The InfoSec Blog

U.S. Defense Secretary Carter emphasizes culture change needed to

Posted by Anton Aylward

Yes the government needs a culture change if it is to address its own and the national issues pertaining to security, technological, in general, internet related and more. But not like this.

A real culture change would involve hiring the likes of people such as Marcus Ranum, Gene Spafford, Becky Herrold., and more significantly the very vocal Bruce Schneier AND PAYING ATTENTION TO WHAT THEY SAY AND CARRYING OUT THEIR RECOMMENDATIONS.  And please note: none of this is new or radical.

But a read of Bruce's articles blog and published articles will make it clear to any intelligent reader, even those outside the InfoSec community, that they won't. The culture change it would require would impact too many vested interests and long held beliefs, even though Bruce -- and others -- have long since shown them to be in the same class as The Emperor's New Clothes.

When the government talks of cyber-security experts it really doesn't want people who think in terms of policy and strategy. The fact that most government agencies could do better if they carried out the recommendations that have been made to them -- but consistently don't[1] -- tells you something about their innate culture. Just adopting the GAO recommendations would take a culture change. Adopting 'uber 133z h4x0r'-wannabes for job roles that are written as what amounts to jumped-up netadmin and sysadmin positions doesn't make for good security[2].

Yes, a culture change is needed. But the kind of changes that the 'insiders' -- and that goes for the media too -- envision don't really amount to a meaningful change.


[2] The idiom "rearrange the deckchairs on the Titanic" comes to mind
Or perhaps the Hindenburg.


Passwords Suck!

Posted by Anton Aylward

Indeed they do.
Its beginning to look like the point I've been trying to make for years, here and with clients, is finally getting some notice. That the sad real truth is that passwords are security theatre. They provide the
illusion that you're securing something.

For those new here, I've long recommended Rick Smith's excellent book on this matter:
"Authentication: From Passwords to Public Keys" ISBN 0201615991
See his home page at

Grandpa Rob Slade reviewed this, rather more kindly than some books he's reviewed.
The author of the article recommends passphrases - a passphrase is easy too remember.
In "Password Expiration Considered Harmful" Rick makes the case that the overhead of periodically creating and remembering new but obscure passwords is actually a greater risk than conventional wisdom would lead one to think.

See also 'The Strong password dilemma' and not least of all this cartoon.

I use SSH and a 40+ character passphrase which is a line from a poem I wrote in my youth (and as the bard said, "But that was in another country and besides, the wench is dead"). I fat finger one time in four.

Some of it is practice. If you make people change their passphrases or passwords they won't flow from their fingers so readily.

My home machine, where no-one can get in from the net and where no-one looks over my shoulder except my cats, I've used the same passphrase for over a decade. I can type it a LOT faster than a a shoulder-surfer could see and my fat-finger rate is down around 1 in 300+. I don't even have to 'say' the passphrase in my mind so even a telepath couldn't "sniff" it.

Yes, this is a unique setting. My hardware, my home, no-one else comes near (not even to clean out the dust bunnies).

My error rate at client sites is, though, very high. They have these rules that Rick Smith points out are user-unfriendly and demand that I change the password just about the time I'm getting used to it. In the week after the mandatory password change I probably make 2-3 calls to support. AND I have to dream up more and more forgettable passwords.

If you ask me, its crazy, unproductive and expensive.

To debunk the myth that frequent password rotation is a good idea, see Gene Spafford's blog entry on this.  But many regulations require it, no matter how counter-productive it is and no matter how much it has been shown to weaken security.

Tell me, now often do you change the lock on your front door?

Reblog this post [with Zemanta]