
Treason for the season pic.twitter.com/xKwPNCZL8R


aranth
42 minutes ago

The Trouble with Politicians Sharing Passwords

Yesterday I had a bunch of people point me at a tweet from a politician in the UK named Nadine Dorries. As it turns out, some folks were rather alarmed about her position on sharing what we would normally consider to be a secret. In this case, that secret is her password and, well, just read it:

For context, the back story to this is that another British pollie (Damian Green) is presently in hot water for allegedly accessing porn on his gov PC and Nadine is implying it could have been someone else on his PC using his identity. I read this while wandering around in LA on my way home from sitting in front of US Congress and explaining security principles to a government so it felt like a timely opportunity to share my own view on the matter:

And that would have pretty much been the end of it... but the topic kept coming up. More and more people pointed me to Nadine's tweet and the BBC also picked it up and quoted me. As I dug into her tweets (and those supporting her) while waiting for my bags back home in Australia, it became apparent this was becoming somewhat of a larger issue. I wanted to lay things out in a more cohesive fashion than tweets permit, which brings us to this post.

Other People Sharing Credentials

To be fair to Nadine, she's certainly not the only one handing her password out to other people. Reading through hundreds of tweets on the matter, there's a defence of "yeah but others do it too":

Firstly, that's not something I'd advise announcing in public because as you'll see a little later, admitting to that practice could have some rather severe consequences.

Secondly, the premise of justifying a bad practice purely on the basis of it being common is extremely worrying. It's normalising a behaviour that we should be actively working towards turning around. Particularly when we're talking about public figures in positions of influence, we need to see leadership around infosec, not acknowledgement that elected representatives are consciously exercising poor password hygiene.

What's the Problem Credential Sharing is Solving?

Let's start here because it's important to acknowledge that there's a reason Nadine (and others) are deliberately sharing their passwords with other people. If we can't get to grips with the root cause then we're not going to be able to effectively talk about the solutions.

Reading through the trove of tweets that followed, Nadine's challenge appears to be handling large volumes of email:

Let's be sympathetic to the challenge here - answering 300 emails a day would be a mammoth task and the principle of sourcing help from staffers is a perfectly reasonable one. Her approach to password sharing may simply be evidence of humans working around technology constraints:

I totally agree with the premise of technology needing to meet business requirements so let's take a look at how it does precisely that.

Understanding Delegated Access

As many people pointed out, there are indeed technology solutions available to solve this problem:

The concept of delegation hinges on someone else being able to perform duties on your behalf. How this is done depends on the technology of choice, for example in the Microsoft world there are a couple of ways to grant other people access. Firstly, you can share folders such that another party can access your mail. Now that's not strictly delegation (they can't act on your behalf), but it addresses use cases where someone else may need to access your messages (i.e. a personal assistant).

In order to truly delegate access to someone else, it only takes a few clicks:


It's certainly not a concept unique to Microsoft either, it's actually a very well-established technology pattern to address precisely the scenario Nadine outlined above.

Other Collaborative Solutions

Let's not limit this discussion to just providing access to email though, there were other scenarios raised which may cause people to behave in a similar way to Nadine:

I really hope the suggestion of a security camera was tongue in cheek, although admittedly I did chuckle at the irony of this being a potential solution to regain the ability to identify users after consciously circumventing security controls!

But in answer to Picaro's question, yes, I have worked with a group of people all editing a document under separate identities. Products like SharePoint are designed to do precisely that and by their very nature are collaboration tools. If the logistics of this sounds confusing, check out the guidance around collaborating on Word documents with real-time co-authoring. Pictures speak a thousand words here:


But again, this is far from being just a Microsoft construct and many readers here would have used Google Docs in the past which is also excellent for working collaboratively on content under unique identities. This is far from an unsolved technology problem. Indeed, the entire premise of many people within an organisation requiring access to common resources is an age-old requirement which has been solved many different ways by many different companies. There's certainly no lack of solutions here.

Identity, Accountability and Plausible Deniability

One of the constant themes that came back to me via Twitter was "plausible deniability":

Many others also suggested precisely this in replies to Nadine so let's look at exactly what's meant by the term:

Plausible deniability is the ability of people (typically senior officials in a formal or informal chain of command) to deny knowledge of or responsibility for any damnable actions committed by others in an organizational hierarchy because of a lack of evidence that can confirm their participation, even if they were personally involved in or at least willfully ignorant of the actions

The assertion here is that someone in her position could potentially say "something bad happened under my account but because multiple people use it, maybe it was someone else". The thing is, this is precisely the antithesis of identity and accountability and if this is actually a desirable state, then frankly there's much bigger problems at hand.

The situation with Damian Green trying to explain his way out of porn being on his machine perfectly illustrates the problem. The aforementioned BBC article contains a video where he says:

It is the truth that I didn't download or look at pornography on my computer

Yet - allegedly - pornography was found on his machine. The plausible deniability Nadine alludes to in her tweet is that how do you know it was him that downloaded it? I mean if many different people have the ability to operate under Damian's identity, that porn could have been downloaded by any number of people, right? Giving someone else access to your account leaves the door open to shirking responsibility when things go wrong.

The Ramifications of Providing Credentials to Other People

Here's an argument I've heard many times in the past:

The assertion here is that other people are already in positions of trust and as such, excessive permissions aren't a problem as you can rely on them to do the right thing. There are two fundamental flaws with this:

Firstly, there are plenty of people in positions of trust who haven't done the right thing. The most impactful example of this is Edward Snowden persuading NSA colleagues to provide their credentials to him. Now regardless of whether you do or don't support what Ed then did with those credentials, the point is that he was in a position where those around him trusted him - he had a security pass! You'll find many other examples ranging from system admins going rogue to insiders pilfering corporate documents for profit to the guy who outsourced his job to China so he could watch cat videos. Just because you trust them isn't sufficient reason to give them any more rights than they require to do their job.

Secondly, there are plenty of people who unwittingly put an organisation at risk due to having rights to things they simply don't need. I often hear an anecdote from a friend of mine in the industry where a manager he once knew demanded the same access rights as his subordinates because "I can tell them what to do anyway". That all unravelled in spectacular style when his teenage son jumped onto his machine one day and nuked a bunch of resources totally outside the scope of what the manager ever actually needed. We call the antidote for this the principle of least privilege, and those inadvertent risks range from the example above to someone being infected with malware to phishing attacks. There's not necessarily malice involved on the part of the person with "a security pass", but the unnecessary trust placed in them heightens the risk.

In fact, social engineering is especially concerning in an environment where the sharing of credentials is the norm. When you condition people to treating secrets as no longer being secret but rather something you share with someone else that can establish sufficient trust, you open up a Pandora's box of possible problems because creating a veneer of authenticity in order to gain trust is precisely what phishers are so good at! Imagine an intern (per Nadine's original tweet) being asked for a password by someone posing as the boss in an environment where requesting this is the norm. You can see the problem.

In many organisations, there are very clear conditions of use set out for access to information systems that explicitly prohibit credential sharing. You know, organisations like the British Parliament:


This is from the Advice for Members and their staff document on the UK Parliament Website and at least to my eyes, that seems like pretty explicit advice. Just in case it's not entirely clear, there's also the House of Commons Staff Handbook on Information Security Responsibilities:


There are no accompanying caveats of "but it's alright if it makes things more convenient"! We all know this, not just because you might happen to occasionally read this blog but because we're constantly bombarded with this guidance both online and in the workplace:


Oftentimes, the ramifications of deliberately circumventing security controls designed to protect the organisation can be severe:

If anyone knows what the possible repercussions for a member of parliament violating these policies are, do chime in via the comments section below.

Summary

I'm conscious the tweet that sparked this debate was made on a Saturday evening and for all I know, it could have been an off-handed comment after a bottle of chardonnay while kicking back on the couch. I also appreciate that for non-tech people this may have seemed like a perfectly reasonable approach at the time. A chorus of voices have now set her straight so I'm inclined to put more personal judgement on what happens next as opposed to what might have been nothing more than an uninformed casual comment.

But we do need to call out credential sharing in this fashion for what it is and it's precisely what I highlighted in that original tweet - lack of education. The Register piece I linked to earlier on quoted one MP as saying the following and it's hard not to agree with it in this case:

Most MPs have that fatal combination of arrogance, entitlement and ignorance, which mean they don't think codes of practice are for them

It's alarming to read that Nadine believes criticism of her approach is due to her gender because if ever there was a construct that's entirely gender-unbiased, it's access controls! Giving other people your credentials in a situation such as hers is a bad idea regardless of gender, race, sexuality and any other personal attribute someone may feel discriminated by.

With all of that said, if you're working in an environment where security controls are making it hard for you to do the very job you're employed to do, reach out to your IT department. In many cases there'll be solutions precisely like the delegated access explained above. It's highly likely that in Nadine's case, she can have her cake and eat it too in terms of providing staffers access to information and not breaking fundamental infosec principles.

The great irony of the debates justifying credential sharing is that they were sparked by someone attempting to claim innocence, with those supporting him saying "well, it could have been someone else using his credentials"! This is precisely why this is a problem! Fortunately, this whole thing was sparked by something as benign as looking at porn; before anyone jumps up and down and says that's actually a serious violation, consider the sorts of activities we task those in parliament with, and you can see how behaviour under someone's identity that we can't attribute back to them could be far, far more serious.

Update

The Information Commissioners Office (ICO) has picked up on politicians sharing their passwords and tweeted about it here:

The National Cyber Security Centre (NCSC) also has some excellent practical guidance about simplifying your approach to passwords which is a good read if it all feels too hard.

aranth
7 days ago

Are tutorials to blame for basic IT problems?


It’s now effectively impossible to spend a month following IT (and not just IT) news and not hear of breaches, “hacks”, or general security fiascos. Some of these are tracked down to very basic mistakes in the configuration or coding of software, including the lack of hashing of passwords in databases. Everyone in the industry, including me, has at some point expressed the importance of proper QA and testing, and of budgeting for them in the development process. But what if the problem is much higher up the chain?

Falsehoods Programmers Believe About Names is now over seven years old, and yet my just barely complicated full name (first name with a space in it, surname with an accent) can’t be easily used by most of the services I routinely use. Ireland was particularly interesting, as most services would support characters in the “Latin extended” alphabet, due to the Irish language’s use of ó, but they wouldn’t accept my surname, which uses ò — this is not a first; I had trouble getting invoices from French companies before because they only know about ó as a character.

In a related, but not directly connected topic, there are the problems an acquaintance of mine keeps stumbling across. They don’t want service providers to attach a title to their account, but it looks like most of the developers that implement account handling don’t actually think about this option at all, and make it hard to not set an honorific at all. In particular, it appears not only that UIs tend to include a mandatory drop-down list of titles, but that the database schema (or whichever other model is used to store the information) also provides the title as an enumeration within a list — that is apparent from the way my acquaintance has had their account reverted to a “default” value, likely the “zeroth” one in the enumeration.

And since most systems don’t end up using British Airways’s honorific list but are rather limited to the “usual” ones, that appears to be “Ms” more often than not, as it sorts (lexicographically) before the others. I have had that happen to me a couple of times too, as I don’t usually fill in the “title” field on paper forms (I have never seen much of a point to it), and I guess somewhere in the pipeline a model really expects a person to have a title.

All of this has me wondering, oh-so-many times, why most systems appear to want to store a name in separate entries for first and last name (or variations thereof), and why they insist on having an honorific title that is “one of the list” rather than freeform (which would accept the empty string as a valid value). My theory on this is that it’s the fault of the training, or of the documentation. Multiple tutorials I have read, and even followed, over the years defined a model for a “person” – whether it is a user, customer, or any other entity related to the service itself – and many of these use the most basic identifying information about a person as fields to show how the model works, which gives you “name”, “surname”, and “title” fields. Bonus points for using an enumeration for the title rather than freeform, or for validating that the title is one of the “admissible” ones.

You could call this a straw man argument, but the truth is that it didn’t take me any time at all to find an example tutorial (See also Archive.is, as I hope the live version can be fixed!) that did exactly that.

Similarly, I have seen sample tutorial code explaining how to write authentication primitives that oversimplify the procedure by either ignoring the salt-and-hashing or using obviously broken hashing functions such as crypt() rather than anything solid. Given many of us know all too well how even important jobs that are not flashy enough for a “rockstar” can be pushed into the hands of junior developers or even interns, I would not be surprised if a good chunk of these weak authentication problems that are now causing us so much pain are caused by simple bad practices that are (still) taught to those who join our profession.

I am afraid I don’t have an answer for how to fix this situation. While musing, again on Twitter, the only suggestion for a good text on writing correct authentication code was the NIST recommendations, but these are, unsurprisingly, written in a tone that is not useful for teaching how to do things. They are standards first and foremost, and they are good, but that makes them extremely unsuitable for newcomers to learn how to do things correctly. And while they do provide very solid ground for building formally correct implementations of common libraries for authentication — I somehow doubt that most systems would care about the formal correctness of their login page, particularly given the stories we have seen up to now.

I have seen comments on social media (different people on different media) about what makes a good source of documentation changes depending on your expertise, which is quite correct. Giving a long list of things that you should or should not do is probably a bad way to introduce newcomers to development in general. But maybe we should make sure that examples, samples, and documentation are updated so that they show the current best practice rather than overly simplified, or artificially complicated (sometimes at the same time) examples.

If you’re writing documentation, or new libraries (because you’re writing documentation for the new libraries you write, right?) you may want to make sure that the “minimal” example is actually the minimum you need to do, and does not skip over things like error checks, or full initialisation. And please, take a look at the various “Falsehoods Programmers Believe About” lists — and see if your example implementation makes those assumptions. And if so, fix them, please. You’ll prevent many mistakes from happening in real world applications, simply because the next junior developer who gets hired to build a startup’s latest website will not be steered towards the wrong implementations.
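As an added example (not code from this post, nor from any of the tutorials it links to), here is what a "minimal" person-and-password model looks like when it follows the post's two complaints: the name is one freeform field rather than a first/last split, the honorific is freeform and may legitimately be the empty string, and the password is stored as a salted, iterated hash and checked in constant time rather than with a bare digest or `crypt()`. The class and function names, the PBKDF2 iteration count and the sample user are this example's own choices, not anything the post specifies.

```python
"""Minimal user record with a freeform name, an optional freeform honorific and
salted PBKDF2-HMAC-SHA256 password storage. Added illustration for the post
above; the sample user and all names here are constructed for the example."""
import hashlib
import hmac
import os
import unicodedata
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumption: a commonly recommended PBKDF2-HMAC-SHA256 work factor. It is
# stored per record so it can be raised later without breaking old hashes.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


@dataclass
class Person:
    name: str                  # one freeform field; spaces and accents are fine
    title: str = ""            # freeform honorific; "" is a valid, stored value
    password_hash: bytes = b""
    salt: bytes = b""
    iterations: int = 0


def normalize_name(name: str) -> str:
    """Trim and NFC-normalize so 'o' + combining grave equals precomposed 'ò'.
    Nothing is split into first/last and no character set is rejected."""
    name = unicodedata.normalize("NFC", name.strip())
    if not name:
        raise ValueError("name must not be empty")
    return name


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> Tuple[bytes, bytes, int]:
    """Return (digest, salt, iterations). A fresh random salt is drawn when
    none is supplied, so two users with the same password get different hashes."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    if len(salt) < SALT_BYTES or iterations < 1:
        raise ValueError("invalid salt or iteration count")
    pw = unicodedata.normalize("NFC", password).encode("utf-8")
    digest = hashlib.pbkdf2_hmac("sha256", pw, salt, iterations)
    return digest, salt, iterations


def register(name: str, password: str, title: str = "") -> Person:
    """Create a record. The title is stored as given, including empty."""
    digest, salt, iters = hash_password(password)
    return Person(name=normalize_name(name), title=title.strip(),
                  password_hash=digest, salt=salt, iterations=iters)


def verify(person: Person, password: str) -> bool:
    """Recompute with the stored salt and work factor, then compare in
    constant time. Never compare digests with ==."""
    digest, _, _ = hash_password(password, person.salt, person.iterations)
    return hmac.compare_digest(digest, person.password_hash)


if __name__ == "__main__":
    # Constructed sample: two-word first name, accented surname, no honorific,
    # i.e. exactly the input the post says tutorial-derived models mishandle.
    user = register("Anna Maria Dòria", "correct horse battery staple")
    print(user.name, repr(user.title), verify(user, "correct horse battery staple"))
```

The record keeps its own salt and iteration count, which is what lets a real system migrate to a stronger work factor on the user's next successful login instead of forcing a reset; the one thing the example deliberately does not do is validate the title against a list.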

aranth
12 days ago

Boyfriend Dungeon is all about dating your weapons, and it looks rad


Ever wanted to date your sword? Here you go

We’ve already found our favorite mashup of 2019: Boyfriend Dungeon, a dungeon crawler from indie team Kitfox Games (Moon Hunters, The Shrouded Isle), which combines hack-and-slash gameplay with very, very cute guys and girls.

Boyfriend Dungeon is exactly what it says on the tin, based on the first trailer. Players are a tiny warrior fighting through monster-ridden areas. Scattered across the procedurally generated dungeons are a bunch of lost weapons — which, once rescued, turn out to actually be extremely cute singles.

That’s when the dungeon crawler turns into a romance game, and it’s also when we all realized that Boyfriend Dungeon is something special. Every romance option has their own specific weapon to equip, from an epee to a dagger and then some. Players work to level up those weapons, but also to win over these sweet babes during dialogue scenes. If this isn’t the smartest combination of genres we’ve seen in some time, we don’t know what is.

Oh, and it looks like one of the eligible bachelors is a cat. Put us down for one copy of Boyfriend Dungeon when it launches sometime in 2019, and pay attention to Kitfox Games’ social media channels for development updates.

aranth
53 days ago
Truly blessed to live in this golden era of gaming.

Me too, son.


The mainstream media has collectively lost its mind in the past week over the “shocking” revelation that a movie producer would abuse his power over the careers of aspiring actors in order to sexually harass and assault them, then scare them into silence with the exact same set of implied threats that allowed him to commit the crimes in the first place. Since the vast majority of my readership is female, I’m sure none of you were floored by the revelation, given that this kind of shit goes on literally everywhere all the time and has since the dawn of the age of homo sapiens (and, of course, earlier). While it’s heartening to see the dark and dirty truth blip into the public consciousness, it’s likely that the furor will die down in short order and that everyone will resume the charade. Everything is cool, ladies. We caught the bad guy.

I moved to Hollywood in 1999, just after I turned 21. I had zero interest in being an actor (or having anything to do with the film and television industry); I just moved there because it was an affordable neighborhood (this was 1999) in the closest big city to San Diego, where the people I was hanging out with were such degenerates that I decided I had to jet in order to avoid jail or an overdose. I’d like to say that situation improved after the move, but I just traded in a crew of reprobate upper-middle-class bros for a city full of predatory gutterballs with more money.

One needn’t seek employment in the entertainment industry to attract the attention of unctuous perverts in LA. One of my first jobs on arrival was as a waitress at the semi-infamous Mel’s Drive-In, where James Woods propositioned Amber Tamblyn, 16 at the time, with an impromptu jaunt to Vegas with him and some other senior citizen. He must have made a serious habit of propositioning women a third of his age at Mel’s, because he did the same thing to me (though I had at least reached the age of majority; he was 52 at the time). The remainder of the transaction was as awkward as you would imagine. James Woods was — in my mind — only marginally famous, yet he felt like he was a big enough deal that teenagers ought to jump at the chance to be molested by him. Andrew Dice Clay, the epitome of a has-been at the time, had been 86ed from the establishment for groping waitresses just months earlier.

But it wasn’t just the town’s well-known actors, producers, and talent agents who considered the city of Los Angeles a smorgasbord of potential victims. At that same restaurant, I had two male coworkers who had moved to the city to become famous and were just waiting tables until the entertainment elite recognized their mediocre looks and revolting personalities as star material (the cliché is real, y’all). One was a dude from somewhere in the Northeast named Anthony who insisted on being called “London.” Most interactions I had with him consisted of him pointing at bananas and then at his own dick. (You can find this specimen in the archives of the dating show Fifth Wheel if you’re interested.) The other one, Reagan, managed to behave like a reasonable (though dorky) person at work most of the time, but once put on a Frank Sinatra song and tried to make out with me, despite my obvious lack of interest (that quickly morphed into mortified laughter once he tried to Swingers me).

Then there were the mystery men who sat in my section and, shortly before paying their bill (and just before they decided what kind of tip to leave), would ask me if I was an actress. When I replied that, no, unlike every other young woman in town waiting tables, I had no interest in acting, they would say something like, “Well, you’re gorgeous and you should be. Why don’t you give me your number and I can introduce you to some people.” The conditions attached were unspoken, but were louder than a Miami bass war.

I had to “grow up” sometime, so I left Mel’s and got a job at the corporate office of a national chain of lingerie stores headquartered in Hollywood. The office was mercifully free of men, despite the fact that the company produced clownish lingerie ostensibly designed for men’s entertainment and titillation. (I mean, I couldn’t see the draw of a red bra with underwires but no cups, so men must have been the target market.) Still, I spent at least 2% of my time at work fielding obscene phone calls.

It got so old that, while perusing online job ads at work one day, I decided to apply for a job as a receptionist at Creative Artists Agency, a fairly influential organization in the entertainment world. The interviewer was about 60 and I was still 21. He spent the entirety of the thirty years or so that I was in his office alternating between licking his lips and telling me I would look good up front and lowballing me on the job’s pay. He kept dangling the promise of becoming an assistant to one of their agents, assuring me that one day I would be a big deal Hollywood agent provided that I was up to the task of working there (and would accept poverty wages). The task was in his shorts. I still don’t know what this asshole’s job title was, or why he was selected to interview me, but I have to assume the intent was to weed out the kind of spoilsports who couldn’t handle a little sexual harassment.

All work and no play makes for a boring account of the wide world of Hollywood sexual misconduct. Through some very odd circumstances, I ended up spending a lot of time with a couple of *dudes who had been famous as teen heartthrobs in the early 90s. They were decent people (they had probably endured some sexual abuse themselves, having been child actors) despite the fact that one was a Scientologist (wasn’t everyone in LA in 1999). But their friends were unbelievable. A crew of trust-fund twentysomethings whose only connection to the entertainment industry was their parents, they were brazen and merciless in their tactics of manipulating hopeful young women into having sex with them by pretending to have connections they didn’t have and promising opportunities they had no access to (and no intention of following through on if they did).

They once took me to a club that was nigh impossible to get into at the time, Barfly, where I stood around picking at my clothing while Corey Feldman (he wasn’t there with us) made an ass of himself on the dance floor and an old fat man chased attractive young women around the room with handfuls of hundred dollar bills. Though it was an odd sight, the only reason anyone made sport of his behavior was that he made plain the (usually) unspoken but pervasive assumption that all young women in Los Angeles are for sale. (Hey, loser, get some game and quit being so extra.)

Then there’s the kid we all used to refer to affectionately as “little Will.” We found it amusing to see a 13-year-old trying to breakdance while in a K-hole. You might know him as The Gaslamp Killer, who has raped who knows how many women now that he’s all grown up and famous and has access to roofies and female fans.

Then there was ol’ “shocked and appalled” Ben Affleck, who regularly staggered his way around my neighborhood breakfast cafe, drunkenly sexually harassing the female staff at 7 AM because he could.

Then there was the *globular millionaire son of a director who had no friends whatsoever and would invite young people (male and female) to his house when the bars closed, shove piles of “free” cocaine at them, and then demand that they perform sexual entertainment as payment at the end of the night, later sending them big-screen televisions in the hopes of a repeat engagement. And the *”photographer” who actually made his living selling ecstasy at Garden of Eden and using the proceeds to lure women half his age to his apartment down the street, where he fed them drugs and bullshit until they acquiesced to his sexual demands (free headshots, anyone?).

These vignettes all derive from the outskirts — if not from outside of — the entertainment industry. You can imagine — and have learned in the past few weeks the specifics of — the heights of sexual menace inside the offices of people with actual power in Hollywood. A city brimming with young women (and men) intent on becoming famous makes a great hunting ground for manipulative sexual predators up and down the payscale.

And let me tell you, I’ve got a lot more where this comes from involving men who are about as closely connected to the entertainment industry as I am to Richard Spencer.

Harvey Weinstein isn’t an outlier. He’s an example of the entitlement of nearly all men in positions of power over women’s careers, and all men who know the threat of violence, rape, and public humiliation keep women polite in the face of harassment and quiet about what happens to us after the fact. Men like Weinstein are a dime a dozen. Every woman I know has a list as long as The Brothers Karamazov of stories of sexual harassment and assault at work, on the street, at school, at parties, at the liquor store, on the subway, at Jimmy John’s, at Home Depot, in court, at a funeral, at a wedding, in line for tickets to see Cats, while shopping for diarrhea medication, and so on ad infinitum.

I’ll dip out with a plea to everyone who can safely do so to come out with their lists in every public forum available to them. I may even recount my workplace sexual harassment stories from my teenage years in a sequel-as-prequel to this post.

*I’d include these people’s names, but I’m sure they Google themselves constantly and would instantly guess who wrote this.


Filed under: Entertainment, Rape and Sexual Assault

aranth
56 days ago

Lawyer Music Video Asks You Not to Call It “Velcro”


Pretty good video here from Velcro Companies, which seems to be the confusingly singular name of the company or companies that makes the product known as Velcro®. You may or may not have known that “Velcro” is a trademark, not just the name for the stuff. The company and its legal team would very much like you to know that, though, so that “Velcro” doesn’t become “generic” enough to lose trademark protection.

That’s happened with a number of other familiar terms, including (according to Wikipedia) “aspirin,” “dry ice,” “escalator,” “teleprompter,” and “trampoline,” all of which were once brand names entitled to trademark protection, but now aren’t. There are lots of other terms that are often used generically (such as “Band-Aid,” “Dumpster,” “Formica,” and of course “Google”) but are still trademarks at least for now. (A petition is currently pending before the U.S. Supreme Court about the status of “Google,” as it happens.)

As the Velcro Companies legal team says in the song, the company would prefer you call it “hook and loop,” not “Velcro”:

Actually, according to the making-of-the-video video, most of these people are probably actors, but at least two of them are in fact “real lawyers” who really do represent the company. It’d be better if all of them were really part of the company’s legal team, but then again maybe it wouldn’t be.

aranth
69 days ago
1 public comment
skittone
69 days ago
Sorry, Velcro. That ship has sailed. (And I say this as someone who calls the product Velcro (tm) brand hook and loop tape, mostly as a Paranoia joke.)
HarlandCorbin
67 days ago
Yep, sorry, velcro is shorter than hook and loop fastener or whatever they want us to say. Tough. You lost the TM, get over it.