Every time I open a newspaper, I seem to find out about some new security failure. Not even Duluth is able to escape the dangers of security holes. This is the most basic truth about systems, and it’s one that keeps even John ‘Stonewall’ Technology up at night: every system is breakable.
But here is where your security knowledge can help change the process it takes to get there. In a way, we’re chasing the time complexity of failure. Not optimizing, but minimizing. What’s the best lower bound we can come up with for system intrusion? How does your security match up? You can be Francois Frenchman during World War II, or you can be Davy Crockett at the Alamo. (Forgive the obnoxious joke on the French.)
The secret, in many cases, is the way you keep your keys. Just like crawling around a video game, there are different keys that a hacker can pick up to get access to your system. You probably know all of the main ways to pick them up: wireless captures, packet sniffing, saved forms on your machine, phishing and the like. But the key is, if a section of your daily work is breachable, don’t use it for anything important. Haven’t you noticed that super villains always get that wrong? And look what happens to them!
Example: I use a handy extension called Bookmark Synchronizer for Firefox to synchronize my research at work and at home (in addition to Google Notebook). This tool uses plaintext FTP from my computer to upload and download the XML bookmark definitions to a web server. So if someone sniffed my connection, they could get my password. But by creating a separate account for this task, I give access only to this folder. And since the folder isn’t accessible by any other public means, it prevents unfriendlies from executing any uploaded scripts or commands that would give them access to the machine.
The same thing goes for MySQL account permissions. Let’s say that one day you write a quick PHP interface to a table but slip up and miss a SQL injection hole. Depending on the privileges of the account you’re using, someone either has the ability to bring the database to its knees or sting its ankle. If you don’t need a program to have INSERT/UPDATE ability, don’t give it to the program. And give yourself at least 9 months of consideration time before you give a frontend application the ability to alter table structure (slight exaggeration, maybe).
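The account scoping described above, written out as MySQL statements. This is an added example, not code from the original post; the `research` database, `bookmarks` table, account names and placeholder passwords are all assumptions.

```sql
-- Constructed schema so the table-level grants below have something to attach to.
CREATE DATABASE IF NOT EXISTS research;
CREATE TABLE IF NOT EXISTS research.bookmarks (
  id    INT AUTO_INCREMENT PRIMARY KEY,
  title VARCHAR(255)  NOT NULL,
  url   VARCHAR(2048) NOT NULL
);

-- Weak (left commented out): one account for every page. An injection hole
-- anywhere that connects as this user can read, rewrite or drop the schema.
-- CREATE USER 'webapp'@'localhost' IDENTIFIED BY 'CHANGE_ME_placeholder';
-- GRANT ALL PRIVILEGES ON research.* TO 'webapp'@'localhost';

-- Scoped: the read-only listing page may only SELECT from the one table it shows.
CREATE USER 'bookmarks_ro'@'localhost' IDENTIFIED BY 'CHANGE_ME_placeholder_1';
GRANT SELECT ON research.bookmarks TO 'bookmarks_ro'@'localhost';

-- The page that adds or edits entries gets its own account: it can read and
-- write rows, but holds no DELETE, DROP or ALTER privilege.
CREATE USER 'bookmarks_rw'@'localhost' IDENTIFIED BY 'CHANGE_ME_placeholder_2';
GRANT SELECT, INSERT, UPDATE ON research.bookmarks TO 'bookmarks_rw'@'localhost';

-- Table structure changes stay with an account whose password never appears
-- in frontend code.
CREATE USER 'schema_admin'@'localhost' IDENTIFIED BY 'CHANGE_ME_placeholder_3';
GRANT CREATE, ALTER, DROP, INDEX ON research.* TO 'schema_admin'@'localhost';

-- Verify what each frontend account can actually do.
SHOW GRANTS FOR 'bookmarks_ro'@'localhost';
SHOW GRANTS FOR 'bookmarks_rw'@'localhost';
```

With this split, a missed injection hole in the listing page exposes only the rows of `bookmarks` to reading, while writes and structure changes require a different key.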
So you understand the concept of keys, right? Trivial FTP or web based keys are basic door keys. Master keys are the keys that give someone access to the same terminal that you get to see every day. And the boss key? Well, that’s the key to financial accounts, private keys, or anything else that will let someone OFFICIALLY act as you on a network.
My advice: don’t let anyone get your stuff…ever. But if something breaks and they wind up with a key, you better hope that they’re going to wind up with a key to a chest with a few rupees in it and not a key to the third level where you keep the only weapon that can possibly defeat you. Just please don’t tell me that you were also going to put the key to your tower on that same level…please.
Posted on March 22nd, 2008 | filed under Uncategorized
I thought that this was going to be about physical keys and maybe even RFID (fobs, him, other names) key cards or swipe cards. The physical key portion would not be interesting, but the RFID cards would be a good thing to mention, but I don’t really know if that is your specialty.
While these concepts could be applied abstractly or on a case-by-case basis to any security limitation, my main focus is on security credentials in all information technology. Providing a smaller scope is entirely up to you.
[...] key here is a “who needs to know” system, just like I talked about in my blog entry about keys. There should never, ever, ever, ever, ever be a way for the language to “accidentally” [...]