I stumbled across an article on car software viruses. I did not see anything unexpected really. The experts “hope” to get it all fixed before the word gets out and things start getting messy. Which tells us that things are in a pretty bad shape right now. The funny thing is though that the academic group that did the research into vehicle software security was disbanded after working for two years and publishing a couple of damning papers, demonstrating that “the virus can simultaneously shut off the car’s lights, lock its doors, kill the engine and release or slam on the brakes.” An interesting side note is that the car’s system is available to “remotely eavesdrop on conversations inside cars, a technique that could be of use to corporate and government spies.” This goes in stark contrast to what car manufactures are willing to disclose: “I won’t say it’s impossible to hack, but it’s pretty close,” said Toyota spokesman John Hanson. Basically, all you can hope for is that they are “working hard to develop specifications which will reduce that risk in the vehicle area.” I don’t know, mate, I think I better stay with the good old trustworthy mechanic stuff. I guess I know too much about software security for my own good. I kinda feel they will be inevitably hacked. Scared? If there is a manual override for everything – not so much but… The second-hand car market suddenly starts looking very appealing by comparison…
I think I already talked about this subject previously but not here. Anyhow, the subject bears repeating.
Many go “yippee!” at the mention of biometrics and start to think their user authentication problem is solved. Do not pay attention, they will end up in the newspaper headlines fairly soon, either for massive security failures or being bankrupt, or both.
The problem is not a huge false negative rate, and it is not the huge false positive rate either. The problem is immutability of the characteristics. The biometric characteristics change slowly over time as you age and can be influenced by the environment but they cannot be changed at will (well, at least not easily). The problem is that whatever this thing is, it is a part of your body and is most of the time something you do not want to change even if you had a possibility to do so.
And that’s also why it is dangerous – you may end up losing a limb or two.
The first question that should be asked then, “what’s it good for, anyway?” A characteristic that is fairly stable, cannot easily be changed at will, – that’s a fairly reasonable user name, i.e. the user identification. Even then, it is a questionable approach because it is a good idea to let users change names.
Biometrics is definitely not any good for authentication, that is, proving that you are who you say you are. If you compare to the familiar authentication with passwords, you will notice that the means of authentication are supposedly:
- secret or concealable
- easily changeable in a controlled manner
- transferrable in a controlled manner
And biometrics is none of that.
But why then? Oh, I do not expect to find a definitive answer to that but one thing could be that it looks cool in movies. The other is that biometrics were historically good for tracking people that are not actively resisting such tracking. But then we talk about politics and power and that is not the subject of this discussion at all. One thing is certain: whatever the reason to use biometrics is, it has absolutely nothing to do with security.
So when you see claims like “Biometric is the most secure and convenient authentication tool”, now you know that’s just utter nonsense and you should stay away from people (and companies) making such claims. Unless there isn’t enough nonsense in your life, of course.
When it’s your responsibility to implement a security system, try to stay away from biometrics, you’ll live a happier life. Leave it to Hollywood.
Hmm… Good question… Well, let’s get this straightened out before we jump into other interesting subjects. Every single website and application, every single computer system gets broken into. For fun, money, fame, accidentally. This is just the way it is and I have to accept this as the current reality. I may not like it but who cares about that?
Whether you are a large corporation or a student writing the first website, your system will get broken into. If your system has been around for a while, it was already broken into. My not-so-extremely-popular website was broken into already three times (that I know of) and I am not ashamed to admit it. Denial is futile. Take it as inevitable.
There is even a line of thought nowadays with some of the security people that we should not bother to concentrate so much on trying to protect things for we can’t prevent break-ins anyway. They say we should concentrate on detecting and containing the damage from break-ins. Ah, bollocks. We have to do both. Do not give up your defenses just because you know they will be eventually breached. But be prepared.
What I really want to say is that when you make a computer system, be it a website, corporate network, smart card or anything else, you have no choice. Thinking that security is somebody else’s problem is extremely common, second only to not thinking about security at all, and usually disastrous in a not-so-distant future. Don’t be like that. Come to the good side, protect your system, think of security long and hard, apply the Hash and the Crypto the Right Way™ and your system will run happily ever after (well, at least to the next major breakthrough in cryptography or something).
This is a lighter software security blog. I start it now mainly because of two reasons.
First, something has to be done. The recent break-ins at the likes of LinkedIn and Yahoo show that even at the large companies people do not understand the basics of security. By looking at what is proposed and advised under the guise of security to people starting out to write their own web applications I understand that those are not far behind. Should their applications become famous, they will be broken as easily. There needs to be a place to discuss even the most basic things, so people do not keep making the same mistakes over and over again… like if it’s bloody Groundhog Day.
Second, why do we have to talk about software security always with a grave face? Yes, it is a serious subject but that does not warrant the long faces. Lighten up, people! Relax, let the Force flow. Have a break and make a joke. Security can be an entertaining subject. Let’s not make it appear harder than it is.
So here we are, something has to be done and it better be done with a smile. Or a grin… a smirk, a beam, a crack. Not with a frown. I will write my thoughts on software security, you are welcome to comment, make fun of, ask questions and generally have a good time.