Passwords

I was pointed at this article in the Washington Post on password security. It’s quite long and so I summarise:

  1. Length is better than complexity (More than 12 bytes)
  2. Simple transformations are no help (Don’t use 1st letter Caps and last character as 1 or !, mutt5nut5 is considered very easy.)
  3. Don’t reuse passwords for accounts that you care about! (A corollary is to delete the accounts on services you no longer use.)
  4. Write the passwords down in a secure place if you have too many, or use a password manager. (They are in favour, I am not so sure.)
  5. Don’t use personal facts about yourself (Bdays, Place of Birth, Pet’s names)

They have conducted some volume research by cracking and survey which they reference in the article and built a password checker based on these lessons but using it breaches one or maybe two of the rules I set myself in my Linkedin blog article “Password Vaults”. It’s on the internet, and we can’t read the code; that’s not to say it’s not a useful training tool.

Passwords

Research

Techdirt, providing a public service as ever have posted a piece on confusion in the US Federal Government agencies. Whenever seeking to censor material, one has to prohibit research into the censored material and the techniques used to enforce the censorship. This is equally true in technology, and since encryption is used to ‘protect’ material, in the US they have prohibited research into circumventing “Digital Rights Management” technology which is used by creative capitalism to manage pay-per-view. This has led to the absurd situation that, in the US, unlocking phones was a prohibited technology for a while. The Copyright Office, often seen as creative capitalism’s agents in Government, have come to the conclusion that the copyright laws interference with security research is a bad thing. Whether they’ll repeal those bits of the law is another matter.

Research

Wannacry

Having done my best to ensure that my personal systems are as safe as I can make them, I am preparing a personal response to the #wannacry attack last weekend. Meanwhile, I consider this by John Elliot, a great response on the public policy side, and this by David Thomas, a useful look at the IT Security response where he argues that it’s not just about “Vulnerability Management” and that Technical Debt is not just a funky word to get money for the maintenance budget. Neither of them major on the NHS IT Security failings that made them such a target but David makes the points that the UK & NHS weren’t the only victims with Taiwan, Russia, Ukraine and India all suffering from attacks. This is from Microsoft’s Chief Legal Officer, Brad Smith and is also important, He re-states Microsoft’s commitment to all its customers and calls for better government response including the idea of a digital Geneva convention. The Washington Post describes the discussions inside the NSA and reveals aspects of how they decide whether to release security vulnerabilities or weaponise them. It’s argued that the cyber weapon was like “Fishing with dynamite”, but as ever no public evidence to allow the people that pay for this to evaluate their claims.

Wannacry

On the GDPR

The week before last, I attended the BCS legal day and have finally published my notes on what is now my essay blog. The priority was the coming General Data Protection Regulation. I prefer to write in a style recognising those who have informed me or changed my mind but the notes have been anonymised as I believe that the day was held under Chatham House rules,  The running order has been changed to make the story better and to conform to my preferred priority order, of principles, rights, obligations and enforcement.  The day consisted of two presentations, entitled “Key Issues”, “the Data Protection Officer” and one on trends in enforcement.

On the GDPR

Compliance

After attending the BCS IS Security Group meeting yesterday, I began to think about how small (or more accurately, medium) companies might deal with the additional compliance actions required of the GDPR. There would seem to be two design patterns, a golden source, or an all knowing switch. The first pattern led me to consider the SaaS solutions, which should be used to dealing with suspects, prospects and customers (CRM), also any employees that might be employed, with the ERP solution catering for personal data located in the supply chain. Over the years I have been made aware of Sugar CRM & OpenBravo (ERP), more recently I have looked at Financial Services KYC problem, and been pointed at kyc.com,  an enhanced CRM system designed for the financial services industry. The gap is an industry leading HR system, and it will surprise none of my long term friends and colleagues, that I think we can assume that fault is in the buying community where the priority would seem to be recruitment and applicant tracking although, of course, payroll was the first SaaS offering by an order of decades.

Compliance

Significant

I was tidying up my desktop, when I came across a couple of articles by Bruce Schneier on e-voting. In this piece, he argues to tighten up the IT Security around the voting machines in the US, repeating his demand that voting machines have voter authorised paper copies so voters know and agree their ballot papers. He also categorically states that voting over the internet is just asking for trouble. He is concerned about integrity attacks, but ballot organisers should also be worried about impersonation, duplication and coercion, and this is apart from just hacking the results. There are some who feel that the use of e-voting is better than not voting but there remain significant IT Security problems; while I do not necessarily support a return to “show of hands in the car park”, obsessing about internet voting isn’t the answer yet, and may never be.

For more by me, check out my blog articles on e-voting, and for my bookmarks read here….

Significant