Cyber security simplifies to three pillars: confidentiality, integrity, and availability.
Our efforts to thwart the bad guys can cause collateral damage. Hardening authentication and confidentiality against unwanted access can break availability for the good guys. Being more careful about system integrity can lead to a blizzard of false alarms. Improving one area of security hurts another.
You never see your actual password or passphrase as you enter it. Not unless you’re interacting with a toy system whose designers and implementers have never heard of shoulder surfing.
Web forms and graphic login screens do password masking — one star or ball for each character entered. That provides helpful feedback: “Did I really get that key pressed or not?”
The problem, for the professionally paranoid, is that password masking still exposes the number of characters in the password, enormously decreasing the brute-force search space.
Tools like ssh and scp (and, if you last used the Internet 20 years ago, ftp and rsh) turn off remote echo during password entry. It’s assumed that you can touch-type your passphrase in the blind. Why in the world would you be trying to use a computer, if you can’t use a keyboard? Or so I and my high school typing teacher would assume!
But in the past few months, I have seen a disturbing number of people who say “I use computers at work,” but who are locked out if they have to really use a keyboard.
Mr. Harner and I are disappointed by their nonsense.
Confidentiality done right assumes no “password recovery” or backdoor. As I’ve explained here and with much less restraint here, backdoors are security holes. Huge, gaping, drive-a-truck-through-them holes.
Grown-up real-world ciphers require an attacker or “data recoverer” to guess the key. Which, if you are protecting sensitive data, shouldn’t be practical.
So, if you use a good cipher with a good key, and then you lose the key, you also lose the data.
Safe alternatives exist! What you need is key escrow accessed only through M-of-N access control.
To avoid race conditions which could blow up the system, vim may create a fresh copy of an edited file and redirect the references pointing to it by manipulating file system links at the very end. The passwd program may do this to /etc/shadow in case there happen to be multiple concurrent password changes underway.
Those are nice improvements; routine system maintenance has become far more reliable. But the overnight run of Tripwire or AIDE may bring enough false alarms to keep me busy for much of the following day.
There isn’t one.
I wish I could offer one to you, because then I could also use it! But in the real world we have to deal with these tradeoffs, carefully selecting the best compromise. Risk management, not risk avoidance.
We talk about concepts like security tradeoffs in Learning Tree’s System and Network Security Introduction course. Check out that class if you find these philosophical differences interesting. We use AIDE in the Linux optimization and troubleshooting course. If you’ve been to the Linux server administration course and you’re looking for the next step in your Linux professional development, it’s a good course to take.