On 07/24/2013 01:40 PM, Rich Braun wrote:

> most people have just plain given up trying to follow best-practices

The whole term "best practices" annoys me. It is so much like a school yard taunt: "MY practices are better than yours!" "No they are not! Mine are Best Practices." (Who the hell signs the certificate that makes one set of practices best, and how do I file an appeal? Is all innovation to stop once someone utters "best practices"?)

Computer security is a good example of how silly the idea is. Details are changing by the day and hour, and the general landscape changes from year to year such as to be unrecognizable after a while.

Everyone has known (for decades!) to "never write down your password". Except those who disagree. Ignorant people you should ignore (not), such as Bruce Schneier.

The world has changed. Where I once had one password (yes, I am that old) and it didn't matter much, I now have scores of passwords and my entire life dangles from them. The stakes and the particulars have changed.

I use an electronic approach, but I do not recommend it to others who ask. I say use paper: because of the endpoint security problem. Unless one is going to extraordinary lengths (such as a dedicated "phone" that is never used as a phone nor anything else nor ever connected to the internet; and a computer that is shared with no one, running nothing Microsoft and not even anything commercial and mostly no Javascript and no Java, and never logged into except at its own keyboard...) it is better to use paper. Really. Paper.

Want another violation of Best Practices? Here it is: If you do go electronic, throw some security-through-obscurity in the mix. Everyone knows security-through-obscurity is worse than nothing at all. But I disagree. Try to use good security, but don't be part of a uniform monoculture; find ways of making your circumstance different from standard.

What you should fear most is not the dedicated and clever attack that figures out how to target you. (I am assuming you are unimportant, sorry.) You should be worried about the automated attack that can be cheaply deployed against millions of targets to see what comes up. Being on Linux or BSD protects you enormously because there are easier and more plentiful alternatives for the bad guys to hit (security through obscurity!). Putting your secrets on an Android device does not offer such benefits.

Unless you enjoy the geeky intellectual problem of how to not let your electronic secrets leak out, and are willing to spend some time on it, if you want your passwords to fit in your pocket, you should probably use paper.

-kb