Observations of a geek.

Heartbleed and Personal Password Management

Heartbleed has forced me to write about personal password management again. While we've made some advances toward multi-factor and biometrics we haven't come far enough.

Steal my idea for sending private emails

"So, how did you spend your vacation, Steve?" I built a basic system that allows common (i.e., non-technical) people to send truly private e-mails to each other. Yes, even the NSA will have a hard time reading your messages with this system, assuming it's implemented properly. Try it out.

Privacy, Intelligence and Old News

For as long as I can remember, whenever I was in a conversation about cryptographic systems or network security there has always been a caveat[0]. Security has always been relative because there is always someone with more resources than you, "unless you're the NSA". In fact, more often than not, it was probably me reminding everyone that there is always someone with more money, more computing power, more smart people.

Just change your LinkedIn password

The other day it came out that millions of LinkedIn password hashes were leaked. Of course everyone with a LinkedIn account wonders if their password has been compromised. This has led to a bunch of put-your-LinkedIn-password-in-this-form-and-I'll-tell-you-if-it-was-leaked websites. This is a perfect example of the Password Anti-pattern; it's a pattern you want to avoid.

Keep external hard drives mounted under OS X without being logged in

I have an old G4 mac mini running OS X 10.5 Leopard that I've set up as a NAS for my home network. The idea was to have our laptops and other macs use Time Machine to back up to the USB drives attached to the mini. The mini draws only a small amount of electricity and I happened to have a couple of large USB drives kicking around, so it seemed like a great replacement for my aging Linux setup. So I plugged the drives in, turned on file sharing, shared the drives, and started backing things up.

Beyond Passwords

I've written, spoken, and taught about password management in the past. I continue to believe that password-centric authentication systems are limited in their ability to provide much assurance about a person's claim on a given digital identity. Any information system requiring more than a basic level of assurance must use stronger multi-factor authentication mechanisms that incorporate things like one-time passwords and biometrics.

Information Technology: Liability, Plumbing, or Force Multiplier?

I've been saying for years that you can generate a fairly accurate hypothesis about the organizational attitude toward IT by looking at the responsibility for IT within an organization.

If responsibility for IT is scattered hither and thither then IT is likely an uncoordinated aid to other things, probably very inefficient, providing patchy uptimes, and non-scalable systems.

If IT is coordinated then the reporting line from the highest ranking IT person to the Executive Board Room can be very telling.