Culture

Password reset questions

Recently therewas some discussion about “self-service” password resets.  The standard option, of course, is to have some sort of “secret question” that the true account holder should be able to answer.  You know: super-secret stuff like your pet’s name.  (Yes, Paris Hilton, I’m talking about you.)

The discussion was more detailed, turning to policy and options, and asked whether you should turn off “custom” questions, and stick to a list of prepared questions.

I would definitely allow custom questions.  The standard lists never seem to give me options that I can both a) remember, and b) that wouldn’t be immediately obvious to anyone who was able to find out some minimal information about me.

If I can make up my own question, I can ask myself what my favourite burial option would be.  The answer, “encryption,” is something I will remember to my dying day, and nobody else is ever going to guess.  (Well, those who have read the “Dictionary of Information Security” might guess that one, so I guess I won’t actually use it.)

Go ahead: try and guess what is the only pain reliever that works for me.

What sits under my desk and keeps the computers running in the case of a power failure?

What is Gloria’s favourite ice cream flavour?

Finish the following sentence: Don’t treat Rob as your _______ ___.  (This is a two-factor authentication: you also have to fill in the standard response to that statement.)

The thing is, all of these oddball questions have special meaning for Gloria and I, but for very few other people in the world.  They rely on mistakes or quirks that have become “family phrases.”  For example, what do you need before bed to get to sleep?  Answer: “warum melek,” coming from an elderly lady of our acquaintance from a northern European background.

Yeah, I like “custom questions” a lot.

(OK, yes, you do have to do a bit of security awareness training to indicate that “who is my sweetie poo” may not be as secret as some people seem to think …)

“New” ideas about distributed computing?

The CEO of BitTorrent thinks we should think about using distributed computing to deal with upgrade issues over the Internet.

It sounds like a good idea.  So good, that you wonder why someone hasn’t thought of it before.  Well, surprise, surprise (unless you know Slade’s Law of Computer History), someone has.  How about Shoch and Hupp, who worked on the idea at Xerox PARC in the late 70s, and reported on it in 1980 and 1982?  Or Fred Cohen, who was quite vocal about using “good” viruses in the late 80s, and mentioned it in one of his earlier popular books?  Or Vesselin Bontchev, who, in the 90s, gave a detailed outline of what you have to do to make it work

Western society is WEIRD [1]

(We have the OT indicator to say that something is off topic.  This isn’t, because ethics and sociology is part of our profession, but it is a fairly narrow area of interest for most.  We don’t have a subject-line indicator for that  :-)

This article, and the associated paper, are extremely interesting in many respects.  The challenge to whole fields of social factors (which are vital to proper management of security) has to be addressed.  We are undoubtedly designing systems based on a fundamentally flawed understanding of the one constant factor in our systems: people.

(I suppose that, as long as the only people we interact with are WEIRD [1] westerners, we are OK.  Maybe this is why we are flipping out at the thought of China?)

(I was particularly interested in the effects of culture on actual physical perception, which we have been taught is hard wired.)

[1] – WEIRD, in the context of the paper, stands for Western, Educated, Industrialized, Rich, and Democratic societies

Online forum rule haikus

On the CISSPforum we were discussing precepts for getting along and keeping the discussions meaningful.  Somebody started listing rules, so I started casting them as haikus.  That prompted a few more.

I wondered if these were only for that group, but then realized most of them were applicable to online discussions of whatever type.  So, herewith:

 

Create your own space
Meaningful content only
Comes to those who post.

Silence calls silence
Lurkers don’t disturb quiet
Sleep beckons as well.

The posts are boring?
Raise topic of interest
Thread starter lauded.

Forum like sewer:
What you get out of forum
Depends on input.

Being creative
Is much better than being
Tagged as complainer.

These are your colleagues.
Why are you so much  better
That they must start first?

The forum that is
Is not what must always be.
Build a better world.

Friday is not for
Building new realities.
Your colleagues would sleep.

 

Then some other chimed in:

I remember trust
It disappeared so quickly
I guess we were fools

Pointing to resource
Always appreciated
Who can search the whole?

Putting platitudes
into pleasing haiku
removes sting of truth

Now you’re getting it.
Format is everything.  (Well,
And maybe context  :-)

friday gratitude
is here at last for resting
ignoring infosec

Friday at last! Time for
Bottles of overpriced wine.
Why’m I still at work???

Request not correct.
Reformat for this thread.
Please resubmit now.

UNSUBSCRPTION post
Jangles cosmic harmonies
Til balance achieved.