Attack of the SSN and DOB

Altered Grades Lead to Student’s Arrest, reads the headline. Upon further reading it is clear to me that naivete in system design combined with unscrupulous behavior are to blame. I am so sick of hearing about systems that have been access by people impersonating authorized users. Many times these systems are protected by passwords and the hole that makes them vulnerable is the utility for resetting the password when a user forgets it.

How can an administrator say, "...illegal access to the computer grading system was not the result of a deficiency or flaw in the program." Of course there was a flaw! The flaw exists in the logic that lead to the procedure to reset a user's password using their Social Security Number and Date of Birth. Two elements of data that are trivial to obtain and never designed to be secret!

Insecurity of Signature Images on the Web

Someone recently asked about the security of a signature image on their web page. They wondered if they should remove it or if there was some way to keep it from being downloaded or spidered and cached by search engines. While I can understand the desire to give that personal touch to a web page I wouldn't publish an image of my signature. That being said, here's some analysis.

I assume we all agree that there is no reliable way to keep a publicly viewable web image of anything, including a signature from being viewed, downloaded, cached, reused, etc. If you disagree, consider that you're not trying to hide it from search engines. You're trying to hide it from people, unscrupulous people specifically. How can you make it public while at the same time hide it from people with questionable intentions? My web-enabled mind reading system is not finished yet, is yours?

Death to the Secret Question

In The curse of the secret question, an article by Bruce Schneier, he explains why security questions are so inadequate. Schneier and I share the view that the security question is, essentially, a second password which serves as an alternate login mechanism. Since most people answer these questions truthfully the accounts that these questions are supposed to protect are only as safe as the answers provided.