Friday, June 26, 2009

Don't have to pay settlements

Two defendants charged with deceptive advertising (they placed ads scaring consumers into buying rogue security software) had agreed to a settlement in which they would pay back $1.9 million, but they no longer have to pay back all of the money. Why? They don't have that kind of cash anymore. So they only owe $116,697 (who makes up these numbers?)

I guess some money is better than none, but why give out judgments that you know will never be paid? Good press in that the public thinks someone is truly being punished would be my guess.

http://www.networkworld.com/community/node/43029?source=NWWNLE_nlt_security_2009-06-26

ACE!!

Took the exam to become ACE certified (AccessData Certified Examiner). The test was pretty easy and now I am just waiting to get the actual certificate so that I can say I am a newly minted certified forensics examiner! One more set of letters to add to my certification soup list:

CISSP GSAE GREM GAWN CREA E|CSA ACE

Wednesday, June 17, 2009

Cheating Deadlines

There is a site that offers corrupted files (Word, Excel, PowerPoint) for a fee that people can use to pretend they met a deadline. The idea is that you send the corrupted file to your boss or submit it as an assignment. By the time the recipient tries to open the file and finds that it doesn't work, you have gained extra time to finish whatever the project was!

Apparently, some college instructors have caught on to this and require a hard copy as well as an electronic version of assignments. So much for a paperless office ever happening when sites like this exist.

I wonder if there is something in the metadata of these files that will identify them -- then the people using these can be punished (late penalties, etc) for trying to work around the system!
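For the structural half of that question, here is an added example (my own code, not anything from the sites involved) that tells an intact Office file from one that has been deliberately mangled. OOXML documents (.docx/.xlsx/.pptx) are ZIP packages whose members carry CRC-32 checksums, so a truncated or byte-flipped file either fails to open or fails its CRC, while the legacy binary formats (.doc/.xls/.ppt) start with a fixed OLE2 header. For an intact package it also pulls the creator and last-modified fields out of docProps/core.xml, which is the metadata an instructor could compare between the "corrupted" submission and the finished one. The sample document is constructed inline (it is docx-shaped, not a real Word file) and the verdict names are my own.

```python
import io
import xml.etree.ElementTree as ET
import zipfile
import zlib

OLE2_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"  # legacy .doc/.xls/.ppt compound-file header
ZIP_MAGIC = b"PK\x03\x04"                         # .docx/.xlsx/.pptx are ZIP packages


def classify_office_file(data: bytes) -> str:
    """Coarse structural verdict on an Office document supplied as raw bytes.

    'ooxml-ok'       ZIP package opens, every member's CRC-32 checks out, and the
                     mandatory [Content_Types].xml part is present
    'ooxml-damaged'  has the ZIP signature but the container, a member CRC or the
                     content-types part is broken (what a "corrupted file" seller ships)
    'ole2-header'    legacy binary signature present (only the header is checked here)
    'ole2-damaged'   legacy signature present but shorter than one 512-byte header sector
    'not-office'     neither signature matches (e.g. random bytes renamed to .docx)
    """
    if data.startswith(OLE2_MAGIC):
        return "ole2-header" if len(data) >= 512 else "ole2-damaged"
    if not data.startswith(ZIP_MAGIC):
        return "not-office"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            bad_member = zf.testzip()  # first member whose CRC-32 fails, or None
    except (zipfile.BadZipFile, zlib.error, EOFError):
        return "ooxml-damaged"
    if bad_member is not None or "[Content_Types].xml" not in names:
        return "ooxml-damaged"
    return "ooxml-ok"


CORE_NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
}


def core_properties(data: bytes) -> dict:
    """Authorship metadata from docProps/core.xml of an intact OOXML package ({} if absent)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        if "docProps/core.xml" not in zf.namelist():
            return {}
        root = ET.fromstring(zf.read("docProps/core.xml"))
    return {
        "creator": root.findtext("dc:creator", default="", namespaces=CORE_NS),
        "lastModifiedBy": root.findtext("cp:lastModifiedBy", default="", namespaces=CORE_NS),
        "modified": root.findtext("dcterms:modified", default="", namespaces=CORE_NS),
    }


def build_sample_docx(creator: str = "student") -> bytes:
    """Constructed minimal docx-shaped package (not a real Word file) for the demo."""
    core_xml = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<cp:coreProperties xmlns:cp="%s" xmlns:dc="%s" xmlns:dcterms="%s" '
        'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
        '<dc:creator>%s</dc:creator><cp:lastModifiedBy>%s</cp:lastModifiedBy>'
        '<dcterms:modified xsi:type="dcterms:W3CDTF">2009-06-17T23:59:00Z</dcterms:modified>'
        '</cp:coreProperties>'
    ) % (CORE_NS["cp"], CORE_NS["dc"], CORE_NS["dcterms"], creator, creator)
    buf = io.BytesIO()
    # Stored (uncompressed) members, so the byte edit below lands on the payload and trips the CRC.
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("docProps/core.xml", core_xml)
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


SAMPLE_DOCX = build_sample_docx()
TRUNCATED_DOCX = SAMPLE_DOCX[:-40]                           # central directory cut off: won't open at all
CRC_BROKEN_DOCX = SAMPLE_DOCX.replace(b"<Types", b"<TYPES")  # payload edited, stored CRC now mismatches
OLE2_STUB = OLE2_MAGIC + b"\x00" * 504                       # exactly one header sector of a legacy file

if __name__ == "__main__":
    samples = [("intact", SAMPLE_DOCX), ("truncated", TRUNCATED_DOCX),
               ("crc-broken", CRC_BROKEN_DOCX), ("ole2", OLE2_STUB), ("junk", b"\x00junk" * 8)]
    for label, blob in samples:
        print(f"{label:11s} -> {classify_office_file(blob)}")
    print(core_properties(SAMPLE_DOCX))
```

The check only catches the lazy case (a file that is broken at the container level); someone who ships a structurally valid package with garbage inside will pass it, so treat a "damaged" verdict as grounds for the late penalty and an "ok" verdict as nothing more than "it opens".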

Tuesday, June 16, 2009

Weakest Link!

What's the weakest link in any security program?? People!

Apparently, the company that built England's newest spy base decided that it made for good marketing material. The company published pictures, the address, and cost estimates for the new building, to the dismay of MI5 (Britain's domestic security service).

Nothing stays secret forever, but I would think there was something in the contract about not disclosing details of the secure facility. Then again, did they really think they could hide a building?

http://www.timesonline.co.uk/tol/news/politics/article6493658.ece

Friday, June 12, 2009

PC in a Vase??

For those who don't like the look of a regular PC sitting in their living room... a Taiwanese company has built a home media PC that looks like a Ming vase. The PC includes a Blu-ray player, hard drive, HDMI, Ethernet and USB connectors.

Check out the video:
http://www.networkworld.com/video/?bcpid=1343712625&bclid=1363192037&bctid=25961554001

Sunday, June 7, 2009

DefCon CTF Qualifiers....

--update --
we were ranked 40th in the end. Not too bad for a first time effort ;)

didn't qualify :(

very frustrating... knowing we were close on 3 or 4 challenges, but completely stumped! The "hints" were horrid ('find the key'!! -- how does that help??)

Oh well.. good experience I guess... need a lot more prep for next year if we want to qualify. It was pretty last-minute for me, so I didn't do any work to get ready for this -- not even looking at last year's challenges!!!

Some Stats:
about 500 teams
top 9 qualify (plus last year's winner)

Friday, June 5, 2009

Tracking changes in website policies

EFF started a new website (http://www.tosback.org) that tracks changes to the online policies of lots of sites (Facebook, eBay, etc.).

It isn't an intelligent review of the changes; it just compares the previous version with the new version and highlights the differences -- a change can be something as small as a formatting tweak or an address change, or something more involved.

One thing I found interesting is the frequency of changes -- you can see that eBay changed its user agreement 5 times in 2 days -- but mostly it was switching back and forth between two versions (one effective on June 8, the other June 14) -- so is this something that was a problem on eBay, or with the way the EFF was discovering/recording changes?
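As an added illustration of the mechanics described above (my own sketch, not TOSBack's code; the eBay-style snapshots are made up and only the flip-flop shape is modelled on what the site showed): a tracker that hashes every snapshot it records, diffs the new one against the last, labels a change as formatting-only when the whitespace-collapsed text is unchanged, and flags a snapshot whose hash matches an older version as a revert. Run on an A, A', B, A, B sequence it reports exactly the June 8 / June 14 back-and-forth, which is the kind of signal that separates a real policy change from a publishing or scraping glitch.

```python
import difflib
import hashlib
import re


def normalize(text: str) -> str:
    """Collapse whitespace and case so edits that only touch formatting hash identically."""
    return re.sub(r"\s+", " ", text).strip().lower()


def fingerprint(text: str) -> str:
    """Short SHA-256 prefix used as the version identifier."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()[:12]


class PolicyTracker:
    """Keeps every snapshot of one policy and classifies each new one against the last."""

    def __init__(self):
        self.history = []  # (raw_hash, normalized_hash, text) per recorded version

    def record(self, text: str) -> dict:
        raw, norm = fingerprint(text), fingerprint(normalize(text))
        verdict = {"version": len(self.history) + 1, "hash": raw,
                   "kind": "initial", "revert_of": None, "diff": ""}
        if self.history:
            prev_raw, prev_norm, prev_text = self.history[-1]
            if raw == prev_raw:
                verdict["kind"] = "unchanged"
            elif norm == prev_norm:
                verdict["kind"] = "formatting-only"
            else:
                verdict["kind"] = "substantive"
            verdict["diff"] = "".join(difflib.unified_diff(
                prev_text.splitlines(keepends=True), text.splitlines(keepends=True),
                fromfile=f"v{len(self.history)}", tofile=f"v{len(self.history) + 1}"))
            # A snapshot identical to an older version (not the immediate predecessor)
            # is a revert; A -> B -> A -> B in quick succession is the flip-flop pattern.
            if verdict["kind"] != "unchanged":
                for idx, (old_raw, _, _) in enumerate(self.history[:-1], start=1):
                    if old_raw == raw:
                        verdict["revert_of"] = idx
                        break
        self.history.append((raw, norm, text))
        return verdict


# Constructed sample snapshots (invented wording; only the version sequence mirrors the post).
V_JUNE8 = "User Agreement\nEffective June 8, 2009.\nFees: listing fee $0.35.\n"
V_JUNE8_REFLOWED = "User Agreement\n\nEffective  June 8, 2009.\nFees: listing fee $0.35.\n"
V_JUNE14 = "User Agreement\nEffective June 14, 2009.\nFees: listing fee $0.35.\n"


def run_sample() -> list:
    """Feed the five snapshots through one tracker and return its verdicts in order."""
    tracker = PolicyTracker()
    return [tracker.record(v) for v in (V_JUNE8, V_JUNE8_REFLOWED, V_JUNE14, V_JUNE8, V_JUNE14)]


if __name__ == "__main__":
    for v in run_sample():
        tag = f" (revert of v{v['revert_of']})" if v["revert_of"] else ""
        print(f"v{v['version']} {v['hash']} {v['kind']}{tag}")
        if v["kind"] == "substantive":
            print(v["diff"])
```

A site that really changed its terms five times in two days would show five distinct hashes; two hashes alternating is either a staged rollout being toggled or a scraper hitting two different backends, and the revert flag is what tells you to look rather than to read five diffs by hand.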

Genius Bank Robber...

There was more to how this guy got caught -- but really?? Posting on your Facebook page after robbing a bank: "One in the head still ain't dead!!!!!! On tha run for robbin a bank Love all of yall."

Tuesday, June 2, 2009

Security Maxims

Roger Johnston over at Argonne National Laboratory put together a list of 'Security Maxims' -- random truths about security that he and his team learned doing vulnerability assessments of physical and nuclear security systems.

Some of my favorites:
Rohrbach’s Maxim: No security device, system, or program will ever be used properly (the way it was designed) all the time.

Rohrbach Was An Optimist Maxim: No security device, system, or program will ever be used properly.

Irresponsibility Maxim: It’ll often be considered “irresponsible” to point out security vulnerabilities (including the theoretical possibility that they might exist), but you’ll rarely be called irresponsible for ignoring or covering them up.

Troublemaker Maxim: The probability that a security professional has been marginalized by his or her organization is proportional to his/her skill, creativity, knowledge, competence, and eagerness to provide effective security.

A Priest, a Minister, and a Rabbi Maxim: People lacking imagination, skepticism, and a sense of humor should not work in the security field.

I Hate You Maxim 2: The more a given technology causes hassles or annoys security personnel, the less effective it will be.

The entire list is fairly long, but mostly entertaining (at least for a security geek!): http://www.ne.anl.gov/capabilities/vat/seals/maxims.html

Monday, June 1, 2009

2009 not that different from 2003!

In an article on CNET, Declan McCullagh reviews the similarities between Bush's 2003 cybersecurity plan and the Obama plan released last week. The similarities are frightening -- even the page count is the same (76)! There is even a quiz to see if you can tell Obama's plan from Bush's!

Pointing out the same issues and failing to take action results in ... finding the same issues! Hopefully Obama will actually make some changes (and approve funding) to advance cybersecurity during his term!
