Friday, December 31, 2010

look behind you

from failblog

if lack of awareness of the risks all around you can turn out this badly for a bad guy, imagine how badly it can turn out for you.

Thursday, December 30, 2010

Wednesday, December 29, 2010

i'z in ur facebook...

source and inspiration from the naked security blog. is america's dumbest criminals still on the air?

Tuesday, December 28, 2010

not-so-private dressing room

from failblog

i don't even have to go into this dressing room to see how nice it is inside... oh wait.

Monday, December 27, 2010

you may already be a 'winner'

from failblog

be careful of those contests you don't remember entering. even if you aren't wanted by the cops, someone else might be trying to fool you (someone who themselves might be wanted by the cops).

Friday, December 24, 2010

above the law

via failblog

at first you might think the lesson here is to be careful your own tools and capabilities aren't used against you, but this vehicle is parked in a fire zone. just as the police cannot be above the law, security people should not be above the security policy. they need to set an example for everyone else, not operate on a "do as i say, not as i do" basis.

Thursday, December 23, 2010

you use that password how many places?

from the wonderful mind of randall monroe at xkcd

don't let this fictional attacker's lack of action lull you into a false sense of safety. reusing your password does in fact open you up to attacks just as is described here and there are plenty of people out there willing to compromise your banking and other accounts for profit (though not all attackers will bother to set up a webservice to capture your credentials; phishing, malware, and user database compromises do an adequate job of capturing those as is).

Wednesday, December 22, 2010

immodest proposal

found source image on boingboing but the true source is here

well they don't call it security theatre for nothing, though we may never know what the plot of this play was.

Friday, December 3, 2010


from failblog

it's funny because it's true. after all, how else do you think the graffiti could get there?

Thursday, December 2, 2010

close the iron curtain please, i'm trying to pee

from very demotivational

so all those times i mentioned following people into the washroom with a camera (because they had outrageous philosophies on privacy that included things like "if you don't have anything to hide ..."), apparently the russians didn't get the joke.

sorry russia, i didn't mean to give anyone ideas.

Tuesday, November 30, 2010

new old meme: the joke

ah, the venerable joke. a funny story told and retold, passed on from one person to another. a classic meme if ever there was one.

this satirical story about a traveler having a 'happy ending' during an enhanced pat-down inspired me to come up with an actual honest to goodness joke. i honestly don't come up with my own jokes very often, but when inspiration strikes you gotta play the cards you're dealt.

virgin airways

a young man goes to the airport in order to catch a flight, but because of privacy and health concerns he elects to 'opt out' of the full body imaging machine. when the TSA agent takes him aside for alternative screening he says to the agent

young man: "so did you hear about that guy who ejaculated during an 'enhanced' pat down?"

TSA agent: "excuse me?"

young man: "yeah, apparently the agent wasn't familiar with what piercings would feel like and wound up spending a little too much time 'down there'."

TSA agent: "i see. so, uhh... do you have any piercings i should know about?"

young man: "no, but i am a virgin, and i'd like to still be one when i finally get through security."


Friday, November 12, 2010

if you keep your fire extinguisher locked up...

if you keep your fire extinguisher locked up so securely that it's safer than you are then you might be a security idiot


Thursday, November 11, 2010

if public transit...

if public transit seems like as good a place as any to read out private financial information over the phone then you might be a security idiot

Wednesday, November 10, 2010

who's giving you your security advice?


really, at least once you should ask yourself where the security advice you listen to is coming from. there may be ulterior motives, or there may even be a complete and utter lack of credibility. just as the unexamined life is not worth living, so too is the unexamined security advice not worth following.

Tuesday, November 9, 2010

facebook password trick

from i am bored with thanks to FSLabsAdvisor for pointing it out.

don't fall for this one, kids.

Monday, November 8, 2010

we need those YMCA guys to spell out 'virus'

hat tip to mikko hypponen for this one

you don't want a V-I, R, U-S...

Friday, November 5, 2010

no security is perfect

from i has a hotdog (with a hat tip to the security curve blog)

nothing's perfect, except maybe the expression on that dog's face.

Thursday, November 4, 2010

how can i fail thee, let me count the ways

from failblog

how many things can you find wrong in this video? obviously the security guard isn't familiar with how the gate limits traffic to only one direction. that's definitely something he needs to have a better grasp of. he could also stand to have a better grasp on his gun - really not the sort of thing you want to leave laying on the ground. can you find anything else? leave a comment and let me know.

Wednesday, November 3, 2010

CCTV and there's still nothing on

from very demotivational

it goes without saying, that camera isn't going to catch anything. someone at some point wasn't thinking clearly and rendered what could have been a useful security feature absolutely useless.

Tuesday, November 2, 2010

would you like an error log with your transaction receipt

from john graham-cumming

and yes, that is a windows error on an italian ATM. now you can marvel, as i did, at john's bravery for using such a device.

Monday, November 1, 2010

dictionary attack in middle earth

great explanation of a dictionary attack on a password system from the abstruse goose. hat tip to mikko hypponen for finding it

Friday, October 29, 2010

democracy just leveled up

found on boing boing

what you're looking at is a voting machine. no really, an actual voting machine. doesn't it make you feel all warm and fuzzy knowing how secure those electronic voting machines are? your democracy is in good hands. good strong hands, with nimble fingers and lightning fast thumbs. no button mashing here, no sir.

Thursday, October 28, 2010

i spy with my little eye

from the failblog

bad enough that there is no privacy between urinals, but clearly the designer of this public restroom failed to consider that when you aren't busy aiming you're even more likely to look around.

Wednesday, October 27, 2010

Tuesday, October 26, 2010

protect your privacy

from learn from my fail
while we might reasonably expect people to respect our privacy, we cannot rely on them to do so. if you don't actively protect your privacy then you'll have no privacy.

Monday, October 25, 2010

compensating controls FTW

from the failblog

this is an excellent example of compensating controls. the crocodile compensates for the fall. you might be able to survive one or the other, but not both.

Friday, October 22, 2010

which is more important? part 2

from failblog

i'm sure having something to hold onto while going down stairs is important, but i sure hope nobody needs to get through that fire door. when it comes to conflicting safety features, i think the risk of people falling down the stairs is easier to accept than the risk of people dying in a fire.

Thursday, October 21, 2010

which is more important?

from the failblog

ridiculous protection can cripple safety/security measures. i sure hope nobody needs to get into that fire safety plan in an emergency.

Wednesday, October 20, 2010

i will lock my computer

thanks to mikko hypponen for this one

it's good advice too, unless you don't mind the people nearby playing tricks on you or embarrassing you by sending out messages you would never send.

Tuesday, October 19, 2010

deterrence fail

from failblog

prevention by deterrence doesn't work if it's obvious that others weren't deterred.

Monday, October 18, 2010

more than one reason to respect privacy

from learn from my fail

sometimes respecting other people's privacy is as much for your own good as it is for theirs. some things cannot be unseen.

Friday, October 15, 2010

safe from midgets, maybe?

from the failblog
this is why it's so important to understand security, at least at a basic level, otherwise you do things like lock up bikes in such a way that a thief merely needs to lift it in order to steal it.

and on a side note, i've seen so many examples of poor bike security, it's no wonder they get stolen so much.

Thursday, October 14, 2010

more than meets the eye

from ebay but found on schneier's blog

coffee cups (some insulation expected) disguised as SLR camera lenses. these definitely hold more than 3 ounces. oh well, so much for that silly TSA rule.

Wednesday, October 13, 2010

know your tools

from learn from my fail

this underscores why it's important to understand what various tools are for, because otherwise you could wind up mis-using them (sometimes to hilarious results)

Tuesday, October 12, 2010

backups are important, m'kay?

from learn from my fail (if that isn't a hat tip to the memetic nature of knowledge transfer, i don't know what is)

backups - don't delete pictures without them.

Monday, October 11, 2010

protect what's really important

from the failblog

i suppose the bike owner should get some points for at least trying to protect his/her property. unfortunately you really need to be intelligent about how you use your security tools and protect what's really important to you. locking up the front wheel of the bike, when wheels can be easily removed from bikes, means that only the front wheel gets protected.

Friday, October 8, 2010

easy-open locks?

found on failblog

the very notion of an easy-open lock seems strange enough - i mean, how secure could that really keep things - but the idea of using them in a prison, of all places, really underscores how bad an idea easy-open locks are. if there's one place where you don't want the locks to be easily opened, it's in jail!

Thursday, October 7, 2010

password selection fail

found on failbook.

i know the traditional advice is that you should select a password that's easy for you to remember, but it also has to be difficult for other people to guess. your name does not qualify, even if you include your last name.

Wednesday, October 6, 2010

ftc on phishing

some interesting videos depicting what phishing might look like in the real world. originally found at the sunbelt blog

believe it or not, these videos were produced by the federal trade commission. yes, the FTC has a youtube page. who'd have guessed?

Tuesday, October 5, 2010

it's the little things that get you

i don't know where i got this but it's very true and shows how important attention to details can be.

Monday, October 4, 2010

god is watching

courtesy of failblog

hoping people will do the right thing? hope is not a very good security strategy.

Wednesday, September 29, 2010

i'm safe now

found on

see how multiple instances of the same protective layer don't really cover that much more? this is why using multiple scanners doesn't count as defense in depth.

Wednesday, September 22, 2010

he is the very model of an infosec professional

i shall of course link back to the network security blog where i found this, but gems like this require redundancy (plus some minor email obfuscation):
Lyrics by Rob Slade (slade at victoria dot tc dot ca)
Sung to the tune of “The Major General’s Song,” from
“Pirates of Penzance,” by Gilbert and Sullivan [1]
CISSP (solo):
I am a Certifiable Security Professional
I’ve countermeasures physical, administrative, technical
I know the ports of TCP and backdoors with malign intent
And survey risk analysis to prove the safeguards wisely spent
I’m very well acquainted, too, with matters of the blackhat crew
Attendance on the IRC phrack channel makes my colleagues stew
With viruses and zero days I’m teeming with a lot o’ news,
With many cheerful facts about the weaknesses in Usenet news
CIO Chorus:
With many cheerful facts about the weaknesses in Usenet news (etc.)
I’m very good at ACLs and mandatory access modes
I know the disassembled names of CPU compare opcodes
In short, in matters physical, administrative, technical
I am the very model of an infosec professional!
In short, in matters physical, administrative, technical
He is the very model of an infosec professional!
I know our mythic history, LaPadula, Biba, and Bell
I know the biometric facts, memorized CERs as well
I understand the lattice, roles, rules, and discretion base
And pseudorandomize my keys to maximize the address space
I’ve tokens, tickets, one-time passwords, smart cards and a kerberos
And Centralized Remote Authentication to remove the dross
I’m proof against the DoS, Man-in-the-Middle and brute force attacks
My proprietary off-the-shelf stuff’s licenced and it never cracks.
His proprietary off-the-shelf’s all licenced and it never cracks.
My audit logs are analysed, detect intrusions evey time
My legal counsel’s up to date with all the best computer crime
In short, in matters physical, administrative, technical
I am the very model of an infosec professional!
In short, in matters physical, administrative, technical
He is the very model of an infosec professional!
In fact when I know what is meant by “data link” and “twisted pair”
When I can tell a fibre optic cable from a trigger hair
When Internet Explorer I no longer use the Web to surf
Or let my users chat on IRC on all my network turf
When I have learnt that firewalls can filter out the packets bad
When I know that the guy with foreign bank accounts might be a cad
In short when I’ve a wee bit of professional paranoia
You’ll say a better CISSP has never addressed yuh.
You’ll say a better CISSP has never addressed yuh.
For my security training, managerial though it may be
Lacks practical direction and real-world applicability
But still, in matters physical, administrative, technical
I am the very model of an infosec professional!
But still, in matters physical, administrative, technical
He is the very model of an infosec professional!
like martin mckeay, i'd really like to hear this sung. i'm trying it myself, but it's a bit of a mouthful at times. sometimes it's easier to write things than to say them out loud.

Tuesday, September 21, 2010

security by "i don't want any part of that"

this was found by @snipeyhead.

the anti-theft value is obvious, but what do you call this? security by obscurity? security by perversity? and if you did happen to drop it on the ground and have to go looking for it, would you really want to be seen picking it up? especially if they go with @snipeyhead's suggestion for the version 2 model.

Monday, September 20, 2010

facebook and privacy, together at last - or not

found on failbook. no, not the facebook that failed, that's friendster.

what i love is that apparently nobody made the connection that toph did. maybe zuckerberg really was right about privacy no longer being the norm. excuse me while i check my bathroom for hidden cameras.

Friday, September 17, 2010

web defacer wins...

screenshot originally from the sunbelt blog

Thursday, September 16, 2010

top 9 ways to safer social networking

trend micro's rik ferguson shared a list of 9 ways to stay safer while engaging in social networking. for example:
2 – When you create your profile consider each piece of information that you share and whether if it is necessary or even relevant to that site. Do you need to share telephone numbers for example, maybe if your mail or direct messages come direct to your phone that is enough. Think practically don’t complete a form just because it is in front of you.
check out the whole thing here and stay safe out there.

Wednesday, September 15, 2010

creepy CAPTCHA

found on boingboing

CAPTCHA's are supposed to be for distinguishing humans from machines, but this one looks like it's switched sides

Tuesday, September 14, 2010

PCI data security video

found on graham cluley's blog

i thought for sure i'd already posted this before (because i've definitely seen it before) but i couldn't find it. hopefully it's not a duplicate (i already have to worry about duplicates? wow).

and for you home users who don't know what PCI is, it's a short form of PCI DSS, which is Payment Card Industry Data Security Standards. that's the security standards that people involved in processing credit or bank card purchases are supposed to follow. of course some of them are good for home users to follow too.

Monday, September 13, 2010

dilbert on security

thanks to mikko hypponen for drawing my attention to this. the dilbert archives are searchable and you can find all the cartoons that involve security by searching for "computer security". the results can be found on by clicking here and of course i've added this to the outside media section too.

Friday, September 10, 2010


i'll be adding @SecurityHumor to the 'Links To Other Media' list on the side bar here because, frankly, if there's one security twit who deserves to be linked here it's him/her(/it?). i don't even link to my own twitter account (i have a twitter account? shhhhh, don't tell anyone), but @SecurityHumor (as the username suggests) uses security topics (the new 'Here You Have' mass mailing worm being the topic used above) as grist for the comedy mill.

one of the theories i operate this site on is that by making security topics funny you make them more interesting, and by extension you make people think about them more. i don't mean thinking about security in the sense that people will weigh the security risks and make better choices and maybe even start following best practices - rather, simply that the security topics will enter their bubble of awareness (if only in a tangential way) and result in someone being more receptive to thinking about security on a deeper level. whether or not they actually do think about it on a deeper level is a different matter entirely.

oh and @SecurityHumor, consider this your #followfriday.

Thursday, September 9, 2010

hi and lois on security

found via schneier's blog

i think i've heard of this done with voting machines too. oh, and ATMs. fills you with confidence, doesn't it?

Wednesday, September 1, 2010

sensor x

this piece of apparent packaging comes to the internet thanks to @SecurityHumor.

Tuesday, August 31, 2010

toll gate fail

epic losers brings us photographic evidence of why it's necessary to look at context when considering security measures. you can't just add a toll gate without considering the area you're going to add it.

Monday, August 30, 2010

how is your password not like your fiance

courtesy of failbook

passwords: can't live with them, but they're a heck of a lot easier to change than your fiance.

Friday, August 27, 2010

Thursday, August 26, 2010

covet thy password

nick owen pointed this one out. as you can probably guess, nick's got a thing about passwords, and there are valid criticisms of password authentication like this one. sharing passwords is bad security.

Wednesday, August 25, 2010

frustrated anti-virus

found on the doghouse diaries

your anti-virus may not actually hate you if you don't keep it registered and up to date, but it certainly can stop helping you.

Tuesday, August 24, 2010

a new twist on security theatre

this, of course, is the good kind of security theatre - theatre that teaches about security (the threat landscape, the pool of countermeasures, etc), as opposed to supposed security that is really all just for show. this really humanizes the concepts and makes them more relate-able for people.

shame they went heavy on the "we protect you" market-speak, though.

found on f-secure's safe and savvy blog

Monday, August 23, 2010

you have searched me for the last time

found on emergent chaos but originally from upgrade: travel better. adam shostack of emergent chaos is 100% responsible for the funny caption/headline though.

Friday, August 20, 2010

Thursday, August 19, 2010

the devil comes clean

pvp, or player vs. player, had an interesting sub-plot storyline starting here and ending with the punchline above where the security angle was revealed. it doesn't take supernatural or otherworldly powers to know your deepest, darkest, innermost secrets when you blab them through an unsecured email system.

Wednesday, August 18, 2010

security has gone to the dogs

found on security curve, though apparently it was originally from i has a hot dog

yeah dogs can be good security, sometimes, but other times not so much.