Cargo cult security – how not to use hashing
Sometimes, I still get surprised by the lack of thought behind some software systems that have made it to production. This time, I stumbled over a 2 year old reddit thread about the Swedish city Västerås using WiFi to track the movements of people, storing hashes of their smartphone MAC addresses, in the rather naive misbelief that hashing would render people anonymity. That leads me to a subset of the subject of cargo cult programming: cargo cult security.
In short, cargo cult programming means that you use a chunk of code because you more or less know what is does, but have no idea of how it works. That means you can’t modify the code, and you probably also unknowingly include redundant code.
In my example of cargo cult security, the developers in question used hashing as a means to anonymize users. From a cargo cult perspective, hashing works well for storing passwords, so if it’s used for a completely different application it should work there too, right? No, actually quite wrong.
If you want your Windows PC to lock (i.e. require you to enter your password to use it) after a period of user inactivity, you can go to the screen saver setting and check “On resume, display logon screen”. But what if you want the screensaver to be activated after e.g. 10 minutes, but you don’t want the PC to lock until after 20 minutes? In Windows XP, you could resort to the ScreenSaverGracePeriod registry hack. However, in Windows 7 and later, the PC will be locked no later than 60 seconds after the screensaver kicks in, no matter what ScreenSaverGracePeriod value you have specified. To remedy this flaw, I whipped up IdleLock, a small utility that locks your PC after a selectable time of user inactivity.