Computer Security


The Internet denial of service attacks over the last few months have yet again raised the profile of security and allowed security firms to come to the fore. The problem is that all this high profile publicity - demands for the perps to be dealt with by Judge Dredd and such like - is obscuring the real problems.

What is being missed is that most computer crime, fraud and the like is carried out by insiders. Much of the rest is carried out not by technically clever hackers, but by those who obtain passwords because of the carelessness of the password owner.

Compared to the scale of these problems, the recent Distributed Denial of Service attacks are just the equivalent of nuisance raids. I say that not to belittle their effects, but merely to point out the severity of the other problems.

The fascinating thing about such problems is that they are frequently crimes of opportunity, rather than hardened criminals burrowing into a company with intent to steal. If you leave your wallet lying around in a public place it will be stolen, because you have made an opportunity for it to be stolen. Similarly, failing to take advantage of the security provided by your computer(s), and issuing crazy passwords, creates the opportunity for computer crime.

Most of these password-based problems are self-inflicted.

I know of several companies that issue everyone the same password! This means you can access someone's computer 'if they are ill'. Oh yeah. Even more pernicious to my mind is the issuing of 'random' style passwords - you know, the ones that look like 'cxoiam193od'. The problem with this sort of password is that no one except a memory prodigy can remember it. So, of course, people write them down. Not only do they write them down, but because they need them every day the note of the password is easily accessible. Frequently they write them down on Post-It notes and stick them on the front of their monitor.

The other week I was asked by my bank to give them a 'memorable' ten-digit number. Sometimes I wonder who makes up these rules. We need a little common sense applied to the business of security, not the mindless application of computerese.

Lenton's rule of Computer Security: If you make security difficult and obscure then people will break it in order to get the job done.
Corollary: If your security gets in the way of day to day work you will soon have no security worth talking about.

Alan Lenton
3 April, 2000

