Posts in Kudos, Opinions and Rants

Didn’t we learn anything from WarGames?

My s.o. and I watched WarGames last night, and I enjoyed it not only for the kitschy nostalgia of an 8-inch floppy disk, but for some of the lessons of good information security practices that we still have trouble remembering:

  1. Don’t write down your password.  Matthew Broderick’s character is able to break into his high school’s computer system and alter his grades because he reads the password off the secretary’s desk every couple weeks.
  2. Don’t make high-security systems publicly accessible.  The W.O.P.R. computer (wasn’t that a great name?) that controls the launch of the US nuclear arsenal is accessed over a public phone line.  Firewalls, anyone?  Bueller?

It does seem like folks are generally getting a lot better with #2, but #1 seems to be a tougher nut to crack.  It’s understandable, because it’s much more of a human behavior issue, but sometimes you just wonder, have we learned nothing in 20 years?

 

Managing Web Browser risks with the NoScript extension

It is very risky to enable all client-side scripting technologies when browsing the web (plugins, ActiveX, JavaScript, Flash, etc.).  I installed the “NoScript” extension for Firefox, which allows JavaScript to run only on some whitelisted sites. It is a wonderful idea, except that it comes with a list of pre-enabled sites with some that you can’t delete (the arrogance of dictating unerasable sites!), and the defaults are to not block Flash and other plugins. Moreover, it’s only as secure as DNS, unless you require the “full addresses” option through which I presume you could require an https (SSL) URL. Unfortunately there is no way to enable “base 2nd level domains” *and* require SSL, to say for example that I want to trust all *.purdue.edu sites that I contact through SSL and that have valid SSL certificates. It is better than nothing, but needs SSL support to be really useful.  Most people don’t understand the limitations and vulnerabilities of DNS, and the need for SSL, and will therefore have an unwarranted feeling of security while using this plugin.
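
The policy the post asks for, trusting a base domain only when the script is fetched over https, can be sketched as below. This is an added example, not NoScript's code; the policy format and the function names are assumptions, and the `example.org` entry is constructed to show the name-only case.

```javascript
// Added illustration, not NoScript's implementation.
// Hypothetical policy: each entry names a base domain and says whether TLS is required.
const POLICY = [
  { baseDomain: "purdue.edu", requireTls: true },   // trust *.purdue.edu only over https
  { baseDomain: "example.org", requireTls: false }, // name-only entry: only as strong as DNS
];

// Normalise a hostname: lower-case it and drop a trailing root dot.
function normHost(host) {
  return host.toLowerCase().replace(/\.$/, "");
}

// True if host is the base domain itself or a subdomain of it.
// Matching on "." + base keeps look-alikes such as evilpurdue.edu out.
function underBaseDomain(host, base) {
  return host === base || host.endsWith("." + base);
}

// Decide whether a script loaded from scriptUrl may run under the policy.
// The https check relies on the browser having validated the server
// certificate during the TLS handshake; this function does not do that itself.
function scriptAllowed(scriptUrl, policy = POLICY) {
  let u;
  try {
    u = new URL(scriptUrl);
  } catch {
    return false; // unparsable URL: deny
  }
  if (u.protocol !== "https:" && u.protocol !== "http:") return false;
  const host = normHost(u.hostname);
  return policy.some(rule =>
    underBaseDomain(host, rule.baseDomain) &&
    (!rule.requireTls || u.protocol === "https:"));
}
```

With `requireTls` set, a spoofed DNS answer for a `purdue.edu` name is not enough to get a script trusted, because the plain-http load is refused and an https load needs a certificate the browser accepts.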