Computers don’t work when you lie to them

September 22nd 2008

Here is a terrific (but depressing) article by Saul Hansell explaining how the Wall Street meltdown was fueled by feeding nonsense to the risk management systems in the big investment houses.

The systems did not have models of those weird derivative instruments being traded, so traders would say they were trading a generic (safe, well-understood) loan instrument. So the systems did not really model the risk.

I find this really heartbreaking. I have to believe some people behind the scenes knew what was going on, and I can imagine them losing the argument with their bosses when they tried to fix things.

Posted under Information Security | No Comments »

Models for Today’s Security

August 18th 2008

I received an e-mail from a mutual friend named Jim Burrows who was decrying the state of information security, blaming it on the lack of good models for solving modern security problems. I have to agree, and I admit I don’t have a glib answer.

A few weeks back, Gunnar Peterson posted some comments relevant to this discussion of modern security policy, but I haven’t managed to frame a response to that one, either.

At least, I can agree that traditional models are broken. I believe there are some fundamentals that remain constant, but the high-level attempt to build firewalled enclaves is clearly obsolete (except for a very few special situations).

Posted under Information Security | 3 Comments »

Passwords, Open ID, and “Information Cards”

August 12th 2008

Randall Stross/Digital Domain has posted a NYT story on passwords, Open ID, and Information Cards.

The “Information Card Foundation” is only a few weeks old, and the technique is trying to solve problems with both passwords and with Open ID. The posting roasts the old chestnuts about how bad passwords are (does anyone really need convincing?), then roasts Open ID a bit, and then introduces Information Cards, a slightly more flexible but still vulnerable technology.

Personally, I’m not convinced that Information Cards are any safer or easier to use than Open ID can be.


Posted under Information Security | 1 Comment »

Penalizing Unauthenticated SSL Certificates

August 5th 2008

Mozilla, like most responsible web browsers, pops up a warning if someone visits a secure web site where the site’s crypto credentials have not been countersigned by a recognized certificate authority.

On Slashdot, Chandon Seldon argues that the Mozilla SSL Policy is Bad For the Web, which links to material by Nat Tuck saying, again, Mozilla SSL policy bad for the Web. The argument is that this policy violates net neutrality by forcing people into a commercial venue if they want their secure connections to be user friendly. The commentaries find this especially troublesome for nonprofit organizations.

This is nonsense. Net Neutrality is about connectivity. SSL is about security and assured identification. Web browsers pop up a complaint about authentication when they can’t verify a site’s identity - that’s what the browser is supposed to do. SSL certificate management is the best affirmative defense on the Internet today, and these suggestions will only weaken it.

Posted under Information Security | No Comments »
