October 2007
Gazing in the Crystal Ball
Four times in the last month I have been contacted by people asking my predictions for future cyber security threats and protections. One of those instances will be as I serve on a panel at the Information Security Decisions Conference in Chicago next week; we’ll be talking about the future of infosec. Another instance was when I was contacted by the people at Information Security magazine...
Oct 31st
Spammers employ stripper to crack CAPTCHAs →
You are the weakest link.
Oct 30th
Oct 28th
Avi Rubin's Blog: A case of the wrong technology... →
As Avi notes, the cryptography may not make a difference. Too often people believe that encryption solves the important security problems. That’s why, back in 1995, I said the following (which has been widely quoted): Encryption is equivalent of using heavy armored cars. The problem is, they are being used to transfer rolls of coins and checks written in crayon by people on park benches to...
Oct 27th
Educause 2007: Can You Have Too Much... →
Oct 26th
Oct 25th
Thoughts on Virtualization, Security and...
The “VMM Detection Myths and Realities” paper has been heavily reported and discussed before. It considers whether a theoretical piece of software could detect if it is running inside a Virtual Machine Monitor (VMM). An undetectable VMM would be “transparent”. Many arguments are made against the practicality or the commercial viability of a VMM that could provide performance, stealth and...
Oct 25th
House panel chief demands details of cybersecurity... →
Oct 24th
Legit Linux Codecs In the U.S.
As a beginner Linux user, I only recently realized that few people are aware or care that they are breaking U.S. law by using unlicensed codecs. Even fewer know that the codecs they use are unlicensed, or what to do about it. Warning dialogs (e.g., in Ubuntu) provide no practical alternative to installing the codecs, and are an unwelcome interruption to workflow. Those warnings are easily...
Oct 24th
Official: International hackers going after U.S.... →
OK, so who isn’t in our networks?
Oct 23rd
Phishers (almost) scam grocery giant out of $10... →
E-mail fraud isn’t limited to acts against individuals. Moral: It’s generally a good idea to verify important changes out-of-band, especially when e-mail is involved!
Oct 23rd
Rational Survivability: Finally...A Good Use for... →
Oct 20th
:NEWS+ANALYSIS: :Cyber Wars (10/1/07) --... →
Oct 19th
Rational Security: Apathy and Alchemy: When Good... →
Another great blog entry from Mr. Hoff. Security engineering is like any other engineering — we spend enough to prevent (or easily recover from) expected risks. We can’t protect against every risk, so we make some calculated risk management decisions. What complicates the picture is that we don’t have good risk models for IT (especially given the rate of change and churn); we...
Oct 17th
Hypocritical Security Conference Organizers
Every once in a while, I receive spam for security conferences of which I’ve never heard, much less attended. For example, today I received spam for the 7th European Conference on Information Warfare and Security. Typically the organizers of these conferences are faculty members, professors, or government agency employees who should know better than to hire companies to spam for them. Do these...
Oct 17th
Rational Security: On Castles: Moats,... →
This is a great post on a theme that several of us tried to convey before. Static defense alone will not keep us safe indefinitely. Static walls only work in two cases: when the attacking force did not have the resources to maintain a full siege, or when a relief force from somewhere else came and drove off the attacking force. History of castles, forts, palisades, trenches, and even the...
Oct 17th
VoteTrustUSA - Swiss Armored Cars and Voting →
Great analysis, and not only because he quotes me! :-)
Oct 16th
Disloyal Software
Disloyal software surrounds us. This is software running on devices or computers you own and that serves interests other than yours. Examples are DVD firmware that insists on making you watch the silly FBI warning or prevents you from skipping “splashes” or previews, or popup and popunder advertisement web browser windows. When people discuss malware or categories of software, there is usually...
Oct 15th
Security and Risk Management Strategies Blog:... →
I also responded to this, so see the comments.
Oct 15th
Solving some of the Wrong Problems
As I write this, I’m sitting in a review of some university research in cybersecurity. I’m hearing about some wonderful work (and no, I’m not going to identify it further). I also recently received a solicitation for an upcoming workshop to develop “game changing” cyber security research ideas. What strikes me about these efforts — representative of efforts by hundreds of people over...
Oct 11th
Sorry, You Used That Password 28,452 Times Ago -... →
Oct 11th
RIAA Hits a Sour Note With Its File-Sharing Witch... →
More commentary on copyrights and file sharing.
Oct 11th
The Privacy Place » Is That Vault Really... →
Nice comments on Microsoft’s new HealthVault service.
Oct 9th
Leak Severed a Link to Al-Qaeda's Secrets →
Moral of the story? Don’t share secrets with the White House.
Oct 9th
Tiny 'tin whiskers' imperil electronics →
It’s worth noting that not all of the threats to our cyber infrastructure are software-based.
Oct 8th
Some comments on Copyright and on Fair Use
Over the past decade or so, the entertainment industry has supported a continuing series of efforts to increase the enforcement of copyright laws, a lengthening of copyright terms, and very significant enforcement efforts against individuals. Included in this mess was the DMCA — the Digital Millennium Copyright Act — which has a number of very technology unfriendly aspects. One result of...
Oct 8th
Separating work from personal use of the computer →
We will see many more stories like this. People — performing personal business on company machines, and company business on personal machines — have no intent to create forensic problems, but it is a natural outgrowth of that use. But what is the alternative?
Oct 8th
'Old fuddy-duddy' can continue age discrimination... →
Well, I should hope so! As an older guy, I can say that I may not be as fast at some things as I used to be, nor is my memory as sharp. But I also have a much broader set of experiences and knowledge than I did when I was 20, so I look at problems a different way. We can’t know (yet) whether Dr. Reid was improperly terminated from his position. However, any company that makes personnel...
Oct 8th
DHS e-mail snafu reveals info on thousands of... →
Once again DHS reveals itself to be a shining example of….something.
Oct 4th
FakeChecks.org →
Good site to share with people — shows some of the current scams being used to commit financial fraud online.
Oct 4th
Oct 1st
CERIAS newsletter #1 →
The first edition of the new bimonthly CERIAS newsletter is out! Take a look and let us know what you think.
Oct 1st