Josh's Blog

Bruce Schneier has an interesting take on Security and Function Creep.

He raises a lot of great points about security systems taking on new tasks they weren't originally designed for. This is quite natural in the evolution of things. Not all evolution make sense. The six armed monkey never caught on, as poop flinging wasn't a historically desirable trait until the creation of the modern zoo.

I can't help but wonder about how Open Source fits into this though. Bruce has a quote in his article

... and the same operating systems that run our businesses are suitable for military uses.

SELinux makes me wonder about this. SELinux was born from the NSA, a government group which does nothing without security in mind (or at least I hope so). I will agree that most operating systems aren't suitable for military use, but something like Open Source can change the game. If the square peg doesn't fit in the round hole, what happens if it can be turned into a round peg? Open Source can allow this to happen. The group actually running the software can make changes as needed so the software fits their task at hand.

More thought and discussion needs to go into this idea, but Open Source is very powerful, more powerful than most of can even imagine. The old saying "all of us are smarter than one of us", while corny, is very true. Security folks are generally bad UI designers, and UI designers are generally bad at security. Open Source can make it easy for these two groups to work together and accomplish great things.

It seems that a number of Twitter accounts have been compromised:

Twitter resets passwords after phishing attack

The article suggests that many of the accounts in question may be from phishing or from a third party torrent site. This is a fine opportunity to talk about password security. I wouldn't be surprised at all if a fair number of accounts were compromised because of reused passwords.

There are some people who like to complain about password tracking tools like Password Safe and pieces of paper, but in all honesty, they work better than most brains. I would guess the average person can't remember more than two or three passwords at a time, and they're probably not very good ones at that. One of them is likely their ATM PIN of 1234. If you're some sort of super genius who can remember hundreds of passwords, and you read this blog, I don't believe you. Quite often the concept of perfect can interfere with our ability to get things done. In most instances, a perfect solution is unattainable, where good enough is possible and is better than it was previously.

Attacks like this have happened more than once, I've had it happen to me. I used to use a throw away password for all my public mailman accounts (this was before I realized that mailman will randomly assign me a password, as I never actually need it). That password was then later used to attempt to gain entry to private archives to a list I'm on. I didn't use that password there, but this made me understand that it was time to get serious about my passwords. I now use a tool called pwsafe, which uses the Password Safe database format for storing passwords. I of course don't use this for any REALLY important passwords (I keep those in my brain, and they're not near as impressive as the pwsafe passwords).

If you're like most people, and use a couple of passwords everywhere, please stop doing that. Find a good password generating tool, and either use a piece of paper or something like password safe to store them. The other big advantage to using not your brain to store passwords, is that it's much easier to change them. How many of you have been using the same password for five years, because it's too annoying to think up a new good password? Lots of us do that, it's hard to change.

Remember, good enough is the goal, not perfect.