Friday, September 30, 2011

the problem with stealth

from very demotivational

stealth: it's all fun and games until someone loses a jeep.

although the disappearance of the army vehicle probably had more to do with theft, the punchline underscores something that actually can be a problem in computer security. when you try to use stealth, when you try to hide things from people, even if it's for a good cause it can still end badly. you may think you're keeping something important out of harm's way by hiding it from unsophisticated users, but things should never be hidden from administrators.

if this is all backing up means to you

from here (image source)

how many people use computers or mobile computing devices (like smartphones or handheld game consoles or ipods)? just about everyone, right? now how many of those do you think back up their data in case something bad happens? yeah, just about none of them.

Thursday, September 29, 2011

make a backup from the neck up

found on loritisot.com

oh, how i wish we could back up our actual brains. but we can do the next best thing - seeing as how we regularly use computers to augment our brains (giving us memory and knowledge that would be unimaginable otherwise), we can back up the computers.

yes, i am a v1agr@ spammer

another take on the image from brian krebs' post

there must be some sort of cultural difference between us because i can't honestly see any reason for wearing a viagra shirt. not if i was a user and it changed my life (reliance on such things seems better kept on the down low), not if i were a pusher and it changed my life (yet another thing i wouldn't want other people knowing if it were the case).

that shirt draws so much of the wrong kind of attention, i can't help but think of this as a lolthreat.

Wednesday, September 28, 2011

in soviet russia

original picture and story can be found at krebs on security

it's hard to resist making this joke about a russian viagra spammer in a viagra shirt.

i guess that answers that question

from the economist

has the country changed? i think the answer is obviously yes. it becomes more and more of an authoritarian state with each passing thought that bounces around inside the heads of those in power. each time in the name of preventing bad things, but ultimately adding poorly thought out prevention, often with no hope of actually being useful.

but as long as the halls of power can keep people focused on the scary terrorists they can grab up more and more power without being noticed by enough people to make a difference.

Tuesday, September 27, 2011

if you issue a court order that forbids the use of a real name...

if you issue a court order that forbids the use of a real name by a supposed member of anonymous (because he was using his real name when he was supposedly 'anonymous') then you might be a security idiot.

(inspiration)

cool lockpicking videos


this is the first of a 24 part series of short videos explaining lockpicking, with a focus on how to do it and how to make the tools for doing it. thanks to schuyler towne for tweeting this and for putting the videos (along with a number of other interesting lockpicking videos that you should check out) on his youtube channel.

it will definitely be an eye opener when you realize exactly how secure the locks you use every day are (or aren't).

Monday, September 26, 2011

wire cutter security fail

from failblog though i've seen it elsewhere too, like reddit

you wouldn't think this needs to be said but apparently some people don't get that you can't secure wire cutters by tying them to something with a piece of wire.

Friday, September 23, 2011

not quite what backing up means

from keeping life creative (found with google image search)

backing up is important, but not for that reason.

danger and crowd sourcing

from XKCD (be sure to check the original to see the mouse-over punchline)

this does a good job of demonstrating the danger of crowd sourcing the evaluation of something - if the criterion of primary importance is difficult for the average person to evaluate then the crowd sourced evaluation is going to be garbage. now think about how that applies to security software that implements a reputation system. i don't really want to trust the unwashed masses about whether the file i just downloaded is safe or not - if they were so good at making that determination they wouldn't need the security software in the first place.

Thursday, September 22, 2011

these aren't the nyms you're looking for. move along.

from agent-x comics

finally a case where the real name policy is actually useful. if only it weren't fictional.

backup or stickup?

found on the make it work blog

while it is important to ensure that your backups don't fail (if they fail then they won't be useful to you when you need them most), this is not the way to avoid backup failure.

Wednesday, September 21, 2011

we don't need no water, let the macintosh burn

from mac.appstorm

i don't know if i'd actually let my computer burn, but that isn't too far off from the peace of mind i get knowing i have backups.

if you beat a special needs kid...

if you beat a special needs kid because you think his colostomy bag looks like a gun, then you might be a security idiot.

(inspiration)

Tuesday, September 20, 2011

in case of disaster...

from journal of a photographer

this is, of course, an excellent example of what not to do. have a better disaster recovery plan than this. among other things, make sure you have backups (they aren't that onerous).

lulzsec in the memes

from the art of trolling

if you don't get the funny, that's because it's actually an infographic - in fact, the above is just a preview of the infographic. the full thing is here.

it's interesting that they used nyan cat's crap rainbow to represent leaked info. it gives a whole new meaning to data extrusion.

Monday, September 19, 2011

just click it

from memebase after dark

one of the security best practices that came about due to email and instant messaging worms was that if someone sends you a file or link you should verify that they intended to send it before opening it. obviously sometimes that's not enough (as 'Derpina' above apparently knows).

how did the chinese hack google's server?

thanks to stefan tanase for posting this joke

Friday, September 16, 2011

zero security

the rest of the article can be found here along with a video (thanks to @attritionorg for tweeting it)

here's the thing: passwords (or launch codes, which are essentially the same thing) are important, and if you don't do them right there can be all sorts of bad consequences. usually not nuclear war, but perhaps we shouldn't discount that possibility entirely.

i'm kinda surprised we're still here. we are still here, aren't we?

who do you trust

from failbook

you'd like to think you can trust your family, wouldn't you? well, take that feeling with a grain of salt and don't give them your password.

Thursday, September 15, 2011

cyberwar veteran

from the ottawa citizen (thanks to richard stiennon for tweeting it)

this really poses an interesting question: if cyberwar is real and happening right now, does that mean someday we'll have cyberwar veterans like the one pictured above, telling cyberwar stories to his grandkids? if that seems too ridiculous then maybe, by extension, it's too ridiculous to call what's going on right now 'cyberwar'.

i don't always go on vacation

from here (inspiration omitted to protect the innocent)

when you announce to the world that you're going on vacation and will be offline for X number of days, that's X number of days that bad guys have to try and compromise your accounts and do bad things. even if you don't think there's anyone specifically out to get you, your announcement is probably searchable and opportunists who've never even heard of you before can easily find it.

Wednesday, September 14, 2011

misattribution

from here (clipping source)

if you thought the problem of accurate attribution of misdeeds was some obscure problem unique to cyberwarfare, think again. we live in a world where grandmothers, dead people, and network printers get accused of copyright infringement, where small businesses are sued by their own bank when someone steals all their money, and where the jewish people have repeatedly been blamed for society's problems throughout history.

attribution is something that doesn't seem like it should be hard, but clearly if a goat can be charged with attempted grand theft auto then attribution is much harder than we give it credit for.

i'z in ur yard...

from here (story here)

that guy should take this as a sign; careful about being the aggressor because you might just wind up the victim.

Tuesday, September 13, 2011

sony: not even once

from memebase

and no, this one wasn't made by me. the sony breach was so big it hit the mainstream.

warning: default passwords on hotel safes

found this on boing boing and figured it was worth passing on a warning about. if you watch the video it should be pretty clear why a default password on a safe is a problem, but it also demonstrates why default passwords are a problem in general - if some thing (a safe, a door, a database, etc) has a default password then someone who happens to know that password can bypass the security on ALL instances of that thing. yours, mine, everyone's stuff is at risk when protected by a security system that has a default password.
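the post's point, that one known default password unlocks every instance of the thing it ships with, is the reason a defender audits for default credentials rather than just picking a good password once. the following is an added example (not from the original post or from any vendor): a small audit that checks a constructed fleet of devices against a constructed list of vendor defaults and reports how many devices share each default. the vendor names and credential pairs here are made up for illustration; a real audit would draw on a maintained list of published defaults.

```python
"""Audit devices for known default credentials (added example, constructed data)."""
from collections import Counter
from dataclasses import dataclass

# Constructed list of (vendor, default_username, default_password) triples.
# These vendors and values are illustrative placeholders, not real products.
KNOWN_DEFAULTS = {
    ("examplesafe", "", "1234"),
    ("examplesafe", "admin", "0000"),
    ("examplerouter", "admin", "admin"),
    ("exampledb", "root", ""),
}


@dataclass(frozen=True)
class Device:
    name: str
    vendor: str
    username: str
    password: str


def is_default_credential(vendor, username, password):
    """True if this exact credential pair is a known vendor default."""
    return (vendor.lower(), username, password) in KNOWN_DEFAULTS


def audit(devices):
    """Return the names of devices still protected only by a vendor default."""
    return [d.name for d in devices
            if is_default_credential(d.vendor, d.username, d.password)]


def exposure_by_default(devices):
    """Count how many devices each default credential would open.

    This is the 'ALL instances' problem from the post: a single published
    default is one key for every device still using it.
    """
    counts = Counter()
    for d in devices:
        key = (d.vendor.lower(), d.username, d.password)
        if key in KNOWN_DEFAULTS:
            counts[key] += 1
    return dict(counts)


# Constructed fleet: three safes, one router, one database.
FLEET = [
    Device("safe-101", "ExampleSafe", "", "1234"),
    Device("safe-102", "ExampleSafe", "", "1234"),
    Device("safe-103", "ExampleSafe", "", "7h3-0wn3r-ch4ng3d-m3"),
    Device("lobby-router", "ExampleRouter", "admin", "admin"),
    Device("guest-db", "ExampleDB", "root", "s0me-un1que-s3cret"),
]

if __name__ == "__main__":
    for name in audit(FLEET):
        print(f"{name}: still using a vendor default credential")
    for (vendor, user, _), n in exposure_by_default(FLEET).items():
        print(f"one default for {vendor} ({user or '<no user>'}) opens {n} device(s)")
```

the audit only flags exact matches against the default list; a device whose owner changed the password (safe-103 above) is not reported, which is the outcome the post is asking for.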

Monday, September 12, 2011

who's the king spearphisher?

from here

generally i try to make sure i don't give the bad guys ideas, but when it comes to an idea that could cause them to destabilize each other's businesses and relies exclusively on 'honour among thieves' to prevent it from happening, i think i'll make an exception.

hey, quick you guys, warn each other not to do this.

gumby tries/fails to rob convenience store

originally found through boing boing, but i thought their video with the kids singing had too much artificial silliness. so i found an alternate video which better portrayed the crooks' raw stupidity.

Friday, September 9, 2011

i'z in da tatu parler...

from here (story here)

now, i've heard of putting incriminating evidence on your facebook profile before, but on your face? really?

a compromising position

from here

that's the reason security so often fails in practice, folks, because the people that are made responsible for security have to make compromises at the behest of their pointy haired bosses because security is often seen as 'getting in the way' (largely because people are resistant to changing/improving the way they use computers).

Thursday, September 8, 2011

ai runz in 2 ur puhlees stashun...

from here (story here)

this has got to rank right up there with badmouthing someone only to find out they're standing right behind you.

not so temporary security idiocy

[normally i'd just post one short quip here with a link to my inspiration, but in this case there's idiocy coming from too many directions for just a single quip.]

if you think publishing decryption keys protecting sensitive government documents is OK because they're supposedly "temporary", then you might be a security idiot.

if you think there's any such thing as a "temporary" decryption key for an encrypted file you published on the internet, then you might be a security idiot.

if you think anything posted on the internet is "temporary", then you might be a security idiot.

if you try to prosecute someone for leaking sensitive data that you were in the process of leaking yourself, then you might be a security idiot (and a raging hypocrite).

(inspiration)

Wednesday, September 7, 2011

check twice, run once

a new catch phrase (assuming it actually 'catches'): "check twice, run once". pretty obviously a derivative of the woodworking adage "measure twice, cut once", and with the same underlying meaning - double check what you're doing before you do something you might regret.

in this new context, however, it applies to running programs (or generally just clicking on anything) and the idea is to promote the use of multiple layers of security checks to stop something from activating if it happens to be malware.

(and why "run once"? because, although there have been examples to the contrary, it is not unheard of for a malware sample to appear to do nothing when clicked, thus prompting the user to click several more times)
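to make "multiple layers of security checks" concrete, here is an added example (not code from the original post): a tiny pre-execution gate where each layer is an independent check, any one of which is enough to stop the file from running, and the file is executed at most once and only when every layer passes. the blocklist hash, the filenames and the byte strings are constructed for the example; the magic-byte table covers only three well-known prefixes.

```python
"""'check twice, run once': layered checks before anything executes (added example)."""
import hashlib

# Constructed blocklist entry: the hash is computed here from a made-up byte
# string so the example runs offline. A real blocklist comes from a feed.
_SAMPLE_BAD = b"MZ this is a constructed stand-in for a known-bad binary"
KNOWN_BAD_SHA256 = {hashlib.sha256(_SAMPLE_BAD).hexdigest()}

# Leading bytes that identify a file type, regardless of its name.
MAGIC = [(b"MZ", "exe"), (b"\x7fELF", "elf"), (b"%PDF", "pdf")]
EXECUTABLE_TYPES = {"exe", "elf"}
EXECUTABLE_EXTENSIONS = {"exe", "dll", "scr", "bat", "elf"}


def sniff_type(data):
    """Classify content by magic bytes; 'unknown' if no prefix matches."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


# Each layer returns a reason string when it wants to block, else None.

def layer_blocklist(filename, data):
    if hashlib.sha256(data).hexdigest() in KNOWN_BAD_SHA256:
        return "hash matches blocklist"
    return None


def layer_type_mismatch(filename, data):
    """Executable content wearing a non-executable name is a classic disguise."""
    ext = filename.lower().rsplit(".", 1)[-1] if "." in filename else ""
    kind = sniff_type(data)
    if kind in EXECUTABLE_TYPES and ext not in EXECUTABLE_EXTENSIONS:
        return f"content is {kind} but name claims .{ext or '<none>'}"
    return None


def layer_double_extension(filename, data):
    parts = filename.lower().split(".")
    if len(parts) >= 3 and parts[-1] in EXECUTABLE_EXTENSIONS:
        return "double extension hiding an executable"
    return None


LAYERS = [layer_blocklist, layer_type_mismatch, layer_double_extension]


def check_twice(filename, data):
    """Run every layer; return (allowed, reasons). Any one reason blocks."""
    reasons = []
    for layer in LAYERS:
        reason = layer(filename, data)
        if reason:
            reasons.append(reason)
    return (not reasons, reasons)


def run_once(filename, data, runner):
    """Execute `runner` exactly once, and only if all layers allowed it."""
    allowed, reasons = check_twice(filename, data)
    if not allowed:
        return ("blocked", reasons)
    return ("ran", runner(filename, data))


if __name__ == "__main__":
    # Constructed samples: a harmless text file and a disguised executable.
    for name, blob in [("notes.txt", b"hello"), ("invoice.pdf", b"MZ\x90\x00 stub")]:
        print(name, run_once(name, blob, lambda f, d: f"executed {len(d)} bytes"))
```

the layers are deliberately independent: the blocklist would miss a never-before-seen sample, the magic/extension check would miss a real executable with an honest name, but a file has to get past all of them, which is the whole point of the phrase.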

don't have a cow, man

story here

i don't know what's stranger, the ploy or that it apparently worked so well. it's amazing the kinds of ploys that crooks can make work, both in real life and online.

Tuesday, September 6, 2011

LinkedIn

from here

are you like me, folks? have you turned off every email notification LinkedIn has and are still receiving emails? does it feel like they're behaving like spammers by not letting you opt out of their emails?

i don't know about you, but i'm starting to think that if they're going to behave like spammers then i should start treating them like spammers. and i don't mean in the passive way.

now there's a deterrent

from failblog

it's a good thing they have such an effective deterrent, because their actual security doesn't look too effective. even if that padlock wasn't open, it doesn't seem like it would actually lock anything there.

Monday, September 5, 2011

i don't always log into my accounts from a public terminal

from here

honestly, there just isn't any way to be sure those public internet kiosks are safe. do not enter a password on those.

don't facebook in public

from failbook

it's bad enough that you can never be sure that public computers aren't compromised by some keylogger or something else that steals your credentials - but add to that the natural tendency to treat public computers the same as your home computer and leave yourself logged into things, and it becomes hard to escape the simple truth that you simply shouldn't log into anything (facebook included) on a public computer.

Friday, September 2, 2011

curious eyes

posted here by team cymru apparently as an example poster in their awareness program

a pretty good attempt at raising awareness, too. curious eyes everywhere has a creepy sort of undertone that makes one want to hide stuff better.

fiscal the fraud fighting ferret on ATM security


originally found on the naked security blog

well, who'd have thought the police would come up with something like this. pretty good production value, and certainly informative. good work, queensland police. check out the 'fiscal' playlist, they've got more where this came from.

Thursday, September 1, 2011

g-male


from the comedic stylings of comediva (thanks to rob slade for posting to twitter)

yes, virginia, there are privacy concerns with regards to google. this video does a pretty interesting job of anthropomorphizing google's services in a single entity, privacy issues and all. oh, the preview image for the video might seem a little risque (at least the one i see does), but i didn't see anything in it that would qualify as NSFW.

the all-seeing eye of google

from XKCD

google's street view has just about always been controversial for its perceived invasiveness with respect to privacy. i doubt it could actually read your social security number (though the others might be doable with a high enough resolution image) but i have no doubt that such numbers may be findable through other google services. google really is capable of collecting very detailed profiles on people, and the extent to which that may or may not creep you out is pretty much directly proportional to how much you trust google not to misuse that data. some people obviously trust them more than others.