Still no news from the security front… 03 Bombe Drums

Still no news from the security front…

This week I was doing research for one of our internal knowledge session when I stumbled across an interesting piece of history. I was tracing the history of computer security when I found an interview from Wired from the first people who implemented passwords as a security measure. They interviewed technicians like Fred Schneider and Fernando Corbató who worked at MIT back in the 60’s. The article centers on a system (CTSS) which was built in the early 60’s, a time in which we were struggling to build computers which were more powerful than some watches we produce today. And remember, that stuff send us up to space and back. It was really good to read, as it seemed that nothing had really changed in all that time of technological innovation. There where several excerpts which I particularly liked in that respect, like this one:

The CTSS guys could have gone for knowledge-based authentication, where instead of a password, the computer asks you for something that other people probably don’t know — your mother’s maiden name, for example. But in the early days of computing, passwords were surely smaller and easier to store than the alternative, Schneider says. A knowledge-based system “would have required storing a fair bit of information about a person, and nobody wanted to devote many machine resources to this authentication stuff.

“Nobody wanted to devote many machine resources to this authentication stuff”, talk about ringing a bell… download As a community I believe we have not grown beyond this statement. I don’t mean to say that we haven’t built better authentication mechanisms and better security systems, but for the most part, our attitude towards authentication has not changed. Most developers and architects still basically think: “Well fine, just slap a password on it and it will be OK” if there is no embedded authentication mechanism available. I have only seen a handful of applications which have expanded on this mechanism and that is a real shame. The real kicker is that there are so many ways of solving this problem intelligently is stead of following the 1960’s solution. Just think about the integration possibilities with the existing security infrastructure or how you can best support soft and hard tokens. But that was not the only thing that got me, just read this (for the same article)

The irony is that the MIT researchers who pioneered the passwords didn’t really care much about security. CTSS may also have been the first system to experience a data breach.

This even made sense in some twisted way. The people who were charged with building this system were basically trying to build a shared computing system, not a computing vault of any kind. We can learn from this and move on, I suppose. So how about this: If you tag on security as some sort of secondary objective, don’t expect it to be really good, expect to be breached. So If you want software to be secure, make sure it is designed secure.