Aldermaston.

      1. Anonymous Coward
        Anonymous Coward

        Re: Also C and C++

        I think you meant to say: "Programmers who don't understand C and C++ are a major source of grave security weaknesses." Tell me what a low(er)-level language has to do with security features? I think you might be trying to say that security is tricky to get right and that we should use well designed libraries to make our code more robust.

        But I may be wrong. You might actually think that C and C++ are a major source of grave security weaknesses. I think you should program in JAVA in that case. (snicker)

      2. Vic

        Re: Also C and C++

        > Retraining them to use (say) Ada would impose a cost

        And wouldn't obviate the problem, even if it would mitigate it to some extent.

        Ariane 501 used Ada. Read the incident report to see why relying on the "safety" aspects of a language is such a bad idea when the beancounters come to call...

        Vic.

  10. ecofeco Silver badge
    Facepalm

    Forget the Higher Levels

    Most people and places can hardly be bothered to do just basic security.

    Password123 anyone?

    1. Trevor_Pott Gold badge

      Re: Forget the Higher Levels

      Correct horse battery staple!

      1. Vic

        Re: Forget the Higher Levels

        > Correct horse battery staple!

        Durka durka mohammed jihad.

        Vic.

        1. Trevor_Pott Gold badge

          Re: Forget the Higher Levels

          MATT DAMON

  11. multipharious
    Pint

    Economics of Security

    I totally agree. Great article Trevor!

    Last RSA there was an interesting bit on game theory using a super simple game called Flip It. I have consumed way more brain cycles than I ever anticipated thinking about system resets as a method to limit dwell time. We all know it as our browser in the VM to protect the base system and data...but apply this to the Data Center.

  12. FlatEarther

    Missing the point

    I think this article misses the point. There is no perfect security. There won't ever be. Do you feel secure behind your locked door at home? Why? You know that someone could break it down if they really wanted to.

    Security is about managing risk. We need to have enough controls to deter and detect bad guys, given the risk. Too much makes it harder for the user (and for businesses). Too little is asking to be ripped off. That's why most SSL exploits are not of concern (but yes, some are). They are theoretical and impractical to reproduce in the wild. The people working on them are part of the process of improving security, not bringers of doom.

    Are you concerned about someone stealing your credit card details and racking up huge bills? You should be a bit, but there's no need to make a fetish out of it. After all the Bank/Visa/MC bears most of the risk and cost.

    And I don't believe that abstraction and lack of understanding of the underlying technology is such an issue. It must be pretty good, otherwise " the growth of deployment seems logarithmic with no asymptote in sight" couldn't happen, or we'd all be broke because the Russian mafia had all our money. Why would a business spend gazillions of dollars improving security by 1% when they could insure me against loss for much less?

    Sure there will be holes. The key is to keep playing the game to stay far enough ahead of the bad guys so your risk is controlled. Your risk will never be 0. That doesn't mean that password123 is a good password.

  13. oralicon
    FAIL

    SSL is broken.....

    ....which is probably why El Reg doesn't bother using SSL/TLS to protect user data on the login or registration pages
