Synopsis: There are no elections in USA.

It is not a hyperbole and it is not a political nor ethical statement. I am talking specifically about the procedure of elections as an information process. By using a «voting» machine you do not give your vote to any of candidates, you give your vote to whomever controls the machine. Giving your vote away is NOT electing.

In case you are concerned about data security or voter fraud issues: those concerns are irrelevant, the computerized procedure in use does not endanger the elections, it ELIMINATES them from existence. From the InfoSec perspective the information process that has taken place of the elections (be it hacked or not) is NOT the elections — not even a surrogate! — it is something else, that, most importantly, has nothing to do with your vote.
Read more →

The deepest root of all the misunderstandings that constitute the InfoSec discourse nowadays is that the normal people («security experts» included) do not understand what is software, and its fundamental difference from the physical world we live in.

The entire realm of software is purely artificial.

Not only programs and functions, not only bugs and security holes, but also all the notions and intentions, all phenomena in the realm of software, even those perceived as «natural», are created by a man.

There are no natural laws that a program must follow and obey. While your computer does follow all the laws of physics, your programs do not at all. This very distinction makes a computer useful for us. The purpose and the only purpose of your computer's existence is to create a virtual TABULA RASA world, the world devoid of any laws, the world completely disconnected from the physical reality, the world that you are supposed to populate with laws of your own creation.

In other words, a computer can produce any output from any input — this is the definition and the characteristic property of a computer. This is what they always forget, and I stress ALWAYS.

REMEMBER THAT! If you want to improve your «safety», «cyber security», whatever. Every time you assume any expectation to a program of someone else's creation. Remember that! Every time you are disappointed: I gave this stupid machine a perfect input! Remember what a computer is: a machine that produces any output from any input — no restrictions at all. If you remember it well, first you will stop acting surprised when you wonder into a trap, second you will become more challenging prey, third you will stop believing InfoSec selling stories.

It has become a dangerous fad to talk about biometrics as a replacement for the traditional authentication methods. It is often claimed that passwords are losing battle to biometrics… Despite the futility of the claim, I don't even need to dismiss it. There is one simple physical fact that renders this entire «battle» completely impossible.
Read more →

For a million years you are being trained to reason about the physical world as perceived by your sensors. You evolved to search for patterns and assume animal agency by default (simply because the cost of the mistake is lower with this assumption). Then came computer programs… they are invisible for your sensors, they do not follow any patterns, they can make computers appear animate, they can disguise as a reasonable actor, or fool your senses otherwise. And on top of it all they do not obey the laws of physic, the laws that your brain perceive as unbreakable for any agent in the visible world. This is a disaster for your neolithic brain.
Read more →

I have a strong conviction that 99% of «security experts» do not know the definition of the entropy. This conviction does certainly seem wildly deranged for you, unless you know the definition in question. So, let's begin with the definition, by the book.
Read more →

Previously (in "What Makes Your Password Yours" and "Auth vs ID") We have established that your exclusive and complete control over your password makes the password belong to you, and this is the one and only characteristic property of a valid password. Now, we are to scrutinize the second member of the 2-Factor formula.
Read more →

It turned out that my "Authentication vs Identification" article was not sufficiently conclusive in the sense that some hardcore biometrics fans still nurture a non-trivial and well justified objection. So I need to address and destroy it, in order to close the topic. My opponents' argument is:

Your analysis narrows the both sides of the problem to a knowledge/ownership claim. Even if you are right, the conclusion is only applicable to the authentication by means of a knowledge token, whereas all the rest relations between the user and the token (suitable for authentication purposes) are set aside. There is one particularly important relation (the one fundamental for the entire biometrics field): «the user is» or other way around «the token is a part of the user» — this relation implies inalienability which makes the token safe for authentication purposes.

It is true. Completely true. It is undeniably true! In the physical realm.
Read more →

Once again I have to return to the topic of strict antagonism between the authentication and the identification, meaning these very processes and the tokens involved as well. Before I indulge into boring you with tedious decomposition of entities you used to perceive as atomic, I present you a synthetic illustration of the difference in question. A bad guy tries to get a false-negative outcome of identification, and a false-positive outcome of authentication. This is not explanatory, yet very indicative, I hope it gives you an idea of the magnitude of the difference, and we are going to dig into this now.
Read more →

Simple questions are usually the most difficult ones to answer. And the most important among them are traditionally labeled stupid and dismissed. The modern days InfoSec is based upon unanswered questions. The lack of theoretical basis allows InfoSec gurus to produce teachings and «best practices» without a limit.

Today I want to address two very basic questions about passwords:

What are characteristic properties of a password? and what makes your password yours?

By answering these questions you achieve understanding of the utter malevolence of the password abandonment movements, that are so frighteningly popular today. There is a particularly dangerous movement to replace passwords with bio-metric attributes that can reliably identify your body (e.g. voice, fingerprints, and such). Although these attributes are successfully used in forensic practice for centuries, it does not make them good authentication tokens. Why? Because your password's job is NOT to identify your body.

I hear you screaming: «WHAT?!?!?!» That means you are ready to investigate what IS a password, what is its job, and what properties do you want your password to possess.
Read more →