Thursday, May 31, 2012

double your factors, double your fun..

from here (source image)

sometimes multiple layers of security are a good thing, if they make sense. sometimes multiple layers are pointless because the extra layers don't add any extra security. and sometimes it's promoted in just about the creepiest way i've ever seen.

needing to swipe a card and enter a combination makes this a 2 factor safe, which may be a good idea, but that dog is giving me the willies - not to mention making the entire safe seem cheap and probably insecure. also, with that card reader, i wonder what happens when the unit loses power.

why can't AV do X?

from here (source image)

it amazes me how often 'security experts' will say that AV ought to be able to do better but when pressed will admit to not knowing how to accomplish it themselves. i believe that's the dunning-kruger effect in action, folks.

if you think AV ought to be able to do better, go ahead and build that better AV already.

Wednesday, May 30, 2012

the flame that burns twice as bright...

... burns half as long.

i don't always make so many posts about the same topic, but when i do... they're good ones. this one is to call attention to and show appreciation for the fact that i am actually not the only one who contributes to the "culture of security" with actual culture (as opposed to security, which lots of people contribute).

bob rudis has made a song parody immortalizing the flame worm and it's just about perfect except for 2 things. 1) like my own parodies, it lacks an actual recording of someone singing it
2) what one might expect from a culture of security, and what i can't easily add to my own contributions but what i can add to the contributions of others is fault tolerance through redundancy.

redundancy is of course one of the core principles behind backups, and i like to create backups of great stuff like this because all too often i've seen it vanish from the face of the web. but the thing about backups is that if you can't restore from them then they aren't very useful, so go and check his original and play spot the difference to see if there's anything amiss with this copy (maybe something accidental, maybe something sneaky, maybe something just because i apparently can't use <p>).

(Sing to the tune of “Fame – Remember My name” …
Here’s some YouTube background music)

They’ve been lookin’ at me, but they never did see—
no, no trace of me did they detect;
Gave me time to collect all the data at rest.
I’ve got so much in me: LUA, zlib & sqlite3–
I can infect the USB in your hand. Don’t you know who I am?
Remember my name [FLAME]

I’ve been around forever. Capturing packets on the fly. [HIGH]
My botnet is comin’ together. When researchers see me they’ll cry. [FLAME]
I even infected Lebanon. Lit up the Middle East with my FLAME. [FLAME]
I’ve been around forever. They will remember my name.


I’m not packed up too tight (I take up 20 megabytes).
With no kill date, I’ll never stop.
Give me your mic and I’ll take all you’ve got to give.
Finding me will be tough. Too much (you’ll say ‘enough’!)
I can ride your net but not break (it). Yeah, I got what it takes.


I’ve been around forever. Capturing packets on the fly. [HIGH]
My botnet is comin’ together. When researchers see me they’ll cry. [FLAME]
I even infected Lebanon. Lit up the Middle East with my FLAME. [FLAME]
I’ve been around forever. They will remember my name.



hey symantec, i fixed it for you

from here (source image tweeted by @pstutz)

the original version of this image was just too wrong the let it go. even though i only changed three words, i had to fix it for them.

Tuesday, May 29, 2012

flame worm snoops on all the things!

from here

i don't think i've ever heard of a piece of malware with as complete a set data types to steal as the flame worm. from the documents on your disk to the text on your screen to the words coming out of your mouth. shhhh, the computers have ears/microphones.

six of one, half dozen of the other

found on memebase

if your only purpose in installing security software is to prevent pop-ups that interrupt what you're doing, you might be disappointed. don't get all pissy about the fact that you actually have to participate in keeping your system secure.

Monday, May 28, 2012

security crossword puzzle

found on Queens University ITServices newsletter

this is a pretty cool idea. you can find the clues by clicking the image or by visiting this page. the answers are apparently on the subsequent crossword post on their newsletter.

i wonder how difficult it would be to make security crossword puzzles on a semi-regular basis. or perhaps something else would be more appropriate. a cryptogram perhaps? something to think about.

if you expect security software to do all the work..

from here

attackers are people. software isn't going to outsmart them. quite the opposite in fact.

Friday, May 25, 2012

meanwhile in the facebook men's room

found on very demotivational

it's really hard to resist a good dig at facebook, especially one involving privacy.

support scam success story

from here

this is inspired by a true story wherein a phone support scammer called the principal software engineer for a security company called sourcefire. here's the recording he made:

Thursday, May 24, 2012

i see what you did there

found with a google image search

the joke may be on the creator of this image when you consider what the harriton high school did with the laptops it issued it's students.

private keys

from here (source image thanks to nik cubrilovic for tweeting it)
poor yahoo, they don't seem to be able to do anything right lately.

Wednesday, May 23, 2012

6 year olds who can bypass locks? what could possibly go wrong

honestly, he's a cute kid and i don't imagine he'll turn into some sort of criminal as a result of learning how to impression a lock. what seems more significant here is actually what this says about that kind of lock. how much do you trust your locks after seeing what a 6 year old can do? many thanks to deviant ollam for posting such a great video.

family jewels

from here

really, what on earth could they be keeping safe in there?

Tuesday, May 22, 2012


found on failblog

this guy's already got 10 butterfingers so i guess he won't be needing any more of those. what a klutz.

one does not simply log into...

from here
the irony here, i think, is that there doesn't appear to be a secure login page for undoubtedly there are other sites with the same problem but i suppose there's not a lot of damage someone could do with your cheezburger credentials, so long as you don't re-use them at your bank or something. still, if a site doesn't provide an easy to find https/ssl encrypted login page you should probably complain about it.

Monday, May 21, 2012

is that a bomb in your shorts or are you just happy to see me?

secmeme store section
secmeme store item

yes, that's right, i stuck an anti-terrorism EULA on underwear because apparently the dumbest, most ridiculous terrorist of all time has a posse. i don't know if the TSA would find any comfort in fliers wearing these (they shouldn't, since there's nothing to prevent someone from violating the terms) but it could certainly be an interesting conversation piece in that situation.

they blow up so fast

from here (source image)

yes, i'm pretty sure that's just a costume. a real suicide bomber has to be able to sneak into where ever it is they're going and that kid isn't sneaking anywhere.

Friday, May 18, 2012

oh, those greeks and their horses

from here (original satirical story)

and now i've mixed the metaphors of trojan horses and tentacle porn. you can thank me for the mental image later.

facebook privacy joke

a timely joke about facebook's current business moves and the timeless complexity of their privacy controls.

Thursday, May 17, 2012

paging dr. solomon*

from here (source image)

i found out about this thanks to a tweet by dave lewis. somehow i doubt hospitals are as well equipped to deal with computer infections as they are biological infections (and they don't do all that well with that either).

(*dr. solomon was the founder of an anti-malware company back in the day. he wasn't a medical doctor, though)


found on very demotivational

setting forth deterrents to convince people not to do bad things is certainly important, but so is getting your priorities straight.

Wednesday, May 16, 2012

the most interesting threat vector in the world

found on memebase

ok, maybe it's not the absolute most interesting threat vector in the world. perhaps java has it beat, but it's still pretty high up there on the list of most exploited technologies.

all your internets are belong to ACTA

sometimes you have to laugh at authority run amok, if only to prevent yourself from crying. so let's all laugh at ACTA (and the sneakily appropriate ending to this video)

Tuesday, May 15, 2012

in celebration of #freebyron

sonne-y day
sweeping the crown away
on his way
because justice is sweet
can you tell us how to get
how to get this not to repeat

stay away
everything's not ok
conclusions jumped to here
were quite a feat
can you tell us how to get
how to get this not to repeat
how to get this not to repeat

i figure the exoneration of byron sonne deserves some recognition, and why not with the sesame street tune since this whole thing should have been very, very basic. you only arrest people who actually break the law, not people you irrationally fear might break the law at some point in the future. the concept of "pre-crime" is fiction for a reason.
what happened to byron sonne was hysterical law enforcement, and i don't mean that it was funny.

are there no depths advertisers won't sink to?

found on failbook

ok, so i have no idea if that ad is real or shopped but i could see it being real (can't afford a model? just grab a random picture from the internet!).

of course the security industry knows all too well that fear sells, so why wouldn't the insurance industry use (suspected?) terrorists to sell their goods and/or services.


from here (source image one and two)

oh, josh corman is gonna kill me for this, i'm sure. see, josh talks about anonymous A LOT. he's sort of taken on the mantel of being if not an expert then at least an authority on the topic of anonymous. but then, when you consider the kind of ... thing that anonymous is, it makes you wonder 'how exactly does someone become an authority about that subject?' - hence the ancient aliens meme reference. not trying to say being an expert on anonymous is anything like being an expert on aliens, mind you, i just think the argument could be made that it brings similar questions to mind.

Monday, May 14, 2012

one strong password, two strong passwords...

one strong password,
two strong passwords,
three strong passwords,
five strong passwords,
six strong passwords,
seven strong passwords,

were you expecting that to end with "more" like the old one potato two potato song?

not this time. this is just a little limerick to remind you that the only way to follow good password advice at scale is to use password management software to store passwords. remembering more than 7 strong, unique passwords is beyond many people's capabilities (heck, for some people even 7 is too high).

sometimes you should trust your gut

found on failbook

when something feels weird or wrong, don't just ignore it, trust your instincts.

Friday, May 11, 2012

missing security

found with google image search

i can't quite put my finger on it, but something is missing with this security fence.

wireless security fail

from here (originally tweeted by @ryanaraine)

yeah, he definitely doesn't see why not, because he's looking in the wrong direction. total lack of situational awareness there.

Thursday, May 10, 2012

1..2..3..4.. i declare a cyberwar

from here (source image)

i'm sorry, am i supposed to take cyberwar seriously? well maybe it would help if the serious people didn't treat it so absurdly.

what's up, cop?

from here (image source)

anticipating outcomes is important in security (and in insecurity). clearly carrots don't help with foresight. some pranks just aren't worth it.

Wednesday, May 9, 2012

on the internet, no one can tell...

from here

you may laugh (or not), but the so-called "hacking" that people do when they discover someone else hasn't logged out of their account can be done just as easily (and maybe even as intelligently) as a cat walking across a keyboard of the same non-logged-out system.

steal all the american secrets

from here

i don't know how things work in mike rogers' neighborhood, but in the real world CISPA is not going to stop the chinese.

Tuesday, May 8, 2012

one does not simply give meaningful password hints

from here (source image)

it could be that this person was clever and their password has absolutely nothing to do with lord of the rings - but chances are good that that isn't the case here.

please place your bombs under your seats or in the overhead storage

from here (source image)

the thought occurs that if turning on electronic devices on planes was really a seriously problem then the flight crew wouldn't simply ask nicely that you turn them off, the devices would be on the list of contraband and they'd be taken away from you before you ever got on the plane.

Monday, May 7, 2012

malware (parody)

ain't found a sinkhole for me yet
can't take down my botnet
seems every click results in scareware
bullet proof hosting, and yes
i double fluxed my DNS
the passwords stream to me from spyware

yeah they come to snuff the malware
yeah here comes the malware, yeah
an old virus never dies
no, no, no, an old virus never dies.

once installed, banker trojans
send all your money to my homeland
click on me, real nude pictures, not a ploy
got my tests 'gainst anti-virus
don't give those vendors no time for rest
0-days please, when there's just no foolin' you

yeah they come to snuff the malware
yeah here comes the malware, yeah
an old virus never dies
no, no, no, an old virus never dies.

 this is a parody of "Rooster" by Alice In Chains (maybe someday i'll be in a position to actually record my parodies instead of just leaving you with the lyrics and your imagination)

scumbag filevault

from here

gee, apple, how many security screw-ups do you think you can get away with before your users start holding you accountable?

Friday, May 4, 2012

for bird-brained crooks only

found on picture is unrelated

a scarecrow (or scarecop as the case may be) seems unlikely to work against a person.

security that looks good on paper

found on there i fixed it

security that looks good on paper doesn't always work out in real life.

fake security can work... as a deterrent. a beware of dog sign can make a bad guy look for easier pickings even if there's no dog present. but the thing about fake security is that it has to appear convincing.

Thursday, May 3, 2012

a dirty job indeed

from here

hearing that al Qaeda was hiding secret documents in porn, the jokes just write themselves.

under cover

from here

the lady doth protest too much, methinks. no i don't know if it's actually a lady, but how often do i get to quote shakespeare here?

Wednesday, May 2, 2012

well there's your problem

found on memebase

you can see examples of derpina everywhere, even (it seems) in the security community.

ROSI coloured glasses

from here (image source one and two)

security can, and sometimes does, cost a lot of money. if you're not careful, you can make really poor (bone-headed, even) investments. not unlike alameda county spending >$300k on an armoured personnel carrier when they can't even keep all their schools open.

Tuesday, May 1, 2012

gaming the app store

found on

well, it certainly seems to be that easy to game the approval process for apple's app store. check out the article this picture comes from for a more in-depth analysis.

self-XSS of the lambs

from here (thanks to nick owen for the inspiration)

always be wary of people asking you to paste strange code into your address bar. they're probably trying to get you to launch an XSS attack on yourself.