Monday, February 28, 2011
Answering the right question
The most common cause of software startup death is building something nobody wants. The lone-wolf developer who hides his project's nature (and even existence) from the outside world until its glorious 1.0 release often finds that there is a reason nobody had built the product before. The right approach is to tell as many people about your idea as possible, as quickly as possible. If you rapidly discover that your idea is something nobody cares about--and it probably is--then pat yourself on the back! You've saved yourself many months of labor on a project doomed to failure.
Wednesday, February 16, 2011
Hacking in a world that's used to hackers
In the early days of networked computers, security protocols were pitifully underdeveloped and underanalyzed. Worse, they were implemented ad-hoc for each system separately. This means that a lot of early hacks were successfully executed directly against machines: Lines were tapped for passwords being sent in plain text, system executables were trivially overwritten, and son on. The only real security was physical isolation.
It wasn't long after networking became popular that it also became much more secure. In fact, SSL was first invented by Netscape in an effort to convince consumers that they could trust sensitive data, like credit card information, to the nebulous ether of the Internet. Remote access to important servers is now routinely restricted to access by a 2048-bit or larger private key rather than a password that can be guessed or accidentally divulged. File-system security has similarly advanced, along with distributed authentication (Kerberos), mechanical protection against automated password attacks (CAPTCHAs), and any number of other areas.
The net result is that a server now comes with secure software pre-installed. Each component has been peer-reviewed by thousands or tens of thousands of experts to ensure it is immune against known mechanical attacks.
Yet somehow, we keep hearing of embarrassing and costly hacks. HBGary Federal recently had their entire website trashed, full email logs published, backups erased, and their CEO's iPad remotely wiped. Just a couple months ago, Gawker Media (who runs many of the world's most-visited blogs) was manhandled by hackers who walked away with hundreds of thousands of user names and passwords. Not just hashed passwords to be cracked later, but the actual plain-text passwords, which most of those users probably used just about everywhere else.
With the decades of cryptography research and development we now have behind us, how is this still possible? In almost every case, it's a combination of administrator ignorance and at least one helpful clerical worker. The years of research that go into an algorithm like SHA-1 don't help Gawker if they don't salt and thoroughly hash their passwords. And Anonymous might not have destroyed HBGary so thoroughly if their secretary hadn't been willing to hand over credentials to a 16-year-old who asked nicely.
Welcome to the new world, same as the old world. If you really want prying eyes out, it seems the only real security is physical isolation.
It wasn't long after networking became popular that it also became much more secure. In fact, SSL was first invented by Netscape in an effort to convince consumers that they could trust sensitive data, like credit card information, to the nebulous ether of the Internet. Remote access to important servers is now routinely restricted to access by a 2048-bit or larger private key rather than a password that can be guessed or accidentally divulged. File-system security has similarly advanced, along with distributed authentication (Kerberos), mechanical protection against automated password attacks (CAPTCHAs), and any number of other areas.
The net result is that a server now comes with secure software pre-installed. Each component has been peer-reviewed by thousands or tens of thousands of experts to ensure it is immune against known mechanical attacks.
Yet somehow, we keep hearing of embarrassing and costly hacks. HBGary Federal recently had their entire website trashed, full email logs published, backups erased, and their CEO's iPad remotely wiped. Just a couple months ago, Gawker Media (who runs many of the world's most-visited blogs) was manhandled by hackers who walked away with hundreds of thousands of user names and passwords. Not just hashed passwords to be cracked later, but the actual plain-text passwords, which most of those users probably used just about everywhere else.
With the decades of cryptography research and development we now have behind us, how is this still possible? In almost every case, it's a combination of administrator ignorance and at least one helpful clerical worker. The years of research that go into an algorithm like SHA-1 don't help Gawker if they don't salt and thoroughly hash their passwords. And Anonymous might not have destroyed HBGary so thoroughly if their secretary hadn't been willing to hand over credentials to a 16-year-old who asked nicely.
Welcome to the new world, same as the old world. If you really want prying eyes out, it seems the only real security is physical isolation.
Monday, February 7, 2011
How not to gain respect for your cause
Wikileaks provides a rare infusion of actual facts into political debate, though many would rather they just shut up. One group has come to Wikileaks' defense over the last few months, in spite of actual arrests being made against its members: Anonymous. While I applaud their enthusiasm for a just cause, they're just embarrassing themselves and their cause. Petty vandalism against the opposition does not look noble. It's juvenile, and it distracts from the real issues just as much as the mainstream media's perverse obsession with Julian Assange's personality.
Subscribe to:
Comments (Atom)