Tuesday, August 30, 2011

if you think less crypto..

if you think less cryptography will result in more security, you might be a security idiot.


yo dawg, we herd u like spying...

from here (original tweet here)

who contracts with a company from a foreign land to perform their spy-craft for them? would the US hire a russian or chinese company to build their spy tools? i don't think so.

Monday, August 29, 2011

if you think a man-sized candy bar...

if you think a man-sized candy bar advertising prop looks like a suspicious package that needs to be reported to authorities then you might be a security idiot.

(inspiration - hat tip to paul ferguson)


from dan glass' G+ post

not a bad representation of the relative effectiveness of intrusion detection systems and intrusion prevention systems at protecting your stuff.

although, when you get into details like why there's a difference between them, it actually doesn't have anything to do with the size of the dog or the size of the fight in the dog (or anything similar or analogous). if an intrusion detection system could say unequivocally that the thing it's detecting should be stopped then it's really not that hard to stop it - it's coming up with the accurate classification of badness in the first place that's hard.
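to make the "classification is the hard part" point concrete, here is an added example (mine, not from the original post or from any real IDS/IPS product). it scores two hypothetical SQL-injection signatures against a handful of constructed request lines: a naive keyword match catches every attack but would also have an IPS blocking harmless searches, while a tighter pattern on the same sample blocks nothing it shouldn't. all request lines, labels and signatures are made up for the demonstration.

```python
import re
from urllib.parse import unquote_plus
from typing import Dict, List, NamedTuple


class Event(NamedTuple):
    request: str     # request line as it would appear in a web access log
    is_attack: bool  # ground-truth label; only the analyst knows this


# Constructed sample requests, not real traffic: two genuine SQL-injection
# attempts plus four harmless requests that happen to contain SQL keywords.
SAMPLE: List[Event] = [
    Event("GET /items?id=1+UNION+SELECT+user,pass+FROM+users--", True),
    Event("GET /items?id=1'+OR+'1'='1", True),
    Event("GET /search?q=union+station+hotel", False),
    Event("GET /search?q=o'reilly+select+editions", False),
    Event("GET /docs/sql?topic=the+SELECT+statement", False),
    Event("GET /items?id=42", False),
]

# Two hypothetical signatures. NAIVE fires on any SQL keyword or quote;
# TIGHTER needs a shape that real injection has and ordinary prose lacks.
NAIVE: re.Pattern = re.compile(r"union|select|'|--", re.IGNORECASE)
TIGHTER: re.Pattern = re.compile(
    r"union\s+(all\s+)?select|'\s*or\s*'|--\s*$", re.IGNORECASE
)


def evaluate(events: List[Event], signature: re.Pattern) -> Dict[str, int]:
    """Score a signature against labelled events: tp / fp / fn / tn counts."""
    counts = {"tp": 0, "fp": 0, "fn": 0, "tn": 0}
    for ev in events:
        # decode form encoding first, as the inspected application would
        hit = signature.search(unquote_plus(ev.request)) is not None
        if hit and ev.is_attack:
            counts["tp"] += 1
        elif hit:
            counts["fp"] += 1
        elif ev.is_attack:
            counts["fn"] += 1
        else:
            counts["tn"] += 1
    return counts


def collateral(events: List[Event], signature: re.Pattern) -> List[str]:
    """Legitimate requests an IPS enforcing this signature would have blocked."""
    return [
        ev.request
        for ev in events
        if not ev.is_attack and signature.search(unquote_plus(ev.request))
    ]


if __name__ == "__main__":
    for name, sig in (("naive", NAIVE), ("tighter", TIGHTER)):
        print(name, evaluate(SAMPLE, sig))
        for blocked in collateral(SAMPLE, sig):
            print("  would have blocked:", blocked)
```

the same detection logic serves both roles; the only thing that changes between "IDS" and "IPS" is whether the verdict is acted on. with the naive signature that action would have cut off three of the four legitimate requests in the sample, which is why nobody wants to put it in blocking mode, and tightening the pattern is an endless exercise because the attacker gets to reshape the payload (comments, alternate encodings) after every round.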

Friday, August 26, 2011

reinforcing the security = inconvenience stereotype

from dilbert.com

i see no reason why security HAS to be inherently inconvenient, but i know it often turns out to be that way.

i don't always try out new software

from here

this is just something i thought up during one of those rare moments when i was actually trying out a new piece of software, and that really is how i do it.

Thursday, August 25, 2011

green eggs and DRM

from virtual shackles

aside from having a soft spot in my heart for dr. seuss, i think this displays a couple of important points about DRM. not only how it's an anti-consumer technology that works against the users' interests, but also how people often don't care if they're given a compelling enough reward for abandoning their interests. sort of like people giving up their passwords for a candy bar.

if you ruin people's lives..

if you ruin people's lives and tear apart families over a problematic self-serve checkout then you might be a security idiot.

(inspiration, if you can call this story inspirational)

Wednesday, August 24, 2011


from sinfest

in actuality this is the first part in a 6 part story arc that delves into the topic of sensitive info and the need to keep it confidential (part 1, part 2, part 3, part 4, part 5, part 6). strangely enough it has kind of a happy ending, not unlike the revelation that hbgary wound up benefiting from the attack by anonymous. go figure, i guess there are bigger things in this world than just security.

problem phone support scammers?

from memebase after dark (where they use the naughty words)

i'm sure eventually the scammers who call you up and trick you into giving them remote access to your machine (they're like the manual version of scareware) will figure out a script for exploiting mac users too, but as far as i know right now they assume you've got a pc. i suppose you could always lie to them and tell them you have webtv.

Tuesday, August 23, 2011


from here

i realize there are times when applying security patches can be troublesome, but it really is important to make your best effort.

i'z in ur emael..

from here

because someone out there is about as smart as a bag of hammers. go to the link? what link? where see link? must have left it in your other pants/email.

Monday, August 22, 2011

not bieber fever, more like bieber diarrhea

from the art of trolling

if this nightmare isn't enough to make you appreciate both filesystem permissions and backups then i don't know what is. "you can still use them" indeed. you can use them if you never want to sleep again.

(i broke the picture up because it was so large in one direction that every image host i tried scaled the original single image down to the point where you couldn't make out the words or even the biebers - though that might have been a good thing)

if you're concerned about the strength of your password...

if you're concerned about the strength of your password instead of the strength of your passwords, then you might be a security idiot.

(inspiration: "my password better be secure, since i use it in so many places")

Friday, August 19, 2011

password advice

it's a shame this password advice always seems to fall on deaf ears. especially since memory aids are the only real way to stamp out password re-use - nothing that relies on the human brain scales enough to handle today's authentication demands.

passwords and sacred ... horses?

from XKCD

this has been discussed a lot recently in security circles because randall munroe gets a lot right here. unfortunately, for all his reasoned examination of password practices, he failed to question one of the most important sacred cows in password authentication - relying on human memory. when you take that out of the equation (ie. start storing passwords instead of trying to remember them) then the entire equation changes. no careful choosing of passwords, no reason to limit their size or contents, and no need to handle authentication like you're still in the stone age.
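to put numbers on what changes once passwords are stored rather than remembered (and to tie in the "strength of your passwords" point above), here is an added example of my own, not from the comic or the original post. it draws per-site passwords from the OS random source, works out the entropy of the result next to the comic's four-words-from-2048 estimate, and flags re-use in a constructed sample vault. the vault contents, site names and the 20-character default are assumptions for the demonstration.

```python
import math
import secrets
import string
from typing import Dict, Iterable, List

# Alphabet a password manager can use once nobody has to remember the result:
# every printable ASCII character except space, 94 symbols in all.
PRINTABLE = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 20, alphabet: str = PRINTABLE) -> str:
    """Uniformly random password over `alphabet`, from the OS CSPRNG."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a string of `length` symbols chosen uniformly from `alphabet_size`.

    Four words drawn uniformly from a 2048-word list give 4 * log2(2048) = 44 bits;
    twenty characters from a 94-symbol alphabet give about 131 bits.
    """
    return length * math.log2(alphabet_size)


def reused_passwords(vault: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each password that appears at more than one site to those sites."""
    by_password: Dict[str, List[str]] = {}
    for site, pw in vault.items():
        by_password.setdefault(pw, []).append(site)
    return {pw: sorted(sites) for pw, sites in by_password.items() if len(sites) > 1}


def fill_vault(sites: Iterable[str], length: int = 20) -> Dict[str, str]:
    """A fresh, unique random password for every site: no memory required."""
    return {site: generate_password(length) for site in sites}


# Constructed sample vault (assumed, not real): what relying on memory tends to
# produce, one "strong" password stretched across several sites.
MEMORISED: Dict[str, str] = {
    "bank": "Tr0ub4dor&3",
    "email": "Tr0ub4dor&3",
    "forum": "Tr0ub4dor&3",
    "shop": "correcthorsebatterystaple",
}

if __name__ == "__main__":
    print("four words / 2048-word list:", entropy_bits(2048, 4), "bits")
    print("20 random printable chars:  ", round(entropy_bits(94, 20), 1), "bits")
    print("re-used in memorised vault: ", reused_passwords(MEMORISED))
    stored = fill_vault(MEMORISED)
    print("re-used in generated vault: ", reused_passwords(stored))
```

the entropy figure is the easy part; the point of the example is the last two lines. a memorised vault re-uses because the brain has to, and a breach at the forum is then a breach at the bank. a stored vault has no reason to re-use anything, and no reason to stop at 20 characters either, other than whatever arbitrary limit a site imposes.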

Thursday, August 18, 2011


from here

maybe you've heard of malware that renders your data inaccessible and asks you for a ransom in order to get it back? yeah, if you simply have backup copies of that data then the ransomware is pretty much impotent.

mikko makes a funny

mikko hypponen (did i spell that right?) makes a joke about penetration testing.

now that i think of it, i bet outsiders probably think this exact way about pentesting when they hear that term.

Wednesday, August 17, 2011

security research documents

from here

if i may channel tyler durden for a moment, who wants some booger crayons? that "eeewww" you just heard in your head (or said out loud) is the same reaction i have when i go to look at some interesting bit of security research only to find out it's in the typhoid mary of file formats.

internet password book

we can thank @sanitybit for sharing this one on twitter.

in case you can't tell, that's a stack of post-it notes. you know, the same little bits of yellow sticky paper people are famous for writing their passwords on and then sticking onto their monitors - which, as far as security is concerned, is a joke.

there are a couple of ways the above could be interpreted - it could be a book for use in keeping track of internet passwords (ie. enabling the aforementioned bad security practice), or it could represent a compilation of existing attempts at keeping track of internet passwords (thus disabling the bad security practice by swiping people's password post-its). i'm hoping for the latter.

Tuesday, August 16, 2011

spam levels

from here (picture source)

the way spam is reported sometimes makes me wonder when it will reach the point that it's actually oozing out of our computers.

don't encourage them!

from virtual shackles

i can't help but think if people actually gave TSA agents tips for groping them it would encourage further erosion of our liberties. then again, considering how much legal hot water a person would likely find themselves in if they actually managed to have a "happy ending" to a TSA grope session, how much to tip would probably be the least of their concerns.

Monday, August 15, 2011


from here

you really have to wonder about money mules (the people who receive the money stolen from victims and then forward it on to the actual thieves). has it never occurred to them that what they're doing is illegal or wrong or that they might be the next victim?

anti-spam merchandise

hey, want to help support some great anti-spam operations and get cool stuff out of the deal at the same time? well it turns out that both knujon (who help get the people sending you spam shut down) and spamgourmet (who help keep the spammers from ever getting your email address in the first place) have stores on cafe press (knujon's store and spamgourmet's store).

check them out, they've got a lot more available than what i'm showing here. i'm not one to indulge myself when it comes to material things, but my family always wants to know what to get me for christmas/birthdays so i'll be picking a couple things from those stores to add to the list.

Friday, August 12, 2011

defense in depth

from here (source picture)

if the threat of a pitbull doesn't deter a bad guy then hopefully the threat of AIDS will.

2010 Miss TSA Calendar

see the rest here (thanks to dave marcus for the link)

obviously this is shopped (i can tell by the pixels and by having seen plenty of shops in my time) but think about how invasive TSA practices really are and how the agents must begin to see the world - like they should be able to look right through you, like they're entitled or something.

Thursday, August 11, 2011

i don't always play video games

from here

... because it's what i do. of course, if i were a serious gamer i'd have a dedicated computer just for gaming, but that's just as much a form of isolation as using a VM - you just get better performance.

let cooler heads prevail

found on failblog

this illustrates the problem with taking matters into our own hands. not only may our efforts be badly misdirected, but they can backfire too.

Wednesday, August 10, 2011

thorough knowledge

from here (original image found in gwenethf's photobucket account)

it's really not enough to know that there's something nasty on your computer. you need to know what it did, too, otherwise you'll never know what you need to recover beyond the computer itself.

until it goes away

from memebase

computer viruses: they don't just go away. you need to find out what you have and what it can do, and then you have to try to undo what it did.

Tuesday, August 9, 2011


from here

using a dedicated PC or even booting an ordinary PC from a LiveCD just for the purposes of doing online banking is one of the best defenses against banking trojans there is right now. if you don't want to have your accounts drained because you did your banking from a compromised system, this is something you should probably look into.

airport security

from very demotivational

the way airport security has been heading, this seems like a reasonably plausible future.

Monday, August 8, 2011

U mad, cybercrooks?

from here

true story.

think of the children

from very demotivational

protecting the children is a common refrain from policy makers looking to push through liberty-busting legislation. often that legislation has so little to do with protecting children that this would probably be a better alternative.

Friday, August 5, 2011


from here (photo originally from here)

just a little lesson folks. when you click on the play button and get a download instead, something is just not right.

stealth fail

from failblog

yeah, the cops won't notice that at all. i can just imagine the driver pretending this SUV is some sort of spy car with license plates that flip around.

Thursday, August 4, 2011

being a wiz at identity theft

from rofl razzi

that's taking the concept of identity theft to a whole new level, i think.

nothing between them and me but...

from that will buff out

now, i don't know about you, but i wouldn't trust canvas and soft plastic to protect me if i were going through african lion safari. so the thought of trusting it while going through jurassic park just seems a little ridiculous - no way that stops a raptor attack.

Wednesday, August 3, 2011

viruses vs knowledge

thanks to @Luis_Corrons and @jcanto for bringing this to my attention

it's virus day at secmeme, and it's also the day that i admit that graphs can be funny.

it's not a virus

from here

the misuse of the term computer virus is rampant, and it's especially noticeable these days when actual viruses are rare. if you got hit by malware, there's a much better chance it was something non-viral, like a keylogger or a banking trojan. moreover, if you've got a computer problem in general, chances are good it's not even malware related (nevermind being virus related).

(inspired by the character gregory house's frequent insistence that "it's not lupus")

Tuesday, August 2, 2011


from here

as ridiculous as it sounds, apparently it can happen.

i don't suppose it needs to be pointed out what a colossal security failure this represents. who are such registries meant to protect, after all?

perceptual relativity

from XKCD

this really captures the cavernous gap between the perceptions of regular people and those of experts when it comes to computer concepts (and especially computer security concepts).

at the same time it highlights how more knowledge can make something seem less scary and less apt to evoke a panicked response. thus, more knowledge is good.

Monday, August 1, 2011

stranger danger for adults?

from here

inspired by a true tale of facebook dating gone horribly, horribly wrong.

i know you're supposed to keep your friends close and your enemies closer, but nowhere in that maxim do they ever mention strangers.

poetic justice

thanks to brian krebs for tweeting about this

i think it's hilarious how a spammer (in fact some call him a spam king) can complain about people sending him too many emails. couldn't happen to a more deserving guy.