Authentication vs Identification



Once again I have to return to the topic of the strict antagonism between authentication and identification, meaning both the processes themselves and the tokens involved. Before I indulge in boring you with a tedious decomposition of entities you are used to perceiving as atomic, I present you with a synthetic illustration of the difference in question: a bad guy tries to get a false-negative outcome of identification, and a false-positive outcome of authentication. This is not explanatory, yet it is very indicative; I hope it gives you an idea of the magnitude of the difference, and we are going to dig into it now.

What Makes Your Password YOURS?



Simple questions are usually the most difficult ones to answer. And the most important among them are traditionally labeled stupid and dismissed. Modern-day InfoSec is based upon unanswered questions. The lack of a theoretical basis allows InfoSec gurus to produce teachings and «best practices» without limit.

Today I want to address two very basic questions about passwords:

What are the characteristic properties of a password, and what makes your password yours?

By answering these questions you come to understand the utter malevolence of the password-abandonment movements that are so frighteningly popular today. There is a particularly dangerous movement to replace passwords with biometric attributes that can reliably identify your body (e.g. voice, fingerprints, and such). Although these attributes have been successfully used in forensic practice for centuries, that does not make them good authentication tokens. Why? Because your password's job is NOT to identify your body.

I hear you screaming: «WHAT?!?!?!» That means you are ready to investigate what a password IS, what its job is, and what properties you want your password to possess.

Each Security Hole Is Created By Someone Deliberately.

Naked Security reports another (not very special) piece of malware for Android. It is quite sophisticated and effective; it has fooled almost 200K users.

I want to talk about one particular detail, quote:

The apps were installed directly onto unwitting Android devices as the extension bypassed the operating system’s permissions process.

Once again, my question is: how is this even possible in a mentally sane world??? Who created this bypass, and why? No questions are asked of Android; everybody is throwing feces at the «evil-evil-evil» developers of malware. I believe that the purpose of infosec-related media is to channel the users' wrath in a safe direction, away from those who made the malware possible in the first place, and to suppress the really inconvenient questions to the «trusted» developers and «respected» vendors.

Within the next few days I will explain to you all the evils of Android's quasi-security — today I am too angry.

There Is Enough Wasted Electricity To Power All Cars In The USA

I was confronted with a serious argument against Tesla cars (or electrically powered automobiles in general). It goes like this: «If you replace all cars with Teslas, the power grid will not be able to sustain the resulting tremendous surge in energy consumption». To me it sounds like a legitimate matter for a quick investigation, so here we go.

What Would It Look Like If Web Developers Ran A Grocery Store

Imagine you enter a grocery store to buy a loaf of bread.
— Welcome to the Shop & Co!
— Hello. I am looking for…
— Where have you been recently?
— In a hardware store. Why?
— Do you use a car to get to us?
— No, I use a bike.
— Which model?
— XYZ123. Fucking why?!
— Have you been to our store before? Any receipts?
— Nope.
— Where are you from?
— Me?! From Lithuania.
— Why do you speak English then?
— ...I don't know, I feel like doing so.
— May I speak Lithuanian?
— No way! Just give me the fucking bread!
— We are so sorry, we do not have Lithuanian bread right now.
— Can you give me any other goddamn bread!!!
— Nope.

This is exactly what happens every time you visit a website.


A CERN Physicist Fails At Elementary Physics

Recently I had a conversation with the renowned CERN physicist Konstantin Toms. In this conversation, all of a sudden, he exposed himself as failing to spot the difference between power and work. The conversation took place in public, here: lj.rossia.org/users/ktoms/17248.html. It was conducted in Russian, so I have to translate it for you; however, Dr. Toms is informed of this fact and is welcome to make corrections if he has any.

A Better SQL Security Approach

What I am going to talk about is not only SQL's problem; it is a quite general problem of all complex systems dealing with user permissions. However, SQL constitutes the best possible illustration of the issue. The principal source of all evil is generalized security policies: policies that try to cover the entire space of user actions by being formulated in basic, general terms.