Ah, security through sincerity, gotta love it!


A telephone conversation last night — once the caller had garbled my name and I’d said that it was me, and I’d asked who was calling:

Caller: I’m calling from [unintelligible] on behalf of Westpac Bank.

Me: Before we go any further, how do I know you’re calling on behalf of my bank?

Caller: Sorry? We’ve been given the database…

Me: Before I discuss any kind of personal or financial information, how do I know you’re legitimately calling on behalf of Westpac bank, as opposed to just some person claiming that?

Caller: [sounding confused] Well, I don’t know…

Me: Well, I guess I’ll be hanging up then. Goodbye.

Another point, of course, is why they thought I might want to discuss anything financial at 7.20pm after a long day — when most people are either unwinding or trying to have dinner.

Dear Westpac, if you have something to discuss, isn’t that my Business Banking Manager’s job? During business hours? I was really happy with the service you’ve given me so far this week — and now you’ve ruined it.

[Update 22 December 2011: I failed to credit the originator of security through sincerity, Eric TF Bat.]

Nuclear reactors hacked

Just so you can get a sound night’s sleep before a busy working week, here’s the news that it’s easy to hack into US nuclear power plants:

The first time Scott Lunsford offered to hack into a nuclear power station, he was told it would be impossible. There was no way, the plant’s owners claimed, that their critical components could be accessed from the Internet. Lunsford, a researcher for IBM’s Internet Security Systems, found otherwise.

“It turned out to be one of the easiest penetration tests I’d ever done,” he says. “By the first day, we had penetrated the network. Within a week, we were controlling a nuclear power plant. I thought, ‘Gosh. This is a big problem.’”

Yes, Scott, I reckon it is.

Of course Australia’s “critical infrastructure” wouldn’t have any problems like this, would it.

Who do you trust? Everyone!

When it comes to security, every desktop computer operating system is fundamentally flawed. Why? Because any software you run has the same permissions that you do. Anything you can do, they can do too — whether you want that or not.
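A small demonstration of that point, added here as an illustration and not part of the original post: on a POSIX system, a program you launch runs under your user ID, so an owner-only (0600) file is no barrier to it. The file contents and the stand-in program are constructed for the example.

```python
import json
import os
import stat
import subprocess
import sys
import tempfile

SECRET = "constructed secret: savings PIN 0000"  # constructed sample data

# Stand-in for any program the user launches. Nothing grants it access to
# the file; it simply inherits the identity of the user who started it.
UNTRUSTED_PROGRAM = r"""
import json, os, sys
path = sys.argv[1]
report = {"uid": os.getuid()}
with open(path) as fh:           # read a file that is private to the user
    report["read"] = fh.read()
with open(path, "w") as fh:      # overwrite it
    fh.write("tampered")
os.remove(path)                  # delete it
report["deleted"] = not os.path.exists(path)
print(json.dumps(report))
"""


def run_demo():
    """Create an owner-only file, launch the stand-in program as a separate
    process, and return a report of what that process was able to do."""
    fd, path = tempfile.mkstemp()
    try:
        os.write(fd, SECRET.encode())
        os.close(fd)
        os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)  # 0600: owner only
        out = subprocess.run(
            [sys.executable, "-c", UNTRUSTED_PROGRAM, path],
            capture_output=True, text=True, check=True,
        )
        report = json.loads(out.stdout)
        report["parent_uid"] = os.getuid()
        return report
    finally:
        if os.path.exists(path):  # clean up if the child did not delete it
            os.remove(path)


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The child process was never asked whether it should touch the file, and the operating system never asked the user: file permissions distinguish between users, not between the programs one user runs.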

Speaking at the AusCERT conference on Monday, Ivan Krstic, director of security architecture for the One Laptop per Child project, says the computing industry relies on “utterly obsolete concepts and assumptions” and has “massively failed when it comes to desktop security”.

The way modern desktop security works is by relying on the user to make informed and sensible choices on things they don’t understand.

The early personal firewall software was a classic example:

A dialogue would pop up and say ‘Hi, we’ve intercepted this packet with this TCP sequence number and these flags set, and SYN and FIN are both on, and here are the destination ports and the source ports and here is a hex dump of the packet. Allow or deny? What do you think?’. Who is that protecting? It’s protecting me, but I don’t need that kind of protection in the first place.

The Apple Blog was sarcastic when they reported Krstic’s speech — I suspect because arrogant OS X users think security issues don’t apply to them — so I posted a response
