"One Brand of Firewall"

Gatrner sent me an ad of a quite disturbing report ( www.gartner.com/imagesrv/media-products/pdf/fortinet/fortinet-1-3315BQ3.pdf ) which advocates using «one firewall brand» to reduce complexity.

Sorry, guys, one brand of WHAT?

There is no such thing as «general purpose firewall» that fits all. It is a mythical device (and this myth was supported by Gartner for years).
What you call «firewall» is actually one of three (or more) things:

1) A border/datacenter segmenation device. Think high throughput, ASICs, fault tolerance and basic IPS capabilities.
2) An «office» firewall. Think moderate throughput, egress filtering, in-depth protocol inspection, IAM integration and logging capabilities
3) WAF. Enough said, WAF is completely different beast, having almost nothing in common with any of those.

Ah, and a VPN server. It is not a firewall (though it should have basic firewall capabilities). Not falls into any of those categories.

Dear Gartner, have you ever tried to market a pipe-wrench-hair-dryer? You should, you have a talent for that.

The One Thing blackboxvoting.org Has Overlooked

The simplest and most important fact about computers — COMPUTERS ARE TURING COMPLETE

Because of that, we can not know what program runs on a given computer (without disassembling this computer to atoms).

The only possible source of an answer to this question is the computer itself, which in turn can be programmed to give ANY ANSWERS (due to its Turing completeness). A system program+computer can present itself to an observer as anything arbitrarily far from the real internal state of the system.

That's enough for any amount of fraud to be completely undetectable. NO AMOUNT OF REGULATIONS CAN CHANGE IT!!! A program can always be invisibly replaced/altered.

The law defines the elections as a particular process. Computers arbitrarily change this process — this is not legal (in a very literal sense of «legal»). Computers make the regulations inapplicable and the entire electoral process unregulated — lawless!

The computers should be banned from the vote counting process regardless of the actual fraudulent activity of any parties.

The Final Note On The Elections



Synopsis: There are no elections in USA.

It is not a hyperbole and it is not a political nor ethical statement. I am talking specifically about the procedure of elections as an information process. By using a «voting» machine you do not give your vote to any of candidates, you give your vote to whomever controls the machine. Giving your vote away is NOT electing.

In case you are concerned about data security or voter fraud issues: those concerns are irrelevant, the computerized procedure in use does not endanger the elections, it ELIMINATES them from existence. From the InfoSec perspective the information process that has taken place of the elections (be it hacked or not) is NOT the elections — not even a surrogate! — it is something else, that, most importantly, has nothing to do with your vote.
Read more →

The Root Of All Evil



For a million years you are being trained to reason about the physical world as perceived by your sensors. You evolved to search for patterns and assume animal agency by default (simply because the cost of the mistake is lower with this assumption). Then came computer programs… they are invisible for your sensors, they do not follow any patterns, they can make computers appear animate, they can disguise as a reasonable actor, or fool your senses otherwise. And on top of it all they do not obey the laws of physic, the laws that your brain perceive as unbreakable for any agent in the visible world. This is a disaster for your neolithic brain.
Read more →

On coming age of silver bullets

Silver bullet

I keep telling you time and again «there is no silver bullet in Information Security», despite the vendors blatant attempts to claim otherwise.

You cannot buy a box that solves your problems at once. Every tool needs a skilled person to be mastered by. And still we look forward with hope for the best and the victory of reason, while, trying to guess the shape of things to come. There are emerging technologies, deep learning, AIs and stuff that certainly will change everything. Someday. And there are promising startups that already started doing it. But is it really the most important change we expect — right now?
Read more →

An Observation About Passphrases: Syntax vs Entropy



I suggested in the article to use passphrases instead of «traditional» passwords, for multiple reasons, including: sheer strength, memorability, and conforming to idiotic password creation policies without actually following detrimental recommendations of the policy authors.

This recommendation gives rise to a reasonable doubt: «what if syntactically correct phrases are as weak as dictionary words in comparison to a random string of symbols?''. Indeed, syntax itself should weaken a passphrase, as it provides some „predictability'' to the phrase. I want to address this problem, by comparing syntactically correct passphrases to random collections of words (which we all consider sufficiently strong… hopefully).
Read more →

Password Strength Explained

This is a scheme of how we define password strength in a strict scientific manner without bullshit and lyrics:

1. we clarify what is a guessing attack and set aside all other types of attacks;

2. we prove the theorem: any two guessing attacks differ ONLY by the ORDER in which they try candidate-passwords;

3. we demonstrate that password strength (in any practical sense) is a function of an attack;

4. the strength of a given password is the position of this password in the attacker's dictionary;

5. the defender's strategy is an approximation of the attack dictionary order;

6. an approximate order is equivalent to a specific set of orders (i.e. different attacks);

7. thus, the defender's password strength is an expected value for the password strength over the given set of attacks.

You can read the implementation of this scheme in my paper: "A Canonical Password Strength Measure". It gives us a feasible meaningful unambiguous measure that everyone can implement.

It is also worth noticing that Shannon's entropy is entirely irrelevant to the password strength problem. Entropy is based on the ASSUMPTION of possible outcomes. This set is well defined in the context of measuring a memory size, and not defined at all in the context of password creation/guessing.

In contrast to my work, the «password strength» discourse is extraordinarily rich on bullshit. Take a look at this masterpiece. This is a great example of how to write some 35K of text without answering the question, and even without understanding the subject. Let me quote the key paragraph:

Password strength is a measure of the effectiveness of a password in resisting guessing and brute-force attacks. In its usual form, it estimates how many trials an attacker who does not have direct access to the password would need, on average, to guess it correctly. The strength of a password is a function of length, complexity, and unpredictability.

This is one of the best non-answers I have ever seen, and a very succinct one too. No wonder it originates from the government officials! It obscures the matter it addresses in almost every word — «effectiveness», «resisting», «complexity», «unpredictability» — what are they? So, essentially the quoted paragraph reads:

Password strength is a function of something unknown to us.

It is time for us to do some trivial maths and terminate the «password strength» nonsense.