Category: security

You have the right… to reverse engineer

This NYTimes article about the VW diesel issue and the DMCA made me think about how, 10 years ago next month, the Digital Millennium Copyright Act (DMCA) almost kept Mark Russinovich from disclosing the Sony BMG Rootkit. While the DMCA provides exceptions for reporting security vulnerabilities, it does nothing to allow for reporting breaches of… integrity. I believe that we need to consider an expansion of how researchers are permitted to, without question, reverse engineer certain systems. While entities need a…

How I learned to stop worrying and love the cloud

For years, companies have regularly asked me for my opinion on using cloud-based services. For the longest time, my response was one about, “You should investigate what types of services might fit best for your business,” followed by a selection of caveats reminding them about privacy, risk, and compliance, since their information will be stored off-premises. But I’ve decided to change my tune. Beginning now, I’m going to simply start telling them to use cloud where it makes sense, but…

Mobile devices or cloud as a solution to the enterprise security pandemic? Half right.

This is a response to Steven Sinofsky’s blog post, “Why Sony’s Breach Matters”. While I agree with parts of his thesis (the parts about layers of complexity leaving us where we are, and about secured, legacy-free mobile OSes helping to alleviate this on the client side), I’m not sure I agree with his points about the cloud being a path forward, at least in any near term, or to the degree of precision he alludes to. The bad news is that…

Who shot Sony?

I’m curious about the identity of the group that broke in to Sony, apparently caused massive damage, and compromised a considerable amount of information that belongs to the company. For some reason, journalists aren’t focusing on this, however. Probably because it doesn’t generate the clicks and ad views that publishing embarrassing emails, salary disclosures, and documented poor security practices do. Instead, they’re primarily focusing on revealing Sony’s confidential information, conveniently provided in multiple, semi-regular doc dumps by the party behind…

It is past time to stop the rash of retail credit card “breaches”

When you go shopping at Home Depot or Lowe’s, there are often tall ladders, saws, key cutters, and forklifts around the shopping floor. As a general rule, most of these tools aren’t for your use at all. You’re supposed to call over an employee if you need any of these tools to be used. Why? Because of risk and liability, of course. You aren’t trained to use these tools, and the insurance that the company holds would never cover their…

You have a management problem.

I have three questions for you to start off this post. I don’t care if you’re “in the security field” or not. In fact, I’m more interested in your answers if you aren’t tasked with security, privacy, compliance, or risk management as a part of your defined work role. The questions: If I asked you to show me threat models for your major line of business applications, could you? If I asked you to define the risks (all of them) within…

Is the Web really free?

When was the last time you paid to read a piece of content on the Web? Most likely, it’s been a while. The users of the Web have become used to the idea that Web content is (more or less) free. And outside of sites that put paywalls up, that indeed appears to be the case. But is the Web really free? I’ve had lots of conversations lately about personal privacy, cookies, tracking, and “getting scroogled”. Some with technical colleagues, some with…

Running Windows XP after April? A couple of suggestions for you

Yesterday on Twitter, I said the following: “Suggestion… If you have an XP system that you ABSOLUTELY must run after April, I’d remove all JREs, as well as Acrobat Reader and Flash.” This was inspired by an inquiry from a customer about Windows XP support that arrived earlier in the day. As a result of that tweet, three things have happened. Many people replied “unplug it from the network!” Several people asked me why I suggested doing these steps. I’ve begun…

Security and Usability – Yes, you read that right.

I want you to think for a second about the key you use most. Whether it’s for your house, your apartment, your car, or your office, just think about it for a moment. Now, this key you’re thinking of is going to have a few basic properties. It consists of metal, has a blade extending out of it that has grooves along one or both sides, and either a single set of teeth cut into the bottom, or two sets…

Remember the Clipper chip?

I happened to bring up the Clipper chip in a conversation with a colleague today, where we were discussing the latest NSA-related news, communication privacy, (and of course the Apple 5s). Looking back at it now, it’s fascinating how much advice the past gives us today. I encourage you to read the words of Whitfield Diffie in his testimony to the US House of Representatives on May 11, 1993: “I submit to you that the most valuable secret in the world…