Monday, April 30, 2012

errorism in 3... 2... 1...

found on google image search

not every bad guy is a mastermind, and the ones that aren't tend to undermine the ones who are.

double security

from here (source image)

thanks to dave lewis for tweeting the source picture. those are a pair of RSA security tokens (something you can use in addition to or in place of passwords), by the way. clearly this person has 2 different systems they need access to that both use security tokens. imagine if you had to do that for all your online accounts. you'd need a bigger key ring.

Friday, April 27, 2012

i don't always sell my old hard drives..

from here

inspired by this tweet from graham cluley

would you like some internet...?

from here (source image)

those darned pre-checked checkboxes are at it again. careful when you're installing stuff, you might find some little browser window parasite along for the ride.

(i guess paul ferguson was right about there being a secmeme joke in this image. i was also contemplating "i had ur browser window but i eated it" but i've already used the "but i eated it" joke recently)

Thursday, April 26, 2012

if you raise a terror alert...

if you raise a terror alert because a 4 year old girl hugged her grandmother, then you might be a security idiot


ai had protekshun...

from here

it's not just the anti-virus industry or the security industry in general. everyone who sells protection exaggerates their capabilities.

come to think of it, everyone who sells anything exaggerates how good that thing is. it's part of selling. you'd think we could do a better job of taking security vendor claims with a grain of salt, then.

Wednesday, April 25, 2012

one does not simply install and forget security software

from here

software tools may do the repetitive stuff, but they can't do the entire job and they never will. the user must always be the brains of the operation.

another view of anonymous

found on hijinks ensue

this, i think, captures a perspective that isn't often discussed in security circles. one that is perhaps more prevalent outside of the security community. people are (or were, when this webcomic was fresh) afraid of anonymous. they're afraid to say or do the wrong thing. anonymous seems to have power people don't understand and that makes them scared.

but here's a hint: it's not magical, it's not supernatural, and it's not something that was bestowed upon them. the power anonymous wields is just the power of people. what anonymous does is what any group of sufficiently motivated people can do.

(and yes, i know the image is small enough that it's hard to read the text bubbles. the full sized image is too big to fit here, and you really want to visit the source site for the context anyways because not everyone will remember that old-time episode of the twilight zone)

Tuesday, April 24, 2012

cispacat meme


so it appears that someone else got the bright idea of using memes to help raise awareness of something. in this case, it's raising awareness of what is potentially another example of authority run amok (some people are calling CISPA the son of SOPA, or SOPA 2.0).

obviously the site has a lot more pictures than just this one example here.

cyber security guard

found on shin's blog

so that little guy is the future of security - makes you feel safer already, doesn't it?

Monday, April 23, 2012

research: so that's what they're calling it these days

from here

if there is in fact a real camera, i very much doubt there's legitimate research going on. i'm pretty sure any figures being recorded are not numerical.

Friday, April 20, 2012

who does asymmetry favour now?

from here

conventional wisdom is that computer security is asymmetric in favour of the attacker. it certainly seems to be the case with so-called cyber-crime, but i genuinely question whether that's something inherent to being on the attacking side or whether there's more to it than just that.

keys? we don't need no stinkin' keys

found on there i fixed it

have you ever left something valuable unattended inside your car? bet you won't do that again.

Thursday, April 19, 2012

nothing to hide

from here (source image and story)

if you have nothing to hide you have nothing to fear, or so they say, but put that saying to the ultimate test and they put you in jail.

funny how that works.

Wednesday, April 18, 2012

the most challenging spearphishing target in the world

from here

there's a whole lot of spearphishing that would fail if people just took those two simple precautions.

the wrong way to teach privacy awareness

found on memebase (source story)

never mind the fact that he was invading the girl's privacy in the first place, and never mind the fact that his actions will probably get him charged with distributing child-porn; you can't teach the importance of something you don't understand yourself, and it's pretty clear he didn't have any kind of grasp on the harm this kind of privacy violation can cause.

Tuesday, April 17, 2012

one does not simply scan for APTs

from here

never mind the fact that APT is people, not software, and so doesn't actually exist within the computer; this experiment where anti-virus was tested against a simulated APT attack seems rather absurd. algorithmic defenses will always be weak against non-algorithmic threats. machines can always be outsmarted by people. take a page out of seussian security and use the right countermeasures for the threat in question.

EXIF was made for stalking

from here (source story)

this isn't the first time i've posted a comic making fun of criminals who give away key geographic locations by leaving the EXIF metadata in their pictures intact, and it probably won't be the last.

problem is, the same data can be used against law-abiding citizens. do yourself a favour and scrub your digital photos before you share them.
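to show what "scrubbing" actually means at the byte level, here is an added example (not part of the original post, and not a tool the author recommends): a stdlib-only python script that walks the JPEG segment structure, drops the Exif APP1 segment, and, before scrubbing, reads the GPS latitude out of the Exif GPS IFD so you can see what a stalker would get. the sample JPEG it runs on is constructed inline (a segment skeleton with a GPS IFD, not a decodable picture); the tag numbers (0x8825 for the GPS IFD pointer, 0x0001/0x0002 for latitude ref and latitude) are the standard Exif ones.

```python
"""Added example: strip Exif (and the GPS tags inside it) from a JPEG, stdlib only."""
import struct

SOI, EOI = b"\xff\xd8", b"\xff\xd9"
APP1_MARKER, SOS_MARKER, EOI_MARKER = 0xE1, 0xDA, 0xD9
EXIF_HEADER = b"Exif\x00\x00"
TAG_GPS_IFD = 0x8825              # IFD0 entry pointing at the GPS sub-IFD
TAG_GPS_LAT_REF, TAG_GPS_LAT = 0x0001, 0x0002


def iter_segments(data):
    """Yield (marker, start, end) byte ranges for the segments after SOI.

    SOS is returned as one range running to end of file, because the
    entropy-coded scan data after it carries no length field. Standalone
    markers (RSTn, TEM) are not expected in the header region.
    """
    if data[:2] != SOI:
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("expected a marker at offset %d" % pos)
        marker = data[pos + 1]
        if marker == SOS_MARKER:
            yield marker, pos, len(data)
            return
        if marker == EOI_MARKER:
            yield marker, pos, pos + 2
            return
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])  # length includes itself
        yield marker, pos, pos + 2 + length
        pos += 2 + length


def is_exif_segment(data, marker, start):
    return marker == APP1_MARKER and data[start + 4:start + 10] == EXIF_HEADER


def strip_exif(data):
    """Return a copy of the JPEG with every Exif APP1 segment removed."""
    out = bytearray(SOI)
    for marker, start, end in iter_segments(data):
        if not is_exif_segment(data, marker, start):
            out += data[start:end]
    return bytes(out)


def read_ifd(tiff, offset, fmt):
    """Parse one TIFF IFD into {tag: (type, count, raw 4-byte value field)}."""
    (count,) = struct.unpack(fmt + "H", tiff[offset:offset + 2])
    entries = {}
    for i in range(count):
        e = offset + 2 + 12 * i
        tag, typ, n = struct.unpack(fmt + "HHI", tiff[e:e + 8])
        entries[tag] = (typ, n, tiff[e + 8:e + 12])
    return entries


def gps_latitude(data):
    """Decimal-degree latitude from the Exif GPS IFD, or None if there is none."""
    for marker, start, end in iter_segments(data):
        if is_exif_segment(data, marker, start):
            break
    else:
        return None
    tiff = data[start + 10:end]                       # TIFF block after "Exif\0\0"
    fmt = {b"II": "<", b"MM": ">"}.get(tiff[:2])      # byte order
    if fmt is None or struct.unpack(fmt + "H", tiff[2:4])[0] != 42:
        raise ValueError("bad TIFF header in Exif")
    (ifd0,) = struct.unpack(fmt + "I", tiff[4:8])
    ptr = read_ifd(tiff, ifd0, fmt).get(TAG_GPS_IFD)
    if ptr is None:
        return None
    (gps_off,) = struct.unpack(fmt + "I", ptr[2])
    gps = read_ifd(tiff, gps_off, fmt)
    if TAG_GPS_LAT not in gps:
        return None
    (rat_off,) = struct.unpack(fmt + "I", gps[TAG_GPS_LAT][2])  # 3 RATIONALs: deg, min, sec
    d, m, s = (num / den for num, den in struct.iter_unpack(fmt + "II", tiff[rat_off:rat_off + 24]))
    lat = d + m / 60 + s / 3600
    ref = gps.get(TAG_GPS_LAT_REF, (0, 0, b"N"))[2][:1]
    return -lat if ref == b"S" else lat


def build_sample_jpeg():
    """Constructed input: a JPEG segment skeleton with an Exif GPS IFD (not a real picture)."""
    fmt = "<"
    ifd0_off = 8
    gps_off = ifd0_off + 2 + 2 * 12 + 4     # IFD0 has 2 entries -> GPS IFD at 38
    rat_off = gps_off + 2 + 2 * 12 + 4      # GPS IFD has 2 entries -> rationals at 68
    tiff = b"II" + struct.pack(fmt + "HI", 42, ifd0_off)
    tiff += struct.pack(fmt + "H", 2)
    tiff += struct.pack(fmt + "HHI", 0x0112, 3, 1) + struct.pack(fmt + "HH", 1, 0)  # Orientation
    tiff += struct.pack(fmt + "HHI", TAG_GPS_IFD, 4, 1) + struct.pack(fmt + "I", gps_off)
    tiff += struct.pack(fmt + "I", 0)                                               # no next IFD
    tiff += struct.pack(fmt + "H", 2)
    tiff += struct.pack(fmt + "HHI", TAG_GPS_LAT_REF, 2, 2) + b"N\x00\x00\x00"
    tiff += struct.pack(fmt + "HHI", TAG_GPS_LAT, 5, 3) + struct.pack(fmt + "I", rat_off)
    tiff += struct.pack(fmt + "I", 0)
    tiff += struct.pack(fmt + "IIIIII", 51, 1, 30, 1, 0, 1)                         # 51 deg 30' 0" N
    exif = EXIF_HEADER + tiff
    app1 = b"\xff\xe1" + struct.pack(">H", len(exif) + 2) + exif
    com = b"\xff\xfe" + struct.pack(">H", 13) + b"constructed"                      # COM segment, kept
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00" + b"\x12\x34\x56"
    return SOI + app1 + com + sos + EOI


if __name__ == "__main__":
    sample = build_sample_jpeg()
    print("latitude before scrub:", gps_latitude(sample))
    print("latitude after scrub:", gps_latitude(strip_exif(sample)))
```

the scrubber removes the whole APP1 segment rather than editing individual GPS tags, which is the safer choice: Exif can also carry a thumbnail, serial numbers and timestamps, and an Exif block with dangling offsets is worse than none. one caveat: this only handles Exif; XMP (APP1 with a different header) and IPTC (APP13) can carry location too, and stripping them is the same segment walk with a different prefix test.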

Monday, April 16, 2012

if you expect a company to hire you...

if you expect a company to hire you after you break into their computers and threaten them, then you might be a security idiot.


hire you or else? i choose else

from here (back story)

extortion is simply not a viable job hunting strategy. at least not for most normal jobs.

Friday, April 13, 2012

... laugh at you we will

from here

thanks to didier stevens for this hilariously bad phishing email.

don't want no short, short spam

from here (original tweet)

considering how many shorteners include some word denoting 'small' in their name, i imagine there are quite a few that are sub-optimal for enlargement spam, but 'shorten me' would certainly be the worst i've heard of.

(update: created a poster out of it because it was just too good not to try and share with the cheezburger crowd)

Thursday, April 12, 2012

too high security

found on i raff i ruse

while complex passwords certainly help keep things secure, there is also certainly a point of diminishing returns where additional complexity does more to thwart you than it would an attacker. a 100 character password isn't going to stop any more attackers than a 50 character password would, but it's at least two times the nightmare to try and enter it properly.

the internet is watching

found on icanhascheezburger

more true than most people realize. even ignoring all the other ways you can be watched on the internet, there have been multiple instances of webcams being used against people, even kids.

Wednesday, April 11, 2012

mobile insecurity: the walking data breach

from here

if you can't take a stranger into your office, how come you can bring your office out to a bunch of strangers?

i tend to think the punch line works just as well as a catch phrase. this is a much over-looked aspect of mobile security (or the lack thereof).

Dave Marcus makes a funny

posted to twitter by @DaveMarcus

i guess i'm not the only one who thinks the recent mac malware episode deserves to have some fun poked at it.

Tuesday, April 10, 2012

dealing with the security industry

from here (image source one and two)

if you haven't heard, apparently apple hasn't figured out friend from foe yet and has tried to squash a server used by dr web to monitor the new mac botnet. it's hard for me to imagine that an anti-malware company i've known about for close to two decades is considered unknown by a major software and hardware vendor like apple.

probably the safest facebook 'app' as well

found on memebase

i have a sneaking suspicion that if you looked at usage, "block" would probably be one of the more frequently used things on facebook, even if it isn't technically an app (as far as i know). that's probably a good thing.

Monday, April 9, 2012

f'ing smart meters: how do they work?

image source one and two

i was amused to learn from brian krebs' blog that people can hack their smart meters just by sticking strong magnets on them. that's a pretty dumb design flaw.

maybe we should start calling them passjibberish

found on gocomics

while it's true that they're called passwords, that doesn't mean we should be making them out of words.

Friday, April 6, 2012

SecOps vs. OpSec

no amount of security operations can make up for a lack of operational security

normally things i post here (especially catch phrases) are meant for the widest possible audience. this one, however, will probably have more meaning to people in information security. it basically boils down to this: you could be bruce schneier himself trying to beef up the security operations of a company but if the guy in the cubicle next to you is a happy clicker all your effort is for naught.

quite an apt complaint

found on infosuck

it's kind of a shame what happens to terminology once media and marketing forces get their grubby little hands on them. APT used to mean something very specific. now it hardly means anything at all.

Thursday, April 5, 2012

may not prevent malware

store section

i was originally inspired to do this by this tweet by quentyn taylor

before anyone gets any bright ideas to accuse me of trying to gleefully rub mac fanboys' noses in the news of the recent mac botnet or of displaying schadenfreude, you folks can just bite me. i have been trying to warn people for years that the faux-invulnerability of macs was going to bite them on the ass - and since the risk has clearly increased, so too should the effort put into getting the message across that using a mac doesn't make you safe from malware.

also, i'm not profiting off the misery of others - as always, my markup is $0.

(hopefully my hand drawn apple is different enough from the apple logo that cafepress doesn't bring down the ban-hammer on it - they police that sort of thing y'know)

(update: already banned. thanks for nothing cafepress. oh well, i'll keep trying.)
(update 2: unbanned after an exchange with their intellectual property police. they were reasonable. this time)
(update 3: added stickers to this store category by request in the comments - see how easy that is?)


from here (original tweet)

oh, those poor, poor mac fanboys. chances are they're part of that half-million strong botnet. so much for not needing anti-virus.

Wednesday, April 4, 2012

how to...

from here (image source)

if the government really wants to know how to stop internet enabled espionage and sabotage against high-security targets then i have a real simple solution for them.

all security fails

found on XKCD (make sure you visit for the mouse-over commentary)

it doesn't matter how high the security is, every security tool and technique has the potential for failure. the real question is not whether you can avoid it but how you deal with it when it happens and whether you've planned for it.

Tuesday, April 3, 2012

are you a security hipster?

from here

inspired by the news that sumatra PDF 2.0 has been released. maybe it's just me, but i think hipster kitty is strangely appropriate for discussing alternative software. there's a sort of hipster quality to selecting software that most other people don't use - and yet, even though hipsters are generally frowned upon, when it comes to keeping your stuff safe, not being mainstream actually helps.

your nose shouldn't be this far up in my business

from here

this is most likely just meant as a deterrent, but i think it backfires. i don't think anyone has the moral authority to take this kind of action, and without such authority such an action is bound to inspire some sort of rebellious behaviour in response.

Monday, April 2, 2012

i can haz freedum?

from here (source image)

freedom in a cage? what's next, secrets under glass?

sometimes it seems like security places limits on your freedom. often times it's just placing limits on your freedom to do things you probably shouldn't be doing anyways, but sometimes it limits legitimate freedoms. it's important to recognize when this latter sort of limitation has occurred because we shouldn't be sacrificing our freedoms for security or we'll wind up looking as absurd as this caged braveheart statue.

popularity: i haz 2 much

from here (story)

popularity may be good, but too much of a good thing is definitely bad. you need to strike a balance between popularity and privacy. when a teenaged girl has to flee her own birthday party, that balance is just not there.