2026-01-16

Sigh


Pssst… Can you keep a secret? I hand you a sealed envelope with a name on it. The secret is inside. You are not allowed to look into the envelope yourself. When the person whose name is on it shows up, you give them the envelope. They look inside, seal it again, and hand it back to you. You keep it until next time. And you do absolutely nothing else with it.

In many cases, this is roughly how things work when two computer systems communicate, for example because one system runs a program that needs data stored on another system. System A must then log in to system B, because of course not everyone is allowed to retrieve that data, other computer systems included. In the first paragraph, you stored an envelope; system A has a digital equivalent: a digital vault. It stores the password in encrypted form. When A needs to retrieve data from B, it takes the password from the vault, decrypts it, and uses it to log in to B.

The key idea is that no human is involved. And that no human ever sees the password. Which means nobody can misuse A’s account. Just like you didn’t peek into the envelope, no one ever sees the decrypted password. At least, that’s the idea. Some time ago a colleague sent me an email with the subject line: SIGH… He had discovered that someone had secretly looked inside the envelope – or rather, done its digital equivalent: manually decrypted the password. And then tried to manually log in with that account ‘just to see if it works’, even though such an account is really a machine-to-machine account, meaning it is intended for one machine (A) to log in to another (B).

That sigh in the subject line meant something like: do they still not get it? Mind you, we are talking about administrators and developers doing this. You would expect them to understand how it works. That opening an envelope addressed to someone else is simply not allowed. And that manually logging in with a machine account is also not allowed. The sigh was also because this was certainly not an isolated incident. It happens far too often. And that undermines our security. You might ask why this is even possible. But that’s not the point here. Of course, it shouldn’t be possible, but right now it simply is.

If you see a bench in the park with a sign saying WET PAINT, do you touch it to check if it really is? Why would you? You risk getting paint on your fingers and the bench won’t look any better. Most people understand that you're not supposed to touch it. The same goes for those encrypted passwords. That something is possible does not mean it is allowed, or wise.

Deep down you know that. But just to be safe, another call to everyone who sometimes takes things a bit too lightly: don’t do it. If only because my sighing colleague is getting grey hairs from it, and because I end up writing in astonishment about something I thought you would understand by now. And of course I’m grateful for all those colleagues who simply do things right <3

*: There are alternatives, but I leave those aside here.
