Picture that: You are a farmer.
You have grown a ton of potato and brought it to a marketplace.
You recon everybody sells potatoes for $1 and you decided to set the price to 0.9 so that you can return home earlier.
Presently, a group of well dressed respectable men with baseball bats approached you:
— Nice potato you have here, good sir. Do you know that the minimum price for potatoes here is $1?

QUESTIONS:
1. do you believe these respectable men helped you sell your potato for a better price?
2. do you wish the minimum price to be set higher (e.g. $1.1)?

Undoubtedly we live in the age of false dichotomies… Somehow people are all talking (and fighting) about subjects with no substance.

Dear vaxxers and anti-vaxxers, your fight is ridiculous, and it is not because you are both partially right, it is because you are both completely wrong.

Have any one of you ever tried to DEFINE the subject of your debate? What do you think a vaccine is? And what to you think the category «vaccines» is? How can you make a utility/risk claim about ALL vaccines, piling together a smallpox vaccine that demonstrably saved the humanity and a flu vaccine that have never entered any testing whatsoever! Do these two share any INNATE properties at all? Can you formulate a property that all vaccines possess on their own, a property that can be observed in the vaccines themselves, all vaccines and nowhere else? This would be a characteristic property that gives you the least moral ground to speak about the «vaccines» as an object (entity). Until then, both of you vaxxers and anti-vaxxers, are engaged into a typical case of false entitification — there is no such entity «vaccines» that you pretend to be talking about. Therefore ANY CLAIM ABOUT ALL VACCINES IS GUARANTEED TO BE WRONG.

But there is still more hilarity in the «debate». Here is a logical scheme of the anti-vaxxer standing:

In a government-run hospital my child was given a shot, that was documented as vaccination. Shortly after the event the child became sick (as never before).

Let's assume we have a sufficient amount of the episodes like that (properly documented («there is no evidence» fanboys can go fuck themselves)).

How is this a reason to blame the sickness on vaccines? Let's control for all other factors… all those kids were perfectly healthy before the injection and so on and so on. If we determine beyond reasonable doubt that the sickness was caused by this particular injection, how is it a reason to blame vaccines? In order to blame vaccines on the ground described above, you must assume that the government-run hospital DID NOT lie to you about the injected substance!!!

So the anti-vaxxers' claim of the vaccines' malice is based upon the trust to the govt! The same govt that under a false pretense of vaccination and medical treatment injected kids with plutonium, gave people syphilis, created a polio outbreak (not even for scientific nor military purposes, just for fun). The govt that has broken the trust of the people over 9000 times, this govt the anti-vaxxers trust! — «govt said it was a vaccine, duh, vaccines are bad» — what a joke!

The deepest root of all the misunderstandings that constitute the InfoSec discourse nowadays is that the normal people («security experts» included) do not understand what is software, and its fundamental difference from the physical world we live in.

The entire realm of software is purely artificial.

Not only programs and functions, not only bugs and security holes, but also all the notions and intentions, all phenomena in the realm of software, even those perceived as «natural», are created by a man.

There are no natural laws that a program must follow and obey. While your computer does follow all the laws of physics, your programs do not at all. This very distinction makes a computer useful for us. The purpose and the only purpose of your computer's existence is to create a virtual TABULA RASA world, the world devoid of any laws, the world completely disconnected from the physical reality, the world that you are supposed to populate with laws of your own creation.

In other words, a computer can produce any output from any input — this is the definition and the characteristic property of a computer. This is what they always forget, and I stress ALWAYS.

REMEMBER THAT! If you want to improve your «safety», «cyber security», whatever. Every time you assume any expectation to a program of someone else's creation. Remember that! Every time you are disappointed: I gave this stupid machine a perfect input! Remember what a computer is: a machine that produces any output from any input — no restrictions at all. If you remember it well, first you will stop acting surprised when you wonder into a trap, second you will become more challenging prey, third you will stop believing InfoSec selling stories.

Before you indulge into an experiment investigating the effects of whatever quality of a subject, it is the best for you to make sure beforehand that the quality in question does belong to your subject.

We colloquially say: «a red pencil» as if it is not a question whether a pencil can be red. Indeed, it can. In this particular case our «intuition» coincide with physical reality. We can create an experiment that demonstrates a possibility of any colour be a quality of a pencil. We can clearly define «red» as a specific feature of the light spectrum, and we can unambiguously link those spectra to each pencil. We can see (experimentally) that some pencils share this quality, while some do not. Even if the dividing line between these sets is fuzzy, we now have a CHARACTERISTIC PROPERTY of a «red pencil»: all red pencils share this property, and all non red do not have it. Facing a pencil, we can (experimentally) determine if it is red (and to what extent).

It is perfectly legitimate for anyone to call a pencil «red» or otherwise tag a pencil with a colour, because of the physics, not because the language allows it. Language is equally suitable for describing reality and nonsense as well. We still can call a pencil «aggressive» but it does not make physical sense. Aggressiveness can not be observed in pencils. There are many qualities applicable to pencils and there are many qualities inapplicable to pencils. Some qualities are plainly inapplicable to some objects — this fact is so basic that is often forgotten.

Now, I give you two grains of wheat, one is «GMO» and another isn't.
Can you conceive an experiment that tells me which is which?

Maybe it is time to make one step back and determine if «GMO» is a quality of an organism? Is there any CHARACTERISTIC PROPERTY of a «GM organism», something that all «GM» subjects share, while none of the rest have? Please, define this property for me. ...or simply ask yourself (every time you are looking for the magical label on the food package) what is this characteristic property I am looking for?

Now, as you have yelled at me all your suggestions, think carefully which of them is actually a property of an organism. Not single one. All that you have come up with are qualities of a production process or a design process or even earlier. None of those can be observed in a grain of wheat.

Observing a car, can you tell, for example, a difference between a car that was sketched with HB pencil and a car sketched with 2B pencil during their stage of development? In case of a car you would not claim that all qualities of a design phase are inherited by the product. You may consider me foolish to even suggest this very possibility. It is too obvious for you that a car and a car production process are two wildly different objects. Ok, then. What makes you claim that «GM» property of an organism design process is also a quality of a resulted organism? Hopefully you are not going to claim that organisms and their production processes are the same object.

However, you may legitimately conjecture that this particular property somehow translates from the design process to the organism. This is why I gave you these two grains of wheat. Take them and prove your conjecture. Show me the CHARACTERISTIC PROPERTY of «GMO».

I know you are wondering what all this nonsense has to do with passwords.
Well, this is all about the information entropy, which you do happily assign to your passwords without even a glimpse of doubt: IS IT REALLY A QUALITY OF A PASSWORD??? CAN I CREATE A CHARACTERISTIC RELATION THAT MAPS PASSWORDS ON REAL NUMBERS AND IS A FUNCTION???

It has become a dangerous fad to talk about biometrics as a replacement for the traditional authentication methods. It is often claimed that passwords are losing battle to biometrics… Despite the futility of the claim, I don't even need to dismiss it. There is one simple physical fact that renders this entire «battle» completely impossible.
Read more →

It turned out that my "Authentication vs Identification" article was not sufficiently conclusive in the sense that some hardcore biometrics fans still nurture a non-trivial and well justified objection. So I need to address and destroy it, in order to close the topic. My opponents' argument is:

Your analysis narrows the both sides of the problem to a knowledge/ownership claim. Even if you are right, the conclusion is only applicable to the authentication by means of a knowledge token, whereas all the rest relations between the user and the token (suitable for authentication purposes) are set aside. There is one particularly important relation (the one fundamental for the entire biometrics field): «the user is» or other way around «the token is a part of the user» — this relation implies inalienability which makes the token safe for authentication purposes.

It is true. Completely true. It is undeniably true! In the physical realm.
Read more →

Once again I have to return to the topic of strict antagonism between the authentication and the identification, meaning these very processes and the tokens involved as well. Before I indulge into boring you with tedious decomposition of entities you used to perceive as atomic, I present you a synthetic illustration of the difference in question. A bad guy tries to get a false-negative outcome of identification, and a false-positive outcome of authentication. This is not explanatory, yet very indicative, I hope it gives you an idea of the magnitude of the difference, and we are going to dig into this now.
Read more →

Simple questions are usually the most difficult ones to answer. And the most important among them are traditionally labeled stupid and dismissed. The modern days InfoSec is based upon unanswered questions. The lack of theoretical basis allows InfoSec gurus to produce teachings and «best practices» without a limit.

Today I want to address two very basic questions about passwords:

What are characteristic properties of a password? and what makes your password yours?

By answering these questions you achieve understanding of the utter malevolence of the password abandonment movements, that are so frighteningly popular today. There is a particularly dangerous movement to replace passwords with bio-metric attributes that can reliably identify your body (e.g. voice, fingerprints, and such). Although these attributes are successfully used in forensic practice for centuries, it does not make them good authentication tokens. Why? Because your password's job is NOT to identify your body.

I hear you screaming: «WHAT?!?!?!» That means you are ready to investigate what IS a password, what is its job, and what properties do you want your password to possess.
Read more →

Naked Security reports another (not very special) piece of malware for Android. It is quite sophisticated and effective, it has fooled almost 200K users.

I want to talk about one particular detail, quote:

The apps were installed directly onto unwitting Android devices as the extension bypassed the operating system’s permissions process.

Once again my question is how is it even possible in a mentally sane world??? Who created this bypass and why? No questions asked to Android, everybody is throwing feces at «evil-evil-evil» developers of malware. I believe that the idea of infosec related media is to channel the users' wrath into a safe direction, away from those who made malware possible in the first place, and suppress real inconvenient questions to the «trusted» developers and «respected» vendors.

Within the next few days I will explain you all evils of the android quasi-security — today I am too angry.