If only security was that easy

There was one little bit at the conference I went to today that caught my attention. One of the academics, Dr. Ryan Ko, is working on a research project that aims to bring better privacy and security to web applications. These are things that interest me, so I listened for anything that sounded promising.

The project is called Stratus, and the part that was shown was an auditing system that created cryptographically signed audit records. The records were generated by a low-level process, making it impossible to delete logs without leaving a trace. This sounds like a great idea, except for one thing. That’s a lot of auditing data, and who will be bothered reading it? User apathy is a huge boundary to try and push past.

At the end of Dr. Ko’s presentation the question remained unanswered, so I used Q&A time to ask the question. His answer? That some education will be required, and that the information will be made readily available to the user. He also extended a general invitation for people to help make a contribution to the project.

The only thing that his answer said to me is that he’s quite out of touch with the average user. Most people have some level of general awareness about the dangers of the internet. They’ve heard about The Fappening and that those emails from that Nigerian prince may not be real. But this completely ignores a key issue: users will ignore anything that gets in their way.

The average user doesn’t bother reading even the first paragraph of their software license agreements. Error dialogs are like flies and are swatted away as quickly as possible. Anything that’s optional and requires brain power is just a distraction and should be ignored. If they can get something done a different way with less fuss, they’ll do it that way.

This is where security gets really hard. Access controls and audit logs are must-haves for most software, but it’s extremely difficult to come up with a good user interface for them. If the access controls need more than a couple of clicks, they become a barrier and stop being used. Audit logs need to be filtered so that only important events are shown, otherwise they become a sea of white noise.
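To make the tamper-evident audit log idea from earlier in this post concrete, here is an added example in Python. It is my own illustration and not Stratus code or anything from Dr. Ko’s presentation, which only described the records as cryptographically signed and generated by a low-level process. The key, the actors, the event names and the severity numbers are all constructed for the demo, and the `AUDIT_KEY`, `append_record`, `verify_chain` and `important_events` names are my own. Each record carries an HMAC over its own fields plus the MAC of the record before it, so removing or editing a record in the middle breaks the chain. The example also shows the caveat a practitioner would want: records cut off from the end still verify, unless the checker keeps the last MAC it saw and compares against it. The last function is the filtering step the paragraph above asks for, reducing a verified chain to the events a human should actually read.

```python
import copy
import hashlib
import hmac
import json

# Constructed demo key (hypothetical). A real deployment would hold this in an
# HSM or on a separate audit host so the audited application cannot re-sign.
AUDIT_KEY = b"demo-audit-key-not-for-production"
GENESIS = "0" * 64
FIELDS = ("seq", "prev", "actor", "action", "severity")


def _mac(body):
    # Canonical JSON so the same fields always produce the same bytes.
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(AUDIT_KEY, payload, hashlib.sha256).hexdigest()


def append_record(chain, actor, action, severity):
    """Append one signed record that binds the MAC of its predecessor."""
    body = {
        "seq": len(chain),
        "prev": chain[-1]["mac"] if chain else GENESIS,
        "actor": actor,
        "action": action,
        "severity": severity,
    }
    record = dict(body, mac=_mac(body))
    chain.append(record)
    return record


def verify_chain(chain, expected_head=None):
    """Return None if the chain is intact, else the index of the first bad record.

    Deleting or editing a record in the middle breaks the link at that point.
    Deleting records from the end does not, so the verifier must also compare
    against a separately stored head MAC (expected_head) to notice truncation.
    """
    prev = GENESIS
    for i, rec in enumerate(chain):
        body = {k: rec.get(k) for k in FIELDS}
        if (rec.get("seq") != i or rec.get("prev") != prev
                or not hmac.compare_digest(_mac(body), str(rec.get("mac", "")))):
            return i
        prev = rec["mac"]
    if expected_head is not None and not hmac.compare_digest(prev, expected_head):
        return len(chain)  # records are missing from the end
    return None


def important_events(chain, min_severity=2):
    """Filter a verified chain down to the events worth a human's attention."""
    return [r for r in chain if r["severity"] >= min_severity]


def build_sample_log():
    # Constructed sample events; not data from any real system.
    chain = []
    append_record(chain, "alice", "login", 1)
    append_record(chain, "alice", "read report", 1)
    append_record(chain, "bob", "change permissions on report", 3)
    append_record(chain, "bob", "delete report", 3)
    append_record(chain, "alice", "logout", 1)
    return chain


if __name__ == "__main__":
    log = build_sample_log()
    head = log[-1]["mac"]  # what an out-of-band checker would remember
    print("intact chain:", verify_chain(log, head))
    removed = [r for r in log if r["action"] != "delete report"]
    print("middle record removed, first bad index:", verify_chain(removed, head))
    edited = copy.deepcopy(log)
    edited[1]["actor"] = "mallory"
    print("record edited, first bad index:", verify_chain(edited, head))
    truncated = log[:3]
    print("tail cut, no stored head:", verify_chain(truncated))
    print("tail cut, with stored head:", verify_chain(truncated, head))
    for r in important_events(log):
        print("review:", r["seq"], r["actor"], r["action"])
```

The point of the stored head is the part that is easy to miss: a hash chain alone proves nothing about records that were removed after the last surviving one, so whatever reads the log has to remember where it last got to.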

While I wish the project all the best, I think they’ve got a long way to go to meet their goals.


Having just done two conferences back-to-back, it’s quite interesting comparing the two. There were some unexpected similarities in how they were run, but they were quite different in their execution.

The first conference was a big one: Microsoft Ignite. This is the new name for what once was TechEd, and as you can probably imagine it was a well-oiled beast. I’ve deliberately avoided TechEd in the past because it’s 2/3 Microsoft marketing material and I’m not a fan of getting preached to. The reality? Not as bad as I expected. Yes, the blatant marketing was there, but you had a pretty good idea which sessions they’d be. It was easy enough to keep those sessions to a minimum.

The second conference was the 2015 NZ Cloud Computing Conference. The conference was… I’d say laughable, but there was nothing funny about it. Four of the seven presentations were made by sponsors. Two of the remaining sessions were academics. There was also a panel, featuring two of the sponsors and one of the academics. Up until the lunch break, it felt like the only speaker that wasn’t trying to sell me something was one of the academics. I don’t know how the afternoon speaker went. After having my catered lunch, I just up and left.

Both conferences were very much aimed at selling products. Ignite was open and honest about it, and gave you the choice if you wanted a break. NZCCC looked every bit an independent conference from the outside, but turned into a thinly-veiled sales pitch once you were in there.

Even ignoring the content, there was a noticeable difference in the quality of the presentations. On the whole, the presenters at Ignite were interesting and captured the audience’s interest. Sure, there were a few yawners, but you expect that given the sheer number of talks. NZCCC was an absolute yawn-fest. Deliveries were universally wooden, read from pieces of dead tree. Nothing made me want to care.

So, conference hosts, here are a couple of tips. If you’re going to host a glorified marketing roadshow, at least make it obvious so that people like me can stay away. And if you’re going to get presenters, at least find some who sound like they’ve got some passion for the subject.

Project Zero publishes an unpatched Windows security flaw

The tech news has been abuzz recently about a Windows security vulnerability that has been published by Google’s Project Zero. The interesting thing here is that the details of the flaw are relatively unimportant. What is important is the way in which the vulnerability was published.

One of the key concepts behind Project Zero is that when a vulnerability is found and reported to the vendor, the vendor has a 90 day window in which to release a patch. The details of the vulnerability are kept secret until either a patch is released, or the 90 day window has elapsed.

The controversy here is that with this particular vulnerability, the 90 day window ran out before Microsoft had come up with a fix. This means that the details of a zero-day vulnerability have been made available to all and sundry, including a proof of concept exploit. This is obviously Not A Good Thing™.

What part of “zero tolerance on speed” is so hard to understand?

Over the last few years, the New Zealand Police have played with stricter enforcement of the speed limit during the peak holiday periods. Most of the year, they’ll tolerate drivers going up to 10km/h over the posted limit. In the holiday periods, the tolerance was dropped to 4km/h. This year, it dropped to 1km/h. In other words, it was pretty much zero tolerance on speeding.

Judging by the traffic on Auckland’s streets and motorways over the last couple of weeks, you’d be hard-pressed to see this in action.

Hello, 2015!

It seems that as you get older, the years pass by faster and faster. I know it’s a huge cliché, but it’s true. 2014 seems to have passed quicker than any other I can remember, and it’s been a year of discovery and growth for me.

I have a feeling that the year to come will be a completely different story. It will most definitely be a year of change, of discovering new horizons and pushing my personal boundaries. I wish I could say more, but there are good reasons why that has to be left until another day.

So here’s to 2015, and everything that comes with it!