Chrome Bad!

I’m so sad that I’m increasingly of the opinion that Google does not have my interests at heart. Really, I don’t mind if they don’t care about *me*; it’s that they are losing the values that made them great to start with.

The End of the Password

I seriously cannot wait for us to be done with the password! The idea of a human-remembered secret protecting our access hasn’t really been a safe or secure one since people started plugging phones into computers. Hopefully we’re starting to see some action on this front, with Michael Barrett (CISO of PayPal) starting an alliance to “obliterate user IDs and passwords and PINs from the face of the planet.”

The FIDO Alliance seems to be interested in taking a set of biometrics, USB storage, and TPM embedded hardware and using it to provide secure authentication across the web. Certainly this is an idea whose time is nearly here, with easy-to-use services providing open two-factor authentication for applications and the advent of identity federation services.

We also need it very badly: a large proportion of the high-profile security breaches reported in the press are both caused by and result in password disclosure. Disclosed passwords, even those stored as one-way hashes, are getting easier to recover by brute force. It’s also easy to ‘social-engineer’ your way into someone’s password-protected accounts and completely derail their life. The current best practices for password management systems were defined in 1985 and are still implemented poorly and incompletely; we can do better. Passwords also place a responsibility on engineering groups to store them securely, so that a compromised password on one system doesn’t lead to many compromised systems (algorithms like scrypt, bcrypt and PBKDF2 with high iteration counts can do the trick [1] [2]).
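As an added illustration of the storage point above (this is example code written for this post, not anything from the FIDO Alliance or the cited references), here is a minimal PBKDF2-HMAC-SHA256 password store using only the Python standard library. The iteration count, salt length and the `pbkdf2_sha256$iterations$salt$hash` record format are assumptions chosen for the example. A fresh random salt per password means two users with the same password get unrelated hashes and precomputed tables are useless; the high iteration count is what makes brute-forcing a leaked hash slow; storing the iteration count in the record lets you raise the cost later and re-hash users on their next login.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Example policy (assumed for this illustration, not prescribed by the post).
ALGORITHM = "sha256"
ITERATIONS = 600_000   # high iteration count: slows offline brute force
SALT_BYTES = 16        # unique random salt per stored password
KEY_LENGTH = 32        # derived key length in bytes


def hash_password(password: str, iterations: int = ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Derive a key from the password and return a self-describing record.

    Record layout (assumed format): pbkdf2_sha256$<iterations>$<salt b64>$<hash b64>
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    derived = hashlib.pbkdf2_hmac(ALGORITHM, password.encode("utf-8"),
                                  salt, iterations, dklen=KEY_LENGTH)
    return "$".join([
        "pbkdf2_" + ALGORITHM,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(derived).decode("ascii"),
    ])


def verify_password(password: str, stored: str) -> bool:
    """Recompute the key from the parameters in the record and compare in constant time."""
    try:
        scheme, iterations, salt_b64, hash_b64 = stored.split("$")
    except ValueError:
        return False  # malformed record: never treat as a match
    if scheme != "pbkdf2_" + ALGORITHM:
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(hash_b64)
    candidate = hashlib.pbkdf2_hmac(ALGORITHM, password.encode("utf-8"),
                                    salt, int(iterations), dklen=len(expected))
    # hmac.compare_digest avoids leaking the match position via timing.
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str, minimum_iterations: int = ITERATIONS) -> bool:
    """True when a record was created with fewer iterations than current policy.

    Call this after a successful verify and re-hash with the user's plaintext,
    which is the only moment the plaintext is legitimately available.
    """
    parts = stored.split("$")
    return len(parts) != 4 or int(parts[1]) < minimum_iterations


if __name__ == "__main__":
    # Constructed sample: two users who chose the same password.
    record_a = hash_password("correct horse battery staple")
    record_b = hash_password("correct horse battery staple")
    print("distinct hashes for identical passwords:", record_a != record_b)
    print("verify ok:", verify_password("correct horse battery staple", record_a))
    print("verify wrong:", verify_password("Tr0ub4dor&3", record_a))
    # A legacy record made with a low iteration count should be flagged.
    legacy = hash_password("old password", iterations=1000)
    print("legacy needs rehash:", needs_rehash(legacy))
```

The same structure works for scrypt (`hashlib.scrypt`) or bcrypt by swapping the key-derivation call and scheme label; the record keeps its own parameters either way, so old and new hashes can coexist during a migration.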

But even with the best password authentication system we can design, we are still stuck with a link between the keyboard and the user’s memory as the essential component of assuring who’s trying to gain access. Passwords should be complex, unique, and hard to lose. This is not a job for a person’s scattered memory, and the combination of better identity tools, including biometrics and mobile devices, can bring us beyond the idea of ‘accounts’ with ‘usernames’ and ‘passwords’ and instead to a more serious idea of identity.

Where I go for my tech and development news fix

A friend recently asked me what blogs to follow for learning more about software engineering, and I gave him this list. I thought I’d share it here.

Udi Dahan – The Software Simplist – Udi is one of the best people writing on the subject of large system architecture in the enterprise. I get a lot of value just trying to understand the words he uses, let alone his ideas.

Ayende @ Rahien – Ayende Rahien aka Oren Eini is a fantastic coder, responsible for NHibernate, Rhino Mocks, Entity Framework Profiler, and RavenDb. His daily posts follow the things he’s learning and working on as well as broader insights into coding in the .NET world.

Scott Hanselman – Hillsboro resident Scott Hanselman is one of the celebrities of the .NET world. Currently he works in the ASP.NET/Azure team at Microsoft and constantly works to Open Source the frameworks he works on.

Alvin Ashcraft’s Morning Dew – This is my ‘go to’ resource for everything else that happens in .NET land. Alvin collects the best blog posts of the day and provides you a quick list of things to look at. Much better than subscribing to dozens of blogs.

Knock Me Out – Ryan Niemeyer writes about the various ways to effectively use Knockout.js in your projects, how to solve sticky problems, and how to improve the performance of your pages.

Steven Sanderson’s blog – Author of one of the better books on ASP.NET MVC, as well as the Knockout.js library, Sanderson provides insights on web tech.

Techmeme – News of the technology world, sorted and grouped by lead story. Find the best article on the news of the day without hitting all the news sites.

Hacker News – Links and discussion from the world of venture-funded software startups.

C# on Reddit – Discussion on the C# world.

Krebs on Security – Automated network hacking devices, zero-day exploits, and ATM skimmers: hot security stories from an information security researcher.

Seth’s Blog – Wisdom and insight from one of the wizards in the white hat marketing world. Learn to be a better person and a better contributor in your work.

Schneier on Security – The Chuck Norris of information security. Broad insights into the philosophy and future of secure systems.