Friday, June 29, 2007
Security Font
I have just designed the most secure font ever. At least it is to my knowledge. You can get it here. Below is a screenshot of the font in action.
update: The screenshot was not showing up because either Firefox or Blogger decided that dragging and dropping a file into the blogger interface should try to link to the file on my computer rather than putting it on some photo upload site. So now the pic is up there. Sorry for the trouble and thanks to Anonymous for pointing it out.
Thursday, June 21, 2007
If It's Not Verified, It's Not Secure
Today at the data center, I was scheduled to upgrade one of our systems. I was pretty well prepared and was just going through some final checks as I waited for the download of the new software to complete. I had already shut down the services and made a final backup, so I decided to try the restore feature to make sure it would work later after the upgrade was complete. It didn't work, and neither did the other 3 sets of backups I tried!
As mistakes go, having not tested this backup would have been a huge one! All of the data that was on the server would have been completely lost. This represents not just the time to recreate some of the documents and settings, but would have involved several different groups and would have left the server down for at least 3-4 days!
A call to the manufacturer's tech support line was helpful and it turned out that there was a hidden failure in the backups that can only be discovered on doing a test like I did. This wasn't in their documentation for the backup feature, nor was it in their documentation for the upgrade procedure. If I hadn't been diligent enough to test out the restore procedure, I would have had a major problem on my hands. The fact that my boss just left for vacation and the vendor was about to close for the weekend would have made the problem worse.
I trusted that the backup would work, but it didn't. The reason why is a bit too obscure for this blog, but it is something I never could have imagined. In fact, the engineers for the vendor seemed perplexed by it, too. With all of the pieces still intact, it is easy to figure out why the system failed. But if I had already installed the upgrade, there would be only guesses as to why the failure had happened. This is why you should always test your backups to make sure they will do what you think they will.
And you should check other systems that you use, too. In the computer security world, penetration testers help check out our security. Shows like "It Takes A Thief" do the same thing for people's home security. In some cases, even the most well planned and implemented systems can be broken. But most of the time there are holes in the design or execution that make the difference.
Effective systems have verification designed into them. This is one of the strengths of the scientific process of peer review. It ensures that others can replicate results that one researcher finds. Because fraud, mistakes, and interpretation can distort the facts, the scientific community needs to make sure that these things are minimized. This ensures that our body of knowledge surges closer and closer to the truth of the world.
This reminds me of a scene from "Road Trip" where the kids are talking about jumping over a broken bridge in a car. They do a lot of calculating and thinking about it and decide that the distance really isn't that far and they can make it. And then they just happen to test it out by putting just a little bit of weight on the other side of the bridge. The bridge collapses. That was the easy way to find out their plan would have fallen apart with the bridge. Of course in the movie they went for it anyway, but at least they KNEW it wouldn't work.
update: It turns out that the backups were failing because they were being uploaded to an FTP server in the wrong mode. The client didn't properly change to "binary" mode and instead was sending files as "ASCII". Many servers automatically determine that the file is binary and transmit in the correct mode despite it being the client's responsibility. However, ours doesn't.
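The failure described in the update can be reproduced and caught offline. The sketch below is an added example, not code from the original post or from the vendor: it models an ASCII-mode upload in a simplified way (every LF byte stored as CRLF, which is an assumption about how the client and server behaved), and the function names are hypothetical. It records a digest and a per-file manifest at backup time, then verifies the stored copy by actually doing a test restore.

```python
import hashlib
import io
import tarfile


def build_backup() -> bytes:
    """Constructed sample: a small uncompressed tar archive built in memory."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, body in (("etc/app.conf", b"mode=prod\nport=8443\n"),
                           ("data/blob.bin", bytes(range(256)) * 64)):
            info = tarfile.TarInfo(name)
            info.size = len(body)
            tar.addfile(info, io.BytesIO(body))
    return buf.getvalue()


def ascii_mode_store(data: bytes) -> bytes:
    """Simplified model (assumption) of an ASCII-mode transfer: LF -> CRLF."""
    return data.replace(b"\n", b"\r\n")


def manifest_of(archive: bytes) -> dict:
    """Restore every regular file in memory and hash its contents."""
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:") as tar:
        return {m.name: hashlib.sha256(tar.extractfile(m).read()).hexdigest()
                for m in tar if m.isfile()}


def record_at_backup_time(archive: bytes):
    """What to keep alongside the backup: archive digest and file manifest."""
    return hashlib.sha256(archive).hexdigest(), manifest_of(archive)


def verify_backup(stored: bytes, expected_sha256: str, manifest: dict) -> list:
    """Return a list of problems; an empty list means the restore test passed."""
    problems = []
    if hashlib.sha256(stored).hexdigest() != expected_sha256:
        problems.append("archive digest mismatch")
    try:
        restored = manifest_of(stored)
    except (tarfile.TarError, OSError, EOFError) as exc:
        problems.append(f"test restore failed: {exc}")
    else:
        # A damaged archive may open without error yet yield missing or
        # altered files, so compare against the manifest rather than
        # trusting the absence of an exception.
        if restored != manifest:
            problems.append("restored files differ from manifest")
    return problems


if __name__ == "__main__":
    good = build_backup()
    digest, manifest = record_at_backup_time(good)
    print("binary-mode copy:", verify_backup(good, digest, manifest))
    print("ASCII-mode copy: ", verify_backup(ascii_mode_store(good), digest, manifest))
```
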
Monday, June 11, 2007
Stop Swatting At Flies
I saw a great post today over at the IT Toolbox site. It talks about stepping back and making sure you know the whole situation before you start acting. It's well written and accessible to anyone. If you don't understand the part about the proxy server and the help desk tickets, just skip it. I can't say what he does any better, so I'll just let Chief, the Security Monkey do my talking for me.
But since his last post was about blogs not adding content, merely linking to sites with content, I guess I'll have to do some real work here. The chief's blog is one of a handful which are informative, but not targeted at the latest research or trends. Instead, these blogs usually focus on techniques instead of results. I think everybody needs to have a few of these blogs in their regular reading list to make sure they remember the basics. But maybe I'm biased, since that is what kind of a blog I run here.
Knowing the processes that go into the results is the key to really understanding what the results say. It is fine to read the conclusions that story authors come to, but unless you understand how they came to those conclusions and can form your own, you might as well just use a Jump to Conclusions Mat. Understanding the basics and the underlying causes for things allows you to be skeptical and to see what people try to cover up, gloss over, or outright miss. As the chief's post makes clear, when you know how and why something does what it does, it is much easier to know how to change it. You can stop swatting at flies and get them out of your way for good.
Thursday, May 24, 2007
Finish The Job
I'm a big fan of Tom Clancy type spy thriller novels. I just read a book which reminds me of these, and which Clancy himself called "A spy story for the 90's -- and it's all true." The book is called The Cuckoo's Egg by Cliff Stoll. I won't give away any spoilers here, but you can read the collective summary if you want to know what happens.
This is a classic story of what happens when you see something out of place and instead of just fixing the problem you really investigate. You start digging and pretty soon you find that there are dozens of things that need to be reworked, and dozens more that need to be done and done right. With no funding for a project, it can be damn near impossible to carve the time out of your paying job to do them, so most go undone. In his book, Cliff doesn't let his main issues fall by the wayside; he sticks with them and sees that things get done as well as they can be.
While the book is nearly 20 years old, the lessons it teaches are true today. Cliff has to overcome sloppy practices, a determined and perseverant adversary, invasion of his personal life, lack of support from those he is trying to help, etc. And in the end, he is essentially unrewarded for his efforts. These are problems that security professionals -- and many others -- face every day. But Cliff won't back down or give up; he is able to look at the problem as an opportunity to learn and explore. His reward comes from the joy of discovery, from seeing the problem to its conclusion, and making connections with people in the same situation.
It's easy to respect and admire someone like this, but it's not as easy to become them ourselves. It is much easier to push things off to another day or let things drop by the wayside as we hurtle along through life. But I think that one of the things that makes me happiest is when I pursue the things that Cliff did: truth, discovery, and resolution. It also tends to make the products of my work better because I care about what I am doing, not just trying to get it done so I can move on to something else.
It's hard to be enthusiastic about every aspect of what we all do for a living. In fact, if we really enjoy doing something and decide to make money from it, we will soon find that we enjoy it less. But what would it take to do every task like we enjoyed it? Probably not that much more effort than we already put into it. That could be changing the duty enough to make it more interesting, like turning it into a game. Or it could mean trying to learn all you can from theories to history to other techniques. Or it might just mean that you embrace the unembraceable and focus on being as good as you can.
But you've got to find some way to persevere through the difficult jobs to get to the end. In Information Security, it is absolutely essential to do things right and see them through to completion. It is like that in many other fields and aspects of our lives. If you give up or half-ass it at any point, it diminishes the results of your labor. But working hard through every step gives a great feeling of accomplishment and self-esteem as well as makes for a better end result.
Tuesday, May 22, 2007
Simplify, Simplify, Simplify
I am back from my recent hiatus and have finally gotten caught up enough to write a couple of lines here. While on trips, it always becomes obvious how much better a simple solution is when compared with a complicated one. For example, when trying to back up images from a camera. It was a hassle to try to get them onto the computer then to a jump drive or a flickr.com account.
A much easier solution would be to use a device to dump the pictures directly to an iPod. The Apple iPod Camera Connector is the descriptively named device made by Apple to do the job. It works pretty well, too. It will even move RAW photos, though the iPod can't display them. This helped out greatly since my friend had dozens of gigs worth of these large photos and no way to store them to make room for more. While this certainly wasn't the simplest solution, it worked well and stayed within our budget.
With simple solutions, it is easy to see their flaws and compensate. The problems which can occur in a system increase exponentially with complexity. In other words, the more things that are involved, the more likely something is to go wrong and the more difficult they will be to solve. When giving directions to my house, I usually give them a route with very few turns. Because the directions are simple, they can be more precise and are easier to follow.
Also, the more difficult and complex something is to use, the less likely people are to use it. To stay with the example above, I drive a very simple route home from work every day. I could probably shave 5-10% off my trip time by taking alternate routes depending on conditions and using back streets rather than the main ones. However, this adds stress to my drive and introduces frustrations. Using the most direct route, I can sit back and relax on my drive, focusing instead on my music or on what I'll do with my free time.
Reducing the complexity of a system usually increases its security (or decreases its likelihood of failure). If a process requires four easy steps, it is much more likely to be followed closely than a similar process which requires several times more steps. In automated systems, more steps means that there are more places to troubleshoot when a problem arises. More worrisome, the more steps there are, the more likely a single step is to fail silently and/or catastrophically.
So KISS! That Wikipedia link can elaborate for you if you are interested, but repeating what others have written is not keeping it simple. I'd hate to multiply entities beyond necessity, so I'll quit while I'm ahead.