i actually played around with the idea of making this site go dark, but decided that somebody needed to help highlight the fact that there is a bigger picture than just SOPA itself. it's been suggested that there are a variety of different adversaries that people face online (and off), and unfortunately their own government (or for most of us in the case of SOPA, a foreign government) is one of them.
the problem with the checklist is that it promotes the idea of following a simple sequence of steps rather than taking a more comprehensive approach. simple approaches often have simple ways to bypass.
poor symantec. that source code leak from before may not have had any impact on its anti-virus product yet, but apparently anonymous has found ways of exploiting pcAnywhere and symantec is warning people to stop using it.
this is in recognition of google's recent move to revise their privacy policies and the fact that they will likely piss people off and have to revise them again (and again). google gets away with a lot when they slap the word beta on things, though, so perhaps that's what they should do this time.
if you chain your bike to nothing but itself, then you might be a security idiot.
if you use a wire chain that can be easily broken with pliers, chances are exceptionally good that you're a security idiot.
and if you do all that not five feet from a bus stop where a thief can make a speedy getaway without even removing the chain, then you're definitely a security idiot.
mobile computing gives people the ability to access computing resources wherever they go. unfortunately, human nature is such that people go where there are other people. it's difficult to maintain the operational security necessary to even do something as simple as enter a password when you're in a public place surrounded by other people.
and infosec professionals think the only problem with the consumerization of IT is locking down the device (or the data on it)? ha! are they ever in for a surprise.
are you like me, folks? did anonymous' retaliation for the megaupload takedown make you scratch your head and wonder what the heck they were thinking? it's not like the takedown harms filesharing at all, since file locker sites are a dime a dozen (heck, even google docs is a file locker of sorts). the takedown really seems to do more to harm the interests of SOPA/PIPA supporters than anything else, since taking down a foreign website and making arrests overseas highlights just how much of an unnecessary power-grab those proposed bills really were.
as some were suggesting on twitter, it seems like they're trying to snatch defeat from the jaws of success.
one of my favourite anti-theft techniques is to not carry around anything worth stealing. it works in other contexts too, for example a great way for companies to avoid having customer credit card numbers stolen from them is to not keep the numbers in the first place.
'i answer to a higher authority' - or at least a more northerly one. i think the only way santa and his elves would be above the law is when they're literally above them, while the sleigh is in flight. as far as our system of legal authority is concerned, its representatives are the highest authority.
just because it says police doesn't mean they are police. not unlike just because an email says it's from your bank doesn't mean it really is from your bank.
bizarre as it appears, i have a feeling that the keyhole face is going to eventually become an icon for identity protection. just as soon as people start taking their identities seriously.
now, i don't want to say that foursquare makes you a target, but it does make it easier for people to target you, so if you're doing bad things then maybe you should keep that in mind... or not.
i'm calling shenanigans. if it had been an honest TSA agent the weed would have been reported, and if it had been a dishonest one the agent would have kept it for themselves.
aside from the fact that laws like SOPA and PIPA would probably snuff out this and many other sites (hey, you don't think lolthreats would fare any better than lolcats do you?), this video raises an interesting question about laws being a thing you can buy. in fact, it may well be one of the most important questions of our age.
regulation, law enforcement, and other forms of authority can usually be thought of as a class of strategies for meeting the basic human need to keep ourselves and the things we value safe, much like security is (which is why i'll often include content that strictly speaking has more to do with authority than security). but when laws become a commodity that can be bought and sold then the entire system of legal authority is being gamed and is no longer fit for its intended purpose. then laws can only protect the interests of the people rich enough to buy them.
don't let SOPA/PIPA pass, but also don't make the mistake that they are the width and breadth of the problem. they are merely a symptom. if they don't pass then the people paying for them will just pay more for new versions. so long as laws are a thing you can buy...
from here (note: for those unfamiliar with the slang, "pwned" is a synonym for "compromised")
much like the term "virus", "infect" is misused a lot. in fact, each misuse implies the other.
as the comic implies, the distinction is important because how we respond depends a great deal on what we're responding to. if we get confused by sloppy word choice we're liable to make a sloppy action choice.
so apparently there's a phishing attack that's changing people's facebook accounts to show up as the above and then chatting with their friends posing as "facebook security" and telling them they need to confirm their account. the story can be found on the securelist blog.
i realized not too long ago that most of the designs in the secmeme store revolve around passwords, so i decided to do something related to malware. this one is on a bunch of shirts and some other items like mugs and calendars. i can never decide where to draw the line with these so if someone wants to see this on something i haven't already included, all one needs do is ask.
because i installed my patch tuesday updates a couple of days ago and now (at the time of writing) i've got a bunch more and a prompt telling me i need to restart. the more annoying you make the update process, the less inclined users will be to update.
if you leave your baby outside, in the rain, unattended, next to a sign post as though it were a dog, while you go into a convenience store for smokes and/or tickets, then you might be a security idiot (and a terrible parent).
(inspired by events i witnessed on the commute to work this morning)
i'm not going to beat around the bush. i think the term "hacker" is widely misused, even by so-called experts. it's inconsistent with the existing model and it ignores historical usage.
some like to argue that the meaning of words change with use (and more importantly misuse), but the irony in that argument is that if misuse really changed the meaning of words then the meaning of "irony" should have changed a long time ago. it's notoriously difficult to get right. i probably failed right here.
it's obviously facetious, but if the identity thief faced even worse charges than his victim then it might actually make sense to let the authorities continue thinking he's someone else in spite of serving jail time - it would be less jail time.
when good things start finding you, it's probably too good to be true.
just a little heuristic to help identify some of the scams and malicious content out there. not foolproof of course, but nothing is.
in the beginning i put the entire sentence as the catchphrase, but on further consideration i decided it was catchier this way. people can qualify it as needed.
you'd think it was bad enough that an intelligence firm like stratfor lost people's info (including their credit card numbers) but to add insult to injury those people have gotten rick-rolled too.
kind of amazing that a convicted murderer can get a new trial just because the records of his old trial were lost in a malware attack. then again, when the only record of the conviction has clearly been maliciously tampered with (possibly in more ways than are initially evident), that raises the kinds of doubt you don't want to have about a murder conviction.
here's a design in recognition of the stratfor compromise. i didn't use the actual passwords from the analysis of that compromise, however, because that would be awfully narrowly focused. instead i used the 25 worst for all of 2011. that way it can just as easily apply to the next breach, and the one after that, and the one after that.
it's surprising how even people who are in a position to know better have difficulty staying on point about the nature of APT (advanced persistent threat). i hope this soylent green reference (with a dash of jonathan swift for the more literate out there) helps.
after that condom image you might be tempted to think this is a doctored photo. it's not. i don't pretend to understand the reasoning for doing something so dumb. all it says to me is that they're subtly embracing FUD.
in the process of hunting down source images for the design i posted about yesterday, i happened across this picture and just could not leave it alone.
so, this was originally intended to be a design for some merchandise at the secmeme store but when i tried previewing it on various articles of clothing and accessories it just didn't look right. it didn't look like something anyone would want to wear or carry. i mean who, other than a giant dick, wants to wear a big condom on their shirt or hat? a shame, too, because it took me hours (due to a complete lack of skill) to turn this source image into what you see above.
oh well, i suppose if anyone does want it on something (i dunno, maybe a skin for an electronic device or something) then they can easily let me know, but otherwise i'm considering this one a design failure. oh well.