<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:trackback="http://madskills.com/public/xml/rss/module/trackback/" xmlns:wfw="http://wellformedweb.org/CommentAPI/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:copyright="http://blogs.law.harvard.edu/tech/rss" xmlns:image="http://purl.org/rss/1.0/modules/image/">
    <channel>
        <title>Security</title>
        <link>http://devcentral.f5.com/weblogs/cwalker/category/111.aspx</link>
        <description>Security</description>
        <language>en-US</language>
        <copyright>Colin Walker</copyright>
        <managingEditor>c.walker@f5.com</managingEditor>
        <generator>Subtext Version 1.9.5.176</generator>
        <item>
            <title>Secure, Easy to Use, Simple. Choose two.</title>
            <link>http://devcentral.f5.com/weblogs/cwalker/archive/2008/04/22/secure-easy-to-use-simple-choose-two.aspx</link>
            <description>&lt;p&gt;&lt;a href="http://devcentral.f5.com/weblogs/images/devcentral_f5_com/weblogs/cwalker/WindowsLiveWriter/SecureUsefulSimpleChoosetwo_A505/worstcaptchaever_2.jpg"&gt;&lt;img width="260" height="143" border="0" align="right" src="http://devcentral.f5.com/weblogs/images/devcentral_f5_com/weblogs/cwalker/WindowsLiveWriter/SecureUsefulSimpleChoosetwo_A505/worstcaptchaever_thumb.jpg" alt="worstcaptchaever" style="border: 0px none ; margin: 0px 10px;" /&gt;&lt;/a&gt;I was reading an &lt;a target="_blank" href="http://depressedprogrammer.wordpress.com/2008/04/20/worst-captcha-ever/"&gt;interesting post&lt;/a&gt; over at depressedprogrammer that I found by way of &lt;a target="_blank" href="http://digg.com"&gt;digg&lt;/a&gt;'s Technology section which talked about Captchas. Specifically the &lt;strong&gt;worst Captcha known to man.&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;I haven't a shred of doubt that you all, by now, are intimately familiar with the foul evil that is the Captcha. This woefully necessary evil's howling cries shake my very &lt;em&gt;soul &lt;/em&gt;with the implications they put forth. While their previous necessity and usefulness is not lost on me, their ability to crush even the strongest vestiges of user enjoyment and ease of use must not be overlooked.&lt;/p&gt;
&lt;p&gt;In the world of the Internet we're all aware of the increasing need for security in all of its glorious and awe inspiring forms. The varied denizens of the tubes dance about the great Tree of all that is Encryption, the beginning and the end of all that is good and noble in Internet security. We rejoice as our data is transmitted safely, carefully, indeed almost &lt;em&gt;lovingly&lt;/em&gt; from point A to points B, C, Q, R and Zed, safe from the slavering, would-be thieves and henchmen along the way. I have no intention to debate this, nor the audacity to attempt to refute the usefulness of the ever increasing measures of security used to keep private data ... well ...  &lt;em&gt;private&lt;/em&gt;. &lt;/p&gt;
&lt;p&gt;My issue with the Captcha, as is alluded to in this article by the demonstration of how truly impractical they have become, is that they do more harm than good. In an attempt to scale with the arms race that is the security war, pitting the good citizens of the web against those vile and nefarious hacker types, they are more of a problem for real users than they are for crackers. People that are trying to discern what in the name of all that is &lt;em&gt;hypertext&lt;/em&gt; those images are supposed to represent are left banging their heads against the keyboard and flinging various USB devices across the room in anger while the script kiddies and hackers cruise through with programs that unravel the captchas as fast as they are released. Those precious little kittens are transformed into vicious, snarling beasts sent forth from the depths to devour your hope and will to continue.&lt;/p&gt;
&lt;p&gt;I understand the need for security, but why does security have to get in the way of productivity, ease of use and usefulness? This has been the case as it is definitely the easiest trade-off to make. Increasing security in all the easy ways solves the problem in the short term, but by choosing only two of the options in the title, you're ensuring that someone, somewhere is getting left out. There are better answers.&lt;/p&gt;
&lt;p&gt;Dig deeper. Look for things that are inherent in the connections and transmissions of real users that are hard to spoof. Put together many pieces of data to identify who it is that's accessing your site, good or bad. Take a more pro-active approach and profile who is connecting, what they are doing, and how you can identify good vs. bad users. By laying the shroud of responsibility on the user, making them the one solely in charge of identifying themselves in a manual and increasingly difficult fashion, you do nothing but deter real users while the very people you are trying to stop feel nearly no burden whatsoever. &lt;/p&gt;
&lt;p&gt;This is part of why you'll often hear me raving about how amazing the inspection engine alone in TMM is. By the time you've allowed someone to even request the download in question from your site you could have filled a virtual filing cabinet with the information collected by your BIG-IP. All that you need to do is extract it, perhaps via iRules. It's this type of information that I feel is the answer to real Web security, not images of kittens behind alpha-numeric characters run through a Photoshop filter. Is BIG-IP the only answer? Of course not, it's just a great option. Do yourself a favor, look at the whole picture, and don't scare off your users with those terrifying kittens.&lt;/p&gt;
</description>
            <dc:creator>Colin Walker</dc:creator>
            <guid>http://devcentral.f5.com/weblogs/cwalker/archive/2008/04/22/secure-easy-to-use-simple-choose-two.aspx</guid>
            <pubDate>Tue, 22 Apr 2008 19:18:09 GMT</pubDate>
            <wfw:comment>http://devcentral.f5.com/weblogs/cwalker/comments/3182.aspx</wfw:comment>
            <comments>http://devcentral.f5.com/weblogs/cwalker/archive/2008/04/22/secure-easy-to-use-simple-choose-two.aspx#feedback</comments>
            <wfw:commentRss>http://devcentral.f5.com/weblogs/cwalker/comments/commentRss/3182.aspx</wfw:commentRss>
        </item>
        <item>
            <title>RSA - A day spent by the beach...sort of</title>
            <link>http://devcentral.f5.com/weblogs/cwalker/archive/2007/02/07/2728.aspx</link>
            <description>&lt;p&gt;So I got the chance to head down to check out a day of the &lt;a target="_blank" href="http://www.rsaconference.com/2007/US/"&gt;2007 RSA Conference&lt;/a&gt; that's going on this week down in San Francisco. I could see the water while in the taxi heading from SFO to the show, so it was almost like a day at the beach...right? A foggy, cold day at the beach...except entirely indoors.&lt;/p&gt;
&lt;p&gt;Once I'd shaken the cobwebs out of my head that were firmly attached after having woken up at 2:40AM (yes, in the morning) to get ready and drive to the airport for my 6AM flight, I enjoyed checking things out. I've been to conferences, that's nothing new, but this was my first 100% security devoted conference. While many things were the same, tons of booths with flashing lights, frisbees, booth babes, candy and more to try to draw you in, there was a different twist on it all since it wasn't a development conference or one focused on web technologies, given languages or even platforms.&lt;/p&gt;
&lt;p&gt;It was interesting to be able to walk around the conference and see everything from things that seem like standard fare to me (hello iRules security examples and FirePass demonstrations) to things like biometric scanning technologies and companies promising to be the best at encrypting the data on my hard-drive. Some of this stuff was really cool, and it was kind of nice to be able to browse around and check out some technologies that I might not have otherwise spent much time looking into. We all know there's only so much time to geek out during the day, and I'd just get spread too thin in my ... err ... geekery to be able to stay "up" on everything that's going on out there.&lt;/p&gt;
&lt;p&gt;The response at the F5 booth was pretty good for the first day of the Conference, especially considering the different talks that were going on that kept people interested and corralled off of the show floor for chunks of the day. I even got some video of &lt;a target="_blank" href="http://devcentral.f5.com/weblogs/macvittie/"&gt;Lori&lt;/a&gt; and Alan from F5 doing some presentations at the booth about Web 2.0 security and Spam blocking respectively. I'll try to get those edited and ready for DCTV here in the near future, so stay tuned. ;)  I didn't, unfortunately, get any big name interviews like I had kind of hoped to, but there's always next year.&lt;/p&gt;
&lt;p&gt;All in all, it was a good time, and I was glad to be able to go participate and take in some of the things that were going on. Hopefully I'll be able to attend again in the future, and maybe this time have a more solidified schedule for interviews and talks to catch. &lt;/p&gt;
&lt;p&gt;#Colin&lt;/p&gt;</description>
            <dc:creator>Colin Walker</dc:creator>
            <guid>http://devcentral.f5.com/weblogs/cwalker/archive/2007/02/07/2728.aspx</guid>
            <pubDate>Wed, 07 Feb 2007 18:58:00 GMT</pubDate>
            <wfw:comment>http://devcentral.f5.com/weblogs/cwalker/comments/2728.aspx</wfw:comment>
            <comments>http://devcentral.f5.com/weblogs/cwalker/archive/2007/02/07/2728.aspx#feedback</comments>
            <slash:comments>3</slash:comments>
            <wfw:commentRss>http://devcentral.f5.com/weblogs/cwalker/comments/commentRss/2728.aspx</wfw:commentRss>
        </item>
        <item>
            <title>Break out the tin foil hats, they're listening!</title>
            <link>http://devcentral.f5.com/weblogs/cwalker/archive/2006/05/11/NSAPhoneLogging.aspx</link>
            <description>&lt;p&gt;I suppose I shouldn't really be surprised by &lt;a href="http://yro.slashdot.org/yro/06/05/11/1216245.shtml" target="_blank"&gt;the news&lt;/a&gt; I read today.  Honestly, I guess it's not surprise that washes over me when I read this sort of thing. It's more a feeling of deep seated &lt;i&gt;dread&lt;/i&gt;.  Dread, anger, and helplessness. It's the last of which that irritates me the most.&lt;/p&gt;</description>
            <dc:creator>Colin Walker</dc:creator>
            <guid>http://devcentral.f5.com/weblogs/cwalker/archive/2006/05/11/NSAPhoneLogging.aspx</guid>
            <pubDate>Thu, 11 May 2006 18:27:00 GMT</pubDate>
            <wfw:comment>http://devcentral.f5.com/weblogs/cwalker/comments/1795.aspx</wfw:comment>
            <comments>http://devcentral.f5.com/weblogs/cwalker/archive/2006/05/11/NSAPhoneLogging.aspx#feedback</comments>
            <wfw:commentRss>http://devcentral.f5.com/weblogs/cwalker/comments/commentRss/1795.aspx</wfw:commentRss>
        </item>
        <item>
            <title>F5 FirePass makes the Front Page!</title>
            <link>http://devcentral.f5.com/weblogs/cwalker/archive/2006/05/08/FirePassUpgrades.aspx</link>
            <description>&lt;p&gt;&lt;a href="http://www.networkworld.com/news/2006/050806-f5-lan.html" target="_blank"&gt;Network World&lt;/a&gt; has an article running on their front page right now talking about our plans to improve &lt;a href="http://f5.com/products/FirePass/"&gt;FirePass&lt;/a&gt;, our SSL VPN product here at &lt;a href="http://f5.com"&gt;F5&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;The article discusses upgrading the capabilities of the systems so that they can handle up to 20,000 concurrent users. The reason this article is so cool to me is the part where they</description>
            <dc:creator>Colin Walker</dc:creator>
            <guid>http://devcentral.f5.com/weblogs/cwalker/archive/2006/05/08/FirePassUpgrades.aspx</guid>
            <pubDate>Mon, 08 May 2006 23:40:00 GMT</pubDate>
            <wfw:comment>http://devcentral.f5.com/weblogs/cwalker/comments/1781.aspx</wfw:comment>
            <comments>http://devcentral.f5.com/weblogs/cwalker/archive/2006/05/08/FirePassUpgrades.aspx#feedback</comments>
            <wfw:commentRss>http://devcentral.f5.com/weblogs/cwalker/comments/commentRss/1781.aspx</wfw:commentRss>
        </item>
        <item>
            <title>Did you know?: RFID hacking is easy, widespread, and growing fast. </title>
            <link>http://devcentral.f5.com/weblogs/cwalker/archive/2006/05/05/RFIDTheft.aspx</link>
            <description>It's frightening how easy it is to steal someone's RFID information and duplicate it in minutes. In the example the article lists they're only stealing access to an office building. While losing computer equipment would be bad enough, imagine the implications of this easy, touch-free, nearly unnoticeable theft to civilians in the non-tech arena. What happens when all Passports have RFID tags? How about Credit Cards? Car ignitions? Even the doors to your &lt;i&gt;home&lt;/i&gt;? Now imagine that it's just as</description>
            <dc:creator>Colin Walker</dc:creator>
            <guid>http://devcentral.f5.com/weblogs/cwalker/archive/2006/05/05/RFIDTheft.aspx</guid>
            <pubDate>Fri, 05 May 2006 16:25:00 GMT</pubDate>
            <wfw:comment>http://devcentral.f5.com/weblogs/cwalker/comments/1778.aspx</wfw:comment>
            <comments>http://devcentral.f5.com/weblogs/cwalker/archive/2006/05/05/RFIDTheft.aspx#feedback</comments>
            <wfw:commentRss>http://devcentral.f5.com/weblogs/cwalker/comments/commentRss/1778.aspx</wfw:commentRss>
        </item>
        <item>
            <title>Did you know?: RFID implants becoming commonplace. Surely it's Double-plus ungood.</title>
            <link>http://devcentral.f5.com/weblogs/cwalker/archive/2006/05/04/RFIDInjection.aspx</link>
            <description>The idea of &lt;a href="http://ask.slashdot.org/askslashdot/06/05/04/0030212.shtml" target="_blank"&gt;inserting a trackable, constantly transmitting electronic device, which is non-upgradable, underneath my very &lt;b&gt;epidermis&lt;/b&gt;&lt;/a&gt;, brings forth painful visages to which my mind's eye can only summon echoing shrieks of terror and &lt;b&gt;unfathomable dread&lt;/b&gt; as a response.</description>
            <dc:creator>Colin Walker</dc:creator>
            <guid>http://devcentral.f5.com/weblogs/cwalker/archive/2006/05/04/RFIDInjection.aspx</guid>
            <pubDate>Thu, 04 May 2006 18:12:00 GMT</pubDate>
            <wfw:comment>http://devcentral.f5.com/weblogs/cwalker/comments/1772.aspx</wfw:comment>
            <comments>http://devcentral.f5.com/weblogs/cwalker/archive/2006/05/04/RFIDInjection.aspx#feedback</comments>
            <wfw:commentRss>http://devcentral.f5.com/weblogs/cwalker/comments/commentRss/1772.aspx</wfw:commentRss>
        </item>
        <item>
            <title>iRules: Removing the "Server: BIGIP" header</title>
            <link>http://devcentral.f5.com/weblogs/cwalker/archive/2006/04/07/1750.aspx</link>
            <description>A question was recently posed to the forums on how to further sanitize the information being passed when redirecting an HTTP request.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;pre class="quote"&gt;I use an iRule to redirect HTTP traffic to HTTPS and it works fine, &lt;br /&gt;...&lt;br /&gt;However I noticed that BigIP adds a "Server: BIG-IP" header in the response, is there a way to remove it ?&lt;br /&gt;&lt;/pre&gt;
&lt;br /&gt;
Well, due to the fact that this is being redirected, and the way the BIG-IP inserts this header, we have to actually use TCP commands, as bl0ndie pointed out:&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
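&lt;pre class="code"&gt;when HTTP_REQUEST {&lt;br /&gt;   # Redirect target&lt;br /&gt;   set my_loc "http://www.i_want_a_bigip_for_christmas.com"&lt;br /&gt;   # Write the 302 directly at the TCP layer so the BIG-IP does not insert its Server header&lt;br /&gt;   TCP::respond "HTTP/1.1 302 Found\r\nLocation: $my_loc\r\nConnection: close\r\nContent-Length: 0\r\n\r\n"&lt;br /&gt;   # Close the client connection&lt;br /&gt;   TCP::close&lt;br /&gt;}&lt;br /&gt;&lt;/pre&gt;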
&lt;br /&gt;
So there you have it. It's short and sweet, and useful for anyone trying to mask what's going on in the DMZ to the fullest. You can check out the full posting &lt;a href="http://devcentral.f5.com/Default.aspx?tabid=28&amp;amp;forumid=5&amp;amp;postid=7348&amp;amp;view=topic"&gt;here.&lt;/a&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
Code hard,&lt;br /&gt;
#CWout</description>
            <dc:creator>Colin Walker</dc:creator>
            <guid>http://devcentral.f5.com/weblogs/cwalker/archive/2006/04/07/1750.aspx</guid>
            <pubDate>Fri, 07 Apr 2006 18:09:00 GMT</pubDate>
            <wfw:comment>http://devcentral.f5.com/weblogs/cwalker/comments/1750.aspx</wfw:comment>
            <comments>http://devcentral.f5.com/weblogs/cwalker/archive/2006/04/07/1750.aspx#feedback</comments>
            <wfw:commentRss>http://devcentral.f5.com/weblogs/cwalker/comments/commentRss/1750.aspx</wfw:commentRss>
        </item>
        <item>
            <title>Did you know: Someone's trying to "sanitize" suspicious traffic?</title>
            <link>http://devcentral.f5.com/weblogs/cwalker/archive/2006/01/26/1651.aspx</link>
            <description></description>
            <dc:creator>Colin Walker</dc:creator>
            <guid>http://devcentral.f5.com/weblogs/cwalker/archive/2006/01/26/1651.aspx</guid>
            <pubDate>Fri, 27 Jan 2006 01:32:00 GMT</pubDate>
            <wfw:comment>http://devcentral.f5.com/weblogs/cwalker/comments/1651.aspx</wfw:comment>
            <comments>http://devcentral.f5.com/weblogs/cwalker/archive/2006/01/26/1651.aspx#feedback</comments>
            <wfw:commentRss>http://devcentral.f5.com/weblogs/cwalker/comments/commentRss/1651.aspx</wfw:commentRss>
        </item>
        <item>
            <title>Critical applications being networked makes the network critical.</title>
            <link>http://devcentral.f5.com/weblogs/cwalker/archive/2006/01/25/applicationfluentnetworks.aspx</link>
            <description>If you have a critical application being delivered over the network, then guess what...your network is now critical. Moreover, as this article and many before it go on to discuss, the network that these applications run on becomes more than just a delivery mechanism, it becomes part of the application itself.</description>
            <dc:creator>Colin Walker</dc:creator>
            <guid>http://devcentral.f5.com/weblogs/cwalker/archive/2006/01/25/applicationfluentnetworks.aspx</guid>
            <pubDate>Wed, 25 Jan 2006 19:10:00 GMT</pubDate>
            <wfw:comment>http://devcentral.f5.com/weblogs/cwalker/comments/1644.aspx</wfw:comment>
            <comments>http://devcentral.f5.com/weblogs/cwalker/archive/2006/01/25/applicationfluentnetworks.aspx#feedback</comments>
            <wfw:commentRss>http://devcentral.f5.com/weblogs/cwalker/comments/commentRss/1644.aspx</wfw:commentRss>
        </item>
        <item>
            <title>Avoid getting hooked by Phishing...</title>
            <link>http://devcentral.f5.com/weblogs/cwalker/archive/2005/12/05/1557.aspx</link>
            <description>So your bank sends you an email saying that they need you to update your account info online.  Sure, the hostname seems a little funny, but the site looks legit.  They have all the same pictures and text...it must be official, right?  &lt;br /&gt;
&lt;br /&gt;
Think again.  That site might just be a fraudulent attempt at &lt;a href="http://www.webopedia.com/TERM/P/phishing.html"&gt;Phishing&lt;/a&gt;, and before you know it, they'll have access to whatever account you were supposed to log into, and they'll be running amuck with it. &lt;br /&gt;
&lt;br /&gt;
A couple of folks here at &lt;a href="http://f5.com"&gt;F5&lt;/a&gt; have been working on a way to &lt;a href="http://devcentral.f5.com/Default.aspx?tabid=29&amp;amp;mid=356&amp;amp;ctl=ArticleView&amp;amp;articleId=61"&gt;cut down on Phishing attempts&lt;/a&gt; by helping those companies with our BIG-IP in front of their sites make use of the technology, and keep their customers that much safer.&lt;br /&gt;
&lt;br /&gt;
Not only is it a good way to display the power of iRules, and give an example of some of the things you can do, but I like the idea of making the web a safer place, too. ;)&lt;br /&gt;
&lt;br /&gt;
-Colin&lt;br /&gt;
&lt;br /&gt;
Listening to &lt;a href="http://www.benfolds.com/"&gt;Ben Folds Five&lt;/a&gt; - Selfless, Cold, and Composed</description>
            <dc:creator>Colin Walker</dc:creator>
            <guid>http://devcentral.f5.com/weblogs/cwalker/archive/2005/12/05/1557.aspx</guid>
            <pubDate>Mon, 05 Dec 2005 20:15:00 GMT</pubDate>
            <wfw:comment>http://devcentral.f5.com/weblogs/cwalker/comments/1557.aspx</wfw:comment>
            <comments>http://devcentral.f5.com/weblogs/cwalker/archive/2005/12/05/1557.aspx#feedback</comments>
            <wfw:commentRss>http://devcentral.f5.com/weblogs/cwalker/comments/commentRss/1557.aspx</wfw:commentRss>
        </item>
    </channel>
</rss>