i'z in mai drug lab ...

ah, geolocation technology - you might want to pay attention to how that can be used against you.

if remembering a different, complex password ...

if remembering a different, complex password for every site one uses sounds reasonable to you, then you might be a security idiot.

(best practices should include memory aids, and not just as an afterthought)

convinced me, you have not

those spammers have got to step up their game. this 'person' is so obviously a computer it's ridiculous.

trust but verify

it's important for us, socially, to place trust in others - but from a security perspective trust is easily misplaced. hence the phrase "trust but verify". even more importantly, though, when it comes to the people we trust to protect us, someone has to watch the watchers.

location, location, location

perhaps you've heard the saying "location is everything". normally it has to do with real estate, but as geolocation becomes more pervasive, awareness of the importance of location (and especially the importance of keeping that information private) is bound to become more mainstream.

privacy awareness fail

it's important to understand how to protect privacy before you balk at facebook's failure to do so

warning: don't copy javascript into the URL bar when asked

i don't often come across malicious content online, but when i do i warn people about it.

today's lesson is to not copy javascript into the URL bar when you're in facebook (though that probably holds for most other social networking websites too). here's an example of what can happen.

while using facebook you might receive an invitation to an event like this

maybe you'll also receive a message like this

or perhaps you'll get a wall post that looks like this

then when you click you find yourself on a page laying out a step by step process like this one

if you're confused by the instructions they even have a nice little youtube video to explain how it's done

all you really need to do is click through the steps

then it takes you back to facebook where you're supposed to paste some javascript into the URL bar, and when you do (along with the other things that happen behind the scenes) you wind up at a page like this

continue doesn't take you anywhere, of course. the only thing you can do here is prove your identity by taking a quiz (yeah right).

of course there's no such thing as proving your identity by taking a quiz. the quiz requires you to sign up to some mobile service in order to get your results, and that mobile service isn't free. and guess what, there's no longer any mention of those 650 facebook credits anywhere at this point.

what you don't realize is that copying that javascript into the URL bar did a lot more than take you to some strange site. because it ran inside facebook with your logged-in session, it also sent off facebook messages and wall posts and invitations to an event it had just created, all in your name. and each person who falls for this spreads the scam further and further.

if there's one thing you should take away from this it's that you shouldn't copy javascript into the URL bar in facebook. it's a trick the bad guys use to get their malicious scripts past facebook's defenses: once you paste it, the script runs as you, and the site can't tell its requests apart from your own clicks.
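to make the "runs as you" part concrete, here is an added example (not code from the original post, and not anything facebook ships): a constructed, in-memory model of a social site with a session cookie and an anti-CSRF token, and a deliberately inert stand-in for the pasted script. the site name, endpoint, friend list and the per-session recipient cap are all assumptions made for the example; the point it shows is that a same-origin script reads the CSRF token straight out of the page, so that defense does nothing here, and only a control that doesn't care who is clicking (such as a rate limit on bulk messaging) bounds the spread.

```javascript
// Added example, not part of the original post. A constructed, in-memory
// model of a social site: `server` stands in for the site's own API and the
// pasted string stands in for the javascript the scam asks the victim to put
// in the URL bar. Nothing here talks to a real network or a real site.

// The victim's page as the browser sees it after login: a session cookie
// (ambient authority) and an anti-CSRF token rendered into the DOM, which
// any script running in the page's origin can read.
function loadVictimPage() {
  return {
    cookie: 'session=victim-session-abc123',
    csrfToken: 'csrf-token-from-hidden-input',
    friends: ['alice', 'bob', 'carol', 'dave', 'erin'], // constructed
  };
}

// The server side. It checks exactly what a CSRF-protected endpoint normally
// checks: a valid session and a matching token. Neither check distinguishes
// a pasted script from the user's own clicks, because both run as the user.
function makeServer(opts = {}) {
  const sessions = {
    'session=victim-session-abc123': { user: 'victim', csrfToken: 'csrf-token-from-hidden-input' },
  };
  const outbox = [];
  const perMinute = new Map();
  return {
    outbox,
    sendMessage(cookie, csrfToken, to, text) {
      const s = sessions[cookie];
      if (!s || s.csrfToken !== csrfToken) return { ok: false, reason: 'auth' };
      // Hypothetical mitigation (an assumption for this example, not a
      // documented facebook control): cap distinct recipients per session
      // per minute. This works because it ignores *who* is clicking.
      if (opts.maxRecipientsPerMinute !== undefined) {
        const n = perMinute.get(cookie) || 0;
        if (n >= opts.maxRecipientsPerMinute) return { ok: false, reason: 'rate-limited' };
        perMinute.set(cookie, n + 1);
      }
      outbox.push({ from: s.user, to, text });
      return { ok: true };
    },
  };
}

// What "paste this javascript into the URL bar" amounts to: a string of code
// executed in the page's own context. `new Function` stands in for the
// browser's javascript: URL handler; `page` and `server` stand in for
// `document` and the site's XHR endpoints.
function runPastedScript(source, page, server) {
  return new Function('page', 'server', source)(page, server);
}

// A constructed, inert "worm" payload. At the level of mechanism it does what
// the post describes: read what the page exposes, then call the site's own API
// in the victim's name, once per friend. It returns how many sends succeeded.
const PASTED_SCRIPT = `
  let sent = 0;
  for (const friend of page.friends) {
    const r = server.sendMessage(page.cookie, page.csrfToken, friend, 'free credits! paste this...');
    if (r.ok) sent++;
  }
  return sent;
`;

// Run the scam against a fresh victim, with or without the recipient cap.
function spreadCount(maxRecipientsPerMinute) {
  const server = makeServer(
    maxRecipientsPerMinute === undefined ? {} : { maxRecipientsPerMinute }
  );
  const sent = runPastedScript(PASTED_SCRIPT, loadVictimPage(), server);
  return { sent, outbox: server.outbox };
}

// Unmitigated: every friend gets a message "from" the victim, CSRF token and
// all. With a per-session cap, the spread per victim is bounded.
console.log('uncapped:', spreadCount().sent, 'capped at 2:', spreadCount(2).sent);
```

the token check passes every time because the script got the token from the same place the legitimate page does. that is the general lesson behind "don't paste javascript into the URL bar": anything that runs in the site's origin inherits everything the site trusts you with.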

up here silly


now, i'm not trying to say that surveillance is a bad thing, but you should probably have a better clue about where the threat is if you're going to try using surveillance technology.

i iz in ur stor...

the lolbuilder makes stuff like this a lot easier than trying to do it myself, but i have to hand it to the would-be thief (from this news story) because i wouldn't have been able to stick a chainsaw down my pants.

perception of updates

keeping up to date is important (security updates, at least, are supposed to close avenues of attack which bad guys might use against you), but obviously different people see updates in a different way.

could passwords be too pervasive?

people have become accustomed to the idea of passwords unlocking access to special things like their bank accounts or their tree forts, but perhaps some greater thought needs to be put into how passwords work so that social engineering schemes like this one won't fool people quite so easily.

passwords are shared secrets: both the giver and the receiver must know them in order for them to work. if you have no reason to think the receiver will know the password, other than some strange guy on the street saying they will, then you should probably expect them not to know the password you're giving them.

password strength

it's not meant as a judgment, it's meant as constructive criticism. weak passwords are easily broken and the people who make password strength meters are just trying to help you keep yourself and your accounts safe. try not to take what they say too personally.

when in doubt, type it out

brian krebs' post detailing ways to stay safe after the epsilon breach has a rather catchy phrase that is also pretty good advice:

when in doubt, type it out

meaning that when you receive a link in an email that you're unsure of (or maybe even if you are sure) it's safer to visit the company's website by typing out their web address than it is to click on that link.

of course if it's a company you've done business with in the past, it's even better to follow a bookmark you saved on a previous visit, so that you avoid typos (which some people do exploit by registering look-alike domains). that doesn't fit in a catch phrase, though (at least not yet).
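a bookmark sidesteps typos entirely; short of that, here is an added example (not from krebs' post or the original page) of the check a browser extension or a proxy could make on a hostname you typed: compare it against a constructed list of saved hostnames and flag anything one or two edits away, after folding characters that look alike in a URL bar. the trusted hostnames and the distance threshold are assumptions for the example.

```javascript
// Added example, not part of the original post. The trusted list is
// constructed for the example; a real deployment would use the user's
// bookmarks or an allow-list.
const TRUSTED_HOSTS = ['www.example-bank.com', 'mail.example.com', 'www.epsilon.com'];

// Fold characters that look alike when typed or rendered, so that "rn" vs
// "m", "vv" vs "w" or "0" vs "o" counts as a near-miss, not a distinct name.
// Both the typed host and the trusted hosts are folded the same way.
function foldLookalikes(host) {
  return host.toLowerCase()
    .replace(/rn/g, 'm')
    .replace(/vv/g, 'w')
    .replace(/0/g, 'o')
    .replace(/[1l|]/g, 'i');
}

// Optimal string alignment distance: insertion, deletion, substitution and
// adjacent transposition each cost 1. Transpositions matter because swapped
// neighbouring letters are the most common typing error.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, () => new Array(b.length + 1).fill(0));
  for (let i = 0; i <= a.length; i++) d[i][0] = i;
  for (let j = 0; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1);
      }
    }
  }
  return d[a.length][b.length];
}

// Reduce whatever was typed (with or without a scheme, path or port) to the
// bare hostname so the comparison is on the part an attacker controls.
function hostnameOf(input) {
  const m = /^(?:[a-z]+:\/\/)?([^/:?#]+)/i.exec(input.trim());
  return m ? m[1].toLowerCase() : '';
}

// Verdicts: 'trusted' is an exact match; 'suspicious' is within maxDistance
// edits of a trusted host after folding (a typo or a look-alike); 'unknown'
// is simply not on the list, which is not the same thing as safe.
function checkTypedHost(input, trusted = TRUSTED_HOSTS, maxDistance = 2) {
  const host = hostnameOf(input);
  if (trusted.includes(host)) return { verdict: 'trusted', host, closest: host, distance: 0 };
  let best = { closest: null, distance: Infinity };
  for (const t of trusted) {
    const dist = editDistance(foldLookalikes(host), foldLookalikes(t));
    if (dist < best.distance) best = { closest: t, distance: dist };
  }
  const verdict = best.distance <= maxDistance ? 'suspicious' : 'unknown';
  return { verdict, host, ...best };
}

// Constructed inputs: the real site, a look-alike ("rn" for "m"), a
// transposition typo, and an unrelated host.
for (const typed of ['https://www.example-bank.com/login', 'www.exarnple-bank.com',
                     'www.exmaple-bank.com', 'www.totally-different.org']) {
  console.log(typed, '->', checkTypedHost(typed));
}
```

note that the look-alike case comes out at distance 0 after folding yet is still not on the list, which is exactly the case a plain string comparison would miss, and the reason the check folds before measuring.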

thought leader

thanks to rob slade for pointing out this hilarious video

affordable home what?

with a motto like "affordable home burglary", you really have to wonder what it is they're actually selling. i'm sure they must be good salespeople, though, if they can sell burglary.

i'z in ur jale...

that's one way to lock your car

while rooting around for an optimal source for this photo, i found this with 49 other pictures on unique scoop in their post 50 ways to fail at security. looks like i'm not the only one who finds ridiculous attempts at security funny.