Wednesday, November 30, 2011

"Brave": i don't think it means what you think it means

from here (story in the national post)

i'm torn. either they've been so successful at eliminating risks that soccer balls are now a reasonable priority, or they've completely lost touch with reality. i suspect the latter. surely there must be more important threats to safety than rudimentary toys.

this area is being watched

found on ugliest tattoos

i find myself wondering what kind of message a tattoo like that is supposed to be sending. security cameras are often used as deterrents in real life, but i think there would be easier preventative controls in this context.

Tuesday, November 29, 2011

ai had de advantij but ai losted it

from here (previously found on failbook)

isn't it about time that thieves learned that phones are often linked to their rightful owner's social networking account? then again, those gold teeth tell me this guy is definitely old school.

she's super spry

from failblog after 12

this is the kind of thing that happens when rules and policies are mindlessly enforced and inflexible. ID is intended to make sure someone who is too young can't buy alcohol. if a 92-year-old woman can pass for someone who is too young, then she ought to be able to sell whatever secret she has to looking that good, make a fortune, and pay someone else to get her booze for her.

Monday, November 28, 2011

truth in security (true insecurity)

found on MthruF

sometimes there can be truth in a password. especially when your password describes you as a lazy piece of $#!+ and is written on a post-it stuck to your monitor.

tattoo bomber

found on ugliest tattoos

when it comes to bad ideas in an airport, tattooing a bomb to your abdomen has to rank pretty highly. airport security will not be amused.

Friday, November 25, 2011

to scan or not to scan, that is the question

found on the art of trolling

shock sites are actually the tame version of what someone with malicious intent could do with faked QR codes. they could send you to a site that automatically installs malware on your system too.

pepper spray all the things

from here

power corrupts, and absolute power corrupts absolutely. is unchecked power the same as absolute power? maybe not but it's pretty darn close.

Wednesday, November 23, 2011

not quite kicking ass

found on failblog

authority (the broad class of strategies whereby, instead of resisting attack, a group neutralizes the attacker) isn't something that just magically comes out working perfectly. competence needs to be developed, practice is required, and mistakes get made (especially early in the development). this goes for budding self-defense enthusiasts as well as standard law enforcement who, although they have plenty of experience with traditional crime, are still working on getting up to speed when it comes to cybercrime. as increasing reports of arrests show, they are getting there, but there's still a long road ahead and law enforcement is only one part of the equation (sometimes the laws have catching up to do too).

until that catching up happens, though, their efforts are going to be laughable at best.

pull for delicious candy

found on failblog

sometimes i think the analogy of the trojan horse is a little too abstract for people, especially when it comes to explaining the more ambiguous instances where the trojan horse program isn't actually malicious in itself but simply presented in a false light with a malicious intent (the example i often use is that of FORMAT.COM renamed to SEXYFUN.EXE).

this example i hope is a little more concrete and easy to understand. a fire alarm is by no means a bad thing in and of itself, in fact it's a very important and desirable thing to have when there's a fire. but if you dress it up like a candy dispenser, all hell will break loose when children come by.

Tuesday, November 22, 2011

there's no such thing as 'off the record' online

i don't mean this in a figurative way - everything in the online world is recorded, literally. it's how the medium works. a recording is made in the computer's memory of the sounds you make, the images you present to the camera, the words you type, the links you click, etc. (depending on what exactly you're doing online) and a copy of that recording is sent along a path to whatever its final destination is supposed to be. at some later point that recording and maybe even the copies (though it's impossible to be sure with the copies) are deleted or overwritten, but recording (and thus 'the record') is a fundamental and unavoidable part of online interaction. 'off the record' simply can't exist there.

who watches the watchers?

original story from the daily mail

ignoring the reputation of the source for a moment, this highlights an issue that comes up more times than you might think - who watches the watchers? unfortunately the answer seems to be "nobody" most of the time.

Monday, November 21, 2011

stealth, ur doin it wrong

from here (story here)

let's face it, nobody is that stealthy - not even ninjas. whenever anyone tries to be stealthy, there are still ways to see what they're up to if you know what to look for, whether it's a guy in camouflage gear or a piece of malware that masks its presence.

the only way to really not be seen is to not be in the places people are looking for you.

automatic teller needs automatic updates

thanks to eugene kaspersky for tweeting the picture

windows in an ATM, and automatic updates haven't been enabled yet? i wonder what other security precautions have failed to be enabled.

Friday, November 18, 2011

worth more than your arm

found on this post about biometric passports

one of the things my mother taught me was that i should never wear anything on my wrist that is worth more than my arm. the idea had to do with theft of property, but as this comic shows there's a related issue for biometrics. people keep saying your biometrics can't be stolen but that's not really true - they can be stolen, and such theft can be messy.

what's wrong with this picture

found on failblog

i'll be honest, when i first saw this i didn't see what the big deal was. partially that was because i had to scroll down to see the entire image, but also because the safety hazard here doesn't really stick out that much due to its small size. i suppose if i went in there drunk and with poor aim, the hazard might become shockingly obvious.

the difficulty recognizing subtle forms of danger is a recurring theme in security. that's why tricks like phishing or telephone support scams or malicious email attachments (to name just a few) work so well.

Thursday, November 17, 2011

human error has the advantage

found here using tineye (thanks to @mikko and @ervistusha for tweeting a photograph of this comic)

no matter how complex and sophisticated you make your security controls, human error can always result in undesirable consequences. this comic is quite effective at presenting human error as equally matched against the collection of every security control you can think of.

it reminds me of the joke
Programming today is a race between software engineers striving to build bigger and better idiot-proof programs, and the Universe trying to produce bigger and better idiots. So far, the Universe is winning. - Rich Cook

i spy with my huge eye

found on failblog

usually the point of a peephole is to allow you to see who's at your door without letting that person know anything about you (including whether you're even there). it's a tool made with privacy in mind. that privacy kind of goes out the window when you've got a big fat window right beside it.

more to the point, however, a peephole really has no purpose on the door to a stairwell. privacy tools can be very useful, but not when they're put in places that don't make sense.

Wednesday, November 16, 2011

on the internet there is always someone watching

i suspect one of the things preventing people from grasping the privacy consequences of their online activity is that in the offline world people consider themselves to be in private when there's no one else around, and since there's often no one else around when they go on the internet, that sense of privacy persists even though it really shouldn't.

i'z in ur cockpit

from here

thanks to @mikko for posting a picture of a 777 cockpit with a windows device in it.

Tuesday, November 15, 2011

security win?

from there i fixed it

you might look at this and think it's a security win, and i suppose compared to some of the bad bike security we've seen here that would seem like a reasonable conclusion - but never forget that some attackers are more advanced than others.

hobo skimmer

from here

we've seen some low tech skimmers here before, but i think this takes the cake.

Monday, November 14, 2011

Y U NO Log Off?

from the art of trolling

clearly good advice to be had here, but will the account owner ever actually see this public computer again? who knows.

legit at gmail seems legit

from here

because putting "legit" in the email address just makes it seem so much more legit.

Friday, November 11, 2011

the internet can be creepy

Internet Story from Adam Butcher on Vimeo.

this is, if nothing else, an illustration of why you should be careful about who you trust on the internet - not just when you're going to meet them in real life, but whenever you do anything at their prompting. the internet can be creepy - watch out for the creeps.

steam got burned

from the Ctrl-Alt-Del sillies

i don't think this needs any explanation, but it's still nice to see i'm not the only one who makes puns out of security breaches.

Thursday, November 10, 2011

parental attribution

from failblog (who knew they had a section specifically for parenting?)

and here we have a wonderful example of how hard attribution can be. pop-quiz: is it really stephanie's dad talking? how can anyone tell? it could be that stephanie is just a really clever liar.

now, instead of a mother whose son has regrettable tastes, imagine this was a nation state trying to attribute something that happened on a computer using about the same amount of information as is available here.

it's hard not to consider cyberwar ridiculous when viewed through this lens.

well, i suppose it's fat...

from failbook

if you've ever wondered what the big deal about search history privacy is and why it's important that search data be anonymized, i think this example spells that out pretty plainly.

nobody wants to know where you plan to stick aragorn figurines.

Wednesday, November 9, 2011

if you think nearly two dozen prostitutes...

if you think nearly two dozen prostitutes constitutes a normal level of contraband slipping through the cracks of prison security, then you might be a security idiot.


if you think a security measure...

if you think a security measure that is less accurate than a coin toss ever had any place in an airport then you might be a security idiot.


Monday, November 7, 2011

iz attakin ur siet

from here (original story from the register)

umm, yeah, i'm not sure how anyone could have made such a boneheaded mistake unless one of the stipulations for this cracking challenge was "no peeking".

if you antagonize a group...

if you antagonize a group with more military training and experience than you, then you might be a security idiot.


Thursday, November 3, 2011

the scam that would be meme

(first and second source)

[Post only available for Internet Gold account holders]

crack a smile

from here (source story from the imperva blog)

on the one hand, i finally found the builder for making multi-image comics (was doing it by hand before and i think it showed). on the other hand, yet another security company calling cracking "hacking".

Wednesday, November 2, 2011

modern building security

found on failblog

it's always seemed kinda funny to me that buildings which you'd expect to be high security venues (like a bank) would go for the modern look and have glass doors and replace exterior walls with glass.

if people can break through that barrier without even trying you better believe that people who are trying can get in.

everyone's parents on a computer

from memebase

yup, that pretty much seems to be what parents do. if only there was a way to get them to remember not to do that. unfortunately memory is one of the things people often start to lose as they age, and that suggests that some people may never be able to defend themselves online.

Tuesday, November 1, 2011

if you never wanted nude pictures of you on the internet...

from know your meme

i'd definitely like to use this one more often. gotta find the template.

clicked on attachment

from here

don't think this qualifies for success kid? how many people have tried this and failed? yeah, i thought so.