From: Noob on 30 Mar 2010 07:28

Gordon Burditt wrote:
> I have yet to find one of these systems that actually
> insists on a date where the question asks for a date.

My health insurance company insists that my password consist EXCLUSIVELY of the characters '0'-'9' (i.e. password=number), practically begging users to pick dates for their password.

Talk about EPIC FAIL...
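As an added illustration of the digits-only policy complained about above (example code, not from any poster in the thread): a small policy check that flags numeric passwords which parse as a calendar date in common layouts, next to a comparison of the date search space with the full digit space. The format list and the 100-year window are assumptions for the demonstration.

```python
"""Added example: why a digits-only password policy invites date passwords."""
import math
from datetime import date

# Digit-only date layouts a user is likely to type (assumed list, not exhaustive).
# Each entry maps a layout name to a splitter returning (year, month, day).
# Two-digit years are validated as 20YY; 2000 is a leap year, so 290200 is accepted.
FORMATS = (
    ("DDMMYYYY", lambda s: (int(s[4:8]), int(s[2:4]), int(s[0:2]))),
    ("MMDDYYYY", lambda s: (int(s[4:8]), int(s[0:2]), int(s[2:4]))),
    ("YYYYMMDD", lambda s: (int(s[0:4]), int(s[4:6]), int(s[6:8]))),
    ("DDMMYY", lambda s: (2000 + int(s[4:6]), int(s[2:4]), int(s[0:2]))),
    ("MMDDYY", lambda s: (2000 + int(s[4:6]), int(s[0:2]), int(s[2:4]))),
)


def looks_like_date(pw: str):
    """Return the first layout name under which pw is a valid date, else None."""
    if not pw.isdigit():
        return None
    for name, split in FORMATS:
        if len(pw) != len(name):
            continue
        try:
            year, month, day = split(pw)
            date(year, month, day)  # raises ValueError for 31 Feb, month 25, etc.
            return name
        except ValueError:
            continue
    return None


def date_space_bits(years: int = 100) -> float:
    """log2 of the number of distinct calendar days in a `years`-long window."""
    return math.log2(years * 365.25)


def digit_space_bits(length: int) -> float:
    """log2 of all digit-only strings of the given length."""
    return length * math.log2(10)


def policy_verdict(pw: str) -> str:
    """Defender-side check: reject digit-only passwords that are plausibly dates."""
    layout = looks_like_date(pw)
    if layout is not None:
        return f"reject: parses as a date ({layout})"
    return "accept"


if __name__ == "__main__":
    print(policy_verdict("25121999"), policy_verdict("8675309"))
    print(f"8 digits: {digit_space_bits(8):.1f} bits; 100 years of dates: "
          f"{date_space_bits():.1f} bits")
```

Constructed inputs such as "25121999" are rejected while a non-date number passes, and the bit counts show a date guess space that is roughly eleven bits smaller than the nominal eight-digit space.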
From: bmearns on 30 Mar 2010 08:24

On Mar 30, 4:47 am, Mok-Kong Shen <mok-kong.s...(a)t-online.de> wrote:
> bmearns wrote:
> > Mok-Kong Shen wrote:
> >> The Wall Street Journal of 26-28 March says that a Frenchman having
> >> "no training in computers" was able to hack within hours into Twitter
> >> accounts, including that of the US President. So how much "practical"
> >> cyber security is really there today, despite the availability of such
> >> nice theoretical results as those of provable crypto security?
> > I think calling it a "hack" is being extremely generous and pretty
> > misleading. He gained access to the accounts by guessing the answers
> > to password-reminder questions.
> >
> > But to answer your question: a system is rarely any smarter than the
> > person who designed it, and since it's trivially easy to set up pretty
> > looking web applications without actually knowing anything about
> > crypto, security, or even networks in general, there are a large
> > number of disastrously insecure systems out there. The hard truth is
> > that the practical onus is on the user to understand what they're
> > getting themselves into. Unfortunately, this is rarely ever the case
> > and most people don't think twice about what they're doing online,
> > which is a big part of why identity theft has become so common in
> > recent years.
>
> But isn't this analogous to the situation where a learned teacher in
> school is very bad in pedagogy such that his pupils' performance is
> poor? I mean people in the crypto field are at least to some degree
> responsible for the poor "practical" security.
>
> M. K. Shen

I don't think that analogy is at all relevant. If you decide to build a house for yourself, it's your responsibility to learn how to do it right. No one else has any obligation to make sure you know what you're doing.

Likewise, if somebody is taking it upon themselves to develop a web application that handles user logins, it is their responsibility to learn how to do that correctly. If cryptography had contributed to the problem, then sure, you could argue that cryptography has some responsibility for resolving the problem as well. But all crypto has done is provide ways to increase security. If people choose not to use them or are ignorant of them, I don't see how the crypto community is responsible for that.

If there's blame to be assigned (and I'm not entirely convinced that there is), I think a significant portion should belong to the companies who have marketed computers and the Internet as an appliance. That's simply not the case; you can't just buy a computer, plug it in, and expect everything to work correctly and safely. There's a non-trivial amount of uncommon knowledge necessary to really appreciate the implications of what you're doing and what others are having you do.

-Brian
From: Nils o. Janus on 30 Mar 2010 10:00

On Tue, 30 Mar 2010 10:37:42 +0200, Mok-Kong Shen <mok-kong.shen(a)t-online.de> wrote:
>
> > You should make the answers type-incorrect as well as wrong
>
> The idea of type-incorrect wrong answers is excellent in my humble view.

I second that as a quick and easy way to provide some additional level of security to services insisting on using password reminders, which I personally don't appreciate at all if they allow an attacker to reset the password of an account for which he has just guessed the correct answer to the security question.
From: Richard Outerbridge on 30 Mar 2010 10:13

In article <3fbc3277-ac9b-4e5c-beed-bb9dccfd3029(a)33g2000yqj.googlegroups.com>, bmearns <mearns.b(a)gmail.com> wrote:
> If there's blame to be assigned, (and I'm not entirely convinced that
> there is) I think a significant portion should belong to the companies
> who have marketed computers and the Internet as an appliance. That's
> simply not the case; you can't just buy a computer, plug it in, and
> expect everything to work correctly and safely. There's a non-trivial
> amount of uncommon knowledge necessary to really appreciate the
> implications of what you're doing and what others are having you do.

Ah, but that's the end-use case we're dealing with: why is my computer any different than my microwave?

Or maybe we need to require computer operator licenses, like driver's licenses and (in Canada) gun licenses?

outer
From: Datesfat Chicks on 30 Mar 2010 10:22

"Mok-Kong Shen" <mok-kong.shen(a)t-online.de> wrote in message news:hoq59e$9sr$00$1(a)news.t-online.com...
> The Wall Street Journal of 26-28 March says that a Frenchman having
> "no training in computers" was able to hack within hours into Twitter
> accounts, including that of the US President. So how much "practical"
> cyber security is really there today, despite the availability of such
> nice theoretical results as those of provable crypto security?

Let me make two observations:

a) First, it is quite rare that an attack involves the mathematical backbone of security (peer-reviewed encryption standards, cryptographic hash functions, etc.). The attack will most commonly involve the weakest link (password reminder questions, weak passwords, etc.). I don't remember an attack in recent history involving, for example, cracking an HTTPS exchange. So your observation about "practical" cybersecurity is completely insightful and relevant.

b) Second, there are economic forces, human factors, and competing constraints that virtually ensure poor security. For example ...

b1) Twitter will be under economic pressure to provide "password reminder" questions as an option for password recovery. If they don't do this, they will have to hire far more employees for call centers, etc. to talk to users about password recovery and go through a more careful process.

b2) Twitter is under economic pressure to not force users to choose strong passwords (if they do, a fraction of users will become frustrated and not use Twitter).

b3) Although it is best practice, users for obvious reasons don't choose different passwords for all accounts. And in addition, some choose poor passwords! This is a facet of being human.

http://www.betanews.com/article/Security-report-Web-users-pick-passwords-that-are-way-too-easy-to-hack/1264090241

This is a "competing constraint" in that human memory is in conflict with having every password distinct.

One answer: competing constraints.

Datesfat