The Combinations of Software

  • Comments posted to this topic are about the item The Combinations of Software

  • This article on using npm packages to steal data pretty much sums up the risks.  I believe the techniques used in the article have recently been tried for real.

    I've seen the emergence of software applications to unit test, performance test, accessibility test, code standard test.  There are tools to help security test but from what I can see they are geared up to web site vulnerabilities. For example http://www.sqlinjection.net/sqlmap/tutorial/

    I feel that unit test and code standard test software is widely accepted.  I still see reluctance to do proper database performance test work let alone invest in the tools to do so.  Sit with someone who relies on a screen reader and you'll get the distinct impression that no-one tests for accessibility.

    I feel that investment in tools and training to use those tools has to take place, particularly with GDPR threatening sizeable fines in the event of a data breach.

    In the big data world the open-source packages are constantly being updated and a lot of the challenges with big data tech is working out what the incompatibilities between versions may be.  This is why Hortonworks and Cloudera have a selling point of working all that for you in their Hadoop distributions.

If you are using open-source software in combinations then you need the following:

    • A local repository so anything you build is on known versions and not on the latest version pulled off the master public repo.

    • A means to test thoroughly your software using the open-source stack (including penetration and security testing) and in an automated fashion

    • A process to evaluate and test version upgrades.  This needs to be as slick as possible.

    • An expectation and implementation of frequent patching.
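The first and fourth points in the list above (build only from known versions held in a local repository, and treat third-party packages as something to be tested rather than trusted) can be turned into a pre-build gate. The following is an added example, not code from the thread or from the linked article: it audits an npm `package-lock.json` (lockfileVersion 2 or 3) and flags any dependency that does not resolve to the organisation's own mirror, lacks an integrity hash, or declares an install script, which is the hook a data-stealing package typically uses. The mirror host `npm.internal.example` and the sample lockfile are constructed for the demonstration.

```python
"""Audit an npm package-lock.json before a build runs.

Added example (not from the thread). Checks three things a local-repository
policy needs: every dependency comes from the internal mirror, every tarball
carries an integrity hash, and packages with install scripts are surfaced
for review before they are allowed to execute on a build machine.
"""
import json
import sys

# Hypothetical internal mirror; replace with your own registry host.
ALLOWED_REGISTRY = "https://npm.internal.example/"


def audit_lockfile(lock: dict) -> list:
    """Return a list of (package name, problem) tuples; an empty list means clean."""
    findings = []
    packages = lock.get("packages")
    if packages is None:
        # lockfileVersion 1 has no "packages" map (and no hasInstallScript flag)
        findings.append(("<root>", "lockfileVersion 1: regenerate the lockfile with npm >= 7"))
        return findings
    for path, meta in packages.items():
        if path == "":            # the root project entry, not a dependency
            continue
        if meta.get("link"):      # workspace symlink, nothing is downloaded
            continue
        name = path.rsplit("node_modules/", 1)[-1]
        resolved = meta.get("resolved", "")
        if not resolved.startswith(ALLOWED_REGISTRY):
            findings.append((name, f"resolved outside the local mirror: {resolved or '<none>'}"))
        if not meta.get("integrity"):
            findings.append((name, "no integrity hash; tarball cannot be verified"))
        if meta.get("hasInstallScript"):
            findings.append((name, "declares an install script; review before allowing"))
    return findings


# Constructed sample lockfile: one well-behaved dependency from the mirror,
# one pulled straight from the public registry with an install hook.
SAMPLE_LOCK = {
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/example-util": {
            "version": "1.3.0",
            "resolved": "https://npm.internal.example/example-util/-/example-util-1.3.0.tgz",
            "integrity": "sha512-CONSTRUCTEDHASHVALUEFORDEMONSTRATIONONLY0000000000000000000000000000000000000000000000==",
        },
        "node_modules/example-widget": {
            "version": "0.0.7",
            "resolved": "https://registry.npmjs.org/example-widget/-/example-widget-0.0.7.tgz",
            "hasInstallScript": True,
        },
    },
}


def audit_file(path: str) -> list:
    """Load a real package-lock.json from disk and audit it."""
    with open(path, encoding="utf-8") as fh:
        return audit_lockfile(json.load(fh))


if __name__ == "__main__":
    results = audit_file(sys.argv[1]) if len(sys.argv) > 1 else audit_lockfile(SAMPLE_LOCK)
    for pkg, problem in results:
        print(f"{pkg}: {problem}")
    sys.exit(1 if results else 0)
```

Run it as `python audit_lock.py package-lock.json` in CI and fail the build on a non-zero exit; with no argument it audits the constructed sample, where `example-util` passes and `example-widget` produces three findings.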

  • The cold hard truth is that security is a myth. Nothing is secure, and the fact we insist on piling disparate software on top of legacy code on top of the newest whiz-bang trend of the hour only tosses a match onto the gasoline soaked rag pile that is today's software mess.

    Complexity increases attack surface. Actual security means you plug EVERY SINGLE HOLE. Even just ONE compromises your security, usually fatally. And guess what? It is NOT POSSIBLE to plug every hole because tens of thousands of very dedicated bad guys are dreaming up new and frankly astounding ways to attack your "secure" facility. They're fanatical because that's how they eat. Necessity is the mother of invention and all that.

    Security is expensive, it is inconvenient, and that is anathema to business types. Period. GDPR will collapse under its utopian demands of perfection. Unfortunately, like every political solution it's going to do horrific damage to everything near it before being quietly withdrawn. Hopefully with the bill's sponsors taking "early retirement".

    Do I sound bitter and cynical? Maybe that's because I am. 😛

    My current project is 650,000+ lines of code, in two different (computer) languages and was designed from the get go with "get it right or people could die" security, and I know there's holes. Don't know where the holes are, and penetration testers are only as good as low-level script kiddies, so what can you do?

    By the standards of most companies that project is not even terribly complex. Which illustrates my point. And even if my project is a paragon of Superman-level security, what about Windows? What about the network? What about that gee-whiz shiny app that one user just had to have and installed without my knowledge that turns out to be a keyboard logger? What about *phones*? Android is a nightmare, and the iPhone isn't much better.

    Security? Yeah, give me some of that. Oh, and I'll take that rainbow unicorn in the window as well...

  • roger.plowman - Thursday, July 19, 2018 6:39 AM

    The cold hard truth is that security is a myth. Nothing is secure, and the fact we insist on piling disparate software on top of legacy code on top of the newest whiz-bang trend of the hour only tosses a match onto the gasoline soaked rag pile that is today's software mess.

    Complexity increases attack surface. Actual security means you plug EVERY SINGLE HOLE. Even just ONE compromises your security, usually fatally. And guess what? It is NOT POSSIBLE to plug every hole because tens of thousands of very dedicated bad guys are dreaming up new and frankly astounding ways to attack your "secure" facility. They're fanatical because that's how they eat. Necessity is the mother of invention and all that.

    Security is expensive, it is inconvenient, and that is anathema to business types. Period. GDPR will collapse under its utopian demands of perfection. Unfortunately, like every political solution it's going to do horrific damage to everything near it before being quietly withdrawn. Hopefully with the bill's sponsors taking "early retirement".

    Do I sound bitter and cynical? Maybe that's because I am. 😛

    My current project is 650,000+ lines of code, in two different (computer) languages and was designed from the get go with "get it right or people could die" security, and I know there's holes. Don't know where the holes are, and penetration testers are only as good as low-level script kiddies, so what can you do?

    By the standards of most companies that project is not even terribly complex. Which illustrates my point. And even if my project is a paragon of Superman-level security, what about Windows? What about the network? What about that gee-whiz shiny app that one user just had to have and installed without my knowledge that turns out to be a keyboard logger? What about *phones*? Android is a nightmare, and the iPhone isn't much better.

    Security? Yeah, give me some of that. Oh, and I'll take that rainbow unicorn in the window as well...

    I agree there is no silver bullet and I share some of your skepticism. It's just that for the past few decades security has been both very bad and an afterthought. Hard to change something like that overnight; however, I think it is worth trying. Imagine going from writing passwords on a post it note to using a password manager, or from sending data in the clear to use encryption instead? Simple things that progress the cause. Most threat actors are not nation state backed.

  • A bug or security flaw introduced into a common library like Node.js or jQuery could propagate around the globe overnight. Also, it's interesting how 3rd party hosted services like Microsoft / FaceBook / Google Sign-In and Slack have insinuated themselves into corporate infrastructure and become operational linchpins.

    Single Point of Failure: The (Fictional) Day Google Forgot To Check Passwords
    https://youtu.be/y4GB_NDU43Q

    "Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho

  • Because of business reasons, security will always take a back seat to its prettier sibling performance and usability. Security has gotten better over time even with all the breaches and blunders. This is a hard factor to bake into a development process or system architecture because once time and money are allocated they make lots of demands on the quality of the work - security is one of the qualities. 

    I remain optimistic but it is hard every time I read the news...

  • Jeff Mlakar - Thursday, July 19, 2018 7:56 AM

    I agree there is no silver bullet and I share some of your skepticism. It's just that for the past few decades security has been both very bad and an afterthought. Hard to change something like that overnight; however, I think it is worth trying. Imagine going from writing passwords on a post it note to using a password manager, or from sending data in the clear to use encryption instead? Simple things that progress the cause. Most threat actors are not nation state backed.

    Except password managers are just as bad as post-it notes, they create a big juicy target for hackers AND HAVE ALREADY BEEN BREACHED.

    Repeatedly.

    Also, don't be fooled. It doesn't take a nation state to find a breach. The stereotypical basement dwelling hacker is just as capable of finding a hole from sheer serendipity as "Super-Duper-Sekret-Cyber-Ninjas". I would wager most government breaches are not in fact, from nation state hackers, but from unaffiliated individuals.

    Blaming "da Ruskies" is just politicians covering their butts because it's embarrassing for a multi-billion dollar intelligence agency to get hacked by a teenager too young to drive...

  • roger.plowman - Thursday, July 19, 2018 8:11 AM

    Except password managers are just as bad as post-it notes, they create a big juicy target for hackers AND HAVE ALREADY BEEN BREACHED.

    Repeatedly.

    Also, don't be fooled. It doesn't take a nation state to find a breach. The stereotypical basement dwelling hacker is just as capable of finding a hole from sheer serendipity as "Super-Duper-Sekret-Cyber-Ninjas". I would wager most government breaches are not in fact, from nation state hackers, but from unaffiliated individuals.

    Blaming "da Ruskies" is just politicians covering their butts because it's embarrassing for a multi-billion dollar intelligence agency to get hacked by a teenager too young to drive...

    I hear you and agree with most here. I want to reiterate my main point: that incremental improvement matters.

    Yes PWD managers can be breached but they are superior for most people and their use cases. You cannot tell me post-its are better. That is overzealous. Those kinds of ravings are made by someone who won't vaccinate their children because 0.00000000000009% of people get sick from it. You could also drive a car with your feet if you had to but that doesn't make it better. I know you are likely experienced and jaded from that however - don't let that make you "throw out the baby with the bathwater".

    Security is a risk management discipline. We make trade-offs to balance our situations. Small improvements over time make a big difference.

  • What are your best resources for the economic costs of security breaches?

    412-977-3526 call/text

  • Jeff Mlakar - Thursday, July 19, 2018 8:53 AM

    roger.plowman - Thursday, July 19, 2018 8:11 AM

    Jeff Mlakar - Thursday, July 19, 2018 7:56 AM

    roger.plowman - Thursday, July 19, 2018 6:39 AM

    The cold hard truth is that security is a myth. Nothing is secure, and the fact we insist on piling disparate software on top of legacy code on top of the newest whiz-bang trend of the hour only tosses a match onto the gasoline soaked rag pile that is today's software mess.

    Complexity increases attack surface. Actual security means you plug EVERY SINGLE HOLE. Even just ONE compromises your security, usually fatally. And guess what? It is NOT POSSIBLE to plug every hole because tens of thousands of very dedicated bad guys are dreaming up new and frankly astounding ways to attack your "secure" facility. They're fanatical because that's how they eat. Necessity is the mother of invention and all that.

    Security is expensive, it is inconvenient, and that is anathema to business types. Period. GDPR will collapse under its utopian demands of perfection. Unfortunately, like every political solution it's going to do horrific damage to everything near it before being quietly withdrawn. Hopefully with the bill's sponsors taking "early retirement".

    Do I sound bitter and cynical? Maybe that's because I am. 😛

    My current project is 650,000+ lines of code, in two different (computer) languages and was designed from the get go with "get it right or people could die" security, and I know there's holes. Don't know where the holes are, and penetration testers are only as good as low-level script kiddies, so what can you do?

    By the standards of most companies that project is not even terribly complex. Which illustrates my point. And even if my project is a paragon of Superman-level security, what about Windows? What about the network? What about that gee-whiz shiny app that one user just had to have and installed without my knowledge that turns out to be a keyboard logger? What about *phones*? Android is a nightmare, and the iPhone isn't much better.

    Security? Yeah, give me some of that. Oh, and I'll take that rainbow unicorn in the window as well...

    I agree there is no silver bullet and I share some of your skepticism. It's just that for the past few decades security has been both very bad and an afterthought. Hard to change something like that overnight; however, I think it is worth trying. Imagine going from writing passwords on a post it note to using a password manager, or from sending data in the clear to use encryption instead? Simple things that progress the cause. Most threat actors are not nation state backed.

    Except password managers are just as bad as post-it notes, they create a big juicy target for hackers AND HAVE ALREADY BEEN BREACHED.

    Repeatedly.

    Also, don't be fooled. It doesn't take a nation state to find a breach. The stereotypical basement dwelling hacker is just as capable of finding a hole from sheer serendipity as "Super-Duper-Sekret-Cyber-Ninjas". I would wager most government breaches are not in fact, from nation state hackers, but from unaffiliated individuals.

    Blaming "da Ruskies" is just politicians covering their butts because it's embarrassing for a multi-billion dollar intelligence agency to get hacked by a teenager too young to drive...

    I hear you and agree with most here. I want to reiterate my main point: that incremental improvement matters.

    Yes PWD managers can be breached but they are superior for most people and their use cases. You cannot tell me post-its are better. That is overzealous. Those kinds of ravings are made by someone who won't vaccinate their children because 0.00000000000009% of people get sick from it. You could also drive a car with your feet if you had to but that doesn't make it better. I know you are likely experienced and jaded from that however - don't let that make you "throw out the baby with the bathwater".

    Security is a risk management discipline. We make trade-offs to balance our situations. Small improvements over time make a big difference.

    Password managers are not an improvement in any sense of the word. They gather the holy hacking grail of millions of users in one place. Hack that even once and identity theft and worse becomes ludicrously easy. That puts real people in real danger of losing their reputation, their life savings or other critical theft.

    Don't believe me? Try reading this:

    https://team-sik.org/trent_portfolio/password-manager-apps/

    That's from 2017, but the basic problem (an attack surface the size of a planet) is still there. Password managers are dangerous.

  • roger.plowman - Thursday, July 19, 2018 9:24 AM

    Password managers are not an improvement in any sense of the word. They gather the holy hacking grail of millions of users in one place. Hack that even once and identity theft and worse becomes ludicrously easy. That puts real people in real danger of losing their reputation, their life savings or other critical theft.

    Don't believe me? Try reading this:

    https://team-sik.org/trent_portfolio/password-manager-apps/

    That's from 2017, but the basic problem (an attack surface the size of a planet) is still there. Password managers are dangerous.

    I'm sorry I must disagree. You are going way overboard here. Is "password1" or "pass" or "guest" on par with passwords generated with a manager system? The premise here, once again, is that with so many logons people can either make up a password and write it down (people are typically bad at this) OR utilize a password manager system. Just because vulnerabilities exist doesn't factor in risk management. It is much easier to remember 1 complex long password than > 1.
    May I ask what your solution is?

  • Jeff Mlakar - Thursday, July 19, 2018 9:44 AM

    I'm sorry I must disagree. You are going way overboard here. Is "password1" or "pass" or "guest" on par with passwords generated with a manager system? The premise here, once again, is that with so many logons people can either make up a password and write it down (people are typically bad at this) OR utilize a password manager system. Just because vulnerabilities exist doesn't factor in risk management. It is much easier to remember 1 complex long password than > 1.
    May I ask what your solution is?

    Remember a short phrase. 🙂

    The problem with password managers isn't that vulnerabilities exist, it's that one failure compromises every user. As has happened at least twice. So this isn't a theoretical worst case scenario, it's established fact. So no, not going overboard. Just pointing out the obvious.

  • roger.plowman - Thursday, July 19, 2018 10:54 AM

    Remember a short phrase. 🙂

    The problem with password managers isn't that vulnerabilities exist, it's that one failure compromises every user. As has happened at least twice. So this isn't a theoretical worst case scenario, it's established fact. So no, not going overboard. Just pointing out the obvious.

    I agree it is an established fact that password manager systems have vulnerabilities. That does not mean they are without merit or not a better solution. Home security systems are flawed too - does that mean we should not use home security systems? No - we should use them if the risks are lesser than the benefits.

    I understand the single point of failure - especially with having a file in the cloud. I myself memorized a long string such that it would not appear in dictionaries and substituted out numbers and special characters. I'm a fan of long passwords. The situation becomes more complex with the addition of more and more logons. Pretty soon you are either using the same password for multiple sites or appending a suffix to your formula. That is a less secure option. 

    Consider the typical user. Imagine the passwords they come up with. They are the same ones in brute force attack dictionaries. Imagine if instead they had a 15 character string with numbers and special characters. How is that not a better solution? Basically you need to memorize 1 password that is long and complex and change it every 6-12 months. That is a better solution than most others. The benefits outweigh the risks here.

  • Jeff Mlakar - Thursday, July 19, 2018 11:57 AM

    I agree it is an established fact that password manager systems have vulnerabilities. That does not mean they are without merit or not a better solution. Home security systems are flawed too - does that mean we should not use home security systems? No - we should use them if the risks are lesser than the benefits.

    I understand the single point of failure - especially with having a file in the cloud. I myself memorized a long string such that it would not appear in dictionaries and substituted out numbers and special characters. I'm a fan of long passwords. The situation becomes more complex with the addition of more and more logons. Pretty soon you are either using the same password for multiple sites or appending a suffix to your formula. That is a less secure option. 

    Consider the typical user. Imagine the passwords they come up with. They are the same ones in brute force attack dictionaries. Imagine if instead they had a 15 character string with numbers and special characters. How is that not a better solution? Basically you need to memorize 1 password that is long and complex and change it every 6-12 months. That is a better solution than most others. The benefits outweigh the risks here.

    I can't agree. With a home security system one compromise is *one* compromise. With a password manager one compromise is potentially tens of millions of compromises. BIG difference!

  • I have a password manager app on my phone, but I don't enter the entire password, only a shorter tokenized version. For example, instead of "GreenDay!871", I'll enter "G*871". That way if the app were to be hacked, I'm not losing all the family jewels.

    "Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho
