1. 10

A 2014, draft book by Peter Guttman teaching security engineering.


  2. 6

    A fascinating tome, focused on effective security. Flipping through it, this quote on the differences between geeks and normal people: stands out in lurid neon.

    If you’re still not convinced, here’s a third example of the difference between geek and standard human mental processes, this time going back to the field of psychology. Consider the following problem:

    All of Anne’s children are blond.

    Does it follow that some of Anne’s children are blond?

    (If you’re a logician, assume in addition that the set of Anne’s children is nonempty). Is this statement, called a subalternation in Aristotelian logic, true or false? Most geeks would agree that the inference from “all A are B” to “some A are B” is valid. However, 70% of the general public consider it false [228], and this result is consistent across a range of different cultures and with various re-phrasings of the problem (in the experimenters’ jargon, the result is robust) [229][230][231]. The reasons why people think this way are rather complex [232] and mostly incomprehensible to geeks, for whom it’s a perfectly simple logical problem with a straightforward solution.

    1. 1

      I didn’t know about that. Fascinating. Thanks for the excerpt!

    2. 3

      Does also provide a useful collection of quotable phrases like…

      “wastefully pointless, but adorably harmless” (describing security protocols that don’t provide truly end-to-end security)

      Fundamental Truth No.6 of the Twelve Networking Truths, “It is easier to move a problem around than it is to solve it”

      1. 2

        “PKI is like real security, only without the security part”

        a certificate is “an X.509 formatted receipt for the bribe a website owner is required to pay a Certificate Authority [in order to avoid] the Certificate Warnings from Hell”

        Microsoft have a sixty-page best practices document for code signing [399], but from an informal survey of online developer forums it seems that the impact of this on developers is negligible, if they even know of its existence, probably not helped by the fact that the document includes discussions of topics like FIPS 140-certified hardware security modules (HSMs), key cards and biometrics for access control, security cameras and guards, and periodic audits, for something that from the developers’ point of view is little more than a hurdle to be leaped or bypassed during the development process.

        No best-practices document ever seems to consider that more than one or maybe two files might need to be signed. This problem is exacerbated by the fact that there’s no real distinction made between development/test releases and final releases, with the complex and awkward signing process being required in both instances.

        The conceptual mistake that Oracle was making in this case (setting aside for a moment the numerous implementation flaws that accompanied it), even more so than other organisations relying on code signing for security, was that they conflated authentication with authorisation. If you want to see the difference between authentication and authorisation in practice, try walking into a store and buying something with your passport (authentication) instead of your credit card (authorisation). In other words Oracle assumed that as long as they knew who wrote a piece of code, it was safe to authorise it to do anything. Not only is this not the case, but because of the loose security practices of the CAs who issued the code- signing certificates and the problem of attackers stealing legitimate users’ certificates, it’s not even possible to know, from the code signature, who really wrote a piece of code.