Archive for January, 2010

RockYou and Password Choices

January 22nd 2010

A social networking site called Rockyou.Com was hacked a few months ago, and someone was thoughtful enough to tell them about it in December. After some dithering, they announced it to their user community.

Unfortunately, they were trying to do site aggregation stuff – using other site login credentials to link that site to theirs. All very Web 2.0. All very dangerous, especially since passwords were stored in plaintext. Thus, the attackers collected 32 million user login credentials: IDs, passwords, e-mail addresses. This was courtesy of a cross site scripting vulnerability.

John, a former colleague, sent me a note about a security group named Imperva that analyzed the list of passwords.

The actual report is poorly drafted – you can’t tell how much of the database they really analyzed, or how they chose a set to analyze. However, it seems that they analyzed a sampling of the passwords and compiled a list of the 5,000 most common ones. Which they didn’t share. They did share a list of the 20 most common: the most common word was “Password” while “princess” and “Nicole” were the most common names.
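The kind of frequency analysis the report describes, as an added example that is neither the post's nor Imperva's code: it case-folds a constructed sample of passwords (not RockYou data), lists the most common choices, measures what share of accounts the top N entries cover, and turns that list into a blocklist a registration form can check. The sample, the 8-character minimum and all function names are assumptions.

```python
from collections import Counter

# Constructed sample of leaked passwords, one entry per account. Not RockYou
# data; the shape is chosen so that a few choices dominate, as in the report.
SAMPLE_PASSWORDS = [
    "Password", "password", "123456", "princess", "Nicole", "123456",
    "iloveyou", "password", "princess", "Password", "abc123", "123456",
    "qwerty", "Nicole", "12345678", "correct-horse-battery", "123456",
    "princess", "rockyou", "Password",
]


def normalize(password: str) -> str:
    """Case-fold so that 'Password' and 'password' count as one choice."""
    return password.lower()


def most_common(passwords, n=20):
    """The n most frequent choices as (password, count), most frequent first."""
    return Counter(normalize(p) for p in passwords).most_common(n)


def coverage(passwords, n):
    """Share of accounts that use one of the n most common passwords.

    This is the fraction of the user base that a blocklist of those n entries
    would have protected, so it shows how much a short list buys you."""
    hits = sum(count for _, count in most_common(passwords, n))
    return hits / len(passwords)


def build_blocklist(passwords, n):
    """Turn the top-n list into the set a registration form should refuse."""
    return {password for password, _ in most_common(passwords, n)}


def is_acceptable(candidate, blocklist, min_length=8):
    """Policy check for a newly chosen password (assumed minimum of 8 characters)."""
    return len(candidate) >= min_length and normalize(candidate) not in blocklist


if __name__ == "__main__":
    for password, count in most_common(SAMPLE_PASSWORDS, 5):
        print(f"{password:<22} {count}")
    for n in (1, 3, 5):
        print(f"top {n} cover {coverage(SAMPLE_PASSWORDS, n):.0%} of accounts")
```

On the constructed sample the three most common choices account for 60% of accounts, which is the argument for refusing a short list of known-bad passwords at sign-up rather than relying on length rules alone.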

Posted under Security | No Comments »

Bring-Your-Own-Computer

January 12th 2010

Paul Ardoin, a former colleague, has posted some comments on Bring-Your-Own-Computer, the notion that companies should rely on employees’ personal laptops. My security-wonk-alarm went off when I read this, but I’m thinking the concept has some merit.

This is somewhat related to the question of using a company car versus the company paying you for mileage on your own car. People in general tend to take better care of their own car. The same may be true of computers.

However, if the company needs to enforce security constraints on employee computing, as in health care or finance, then personal machines are a bad idea. Even in companies where only a few sensitive activities take place, the company should provide and maintain special computers for those purposes.

Posted under Security | No Comments »

Intro to Multiprogramming

January 8th 2010

Back in 1964, Boston’s public TV station, WGBH, did a show on interactive computing at MIT. They interviewed Fernando Corbató, MIT’s timesharing pioneer, who demonstrated the old CTSS system. The Computer History Museum got permission from MIT and WGBH to post the episode on YouTube:

During the episode, Corby explains how timesharing (multiprogramming) works, in terms of taking turns between programs using round-robin scheduling.
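The round-robin scheme Corby describes, as an added simulation that is not from the broadcast or from CTSS: each ready job runs for at most one quantum, is then pre-empted and goes to the back of the queue, and the result is compared with running each job to completion. The job set, the quantum and the function names are constructed for illustration.

```python
from collections import deque


def round_robin(jobs, quantum):
    """Simulate round-robin timesharing over jobs that are all ready at time 0.

    jobs:    dict mapping a job name to the CPU time it needs; insertion order
             is the order the jobs joined the ready queue.
    quantum: longest slice a job may run before it is pre-empted and sent to
             the back of the queue.
    Returns (timeline, finish): timeline is the list of (name, start, end)
    slices in the order the CPU ran them; finish maps name -> completion time.
    """
    if quantum <= 0:
        raise ValueError("quantum must be positive")
    remaining = dict(jobs)
    ready = deque(name for name, need in jobs.items() if need > 0)
    clock, timeline, finish = 0, [], {}
    while ready:
        name = ready.popleft()
        slice_len = min(quantum, remaining[name])
        timeline.append((name, clock, clock + slice_len))
        clock += slice_len
        remaining[name] -= slice_len
        if remaining[name] > 0:
            ready.append(name)          # still has work: take another turn later
        else:
            finish[name] = clock
    return timeline, finish


def first_come_first_served(jobs):
    """Batch-style comparison: each job runs to completion before the next."""
    clock, timeline, finish = 0, [], {}
    for name, need in jobs.items():
        timeline.append((name, clock, clock + need))
        clock += need
        finish[name] = clock
    return timeline, finish


def average_turnaround(finish):
    """Mean completion time across all jobs."""
    return sum(finish.values()) / len(finish)


def context_switches(timeline):
    """How often the CPU changed jobs between consecutive slices."""
    return sum(1 for a, b in zip(timeline, timeline[1:]) if a[0] != b[0])


if __name__ == "__main__":
    jobs = {"A": 5, "B": 2, "C": 3}             # constructed workload
    for label, (timeline, finish) in (("round robin, quantum 2", round_robin(jobs, 2)),
                                      ("first come first served", first_come_first_served(jobs))):
        gantt = " ".join(f"{n}[{s}-{e}]" for n, s, e in timeline)
        print(f"{label}: {gantt}")
        print(f"  finish={finish} avg turnaround={average_turnaround(finish):.2f}"
              f" switches={context_switches(timeline)}")
```

With the constructed workload the short job B finishes at time 4 under round robin instead of time 7 when it has to wait its turn behind A; the price is more context switches and a slightly worse average turnaround, which is the trade timesharing systems made to keep interactive users responsive.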

Posted under History of Technology & Tech Teaching | No Comments »

Best New Security Technology

January 7th 2010

A while back, Popular Science asked me to identify the Best New Security Technology. At the time I simply couldn’t think of anything, and they’ve long since published their issue filled with Best New ____ Technology.

I finally thought of something – self-encrypting mass storage. This can be anything from an encrypting USB drive – the IronKey if you like theatrics – to a self-encrypting hard drive like Seagate’s Momentus line of laptop drives.

While I also rely heavily on software drive encryption (TrueCrypt) I wish that all my hard drives had full disk encryption (FDE). If all drives had FDE, I could recycle drives (i.e. give them to my kids) just by erasing the key. Instead, I have to hook each drive up to an idle machine for a day or so to run a wiping process.

So FDE isn’t just for security paranoids and folks hogtied by compliance regulations. It’s useful for everyone. That is, assuming that the vendors make it easy to use.
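What “recycle the drive by erasing the key” relies on, as an added model that is not Seagate’s or IronKey’s design: sectors only ever exist as ciphertext under a data-encryption key (DEK), the DEK is stored wrapped under a key derived from the user’s password, and crypto-erase overwrites that wrapped copy. The layout, the toy SHA-256 keystream standing in for the drive’s cipher, the PBKDF2 iteration count and the sector size are assumptions; the demo data is constructed.

```python
import hashlib
import hmac
import os

SECTOR = 512  # bytes per sector (assumed for this model)

def _keystream(key: bytes, sector: int, length: int) -> bytes:
    """Per-sector keystream SHA-256(key || sector || counter): a constructed
    stand-in for the drive's real cipher (shipping SEDs use AES)."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hashlib.sha256(key + sector.to_bytes(8, "big")
                              + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class SelfEncryptingDrive:
    """Model of a self-encrypting drive (assumed layout, not any vendor's):
    sectors are stored only as ciphertext under a random data-encryption key
    (DEK); the DEK is kept wrapped under a key-encryption key (KEK) derived
    from the user's password and unwrapped into volatile memory while the
    drive is unlocked. Crypto-erase overwrites the wrapped DEK, so the
    untouched sectors can never be decrypted again."""

    def __init__(self, password: str, sectors: int = 8):
        self.salt = os.urandom(16)
        self.cells = [bytes(SECTOR) for _ in range(sectors)]  # on-platter bytes
        self._dek = None                        # volatile copy; None when locked
        self._wrap(os.urandom(32), password)

    def _kek(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)

    def _wrap(self, dek: bytes, password: str) -> None:
        kek = self._kek(password)
        self.wrapped_dek = _xor(dek, _keystream(kek, 0, len(dek)))
        # The tag lets unlock() refuse cleanly instead of yielding a garbage DEK.
        self.wrap_tag = hmac.new(kek, self.wrapped_dek, "sha256").digest()

    def unlock(self, password: str) -> None:
        kek = self._kek(password)
        tag = hmac.new(kek, self.wrapped_dek, "sha256").digest()
        if not hmac.compare_digest(tag, self.wrap_tag):
            raise PermissionError("wrong password, or the DEK has been erased")
        self._dek = _xor(self.wrapped_dek, _keystream(kek, 0, len(self.wrapped_dek)))

    def lock(self) -> None:
        self._dek = None

    def crypto_erase(self) -> None:
        """Destroy the only copy of the DEK; instant, whatever the drive size."""
        self.wrapped_dek = bytes(len(self.wrapped_dek))
        self.wrap_tag = bytes(len(self.wrap_tag))
        self._dek = None

    def reprovision(self, password: str) -> None:
        """Hand the drive to a new owner: fresh DEK, old sectors read as noise."""
        self._wrap(os.urandom(32), password)

    def _crypt(self, sector: int, data: bytes) -> bytes:
        if self._dek is None:
            raise PermissionError("drive is locked")
        return _xor(data, _keystream(self._dek, sector, len(data)))

    def write(self, sector: int, data: bytes) -> None:
        self.cells[sector] = self._crypt(sector, data.ljust(SECTOR, b"\0")[:SECTOR])

    def read(self, sector: int) -> bytes:
        return self._crypt(sector, self.cells[sector])

def _refused(action) -> bool:
    try:
        action()
    except PermissionError:
        return True
    return False

def recycle_demo() -> dict:
    """The lifecycle from the post as checks: write, lock, erase the key, hand on."""
    secret = b"patient records, do not disclose"    # constructed sample data
    drive = SelfEncryptingDrive("owner passphrase")
    drive.unlock("owner passphrase")
    drive.write(3, secret)
    checks = {"round_trip": drive.read(3).startswith(secret),
              "ciphertext_on_platter": secret not in drive.cells[3]}
    before = drive.cells[3]
    drive.lock()
    checks["locked_read_refused"] = _refused(lambda: drive.read(3))
    drive.crypto_erase()                        # the "recycle" step: no wiping pass
    checks["sectors_untouched"] = drive.cells[3] == before
    checks["old_key_gone"] = _refused(lambda: drive.unlock("owner passphrase"))
    drive.reprovision("new owner passphrase")
    drive.unlock("new owner passphrase")
    checks["new_owner_sees_noise"] = secret not in drive.read(3)
    return checks
```

The point the model makes is that `crypto_erase` never touches `cells`: the platters still hold the old ciphertext, but with the wrapped DEK gone even the original owner’s password cannot recover it, and the next owner’s reads come back as noise. That is why erasing the key substitutes for a day-long overwrite pass, and also why the key-wrapping and erase commands have to be trustworthy and easy to use for FDE to pay off.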

Posted under Security | No Comments »