i actually played around with the idea of making this site go dark, but decided that somebody needed to help highlight the fact that there is a bigger picture than just SOPA itself. it's been suggested that there are a variety of different adversaries that people face online (and off), and unfortunately their own government (or for most of us in the case of SOPA, a foreign government) is one of them.
the problem with the checklist is that it promotes the idea of following a simple sequence of steps rather than taking a more comprehensive approach. simple approaches often have simple ways to bypass.
this is in recognition of google's recent move to revise their privacy policies and the fact that they will likely piss people off and have to revise them again (and again). google gets away with a lot when they slap the word beta on things, though, so perhaps that's what they should do this time.
mobile computing gives people the ability to access computing resources wherever they go. unfortunately, human nature is such that people go where there are other people. it's difficult to maintain the operational security necessary to even do something as simple as enter a password when you're in a public place surrounded by other people.
and infosec professionals think the only problem with the consumerization of IT is locking down the device (or the data on it)? ha! are they ever in for a surprise.
are you like me, folks? did anonymous' retaliation for the megaupload takedown make you scratch your head and wonder what the heck they were thinking? it's not like the takedown harms filesharing at all, since file locker sites are a dime a dozen (heck, even google docs is a file locker of sorts). the takedown really seems to do more to harm the interests of SOPA/PIPA supporters than anything else, since taking down a foreign website and making arrests overseas highlights just how much of an unnecessary power-grab those proposed bills really were.
as some were suggesting on twitter, it seems like they're trying to snatch defeat from the jaws of success.
one of my favourite anti-theft techniques is to not carry around anything worth stealing. it works in other contexts too, for example a great way for companies to avoid having customer credit card numbers stolen from them is to not keep the numbers in the first place.
'i answer to a higher authority' - or at least a more northerly one. i think the only way santa and his elves would be above the law is when they're literally above them, while the sleigh is in flight. as far as our system of legal authority is concerned, its representatives are the highest authority.
aside from the fact that laws like SOPA and PIPA would probably snuff out this and many other sites (hey, you don't think lolthreats would fare any better than lolcats, do you?), this video raises an interesting question about laws being a thing you can buy. in fact, it may well be one of the most important questions of our age.
regulation, law enforcement, and other forms of authority can usually be thought of as a class of strategies for meeting the basic human need to keep ourselves and the things we value safe, much like security is (which is why i'll often include content that strictly speaking has more to do with authority than security). but when laws become a commodity that can be bought and sold then the entire system of legal authority is being gamed and is no longer fit for its intended purpose. then laws can only protect the interests of the people rich enough to buy them.
don't let SOPA/PIPA pass, but also don't make the mistake that they are the width and breadth of the problem. they are merely a symptom. if they don't pass then the people paying for them will just pay more for new versions. so long as laws are a thing you can buy...
from here (note: for those unfamiliar with the slang, "pwned" is a synonym for "compromised")
much like the term "virus", "infect" is misused a lot. in fact, each misuse implies the other.
as the comic implies, the distinction is important because how we respond depends a great deal on what we're responding to. if we get confused by sloppy word choice we're liable to make a sloppy action choice.
so apparently there's a phishing attack that's changing people's facebook accounts to show up as the above and then chatting with their friends posing as "facebook security" and telling them they need to confirm their account. the story can be found on the securelist blog.
i realized not too long ago that most of the designs in the secmeme store revolve around passwords, so i decided to do something related to malware. this one is on a bunch of shirts and some other items like mugs and calendars. i can never decide where to draw the line with these so if someone wants to see this on something i haven't already included, all one need do is ask.
because i installed my patch tuesday updates a couple of days ago and now (at the time of writing) i've got a bunch more and a prompt telling me i need to restart. the more annoying you make the update process, the less inclined users will be to update.
if you leave your baby outside, in the rain, unattended, next to a sign post as though it were a dog, while you go into a convenience store for smokes and/or tickets, then you might be a security idiot (and a terrible parent).
(inspired by events i witnessed on the commute to work this morning)
i'm not going to beat around the bush. i think the term "hacker" is widely misused, even by so-called experts. it's inconsistent with the existing model and it ignores historical usage.
some like to argue that the meaning of words changes with use (and more importantly misuse), but the irony in that argument is that if misuse really changed the meaning of words then the meaning of "irony" should have changed a long time ago. it's notoriously difficult to get right. i probably failed right here.
it's obviously facetious, but if the identity thief faced even worse charges than his victim then it might actually make sense to let the authorities continue thinking he's someone else in spite of serving jail time - it would be less jail time.
kind of amazing that a convicted murderer can get a new trial just because the records of his old trial were lost in a malware attack. then again, when the only record of the conviction has clearly been maliciously tampered with (possibly in more ways than are initially evident), that raises the kinds of doubt you don't want to have about a murder conviction.
here's a design in recognition of the stratfor compromise. i didn't use the actual passwords from the analysis of that compromise, however, because that would be awfully narrowly focused. instead i used the 25 worst for all of 2011. that way it can just as easily apply to the next breach, and the one after that, and the one after that.
it's surprising how even people who are in a position to know better have difficulty staying on point about the nature of APT (advanced persistent threat). i hope this soylent green reference (with a dash of jonathan swift for the more literate out there) helps.
after that condom image you might be tempted to think this is a doctored photo. it's not. i don't pretend to understand the reasoning for doing something so dumb. all it says to me is that they're subtly embracing FUD.
so, this was originally intended to be a design for some merchandise at the secmeme store but when i tried previewing it on various articles of clothing and accessories it just didn't look right. it didn't look like something anyone would want to wear or carry. i mean who, other than a giant dick, wants to wear a big condom on their shirt or hat? a shame, too, because it took me hours (due to a complete lack of skill) to turn this source image into what you see above.
oh well, i suppose if anyone does want it on something (i dunno, maybe a skin for an electronic device or something) then they can easily let me know, but otherwise i'm considering this one a design failure. oh well.