PKI vs. KISS

“Jon Udell writes”:http://weblog.infoworld.com/udell/2003/09/28.html#a809 about a new “edge” security technology:

bq. CoreStreet has just signed a deal with Swedish locksmith Assa Abloy that will enable doors to enforce highly granular card access policies without wired (or wireless) connections. When an employee swipes a card at the main entrance, it’s refreshed with a daily set of proofs. The door need only check that the proof binds a resource (itself) to an identity (the employee) at a certain time (today).

bq. CoreStreet’s president, Phil Libin, sketches another interesting scenario. Suppose an employee needs a proof to access her own laptop but can’t contact the network. Since proofs are minimally just 20 bytes, it’s feasible to convey one in a phone call.

This sounds like exactly the sort of problem that PKI was supposed to solve, and utterly failed to: an offline device deciding, on its own, whether a given identity may use a given resource today. A certificate-based design would have the door validate a chain and then check revocation status; here the door compares a 20-byte proof against something it already holds. I find this somewhat ironic in the aftermath of “Baltimore’s demise”:http://www.guardian.co.uk/business/story/0,3604,1047749,00.html.

The full story is available at “Infoworld”:http://www.infoworld.com/article/03/09/26/38OPstrategic_1.html.
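As an added illustration of the offline check the quoted passage describes (this is not CoreStreet’s code; the hash-chain construction is an assumption chosen because a 20-byte proof is exactly one SHA-1 output, and the names `Issuer`, `Door` and `CHAIN_DAYS` are invented for the example): the issuer hashes a secret seed N times and installs the end of the chain on the door once; the proof for day d is the chain value that lands on that stored commitment after exactly d more hash steps, so the door needs nothing but its own day counter to verify it.

```python
import hashlib
import hmac
import os

# Length of each hash chain: one proof per day for a year of enrollment (assumed figure).
CHAIN_DAYS = 365


def one_way(value: bytes) -> bytes:
    """One step of the chain. SHA-1 gives the 20-byte size the article quotes for a proof."""
    return hashlib.sha1(value).digest()


def iterate(value: bytes, steps: int) -> bytes:
    """Apply the one-way function `steps` times."""
    for _ in range(steps):
        value = one_way(value)
    return value


class Issuer:
    """The online side: keeps a secret seed per (card, door) and releases one proof per day."""

    def __init__(self, days=CHAIN_DAYS):
        self.days = days
        self.seeds = {}

    def enroll(self, card, door):
        """Create a chain for this card/door pair; return the commitment the door will store."""
        seed = os.urandom(20)
        self.seeds[(card, door)] = seed
        return iterate(seed, self.days)

    def daily_proof(self, card, door, day):
        """The proof for `day` is the chain value `day` steps short of the commitment.

        Not calling this is revocation: without today's value the card cannot open the door.
        """
        if not 1 <= day <= self.days:
            raise ValueError("day outside the enrolled chain")
        return iterate(self.seeds[(card, door)], self.days - day)


class Door:
    """The offline side: its own identity, a day counter, and one commitment per enrolled card."""

    def __init__(self, door_id, days=CHAIN_DAYS):
        self.door_id = door_id
        self.days = days
        self.commitments = {}

    def install(self, card, commitment):
        self.commitments[card] = commitment

    def check(self, card, proof, today):
        """Hash the proof forward `today` times; it must land exactly on the stored commitment."""
        commitment = self.commitments.get(card)
        if commitment is None or len(proof) != 20 or not 1 <= today <= self.days:
            return False
        return hmac.compare_digest(iterate(proof, today), commitment)


def scenario():
    """Constructed walk-through: one card enrolled on two doors, checked on day 3."""
    issuer = Issuer()
    front, lab = Door("front"), Door("lab")
    for door in (front, lab):
        door.install("alice", issuer.enroll("alice", door.door_id))
    p_front_2 = issuer.daily_proof("alice", "front", 2)
    p_front_3 = issuer.daily_proof("alice", "front", 3)
    p_lab_3 = issuer.daily_proof("alice", "lab", 3)
    return {
        "valid_today": front.check("alice", p_front_3, 3),
        "lab_ok": lab.check("alice", p_lab_3, 3),
        "stale_tomorrow": front.check("alice", p_front_3, 4),       # yesterday's proof, today
        "yesterday_replayed": front.check("alice", p_front_2, 3),   # same thing from the other side
        "wrong_door": lab.check("alice", p_front_3, 3),             # resource binding
        "unknown_card": front.check("bob", p_front_3, 3),           # identity binding
        # Hashing a released proof forward yields an *earlier* day's value, never a later one,
        # so holding today's proof does not let anyone mint tomorrow's.
        "derived_equals_yesterday": one_way(p_front_3) == p_front_2,
    }


if __name__ == "__main__":
    for name, result in scenario().items():
        print(f"{name:26} {result}")
```

The door’s day counter is the whole trust anchor here: a settable or drifting clock is what turns a stale proof back into a valid one, and an attacker who can roll the counter backwards needs no cryptography at all. The per-(card, door) chain is the simplest variant; how the real product aggregates proofs across many doors is not described in the article and is not modelled above.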

posted at 6:11 pm on Sunday, September 28, 2003 in Security | Comments Off on PKI vs. KISS

The Myth of ROI

An internal news clipping service led to a Google search, and I eventually found the original article “Information Security ROI: Not Every Expense Is an Investment”:http://www.metagroup.com/cgi-bin/inetcgi/jsp/displayArticle.do?oid=41867 by Tom Scholtz of “the META Group”:http://www.metagroup.com/.

bq. “Organizations should not consider every expense to be an investment,” adds META Group analyst Chris Byrnes. “Many security expenditures are completely valid and necessary and even legally required, but they are not investments that will produce a quantifiable return. In many instances, ‘What is the return on investment?’ is simply the wrong question to ask.”

This is true of many more things than Information Security, or even IT. Money is not always the right measure; sometimes it’s completely misleading (this is particularly true of environmental issues, but that’s a separate rant).

I’m glad to see someone “official” saying this for a change…

(The META Group article was originally published on 17 July 2003; why is it making the news in September?)

posted at 9:55 am on Friday, September 19, 2003 in Links, Security | Comments Off on The Myth of ROI

Identity Theft

The ideas in “David Brin”:http://www.davidbrin.com/’s “Transparent Society”:http://www.davidbrin.com/privacyarticles.html are interesting. On the other hand, “This article on identity theft”:http://www.pbs.org/cringely/pulpit/pulpit20030911.html is a major reason why I am a privacy advocate.

posted at 12:43 pm on Friday, September 12, 2003 in Current Events, Security | Comments Off on Identity Theft

Brazen Computer Theft

Proving that you can do _anything_ simply by looking official, a couple of thieves “stole two mainframe computers”:http://www.smh.com.au/articles/2003/09/04/1062548967124.html from Sydney International Airport.

bq. They presented themselves to the security desk as technicians sent by Electronic Data Systems, the outsourced customs computer services provider which regularly sends people to work on computers after normal office hours.

bq. After supplying false names and signatures, they were given access to the top-security mainframe room. They knew the room’s location and no directions were needed.

bq. Inside, they spent two hours disconnecting two computers, which they put on trolleys and wheeled out of the room, past the security desk, into the lift and out of the building.

posted at 4:11 pm on Friday, September 05, 2003 in Security | Comments Off on Brazen Computer Theft

People Still Don’t ‘Get’ Passwords

“blog.org”:http://blog.org/archives/cat_security_and_encryption.html#000745 → “The Register”:http://www.theregister.co.uk/content/55/30324.html :

bq. Nine in ten (90 per cent) of office workers at London’s Waterloo Station gave away their computer password for a cheap pen, compared with 65 per cent last year.

bq. Workers were asked a series of questions which included: What is your password? Three in four (75 per cent) of people immediately gave their password.

bq. If they initially refused they were asked which category their password fell into and then asked a further question to find out the password.

bq. A further 15 percent were then prepared to give over their passwords, after the most rudimentary of social engineering tricks were applied.

bq. The most common password was “password” (12 per cent) and the most popular category was their own name (16 per cent) followed by their football team (11 per cent) and date of birth (8 per cent).

We put a lot of time and effort into getting the security right in our software. It’s nice to know that all that effort isn’t going to waste; people are forced to give away their passwords in order to compromise the system :-)

(That’s sar- I say, that’s sarcasm, boy.)

posted at 9:08 am on Friday, May 23, 2003 in Security | Comments Off on People Still Don’t ‘Get’ Passwords

The Cost of Lost Passwords

According to an article in silicon.com titled “IT Helpdesks suffering user password hell” (login as guest and search for the article):

bq. Up to 80 per cent of calls received by helpdesk staff are from end users who’ve forgotten their passwords – and with each support call costing organisations around £15, the problem is not as trivial as it may sound.

Yes, it’s a UK study. The study goes on to conclude that what’s required is a fast system for resetting passwords. I maintain that what’s required is better authentication techniques, such as smart-card-based key pairs: a private key that never leaves the card is nothing the user has to memorise, forget, or read out to the helpdesk. Sadly, while the technology has been commercially available for more than a decade, we still can’t get vendors to use it.

posted at 9:18 am on Thursday, January 16, 2003 in Security | Comments Off on The Cost of Lost Passwords