Several people have asked me recently what hardware I would buy today for use as a home firewall.

About a year ago, we switched ISPs from RCN to Verizon. I had no particular issues with RCN except that their prices went up each year without providing better service. (It’s true that RCN also fails to handle IPv6 natively, but Verizon shares that failure.) What’s happened in that year?

• Three outages. Two were caused by trucks knocking down the fiber crossing the road; one by an unspecified problem that was fixed by rebooting the Optical Network Terminal (i.e. fiber termination device, which offers ethernet, cable TV and telephone services). The first fiber outage took a week …

One problem: we have built an immense network of supercomputers that is essentially a Commons. An abuse of this Commons that would be ridiculously unprofitable if it had to be carried out by humans – say, an expected return of one one-hundredth cent per attempt – is highly attractive to unscrupulous actors who can automate a billion attempts for an expenditure of a few days or weeks worth of setup and expect a hundred thousand dollars of return.

Another problem: there has been little incentive for software developers to guarantee the security (integrity, privacy, trustworthiness) of their products, because they face so …

Definitions:

• A policy is an organization’s stated objectives and methods for accomplishing a goal.

• Sustainable means a model of a system that easily fits into a person’s head and can be used as an accurate prediction of how another person accomplished a goal.

So a sustainable software policy is a set of objectives and methods for accomplishing software lifecycle management that can be easily documented, understood, and consistently applied with a minimum of surprise.

I find it most desirable to reduce cognitive burdens and risks of manual error by automating every policy mechanism that can be so automated …

In farming, monoculture is the practice of raising a single crop over and over again. You can figure out exactly what fertilizers it needs, how much water, and predict your yield accurately, year after year.

Then, one year, a blight or a virus or a bacterium or a weevil comes along and eats everything. If you had planted four kinds of crops, you would have lost 25% of this year — bad, but potentially survivable. 100% is rarely survivable. In order to make sure the blight is gone, you may need to burn your fields to the ground. That will stop …

Nobody likes you when you’re 23 /
And are still more amused by prank phone calls /
What the hell is caller ID?

Blink-182, “What’s My Age Again?”, 1992

You probably already know that Caller ID is useful, and that it can be faked. If you want to know how it works and how it fails, read on.

Once upon a time (prior to 1980-2, when AT&T was broken up), everything was simple. All calls in the United States, to a first approximation, were handled by AT&T or one of its daughter companies. They kept track of who …

Attackers change their behavior, so we have to change in response.

Way back in the olden days, someone with evil intent would ping your IP address to make sure it was up, run nmap to figure out which of four or five exploitable services were available, and then pound their fist against the door repeatedly with different usernames and passwords until they got bored or found a way in.

Ah, those were the days.

Now a botnet works in phases: one segment compiles a list of IP addresses that respond on the right ports; another group sends a single attack …

Nintendo’s 3DS pocket-sized game system includes “Streetpass”, a method of sharing your high scores, Mii avatars and other game information with random strangers who also have 3DS systems. That includes the levels designed by Super Mario Maker, which are a few megabytes apiece.

The swap happens anonymously and automatically whenever two 3DS systems (which both have to have the feature turned on) are near to each other. The range is around 80 feet, depending on local wifi conditions.

Don’t worry if you can’t make your rendezvous; Nintendo helpfully set up 29,000 “Nintendo Zone” wifi stations that …

People just don’t take security seriously, because security is hard to understand and hard to implement and hard to maintain. We need a new way of “doing” security, and I’ve got an idea. Let’s go back to the notion of skeuomorphism: we use pictorial representations of real-world objects to represent similar functions in a graphical user interface. The floppy disk icon that means save, the little printer that means print and the iconic handset that looks nothing like a modern telephone that means call are all examples of skeuomorphic design.

Your home is your castle, so let …

Information security (infosec) is very simple and very hard.

Infosec is simple: there are only three steps:

1. Figure out how you are giving information to people.
2. In each case, evaluate whether you want to do that.
3. Stop giving information to people who you don’t want to have it.

Actual implementation of each of these steps is extremely difficult.

Suppose a customer calls you up on the phone and talks to you about their account. How are you giving information to people?

Obviously you are giving information to the customer.

Did you remember that you are giving information to your …

In security nomenclature, “trusted system” or “trusted device” does not mean the ordinary usage. It does not mean “we think this system is trustworthy”.

It means “we have no choice but to trust this system”.

The two are not even remotely synonymous, and the difference has probably been literally fatal.

“Trustworthy” implies:

• reliability: it always works or clearly reports an error
• integrity: it does what it says it does
• authenticity: it is the thing you think it is

“Trusted” means that it is, in practice, the thing being relied on.

Many trusted systems appear to be trustworthy, but are not …

These are the basic strategies for securing what you care about. I will make certain assumptions: you are living in the early 21st century; you are living in a highly connected information state; you are not intent on committing crime, and therefore have no reason to spend an outsized portion of your wealth on security; you are not a particularly attractive target.

An “individual attack” is an attack against you in specific, with some degree of research being focussed on you.

An “organized mass attack” is an attack originating from an organization that does not focus on you in particular …

When I was younger, I dreamed of something like this. Voice control for my home! A Star Trek computer that I can interact with conversationally! I just say what I want and it happens!
Now, I just see an internet-connected microphone in a software black box which I can only interpret as a giant frickin’ security liability.