During tonight’s iPhone judging contest, one of the projects handled personal information in a way that calls for a fair degree of security. Unfortunately I didn’t have the time to make some simple observations about security, so I’ll note them here instead, as a list of simple security rules of thumb:
(1) “Never underestimate the power of human stupidity.” — Robert Heinlein.
(2) Security by obscurity simply gives a single point of failure. That includes things like “hidden” encryption keys.
(3) Unless you have a degree in Mathematics with a specialty in abstract algebra and encryption algorithms, and later either got a Ph.D. in encryption security or apprenticed at the NSA for a few years, do not create your own encryption algorithm. (These guys invented their own system, and how many microseconds did it take to break it?)
(4) Always salt your passwords: an unsalted one-way hash is never really one-way.
(5) Never pad your blocks with zeros.
(6) Be aware of man-in-the-middle attacks and design to work around them.
(7) Two factor authentication means something other than what the banks think it means.
(8) Security only increases the cost of breaking into a system: if you put something behind a security barrier that is worth more than the cost of breaking that barrier, someone will break it.
(9) Social engineering is your greatest enemy. The best key lock systems protected by armed guards, security cameras and a barbed wire fence won’t protect you against a helpful employee who holds the back door for some nice young man.
(10) If you don’t understand the stuff above, for God’s sake, hire someone who does.
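Rules 4 and 5 are the two on this list that come down to a few lines of code, so here is an added example (written for this page, not code from the contest project or from this blog; Python rather than the iPhone project's own language, because the point is the same in any language) that shows both: what a per-user salt buys you over a bare hash, and how zero padding silently corrupts data that PKCS#7 padding round-trips. The PBKDF2 iteration count and salt length are assumptions to tune for your own hardware; the 16-byte block size and the sample record are constructed for the demonstration.

```python
import hashlib
import hmac
import os

# ---- Rule 4: salt (and stretch) your password hashes ---------------------

HASH_NAME = "sha256"
ITERATIONS = 600_000   # assumption: a current-era PBKDF2 work factor; tune to your hardware
SALT_BYTES = 16        # assumption: 128-bit random salt per user


def unsalted_hash(password: str) -> str:
    """What rule 4 warns against: every user with this password gets the
    same record, and one precomputed table cracks all of them at once."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: bytes = b"", iterations: int = ITERATIONS) -> str:
    """Return a self-describing record 'pbkdf2_sha256$iterations$salt_hex$digest_hex'.

    A fresh random salt per user means identical passwords give different
    records, and the iteration count makes each guess expensive.
    """
    if not salt:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_{HASH_NAME}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
        salt, expected, rounds = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex), int(iterations)
    except ValueError:
        return False          # malformed record: never treat it as a match
    if algo != f"pbkdf2_{HASH_NAME}":
        return False
    candidate = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(candidate, expected)


# ---- Rule 5: never pad your blocks with zeros ----------------------------

BLOCK = 16  # constructed: block size of the (unspecified) block cipher


def pad_zero(data: bytes) -> bytes:
    """Pad with zero bytes. Adds nothing when the length is already a multiple."""
    return data + b"\x00" * (-len(data) % BLOCK)


def unpad_zero(data: bytes) -> bytes:
    """The receiver cannot tell padding zeros from real trailing zeros,
    so it strips both. Any binary record ending in 0x00 is corrupted."""
    return data.rstrip(b"\x00")


def pad_pkcs7(data: bytes) -> bytes:
    """PKCS#7: append n bytes of value n, 1 <= n <= BLOCK. Padding is always present."""
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def unpad_pkcs7(data: bytes) -> bytes:
    """Strip PKCS#7 padding, rejecting anything that is not well formed."""
    if not data or len(data) % BLOCK:
        raise ValueError("ciphertext length is not a block multiple")
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def roundtrips(pad, unpad, message: bytes) -> bool:
    """Does message survive pad -> unpad unchanged?"""
    return unpad(pad(message)) == message


# Constructed record: a field followed by a big-endian counter whose value
# (256) happens to end in a zero byte.
RECORD = b"amount=" + (256).to_bytes(4, "big")   # ...\x00\x00\x01\x00


if __name__ == "__main__":
    print("unsalted, two users, same password:",
          unsalted_hash("hunter2") == unsalted_hash("hunter2"))       # True: identical
    print("salted, two users, same password:  ",
          hash_password("hunter2") == hash_password("hunter2"))       # False: different
    print("zero padding round-trips RECORD:   ", roundtrips(pad_zero, unpad_zero, RECORD))    # False
    print("PKCS#7 padding round-trips RECORD: ", roundtrips(pad_pkcs7, unpad_pkcs7, RECORD))  # True
```

The zero-padding failure is not exotic: any length-prefixed or integer-bearing record can legitimately end in a zero byte, and once that byte is gone the decrypted value is wrong with no error to tell you so. PKCS#7 always adds padding, so the receiver always knows exactly how much to remove and can reject anything malformed.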