Improving your own security, and changing the way we think about how we tackle security in the first place. Here's what I'm reading this week:
- Three easy steps to improve your security Ninjutsu: Earlier this week, Citizen Lab released an easy-to-use security planner. Answer a few simple questions, tell them a bit about the systems you use and what you're worried about, and they offer a few straightforward recommendations to make yourself more secure (and yes, if you're the suspicious type, that sounds like they're building a targeting profile on you, but don't worry: the questions are general enough, and the answers anonymized enough, that you can get help here without risk). I particularly like that I got "Enable 2-Factor Authentication" and "Get a Password Manager" in my top 3 recommendations. For most people, those two recommendations are the best ROI of any security investment I've heard of.
I'm reading: "Security Planner."
- Find me a wall that can't be climbed, and I'll show you a tunnel right underneath: The accepted wisdom today is that intruders never target encryption algorithms, because it is so much easier to find mistakes in the implementation of encryption. Nevertheless, a couple of researchers recently argued that we should be doing more work on how to prove the security of encryption algorithms – not just because intruders might target them, but because it's the only way to be certain that they don't include intentionally designed backdoors. The researchers make an interesting point: it is much harder to prove security (showing there is no way in) than to prove insecurity (finding a single way in). As a result, we often accept the absence of a proof of insecurity as a proof of security (in other words, no one has found a vulnerability, so there is no vulnerability). The researchers argue this means we should be diverting more research into getting better at proving security, but I see a different takeaway. In physical security, experts long ago realized that there is no such thing as a proof of security, and they design their security protocols with this in mind. In cybersecurity, we still imagine that perfect security is possible. It's not. The best security is designed to work in an insecure environment, and that's true both in the physical world and on the network.
I'm reading: "We need to talk about mathematical backdoors in encryption algorithms."