Schneier on North Korean Cyberattacks

The complete text is at http://www.schneier.com/blog/archives/2009/07/north_korean_cy.html.

Some great quotes:
  • "What [the President] didn’t add was that those infections occurred because the Air Force couldn’t be bothered to keep its patches up to date. … Even this current incident is turning out to be a sloppily modified five-year-old worm that no modern network should still be vulnerable to."
  • "Securing our networks doesn’t require some secret advanced NSA technology. It’s the boring network security administration stuff we already know how to do: keep your patches up to date, install good anti-malware software, correctly configure your firewalls and intrusion-detection systems, monitor your networks. And while some government and corporate networks do a pretty good job at this, others fail again and again."
  • "The news isn’t the attacks, but that some networks had security lousy enough to be vulnerable to them."
Organizations can learn from this. "The news isn’t the attacks, but that some networks had security lousy enough to be vulnerable to them."


Spammers need grammar lessons

“Hello from Ms vivian shaka, I am writing with the earnest prayer that my attention will meet favorably with you.”

I really want to reply and say, “Hey, Viv! What the heck does that even mean?! ‘My attenion will meet favorably with you,’ indeed!”


Masked passwords must go

This article in The Register, Masked passwords must go, reports recommendations from "Usability expert Jakob Nielsen and security expert Bruce Schneier" saying that "both think websites should stop blanking out passwords as users type them in. They say the practice inconveniences users and delivers no security benefits."

I certainly find this to be true, and not just because I am getting older. I suspect I am not different than many of us here. I have to remember (or security hide) 6 passwords including 2 on a sponsor network. I have to change them all regularly, though not, of course, on the same schedule. And the password rules for our more secure systems and uses means I’ve had to be creative.

The idea is creativity = security. Yes, but not when it also needs to include "usability." That is always the tug-of-war, and equilibrium between the two is a good thing.

Anyway, back to the article. 1) It would be great if I could see what I type into systems and web pages here. 2) No matter what experts say that it is both secure and usable, I don’t believe that we will ever get changes as suggested in the article.

Schneier has clarified his position on this in The Pros and Cons of Password Masking.