Tuesday, November 30, 2010

Celebrate Computer Security Day

November 30 is Computer Security Day, so I sat down for a chat with Itinerant Cryptographer, my resident computer security expert.

Mama Joules: Welcome to Mama Joules, Itinerant Cryptographer. You certainly have an unusual name. What do you do for a living?

Itinerant Cryptographer: I do research in computer security and cryptography. Most of my work is in applied cryptography - cryptography applied to real-world problems such as electronic voting and encrypting files based on passwords.

MJ: That sounds interesting. What is cryptography?

IC: Cryptography is the mathematical end of computer security. It includes encryption, which is a way of scrambling up information so that no one can read it except the person with the key, and other related ideas like digital signatures and information hiding.

Some ways that people use cryptography:

-- You have a movie and you want to embed a copyright notice in [it].

-- [You are playing an] online multi-player game [and want] to make sure that somebody else can't steal your player or the items that your player owns.

-- [You want] to keep a log of events on a computer that can't be deleted or tampered with without detection.

A digital signature lets you send a message [so that] anybody who knows your public key can identify that the message comes from you and hasn't been changed. Microsoft, for example, uses digital signatures when they distribute updates or programs. That lets your computer verify that the program really came from Microsoft.

The most important place where most people use encryption every day is SSL (Secure Sockets Layer). When you order things online and use a credit card, that information goes through an encrypted connection.

MJ: What are the biggest threats facing computer security today?

IC: A big problem in computer security is that over the last ten years or so, attacks over computer systems have moved from being done by hobbyists for fun to attacks that are done by criminals for a profit. When they were done by amateurs, the attacks tended to be more like pranks. Now, the attacks tend to be a lot more serious, more professional. They are harder to defend against and there are a lot more of them.

MJ: What can we, as users, do to make our personal computers more secure?

IC: Unplug them? (laughs)

You need to have a personal firewall and a virus scanner. A personal firewall is a computer program that sits between the outside world and your computer and tries to prevent bad communications from coming in from the outside and taking over your computer. Computer attacks are all about communicating. They can cause the computer to crash or malfunction in a useful way.

Imagine your computer is a house. A house has not only doors, but windows and an attic, air ducts, and maybe a crawl space underneath. What a firewall is supposed to do is block off most of those access points [to your home] except for the doors. You still have to lock your doors - keep your web browser and software up to date and run your virus scanner - but the firewall makes it harder to get in.

You need to be careful about accepting things over the Internet. If you click on a link and it tells you to download some software to view a movie, it may be trying to carry out an attack or take over your computer.

An attacker only has to find one weak point, like an Achilles heel. That's why computer security is a really hard challenge. You never get to the end of it. You never know if you've got all the bugs or the weakness. We can look for bugs in software. Weaknesses only show up if there's an attacker to exploit them.

MJ: What resources would you suggest for someone who is interested in cryptography, but doesn't know where to start?

IC: That's a good question. You're going to need to study a lot of math. And you also want to become a good computer programmer.

There are a lot of paper and pen ciphers that are good starting points - for example, the Vigenère cipher, the Caesar cipher, and the Rail Fence cipher. In a cipher, each individual piece of a message gets scrambled up. For example, each letter might be changed into a different letter. A cipher usually involves some calculation.

In a code, whole words or ideas get encoded into different words or ideas. A code uses a table or code book to translate the information. Read about the Navajo Code Talkers. These American soldiers used a different language [than English] as their code during World War II.

MJ: How are you planning to celebrate Computer Security Day?

IC: I think I'll go to work. (smiles)


Photo credit: Gil Paradis, via BurningWell.org
