Nice article about how deterrence cannot work for computer security at Slate. The real problem is that computing systems are generally vulnerable to attack. This is not an inevitable state of affairs, but currently no one knows how to build secure, usable systems in a cost-effective way. It is not merely an engineering problem; it … Continue reading Deterrence
An allegory for computer security. You have lived all your life in a quickly growing town, whose growth has been sped up by constructing all the buildings out of wood. Some buildings in town are huge structures that have been repeatedly expanded with new wings and towers; others are simple shacks that are put up … Continue reading The Wooden Firehouse
The theft of data from the Office of Personnel Management is a disaster with long-lasting consequences. It is hard to imagine what event —without causing broad, immediate physical damage— could give the government a stronger incentive to support work on improving computer security. I'm worried the opportunity will be missed anyway. Current computing systems are … Continue reading The OPM disaster and computer security
I hear periodically that computer security is hopeless because there is always a way for the adversary to get around whatever security mechanisms are in place. This view misunderstands the point of security mechanisms. It's true that there is no such thing as absolute security: an adversary with unbounded power and resources can defeat all … Continue reading Why security mechanisms matter
When I was a graduate student at MIT, at some point we discovered that all of our systems had been compromised. I happened to have earlier hacked up a network monitoring tool that was a very graphical version of tcpdump, enabling us to rapidly figure out that the attacker was coming in via a computer … Continue reading A Hippocratic Oath for computer security research?
Neil deGrasse Tyson received a lot of derision for calling for "unhackable systems" recently. I'm a bit perplexed by this response. On the positive side, it's clear that it is widely understood that current computer systems are very far from unhackable. On the negative, the common understanding (at least among those on Twitter) seems to … Continue reading Unhackable computers?
I posted my little poem about programming mistakes on Facebook a while back, but I thought it might be a bit more permanent here. It's inspired by Edward Gorey's Gashlycrumb Tinies. Sophia Berger has been working on some illustrations in the spirit of Gorey's, but they're not done yet. The GashlyCode Tinies A is for … Continue reading GashlyCode Tinies
Every time I teach a course, I see my students making their lives harder than necessary. This is particularly true for group projects. To make sure they aren't missing out on any opportunities to increase the challenge, I wrote the following top-10 list. Ten proven ways to make your group project harder: The Scapegoat. Designate … Continue reading How not to work with others
This bug is every bit as bad as people are saying, so bad that I've taken the trouble to patch the computers I can get to. I have Macs running web servers, so they were wide open. It's unbelievable that this behavior has been sitting in bash for so long without being fixed. Apache is … Continue reading Shellshock
In 1991 Richard Gabriel wrote an insightful and influential article about the difference in designing software systems in the "MIT Style" and "New Jersey Style" (AT&T), where he termed the latter "worse is better". He argued that when building software, the "MIT style" of getting the design "right" (at the cost of complexity in implementation) … Continue reading Worse is Better vs. Better is Better