The One Thing Has Overlooked

The simplest and most important fact about computers — COMPUTERS ARE TURING COMPLETE

Because of that, we can not know what program runs on a given computer (without disassembling this computer to atoms).

The only possible source of an answer to this question is the computer itself, which in turn can be programmed to give ANY ANSWERS (due to its Turing completeness). A system program+computer can present itself to an observer as anything arbitrarily far from the real internal state of the system.

That's enough for any amount of fraud to be completely undetectable. NO AMOUNT OF REGULATIONS CAN CHANGE IT!!! A program can always be invisibly replaced/altered.

The law defines the elections as a particular process. Computers arbitrarily change this process — this is not legal (in a very literal sense of «legal»). Computers make the regulations inapplicable and the entire electoral process unregulated — lawless!

The computers should be banned from the vote counting process regardless of the actual fraudulent activity of any parties.

Why The InfoSec Discourse Is Entirely Composed Of Fallacies?

The deepest root of all the misunderstandings that constitute the InfoSec discourse nowadays is that the normal people («security experts» included) do not understand what is software, and its fundamental difference from the physical world we live in.

The entire realm of software is purely artificial.

Not only programs and functions, not only bugs and security holes, but also all the notions and intentions, all phenomena in the realm of software, even those perceived as «natural», are created by a man.

There are no natural laws that a program must follow and obey. While your computer does follow all the laws of physics, your programs do not at all. This very distinction makes a computer useful for us. The purpose and the only purpose of your computer's existence is to create a virtual TABULA RASA world, the world devoid of any laws, the world completely disconnected from the physical reality, the world that you are supposed to populate with laws of your own creation.

In other words, a computer can produce any output from any input — this is the definition and the characteristic property of a computer. This is what they always forget, and I stress ALWAYS.

REMEMBER THAT! If you want to improve your «safety», «cyber security», whatever. Every time you assume any expectation to a program of someone else's creation. Remember that! Every time you are disappointed: I gave this stupid machine a perfect input! Remember what a computer is: a machine that produces any output from any input — no restrictions at all. If you remember it well, first you will stop acting surprised when you wonder into a trap, second you will become more challenging prey, third you will stop believing InfoSec selling stories.

GMOs And Passwords

Before you indulge into an experiment investigating the effects of whatever quality of a subject, it is the best for you to make sure beforehand that the quality in question does belong to your subject.

We colloquially say: «a red pencil» as if it is not a question whether a pencil can be red. Indeed, it can. In this particular case our «intuition» coincide with physical reality. We can create an experiment that demonstrates a possibility of any colour be a quality of a pencil. We can clearly define «red» as a specific feature of the light spectrum, and we can unambiguously link those spectra to each pencil. We can see (experimentally) that some pencils share this quality, while some do not. Even if the dividing line between these sets is fuzzy, we now have a CHARACTERISTIC PROPERTY of a «red pencil»: all red pencils share this property, and all non red do not have it. Facing a pencil, we can (experimentally) determine if it is red (and to what extent).

It is perfectly legitimate for anyone to call a pencil «red» or otherwise tag a pencil with a colour, because of the physics, not because the language allows it. Language is equally suitable for describing reality and nonsense as well. We still can call a pencil «aggressive» but it does not make physical sense. Aggressiveness can not be observed in pencils. There are many qualities applicable to pencils and there are many qualities inapplicable to pencils. Some qualities are plainly inapplicable to some objects — this fact is so basic that is often forgotten.

Now, I give you two grains of wheat, one is «GMO» and another isn't.
Can you conceive an experiment that tells me which is which?

Maybe it is time to make one step back and determine if «GMO» is a quality of an organism? Is there any CHARACTERISTIC PROPERTY of a «GM organism», something that all «GM» subjects share, while none of the rest have? Please, define this property for me. ...or simply ask yourself (every time you are looking for the magical label on the food package) what is this characteristic property I am looking for?

Now, as you have yelled at me all your suggestions, think carefully which of them is actually a property of an organism. Not single one. All that you have come up with are qualities of a production process or a design process or even earlier. None of those can be observed in a grain of wheat.

Observing a car, can you tell, for example, a difference between a car that was sketched with HB pencil and a car sketched with 2B pencil during their stage of development? In case of a car you would not claim that all qualities of a design phase are inherited by the product. You may consider me foolish to even suggest this very possibility. It is too obvious for you that a car and a car production process are two wildly different objects. Ok, then. What makes you claim that «GM» property of an organism design process is also a quality of a resulted organism? Hopefully you are not going to claim that organisms and their production processes are the same object.

However, you may legitimately conjecture that this particular property somehow translates from the design process to the organism. This is why I gave you these two grains of wheat. Take them and prove your conjecture. Show me the CHARACTERISTIC PROPERTY of «GMO».

I know you are wondering what all this nonsense has to do with passwords.
Well, this is all about the information entropy, which you do happily assign to your passwords without even a glimpse of doubt: IS IT REALLY A QUALITY OF A PASSWORD??? CAN I CREATE A CHARACTERISTIC RELATION THAT MAPS PASSWORDS ON REAL NUMBERS AND IS A FUNCTION???

The Root Of All Evil

For a million years you are being trained to reason about the physical world as perceived by your sensors. You evolved to search for patterns and assume animal agency by default (simply because the cost of the mistake is lower with this assumption). Then came computer programs… they are invisible for your sensors, they do not follow any patterns, they can make computers appear animate, they can disguise as a reasonable actor, or fool your senses otherwise. And on top of it all they do not obey the laws of physic, the laws that your brain perceive as unbreakable for any agent in the visible world. This is a disaster for your neolithic brain.
Read more →

Password Strength Explained

This is a scheme of how we define password strength in a strict scientific manner without bullshit and lyrics:

1. we clarify what is a guessing attack and set aside all other types of attacks;

2. we prove the theorem: any two guessing attacks differ ONLY by the ORDER in which they try candidate-passwords;

3. we demonstrate that password strength (in any practical sense) is a function of an attack;

4. the strength of a given password is the position of this password in the attacker's dictionary;

5. the defender's strategy is an approximation of the attack dictionary order;

6. an approximate order is equivalent to a specific set of orders (i.e. different attacks);

7. thus, the defender's password strength is an expected value for the password strength over the given set of attacks.

You can read the implementation of this scheme in my paper: "A Canonical Password Strength Measure". It gives us a feasible meaningful unambiguous measure that everyone can implement.

It is also worth noticing that Shannon's entropy is entirely irrelevant to the password strength problem. Entropy is based on the ASSUMPTION of possible outcomes. This set is well defined in the context of measuring a memory size, and not defined at all in the context of password creation/guessing.

In contrast to my work, the «password strength» discourse is extraordinarily rich on bullshit. Take a look at this masterpiece. This is a great example of how to write some 35K of text without answering the question, and even without understanding the subject. Let me quote the key paragraph:

Password strength is a measure of the effectiveness of a password in resisting guessing and brute-force attacks. In its usual form, it estimates how many trials an attacker who does not have direct access to the password would need, on average, to guess it correctly. The strength of a password is a function of length, complexity, and unpredictability.

This is one of the best non-answers I have ever seen, and a very succinct one too. No wonder it originates from the government officials! It obscures the matter it addresses in almost every word — «effectiveness», «resisting», «complexity», «unpredictability» — what are they? So, essentially the quoted paragraph reads:

Password strength is a function of something unknown to us.

It is time for us to do some trivial maths and terminate the «password strength» nonsense.

On The "Bottom-Up" Approach To Data Security

Once I stated the title I immediately realized that there are many distinct dimensions having their own «bottoms» and «ups». So I must specify. The «bottom» is a set of elementary data manipulation operations available to you as a programmer or a data security specialist (although it is often the same «you»). The «top» is a transitive closure of this set. The set of operations available for a user is rather close to the «top», and mapping them into the basic data handling operations constitutes the essence of the programmer's job. The «bottom-up» approach to data security is a job of defining all the necessary data access rules in terms of the basic data handling operations — you apply certain restrictions to various data elements and they affect the data system overall behavior, namely data accessibility in the high-level terms used by the end users. The most elaborated text-book example of this approach is SQL — it gives you very low-level security bricks to build a custom building without specifying explicitly this building emergent properties.
Read more →

A Better SQL Security Approach

This is not only an SQL's problem, I am going talk about, this is a pretty general problem of all complex systems dealing with user permissions, however SQL constitutes the best possible illustration to the issue.The principal source of all evil is the generalized security policies, policies trying to cover the entire space of user actions by being formulated in basic general terms.
Read more →

There Is No Such Thing As Binary Data In This World

The «binary data» is a myth, created by very unintelligent people. This is just another undefined term in IT amongst millions of its brethren. Oh, dear! if you disagree I challenge you to define it or at least look up a definition. Seriously, give it a try.
I have challenged many advocates of «binary data» to define their beloved product of words. All of them (who are not indoctrinated enough to refuse the challenge altogether) immediately slipped into reasoning about text editors, terminals, and ASCII. But, wait, «my terminal can not display binary data» — is your terminal's problem and nothing more. Some terminals can not display unicode — is it «binary»? All different kinds of terminals unable to display different kinds of data. The same goes to the text editors — which particular byte sequences make a text editor cringe and glitch is specifically defined within the text editor and nowhere else.
Read more →

How many capital letters does your password contain?

Do you really, i mean really, believe that computers are afraid of capital letters? and punctuation? Don't tell me that you want to scare off people, not computers, it would be even more ridiculous, given a second thought.

How would you feel if a service provider asks you: «please include at least three capital letters, seven underscores, and a number thirteen in your password»? — weird? You better adjust your attitude. The first ingredient is already required by some, more to follow soon.

Seriously, have you ever tried to think why all those «password choosing» policies are so ridiculous and stupid, are they as beneficial as people believe?

The serious answer to the question is given in my new paper on the password authentication: and its summary is as follows: «The password policies are futile, because they have no formal mathematical foundation at all, and this is why they are all as ridiculous as homeopathy».

Here i want to present some fun aspects of the problem.

The two most prominent protagonists of computer security MS and Google directly contradict each other:

Common letter-to-symbol conversions, such as changing «o» to «0».
similar looking substitutions, such as the number zero for the letter 'O'
No one notice. These both password creation policies are equally respected. Who are we to doubt the Wisdom of the Titans!?

Also, the Titans teach us that there is an inherent contradiction between security and memorability. Of course the Titans do not condescend to proving their claims. We are supposed to make a leap of faith. I don't have faith, i need a proof, or at least some evidence supporting the claim. Here is the claim:

Human memory is limited and therefore users cannot remember secure passwords.
Call me when you find any evidence of that.