Skip to main content

Posts

Showing posts from August, 2014

4Chan

I don't necessarily think it's a bad thing that your offline and online identity are intertwined - at the naive level that the Zuckerberg marketing machine operates it sounds fair enough - and, ultimately it's true; for most of us we are the same person online as offline, physically if not behaviourally. However, one of the reasons the internet is so liberating is precisely because you can maintain a number of alter-egos, you too can be a warrior at the weekend! It also forces the innate prejudices we have to be put to one side due to the historic interaction limitations that existed on the net - that a 15yr old geek can stand as an authority on something online where they'd be laughed off stage offline is evidence of this. Zuckerberg and those of his ilk are riding on the back of this wave. They were born into a time where anonymity online was the norm and created the likes of fb to capture this herd of anonymous sheep desperate for somewhere to mingle and conjoin wit

Chief Muppet

Is it me or has there been a radical explosion in the title "Chief" recently? CEO, CFO, CIO, CTO, I can get this (kind of)... But isn't the point that such a role is, well, the chief? Like the president being commander-in-chief? So we dilute the office (Executive, Financial, Information, Technology...) and you're "chief" of your office... But ok, whatever, you need a little viagra to stimulate these guys. We then have chief architect (period) which; I admit, in some cases was a role I had some respect for. But now I'm seeing  chief-architect-of- xxx  (where xxx is some random project spawned the morning after a particularly heavy drinking session). You're not the chief, you're a muppet for believing the title has any bearing on your status. The only effect that title has is to make the CEOs feet go cold when he realises his veil of authority is slowly eroding away, and for the minions you supposedly lead to think you're a bit of a dick. So I

Welcome to the Future!

The security police are starting to crawl out of the their bunkers once more to shout and scream about the mess that has been left behind by the enthusiastic but naive, avant garde of technology - the Internet of Things. Steven M. (I'm sure he has longer surname somewhere) has a post over at Linked-in on this titled Should I care about the Internet of Things? Depending on your viewpoint, advocates of IoT are either leading us into a bright new shiny future where everything talks to everything else in a glossy-white plastic world where robots beep-beep their way to satisfy your every whim, fridges restock themselves before you know you've run out of milk and cars drive themselves 6 inches apart on highways made of strawberry milkshake, or , a world where killer robots are roaming free, terrorists are randomly restocking your fridge with tins of baked-beans (I really don't like baked beans) and cars spontaneously crash of their own volition, polluting the otherwise natural be

Computation v Security: Encryption and Hashing

As an aside on previous post on computation and security requirements I thought I'd add a note on an obvious omission, encryption and hashing... Tricks like encryption and hashing aren't really applicable to computation security requirements even though they are computations themselves. Encryption and hashing are more applicable to transport (connections) and storage (data). It's nigh-on impossible to do any computation on encrypted data so you generally need it in plain-text form (homomorphic encryption aside since it's not really market ready yet). Hashing is a useful tool in so many cases but is increasingly becoming overused. The compute power available today; especially in the cloud, means its relatively easy for someone to create a lookup database of all words in hashed form. This can then be used to identify user passwords for example. You can salt the hash to make it more distinct but this then means you need to manage the salt; and likely change it from time t

Computation v Security

Last month I wrote a piece about computation, data and connections with a view to starting to list out some considerations for each of these with respect to non-functionals... This is part one on computation and security. In terms of computation, we're talking about code that does stuff, the stuff that performs the logical processing on the data and using those connections. From a security perspective we're primarily concerned with access control. Conceptually this is a question of who is allowed to do what, where, when and how. Who - in essence covering authentication and identification. The who may be human or system. There are many ways to authenticate users and I would strongly advise you use an off-the-shelf component. Most application servers (JEE or .NET) will have built in ways to authenticate users against LDAP or AD etc. These will have been tested for security (penetration testing) and will be more secure than any home-grown solution. What - authorisation to exec