Twitter is banning a list of 370 passwords that it feels are insecure. Twitter says that these passwords are too obvious for users of their system.
So what made the list? password (of course -- even made the list twice), butter (seriously?), testing (for those times you don't know what will work), twitter (lol!). Plus lots of names (amanda, barney, crystal, ...), some cities (austin, dallas, and newyork made the list) as well as many sports teams (raiders, cowboys, lakers, ...)
Twitter isn't saying how it came up with this list of passwords. Maybe these are the most common ones or the ones they cracked in less than 5 seconds?
Regardless of where these came from, if your password for anything that you care about is on this list, you should definitely change it. And the list of what you should care about? Anything that has information that you would not want broadcast on the evening news, put on a billboard in front of your house, or announced on the radio.
Here's a link to the list of passwords: http://www.techcrunch.com/wp-content/uploads/2009/12/Twitter-banned-passwords.txt
Another set of passwords not to use: http://www.sophos.com/blogs/gc/g/2009/01/16/passwords-conficker-worm/ (this is the set used by the conficker worm to spread.)
Wednesday, December 30, 2009
Monday, November 23, 2009
Webroot's Online Shopping Tips
Good advice from Webroot about online shopping:
Only make purchases from secure Web sites. The fastest way to tell? Look at the web address on the page where you're entering your credit card information. Secured Web sites start with "https:" instead of "http:".
1. Think Before You Click: Never click links to unfamiliar Web sites. If you use a search engine to find gifts, treat every result with caution -- especially the ones promising a link to an unbelievable deal.
2. Install Security Software: At a minimum, your PC should have security software with up-to-date antispyware, antivirus and firewall protection.
3. Know the Retailer: If you are unfamiliar with the retailer you want to purchase from, look for more information about the company by contacting the Better Business Bureau.
4. Use a Credit Card, Not a Debit Card: If you are a victim of fraud or cybercrime, most credit card agreements limit your liability for the charges.
5. Monitor Your Credit: It is important to monitor your credit report and/or credit status on a regular basis to quickly spot anything unusual.
6. Ask About a "Single Use" Credit Card: Many credit card companies are now able to issue single-use credit card numbers for online purchases -- so you can avoid using your real credit card number online. (Discover uses Single Online Account Numbers and Citibank has a One-time use number. You do have to have online access to your credit card account set up to access these services)
Thursday, November 12, 2009
It's all about ...popularity!
Another hacking tool was released for the iPhone today -- this one is a bit more serious and can steal data (contacts, messages, email, etc). The previous hack released earlier this week would replace the user background with a Rick Astley image.
According to F-Secure's Runald “... we’ve already seen more serious vulnerabilities in the iPhone in a year and a half than we’ve seen in the whole life of Symbian and Windows mobile OSes,”
So why so many hacks against Apple devices? iPhones are popular. Many people jailbreak their iPhones so they can install apps that aren't signed and approved by Apple. It's a much more appealing target for hackers -- much the same as Windows PCs have been a more appealing target than Apple for years.
The number of hacks is not so much about the security of the product, but about the desire for a hacker to break it -- if they really want in, they will find a way.
Monday, November 9, 2009
Friday, October 2, 2009
Stupid Criminals....
A guy robbing a house in West Virginia decided that facebook just couldn't wait. While in the house, he used the owner's computer to sign in and check facebook. Too bad for him that he left his account signed in when he made his escape!
Maybe facebook addiction has its uses :)
Thursday, August 27, 2009
Security 610: Reverse-Engineering Malware: Malware Analysis Tools and Techniques
I will be mentoring SANS 610: Malware Analysis in San Antonio starting Nov 3rd.
The class covers both behavioral and code analysis to provide a more rounded approach to malware reverse engineering.
The first half of the class shows students how to examine a program's behavioral patterns and assembly code, and study techniques for bypassing common code obfuscation mechanisms. The course also takes a look at analyzing browser-based malware.
In the second half, the class will focus on static code analysis, learning to examine malicious code to understand its flow by identifying key logic structures and patterns, looking at examples of bots, rootkits, key loggers, and so on. The class will teach how to analyze self-defending malware through unpacking techniques and bypassing code-protection mechanisms and how to bypass obfuscation techniques employed by browser-based malicious scripts.
For more information or to register... SANS 610
Tuesday, August 25, 2009
laws of technology
Network World has put together a list of "Unwritten Rules of Technology" -- basically, the Murphy's Laws of the tech world.
Some of my favorites:
-- If you close the PC case with screws before testing, it won't work; If you test before closing, it will.
-- If it's broken and you call tech support, it will fix itself while you're on hold.
-- When entering "Captcha" verification codes on a Web site, you'll always type in the numeral 1 when the site wants a lowercase L, and a capital O when the site wants the number 0. (And vice versa!!)
Anyone who has worked with computers has lived through a good number of these -- more than once!
Thursday, August 20, 2009
programs infecting programs...
A new(ish) virus running around out there injects itself into the source code of any Delphi program it finds on a system. It compiles itself into the code and then goes off in its new carrier program to infect others.
Sophos has received over 3000 unique files with the virus, which means it probably isn't all that new -- and probably infected some major software houses. Some of the infected files have been malicious code themselves -- meaning the malware author(s) were infected themselves!
Other than spreading itself around, the virus doesn't do anything else -- but the possibility of a truly malicious virus using the same technique to spread is there.
Most AV scanners are detecting this now -- so as usual, make sure your antivirus is up to date :)
Sunday, August 2, 2009
BlackHat
I survived yet another BlackHat conference in Vegas. I thought the con was really good this year -- some improvements made the entire experience much better.
Instead of vendors lining (and clogging) the hallways, all the booths were in a ballroom. Lots more room to walk around and talk to people, and so much easier to move from one talk to the next. Great move! They also moved lunch inside (previous years it was downstairs out through the pool and in a tent). Much better to just use another room in the conference area.
I saw a lot of really cool talks -- building a darknet (private network) using a browser, using some memory analysis tools to find what commands were performed with a common exploit tool, and some new things to make reverse engineering easier.
It was great to see the people I used to work with, and those people who I only get to see at conferences. No DefCon for me this year (baby Ezri trumps a conference!) but the 2 days of BlackHat wore me out enough that it was probably a good year to cut short my Vegas trip.
Now on to a week of vacation, then back to reality!
Monday, July 27, 2009
Welcome Ezri Kathryn
Wednesday, July 15, 2009
tag- you're it Firefox...
Microsoft patched its latest browser vulnerabilities yesterday, and now there is a zero-day exploit for Firefox 3.5! The proof of concept code executes calculator on the compromised machine.
There is a vulnerability in the way Firefox is processing JavaScript code which allows an attacker to execute arbitrary code. When the attack doesn't work, the browser crashes, or the script causes FF to give errors.
The proof of concept is here: http://www.milw0rm.com/exploits/9137
When I tried the PoC, I got a message saying the script was unresponsive (A script on this page may be busy, or it may have stopped responding. You can stop the script now, or you can continue to see if the script will complete.) At that point you can either continue or stop the script.
Using the NoScript add-on mitigates the threat (unless you choose to allow scripts on the page with the attack!)
No response from FF yet about a patch.
Friday, July 10, 2009
browse & get owned
Microsoft is calling a new vulnerability/exploit floating in the wild a 'browse and get owned' attack vector. The victim simply has to visit the compromised site to get infected -- no handy pop-ups asking you to install stuff, no notices to install new activeX... just a silent install of malware.
Most of the sites that are compromised are currently serving Chinese-related content, but that could change quickly.
MS has published a temporary fix (http://support.microsoft.com/kb/972890) and will have the permanent fix as part of next week's Patch Tuesday updates. There are an additional 2 Internet Explorer vulnerabilities being patched next week, but the details of those are sketchy.
The temporary fix uses MS's 'Fix It' to disable the Video ActiveX control that is vulnerable. There is also an 'unfix it' option to re-enable the control. I ran the fix and so far have not seen any negative effects. Manually disabling the control can be done by editing the registry (not recommended!) to set the 'kill bit' for the control.
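As an added example (not from this post or from Microsoft's Fix It), here is a PowerShell script that audits whether the kill bit is set for a control and, only when asked, sets it. The CLSID is a placeholder because the post does not give it (the real one is in the KB article); the 'Compatibility Flags' value 0x400 is Microsoft's documented kill-bit flag, and the Wow6432Node path covers 32-bit IE on 64-bit Windows.

```powershell
# Added example: audit (and optionally set) the ActiveX kill bit for one CLSID.
# $Clsid is a PLACEHOLDER; take the vulnerable control's real CLSID from KB 972890.
# 'Compatibility Flags' = 0x400 is Microsoft's documented kill-bit value.
param(
    [string]$Clsid = '{00000000-0000-0000-0000-000000000000}',  # placeholder, not the real CLSID
    [switch]$Set                                                 # without -Set the script only reports
)

$KillBit = 0x400
$Paths = @(
    "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid",
    "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"  # 32-bit IE on x64
)

function Get-KillBitState {
    param([string]$Path)
    # Returns 'absent' (no key/value), 'clear' (flags present, bit not set) or 'set'
    if (-not (Test-Path -Path $Path)) { return 'absent' }
    $item = Get-ItemProperty -Path $Path -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'absent' }
    $flags = [int]$item.'Compatibility Flags'
    if (($flags -band $KillBit) -ne 0) { return 'set' }
    return 'clear'
}

function Set-KillBit {
    param([string]$Path)
    # Needs an elevated shell: HKLM is not writable by a standard user
    if (-not (Test-Path -Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    $item = Get-ItemProperty -Path $Path -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    $current = if ($null -eq $item) { 0 } else { [int]$item.'Compatibility Flags' }
    # OR in the kill bit so any other compatibility flags already present are preserved
    New-ItemProperty -Path $Path -Name 'Compatibility Flags' -PropertyType DWord `
        -Value ($current -bor $KillBit) -Force | Out-Null
}

foreach ($p in $Paths) {
    $before = Get-KillBitState -Path $p
    if ($Set -and $before -ne 'set') {
        Set-KillBit -Path $p
        "{0}: kill bit {1} -> {2}" -f $p, $before, (Get-KillBitState -Path $p)
    } else {
        "{0}: kill bit {1}" -f $p, $before
    }
}
```

Run it without -Set first (from an elevated PowerShell) to confirm what the Fix It did, and keep the report so the 'unfix it' step can be verified later the same way.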
Thursday, July 9, 2009
MilW0rm Closes!
** UPDATE**
The site is back online! Apparently the outcry was sufficient to motivate str0ke and friends to bring the site back up!
** END UPDATE **
A well-known, public site for posting and finding the newest, latest, greatest, coolest exploits has shut down. The owner published the following:
"Well, this is my goodbye header for milw0rm. I wish I had the time I did in
the past to post exploits, I just don't :(. For the past 3 months I have
actually done a pretty crappy job of getting peoples work out fast enough
to be proud of, 0 to 72 hours (taking off weekends) isn't fair to the
authors on this site. I appreciate and thank everyone for their support in
the past. Be safe, /str0ke "
Hopefully someone in the community will step up to get the site back up. While it was used by some malicious people to find exploits -- many of the good guys used the site in their day to day work creating network defenses and testing their own sites to improve security.
Thanks to str0ke for all the time and work he put into the site! Good luck with whatever you do next.
Thursday, July 2, 2009
Licensed to ....
hack? New legislation being proposed by Sens. John “Jay” Rockefeller (D-W.Va.) and Olympia Snowe (R-Maine) introduces the idea that cybersecurity professionals should be certified and licensed. The DoD already tried the certification thing -- cybersecurity people are supposed to have at least one of a number of recognized certifications in order to perform cybersecurity work. Since 2004, only about a third of the people performing IA work actually have a recognized credential.
If this passes, it would be a crime for a non-licensed professional to provide security services to a government agency or any system/network designated as critical infrastructure.
What isn't clear -- what defines a cybersecurity job? security services? Who will decide the licensing requirements? Who picks the certifications that 'count'? And what is part of 'critical infrastructure'?
I believe that certifying professionals is a good thing, but making it illegal for non-certified people to work on systems is a bad idea. Most of the more respected certifications require a certified professional to have years of experience (e.g., CISSP) -- so people could be stuck in a catch-22 situation -- can't do the work without the cert, can't get the cert without having done the work. I also think that passing a test doesn't make you good at something, it means you passed a test. Just looking for that piece of paper when hiring is not going to mean you get better qualified people.
As for licensing -- this brings to mind the PI licensing requirement that Texas has for anyone doing 'investigative work'... which includes digital forensics, some computer repair, most incident response work. A PI license tells nothing about a person's qualifications in cyber security, but somehow the Texas Legislature thought requiring a PI license was a good idea.
Someone is going to have to create, maintain, test, and validate all of the licensing criteria. Who would be in charge of this? Would that be the same organization that provided training to pass the tests?
There are a lot more questions than answers with this proposal. And the cynical part of me thinks that it won't matter since it will take many years to develop criteria anyway and by that time, cybersecurity may not be the 'new hotness' and we can all ignore the politicians' attempts to define things they really don't understand!
http://defensesystems.com/Articles/2009/06/22/feat-cybersecurity-training.aspx
Friday, June 26, 2009
Don't have to pay settlements
Two defendants who were charged with deceptive advertising (they placed ads scaring customers into purchasing rogue security software) agreed to a settlement deal where they would pay back $1.9 million, but they no longer have to pay back all the money. Why -- they don't have that kind of cash anymore. So they only owe $116,697 (who makes up these numbers?)
I guess some money is better than none, but why give out judgments that you know will never be paid? Good press in that the public thinks someone is truly being punished would be my guess.
http://www.networkworld.com/community/node/43029?source=NWWNLE_nlt_security_2009-06-26
ACE!!
Took the exam to become ACE certified (AccessData Certified Examiner). The test was pretty easy and now I am just waiting to get the actual certificate so that I can say I am a newly minted certified forensics examiner! One more set of letters to add to my certification soup list:
CISSP GSAE GREM GAWN CREA E|CSA ACE
Wednesday, June 17, 2009
Cheating Deadlines
There is a site that offers corrupted files (word, excel, powerpoint) for a fee that people can use to pretend like they met a deadline. The idea is that you send this corrupted file to your boss or submit as an assignment. By the time the recipient tries to open the file and finds that it doesn't work, you have had extra time to finish whatever the project was!
Apparently, some college instructors have caught on to this and require a hard copy as well as electronic versions of assignments. So much for a paperless office ever happening when sites like this exist.
I wonder if there is something in the metadata of these files that will identify them -- then the people using these can be punished (late penalties, etc) for trying to work around the system!
Tuesday, June 16, 2009
Weakest Link!
What's the weakest link in any security program?? People!
Apparently, the company that built England's newest spy base decided that it made for good marketing material. The company published pictures, the address, and cost estimates for the new building, to the dismay of MI5 (Britain's spy agency).
Nothing stays secret forever, but I would think there was something in the contract about not disclosing details of the secure facility, but -- did they really think they could hide a building?
http://www.timesonline.co.uk/tol/news/politics/article6493658.ece
Friday, June 12, 2009
PC in a Vase??
For those who don't like the look of a regular PC sitting in their living room... a Taiwanese company has built a home media PC that looks like a Ming vase. The PC includes a Blu-ray player, hard drive, HDMI, Ethernet and USB connectors.
Check out the video:
http://www.networkworld.com/video/?bcpid=1343712625&bclid=1363192037&bctid=25961554001
Sunday, June 7, 2009
DefCon CTF Qualifiers....
--update --
we were ranked 40th in the end. Not too bad for a first time effort ;)
didn't qualify :(
very frustrating... knowing we were close on 3 or 4 challenges, but completely stumped! The "hints" were horrid ('find the key'!! -- how does that help??)
Oh well.. good experience I guess... need a lot more prep for next year if we want to qualify. It was pretty last minute for me, so I didn't do any work to get ready for this -- not even looking at last years challenges!!!
Some Stats:
about 500 teams
top 9 qualify (plus last year's winner)
Friday, June 5, 2009
Tracking changes in website policies
EFF started a new website (http://www.tosback.org) that tracks changes to the online policies for lots of sites (facebook, ebay, etc).
It isn't an intelligent review of the changes, it just compares the previous version and new version and highlights changes -- the changes can be something like a formatting change, address change, etc... or something more involved.
One thing I found interesting is the frequency of changes -- you can see that ebay changed its user agreement 5 times in 2 days -- but mostly it was switching back and forth between two versions (one effective on June 8, the other June 14) -- so is this something that was a problem on ebay, or the way the EFF was discovering/recording changes?
Genius Bank Robber...
There was more to how this guy got caught -- but really?? Posting on your facebook page after robbing a bank: “One in the head still ain’t dead!!!!!! On tha run for robbin a bank Love all of yall.”
Tuesday, June 2, 2009
Security Maxims
Roger Johnston over at Argonne Labs put together a list of 'Security Maxims' -- random truths about security that he and his team learned in doing vulnerability assessments for physical/nuclear systems.
Some of my favorites:
Rohrbach’s Maxim: No security device, system, or program will ever be used properly (the way it was designed) all the time.
Rohrbach Was An Optimist Maxim: No security device, system, or program will ever be used properly.
Irresponsibility Maxim: It’ll often be considered “irresponsible” to point out security vulnerabilities (including the theoretical possibility that they might exist), but you’ll rarely be called irresponsible for ignoring or covering them up.
Troublemaker Maxim: The probability that a security professional has been marginalized by his or her organization is proportional to his/her skill, creativity, knowledge, competence, and eagerness to provide effective security.
A Priest, a Minister, and a Rabbi Maxim: People lacking imagination, skepticism, and a sense of humor should not work in the security field.
I Hate You Maxim 2: The more a given technology causes hassles or annoys security personnel, the less effective it will be.
The entire list is fairly long, but mostly entertaining (at least for a security geek!) http://www.ne.anl.gov/capabilities/vat/seals/maxims.html
Monday, June 1, 2009
2009 not that different from 2003!
In an article on CNET, Declan McCullagh reviews the similarities between Bush's cybersecurity plan from 2003 and Obama's plan just released last week. The similarities are frightening -- even the page count is the same (76)! There is even a quiz to see if you can tell Obama's plan from Bush's!
Pointing out the same issues and failing to take action results in ... finding the same issues! Hopefully Obama will actually make some changes (and approve funding) to advance cybersecurity during his term!
Friday, May 29, 2009
Day 1!
My first blogpost -- exciting news is that I set up a blog (finally). A little behind the curve on this one, but life got in the way!
Just for fun today -- here is a link to a TED talk about crazy fish that can look like algae!
http://www.ted.com/index.php/talks/david_gallo_shows_underwater_astonishments.html