
Security for Dummies

Safe and simple

Monday 28 July 2008, 6:24 PM

In web we trust?

Posted by pathologist

There is no doubt that the web has changed our lives. We are looking for information, pictures, news, music, video; we are shopping, dating, you name it. We have everything there. We do a lot there. We spend half of life there.
Then why do we still store gigabytes of info on our home PCs? HDDs are not reliable enough (3-5 years lifetime?). What do you do with your personal data when you upgrade your PC or purchase a new one?

Why the heck not keep everything online and sleep tight?
I have 2 reasons for it, maybe some of you have more:
1. The performance - it is still slower than a local drive.
2. The trust - we believe that the closer the safer.
* Yes, we still think that a burned DVD will save our data for the promised 100 years! LOL
* No, we do not trust these guys at the server side. We do not believe that they will take care of our data better than we do. But we do not... we do not take any care at all :)

So what can the internet offer? There are 2 major types of online storage by purpose: sharing and offsite storage/backup (of course, most services offer a combination of both).

See the full story here

Thursday 17 July 2008, 11:21 AM

Biometrics - concerns and answers

Posted by pathologist

First, I would like to set aside the biometric technologies that do not work or must not work. I mean both behavioral (keystroke dynamics, handwriting) and physical (voice, face and palm) recognition systems. Why do I think that these technologies are not working? Simple. The error ratio is too high for real-life implementation; it is too easy to trick these systems, even for an inexperienced hacker.
I am also not going to talk about iris scan and retina scan. These systems are accurate. It is much harder to trick them. But these systems are too expensive. By the same token, I will not talk about DNA, odor identification systems and the like.
Let’s talk about biometrics that works in real world conditions – fingerprint.

What are the concerns?
1. Accuracy.
A regular fingerprint identification system has a standard FAR of 0.001% and FRR of 0.1%. What does it mean for us? An FAR (False Accept Ratio, the probability of accepting a wrong finger instead of the registered one) of 0.001% means that if one fingerprint is registered, the system can wrongly grant access to an impostor once in 100,000 attempts. Pretty high accuracy. If 10 fingerprints are registered, the same statistical mistake accumulates, resulting in one in 10,000 attempts. That is also fine. But let us imagine a public system with 1,000 registered users (not a rare situation). Every user has 10 fingerprints registered. What is the resulting false accept ratio? 10fingerprints*1000users*0.001%=0.1%. That is already alarming. That means that every passer-by may enter the gate in at most 10 attempts.
For the system with 10,000 registered users the resulting false accept will be “1”, meaning that ANYONE can enter from the first attempt. Scary!
2. Response time, user acceptance and FRR
It was tested and proved that FRR (false reject) rises exponentially with the number of attempts. If the person trying to pass the gate is a bit nervous, the probability of a false reject is 1% at the first attempt, 12% at the second, 48% at the third. Imagine a huge line of employees trying to get to their workplace on time.
3. Psychological resistance
The fingerprint technology has still some criminal “aura”; it is deep in our minds. We do not want to leave our fingerprints somewhere.
Continue to the full story here
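
The accumulation described under "Accuracy", worked through as an added example (not code from the original post). It assumes every template comparison is independent and has the same per-match FAR, in which case the exact figure is 1 - (1 - FAR)^N and the post's multiplication is its small-value approximation; the function names are illustrative.

```python
import math

PER_MATCH_FAR = 0.001 / 100  # the post's 0.001%, expressed as a fraction


def linear_far(per_match_far, templates):
    """The post's estimate: FAR times enrolled templates, capped at 1."""
    return min(1.0, per_match_far * templates)


def system_far(per_match_far, templates):
    """Exact 1:N figure, 1 - (1 - FAR)^N, assuming independent comparisons."""
    return -math.expm1(templates * math.log1p(-per_match_far))


def required_per_match_far(target_system_far, templates):
    """Per-comparison FAR the matcher needs to hold a system-wide target."""
    return -math.expm1(math.log1p(-target_system_far) / templates)


def max_templates(per_match_far, target_system_far):
    """Largest gallery that keeps the system-wide FAR at or below the target."""
    return math.floor(
        math.log1p(-target_system_far) / math.log1p(-per_match_far)
    )


if __name__ == "__main__":
    # Gallery sizes from the post: 10 fingerprints per registered user.
    for users in (1, 1_000, 10_000):
        n = users * 10
        print(
            f"{users:>6} users / {n:>7} templates: "
            f"linear {linear_far(PER_MATCH_FAR, n):.4f}, "
            f"exact {system_far(PER_MATCH_FAR, n):.4f}"
        )
    # Sizing questions a deployment would ask before enrolling users.
    print("templates allowed for a 1% system FAR:",
          max_templates(PER_MATCH_FAR, 0.01))
    print("per-match FAR needed for 10,000 templates at 0.001% overall:",
          f"{required_per_match_far(PER_MATCH_FAR, 10_000):.3e}")
```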

Monday 14 July 2008, 12:54 PM

Facts about passwords

Posted by pathologist

I have mentioned several times, here and here, that we all need a password manager. These three posts on ITFacts strongly support my words.

Fact #1 63% of Americans use roughly the same password for different online accounts
63% of Americans admit to using the same password or a variation of it for all or most of their online accounts. 6.7% use a variation of a familiar password for most of their online accounts. 22.9% use the same password for most of their online accounts. 3.5% use the same password for all their online accounts.

Fact #2 66% of US employees write down passwords in unsafe places
US workers, managers, and IT staffs alike are increasingly confronted with difficulties arising from computer passwords. Over half of all respondents said the average employee in their firms are required to remember three to five passwords, with an additional 26% saying the number ranges from six to ten or more. 49% responded that employees are required to use passwords more than 25 times per week, with 8% stating the number of password uses exceed 100 per week. 66% stated that employees write down or store passwords in unsafe places, creating a security problem for their companies. 48% of responding IT professionals are actively seeking a reliable password management solution. While 79% of those taking the survey report that security is their number one password management concern, 39% also reported Lost Employee Productivity or Frustration as an issue. In addition, 31% said that helpdesk hours are either lost or spent in frustration by support personnel.

Fact #3 Only 14% of business users use a different password for each site
14% of the business users use a unique password for each site. 41% use the same password all the time, while the remaining 45% use “a few” different passwords.

My statement is clear - we need password manager software, preferably a portable one. This can save time, money and nerves.

Thursday 10 July 2008, 10:31 PM

Please educate your clients!

Posted by pathologist

This extremely short post appeared following a meeting with a decision maker of a potential client. During the conversation I realized that this highly respected and well-paid top manager knows nothing. He does not understand a single word in the sphere of his duties and should-be knowledge.
Dear vendors, developers and manufacturers, dealers, resellers and agents! Please educate your clients! Even though deeper understanding can block or cancel the deal, it is much better to work with a client that understands. It can save your company a fortune on support calls. An educated client knows what he is looking for. Maybe it is not your product. Maybe he does not need your solution at all. Face it.
Yes, you can try to sell something that the client is not looking for. You may use terms that sound nice and attractive to an ignorant ear, terms that are very popular but have nothing to do with your product. Be honest with yourselves.
I did not close the deal. I care about my company's reputation. Maybe later, when this client stops using the terms “digital signature”, “active directory”, “VPN”, “RSA”, “minutiae”, “templates” and other “magic” words not related to his needs, I will talk to him once again. Not now.

Maybe I am wrong. Maybe I shall not refuse selling to idiots. What do you think?

Wednesday 9 July 2008, 10:43 AM

Password manager - portable or online

Posted by pathologist

Yes, we have lots of passwords - bank accounts, e-mails, computers, domains, instant messengers, you name it - and we need them all. We may forget them and we do. I am not talking about those who have only one password for everything; they are just not aware of the risks. A regular PC user needs at least 10 passwords. It is even more important for those who travel a lot, either for pleasure or on business.
I think that we all agree that we need a Password Manager. The only question is which one to choose.
What to Look for in Password Management Software
Password management software should be easy to use and useful to the most inexperienced computer user. It should also be secure enough to keep hackers out and passwords safe. These are the criteria that one should consider when selecting the most suitable solution for the money:
Read the full story here
