Thoughts on security

24 Apr 16

Good morning. It looks like I am a few days late on my blog post. It is hard to explain these past two weeks. On the one hand, it was really kind of expected, or at least acknowledged. But on the other hand, it was a real blow to the project when it happened. But I digress. I don't want to bore you with too many details that are available elsewhere. The TL;DR is this: I have a friend who had an idea to help the community, it morphed into something else, we had a helping hand, then it got taken away. CODE stands for computer oriented developmental education. I don't actually teach anyone anything, rather I help them figure out what path they wish to take to accomplish a goal and then guide them down the path. One of our travelers came to us wanting to learn HTML so he could write an app. As we talked with him, his path changed to learning how to use Word so that he could write his own resume and get a job. And since he didn't have his own computer, we gave him one.

We thought that we had access to the computer lab at Westside Elementary, but it fell through. So we are continuing with our other class on Saturday and it is going great. We doubled our enrollment in a week. That's not hard to do when you start with one traveler, though, but it sounds great. We are also beginning to accept donations from sponsors in order to provide laptops to the travelers (COVID kind of curtailed Project CODE, but the website is still up here). We have access to some surplus Thinkpads dirt cheap and I am going to compile a custom kernel and OS for them. Lisa said that wouldn't be a good idea as the business world uses Windows. I reasoned that it would be fine for our program as it was all web based. Also, it teaches them that there are alternatives out there, and the price is right for the license. Anyone who wishes to sponsor can contact either me or Lisa here. The OS is going to be Slackware based and all of the code will be available on Github here; feel free to try it out and let me know what you think. I'll post it here when I get something up, hopefully this week (that didn't happen).

I know that the blog is titled "Thoughts on security", but the code project has taken up most of my time lately, that and school, which is what I should be working on right now rather than this, but oh well. I read the account of Phineas Fisher and how he hacked Hacking Team (had a link but it broke), and it sounds like a great training piece. It is also a lesson that complacency is dangerous. It seems that when we reach a certain level, we think that the rules don't apply to us, or that they act differently on us than on others. Sort of a "do as I say, not as I do" attitude. Not properly separating networks, reusing passwords, etc., etc. These are the kinds of things that allow me to start a security company and have a good chance of succeeding. Until you remember to lock all the windows and doors, the best security system won't protect your home. Do you think it is any different for your computer network?

I was sitting in a meeting last week, checked my texts, and saw a notification from Gmail with a code to log in. I asked if anyone had seen me pull my phone out and log in to my email, but of course I had not. Two-factor authentication is your friend; use it everywhere you can, and if it isn't there, send an email asking for it, especially if money is involved. I had to use an account last week and had forgotten the password. I clicked the link and went to my email to check it. They sent my password, in plaintext, in an email. This is not acceptable, in any form. Not only are they storing the passwords in plaintext at the website, which is a big problem, but now it is in my email and has been travelling around the internet for anyone who may have been looking to see. I gave a presentation at SecureWV last year and called out some bad security practices. We need to get the basics down, then we can work on some of the more advanced things.

Security is not easy, it's not convenient, and it costs money. It doesn't have to be that way, however. It is possible to integrate security into things from the beginning. It is also possible to learn from the mistakes of others, and there are plenty of mistakes out there to use. The only problem with that is they are usually the same mistakes, so are we really learning the lessons? Rather than throw more money at a problem, shouldn't we use the money we already spend more wisely? I don't claim to have all the answers, but I do know that I know the basics rather well, hence the "basic" part. For example, I am not a programmer, but I do know that a common vulnerability is a buffer overflow. I also know that there are sanity checks that you can put in place to prevent them. Since I am not a programmer and know this, do you suppose that a programmer maybe should also know it? And if they were used more commonly, that we could eliminate this vulnerability? I don't suppose that I am smart enough to reason that one out; maybe I am missing something, after all, I am not a programmer. Anyway, those were my thoughts this past week and this beautiful Sunday morning. Be careful and have a great day.
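To make the buffer overflow point concrete, here is an added example (not code from the original post or from Project CODE) showing the unchecked copy beside the version with the sanity check in place. The `struct account`, the 16-byte `NAME_MAX` buffer, the `is_admin` flag and the oversized input string are all constructed for illustration; the layout is chosen so that the overflow has something sensitive to land on.

```c
#include <stdio.h>
#include <string.h>

#define NAME_MAX 16

/* Constructed record: the name buffer sits directly in front of a privilege
 * flag, which is exactly the kind of neighbour an overflow overwrites. */
struct account {
    char name[NAME_MAX];
    int  is_admin;
};

/* Vulnerable "before": strcpy copies until it finds the NUL in src and has
 * no idea how large the destination is.  A name of NAME_MAX bytes or more
 * runs off the end of `name` into `is_admin` (or, in other layouts, into a
 * saved return address).  Kept only for comparison; do not use this form. */
void set_name_unchecked(struct account *acct, const char *src)
{
    strcpy(acct->name, src);
}

/* Hardened "after": the sanity check is measuring the input against the
 * buffer before copying.  memchr is bounded to NAME_MAX bytes, so even an
 * unterminated src is never read past the limit.  Oversized input is
 * rejected (return -1) and the field cleared, rather than silently
 * truncated, so the caller can log and refuse the request. */
int set_name_checked(struct account *acct, const char *src)
{
    const char *nul = memchr(src, '\0', NAME_MAX);
    if (nul == NULL) {          /* no terminator within the buffer size */
        acct->name[0] = '\0';
        return -1;
    }
    size_t len = (size_t)(nul - src);
    memcpy(acct->name, src, len + 1); /* +1 carries the terminator */
    return 0;
}

int main(void)
{
    /* Constructed attacker input: 16 'A's fill the buffer, the 0x01 byte
     * lands on the first byte of is_admin. */
    const char *attack = "AAAAAAAAAAAAAAAA\x01";

    struct account a = { "guest", 0 };
    set_name_unchecked(&a, attack);
    printf("unchecked: is_admin=%d (flag clobbered by the overflow)\n",
           a.is_admin);

    struct account b = { "guest", 0 };
    int rc = set_name_checked(&b, attack);
    printf("checked:   rc=%d is_admin=%d name=\"%s\"\n", rc, b.is_admin, b.name);
    return 0;
}
```

The check is one comparison and costs nothing measurable; the difference between the two functions is only that the second one asks how big the destination is before writing to it. Compiling with warnings enabled, or using the `_FORTIFY_SOURCE` checks most distributions ship, will flag many unchecked copies, but the habit of bounding every copy is what actually removes the bug class.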