Computer security and the human factor

One of the most important things to remember about security is that it is a process, not a product.  All too often, people think of security as a specific problem with a specific solution.  Unfortunately for us, security (in almost any context) is a moving target.  What was a strong password yesterday is weak today.  There are good reasons to require users to change their passwords, but it’s only part of the solution.  Forcing users to change their passwords too often invariably results in weaker passwords that are easier to remember.

To understand why this is a problem, we first need to define what a strong password is and what makes one weak.  Numeric passwords are the worst, as there are only 10^N possibilities, where N is the number of characters.  Using letters is a little better, as that’s 26^N for English.  Using both upper and lower case gives you 52^N, while a full alphanumeric set gives you 62^N.  Use of a full alphanumeric character set on passwords of 8 characters or more was considered strong enough until recently.  After all, 218 trillion possibilities seems pretty large, doesn’t it?  Considering some of today’s high-end graphics cards can perform over 2 trillion floating-point operations per second, breaking even a completely random 8-character alphanumeric password is trivial.  Adding the full set of special characters on most English keyboards yields an additional 30 characters for 92^N, or 5 quadrillion possibilities for an 8-character password.

You’re probably noticing a problem; we’re out of usable characters.  From this point on, the only way to increase password security is to make them longer and longer.  Obviously we can only keep up with this for so long before technology overtakes our ability to remember a secure password.  Clearly simple password-based security is insufficient for protecting anything of real value.  What’s needed is a multifactor system that uses 2 or more separate components to authenticate a user’s credentials.
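The keyspace arithmetic above, carried through as an added example (not part of the original post): it maps a password to the article's character classes, computes the worst-case time to enumerate the keyspace, and finds the shortest length that survives a target time. The guess rate of 10^12 per second is an assumption chosen for illustration, and the model only applies to fully random passwords.

```python
import string

# Character-class sizes from the text: digits 10, one letter case 26 each,
# alphanumeric 62, plus the article's count of 30 keyboard specials = 92.
SPECIALS = 30                      # article's figure; varies by keyboard
ASSUMED_RATE = 10**12              # guesses per second (assumption)
TEN_YEARS = 10 * 365 * 24 * 3600   # seconds

def alphabet_size(password: str) -> int:
    """Smallest alphabet, built from the article's classes, covering the password."""
    size = 0
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c not in string.ascii_letters + string.digits for c in password):
        size += SPECIALS
    return size

def keyspace(alphabet: int, length: int) -> int:
    """Number of candidate passwords: alphabet^length."""
    return alphabet ** length

def worst_case_seconds(alphabet: int, length: int, rate: int = ASSUMED_RATE) -> float:
    """Time to try every candidate at the given guess rate."""
    return keyspace(alphabet, length) / rate

def min_length(alphabet: int, target_seconds: int, rate: int = ASSUMED_RATE) -> int:
    """Shortest length whose full keyspace takes at least target_seconds to enumerate."""
    needed = rate * target_seconds
    length = 1
    while keyspace(alphabet, length) < needed:
        length += 1
    return length

if __name__ == "__main__":
    for name, alpha in [("digits", 10), ("letters", 26), ("mixed case", 52),
                        ("alphanumeric", 62), ("all keys", 92)]:
        print(f"{name:13} 8 chars: {worst_case_seconds(alpha, 8):14.1f} s, "
              f"length for 10 years: {min_length(alpha, TEN_YEARS)}")
```

Going from digits to the full keyboard roughly halves the required length; after that, only additional characters help, which is the limit the paragraph above describes.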

A multifactor authentication system could be as simple as the combination of a password and a physical token such as a smartcard.  To authenticate, the user must insert the smartcard and type his or her password.  Either factor by itself will be rejected.  The beauty of this system is that any data protected in this way is inaccessible without each piece of the authentication puzzle.
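A sketch of the "either factor by itself will be rejected" rule, as an added example rather than code from the original post. The physical token is modelled as an HMAC challenge-response device, which is an assumption standing in for a smartcard (real cards usually hold an asymmetric private key); all function names are hypothetical.

```python
import hashlib
import hmac
import secrets

PBKDF2_ROUNDS = 200_000  # assumed work factor for this example

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

def enroll(password: str):
    """Create the server-side record and the secret provisioned into the token."""
    salt = secrets.token_bytes(16)
    token_key = secrets.token_bytes(32)
    record = {"salt": salt,
              "pw_hash": hash_password(password, salt),
              "token_key": token_key}
    return record, token_key

def new_challenge() -> bytes:
    """Fresh random challenge per login, so an old response cannot be replayed."""
    return secrets.token_bytes(16)

def token_respond(token_key: bytes, challenge: bytes) -> bytes:
    """Computed inside the token; the key itself never leaves the device."""
    return hmac.new(token_key, challenge, hashlib.sha256).digest()

def authenticate(record, password: str, challenge: bytes, response: bytes) -> bool:
    """Accept only when BOTH factors verify.

    Both checks always run, and comparisons are constant-time, so a failure
    does not reveal which factor was wrong.
    """
    pw_ok = hmac.compare_digest(
        hash_password(password or "", record["salt"]), record["pw_hash"])
    expected = token_respond(record["token_key"], challenge)
    token_ok = hmac.compare_digest(expected, response or b"")
    return pw_ok and token_ok

if __name__ == "__main__":
    record, card = enroll("correct horse battery")   # constructed sample password
    ch = new_challenge()
    print(authenticate(record, "correct horse battery", ch, token_respond(card, ch)))
    print(authenticate(record, "correct horse battery", ch, b""))  # password only
```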

A system is only as secure as its weakest link.  In many cases we humans are unfortunately that link.  We have limited memory and are vulnerable to social engineering attacks that get us to reveal sensitive information to complete strangers.  A strong password is useless if a user gives that password away or writes it down.  Adding a unique physical component to the equation raises the level of difficulty for an attacker significantly.

Apple’s just the latest punching bag…

It seems everywhere I go online, there’s another person spouting off on what’s now been dubbed Antennagate.  Most of the commentary is uninformed drivel regurgitated from the myriad sloppy reporting circulating the net.  Some are the usual malcontents looking for something to gripe about, while others are just having a good time making fun of what they see as a big corporate snafu.

All of the fuss has centered on what is being commonly referred to as the “death grip,” where a user covers a large portion of the phone while gripping it tightly.  The weak spot, in the case of the iPhone 4, is a gap between the phone’s two antennas.  What’s known is that the conductivity of the average human hand is enough to have an effect on reception when this gap is bridged (especially when that hand is moist).  Brian Klug and Anand Lal Shimpi of AnandTech.com explained it best in an article published on June 30th.  That was a full 2 weeks before Bloomberg’s July 15th article that claimed Apple was warned about the antenna design by senior engineer Ruben Caballero.  Apple CEO Steve Jobs called the Bloomberg article “a crock” and “total [BS].”  (Caballero has not come forward publicly to either confirm or deny the accusations.)

The article on AnandTech.com clearly backs up several claims made by Apple at their recent press conference (July 16th):

  • The iPhone 4 isn’t perfect
    • signal can be affected by bridging the gap (worst case -24dB)
  • Other phones experience the same kind of signal attenuation when gripped in certain ways
  • The worst case signal loss doesn’t occur in normal use even in poor coverage areas.  Exceptions to this are solved by using a case.

So what does all this mean?  Yes, Apple made a design decision that affected the performance of the iPhone 4 antenna.  Does it matter? No.  The new design is more sensitive and generally makes up for the possibility of attenuation.  I’ve confirmed Apple’s claims myself.  When you’re in an area with good coverage, it’s nearly impossible to disrupt the signal. It’s only in areas of strong interference or poor coverage that the so-called death grip has any effect.  (The same goes for the single-finger bridging technique.)  There is a problem here, but it’s not as big or important as some in the media want it to be.  Nothing to see here folks… move along.

Is DHS overstepping its authority?

After a recent lapse in security allowed Umar Farouk Abdulmutallab to carry an explosive device aboard a U.S.-bound aircraft, the Transportation Security Administration created and distributed a security directive which was leaked to 2 bloggers.  Stephen Frischling and Chris Elliot, both travel bloggers, received copies of the confidential TSA directive.  Two days later, agents of the TSA appeared at the homes of both men with subpoenas demanding to know their sources.  How far does the authority of DHS and the TSA extend?  Is the TSA overstepping its authority by sending agents to serve subpoenas and collect evidence and testimony?  Perhaps I’m confused, but this seems like the specific territory of the FBI.

When U.S. President George W. Bush created the Department of Homeland Security on Nov. 25, 2002, the goal was to improve communication and response time by bringing a host of government entities under one umbrella.  DHS integrates elements of government such as the Coast Guard and Border Patrol, but does not include agencies such as the FBI, CIA or NSA (though DHS does coordinate communication between these agencies in matters relating to terrorist threats).

The TSA is understandably concerned about leaks from within their ranks, but I think they need to look at the larger situation.  A bad decision was made in releasing the directive at all.  It’s obvious to even the casual reader that very little thought went into its creation.  The directive was a knee-jerk reaction to a situation caused by a lapse in intelligence.  In typical TSA fashion, the directive did very little to address the root of the problem and focused primarily on instilling fear and confusion in the minds of travelers.  DHS and the TSA would be better off putting their collective effort into fixing the problem that led to the intelligence failure.