Friday, August 31, 2012

anti-cyberwar merchandise

Make Video Games Not Cyberwar Products

this is another of the secmeme designs that was lost to cafepress' inane restrictions. i imagine it's because it looks like the video game called pong. yes, it looks like pong, but i played pong on one of those really old dedicated single-game consoles with the twisty controllers and this doesn't look THAT much like pong.

anyways, this is meant as a message for the people making all those so-called cyber weapons. i think you're going to touch people in a more positive and rewarding way if you follow the advice on this shirt.

phish merch

Phish Products

this was the thing that made me open a zazzle store. i spent hours making the image i previously posted from scratch and then got told that it wasn't allowed because it was an altered cheers logo. i really wanted to see this picture on a coaster so i found a way. i also put it on some mobile device cases and t-shirts (may take a while to show up) and i'm kind of surprised how it looks on a dark background.

Thursday, August 30, 2012

SQLi Name Tag revamped

do you remember when i made that SQL injection name tag merchandise and put it in the secmeme store? yeah, no, neither do i because i apparently forgot to post it here. it's just as well because the original version had a hardcoded name that only would have been useful to people named robert (it was a riff on one of randall munroe's most famous XKCD comics).

at any rate, in the process of playing around with the store, adding graphics, etc. i decided the SQLi Name Tag item needed to be revamped so that it might actually be useful to people who aren't named robert so here's the new design.
now you might be thinking that this is going to be useful to even fewer people than the one i previously described, but in fact cafepress has a rather neat feature whereby you can set text objects as variables in designs that you create with their in-browser designer so when you're selecting an item to buy from this category you can change the person name as well as the name of the table that's getting dropped. so for example, one i might wear when i'm going up to a booth at a conference might look something like this

now, unfortunately the in-browser designer can only make square designs and those don't work so well on actual name tag stickers (which aren't square). that may be just as well since stickers are often sold in groups of 10 or 50 at cafepress, and you may very well not want them all to say exactly the same thing. so for this particular case i made a variation on the design meant to be written on when you use it.
the writable design is only available for stickers, while the cafepress personalizable design is available in a variety of shirts and some buttons.

site update

i hope you don't mind me taking this opportunity to draw attention to some of the changes that have been made to the site in the last little while. it's not a frequent occurrence so please bear with me.

Social Networking
there is now a facebook page for this site, and a google plus page as well.

at first i was just sharing links to this site and letting the respective social network grab whatever little thumbnail was appropriate for the post in question. however, i never really liked the idea of forcing people to actually come to this site in order to view the content when it came to the RSS feed (which is why i try to make sure the content is directly viewable in things like google reader), so i made the decision instead to share the pictures (or videos when i get around to making more) directly and simply link back. that way you can enjoy the content wherever you happen to be seeing it instead of having to open a new page. animated gifs seem to be a special case (because facebook doesn't seem to like them) but for static images or youtube videos that's the process i'll be trying to follow going forward.

i haven't worked out a way to post content automatically yet (and i may not find one since i'm doing more than just sharing a link) so there will often be a pretty wide window of opportunity for people to share secmeme posts themselves before i've put the content on the official pages. please feel free to keep doing so. don't wait for me, the moment may be lost by the time i get the content mirrored on FB or G+.

Merchandise
the most minor thing is that one of you asked that the "may not prevent malware" store category include stickers so i added them. it's really easy for me to add stuff like that for existing designs so feel free to make a request if i didn't include something you'd like to see.

i've also opened up a second store, this time with zazzle. i got tired of spending hours on a design only to be told by cafepress that it's not acceptable (frequently after i've already posted about it here) for some generally intellectual property related reason. not that my designs violate IP law, mind you, but since cafepress pulls shenanigans like selling your designs for their price and giving you what they think you deserve back as compensation it seems likely they can't use the DMCA's safe harbor provision to protect themselves and thus have decided to be much more restrictive about what's allowed. i'm not planning to switch over completely to zazzle at this time since zazzle doesn't have all the same things cafepress has, and zazzle doesn't let me set the mark-up to 0 (which seems bizarre to me, but maybe 0 mark-up seems bizarre to others). zazzle does seem to have some customization options for buyers that cafepress doesn't, but the opposite also seems true.

Graphics
if you do visit this site, or the facebook or google plus pages, or either of the stores you might notice i've finally come up with some actual dedicated secmeme graphics. i'm no graphic designer by any stretch of the imagination, but i am gradually becoming more comfortable with creating images from scratch rather than simply modifying existing stuff. i hope they're legible/understandable.

wow, that's a lot of words for an entry on this site. good thing i don't do it very often.

Wednesday, August 29, 2012

have you seen this gif?


When someone says “$thing is unhackable”


if you have seen this animated gif and the accompanying caption then in all likelihood you already know about the InfoSec Reactions tumblr blog created by @aloria. if you haven't seen it yet then what are you waiting for? go check it out and have a laugh. it seems to specialize in animated gifs and already has quite a bit more contributions from others than i've managed to get in the ... hmm... 4 years that secmeme's been around (so congrats to @aloria on that).

ransomware secured

from here

no, ransomware that encrypts your files is not the kind of encryption you're looking for. move along.

Tuesday, August 28, 2012

attract police in all the countries

from here

inspired by mikko hypponen saying "this is the way to make sure all the police will want to find you" in this video.

java warning

(unmodified image source)

i don't know about you, but it seems to me that java deserves a warning label, like the ones on cigarette packages.

since there's a lot of hand wringing going on right now about an unpatched java vulnerability being exploited in the wild, here's some links brian krebs shared that should be useful to find out if your system is vulnerable and what to do about it

Monday, August 27, 2012

cyber derp

from here

i still find it hard to believe that the text from the first 2 panels is an actual quote from an actual lieutenant general. it's basically the military equivalent of 'the internet is a series of tubes'. how can anyone take cyberwar seriously when stuff like this is going on?

the cyberwar in afghanistan

from here (source image)

no, i'm not making up the idea of offensive cyber operations in afghanistan, just depicting what i suspect they amount to.

Friday, August 24, 2012

i fought the terrorists and the terrorists won

stumbled across this while searching for something else on google image search

it's sometimes said that the goal of terrorists is to make you live in terror. if the ridiculous things we're now willing to go through in order to feel safe are any indication, the terrorists would seem to have won.

chill out, man

from here

it really makes you wonder what the folks at amazon were thinking when they named their new back-up service "Glacier". i can imagine they were thinking that they could say it freezes your data so it never changes, but a) glaciers are so synonymous with slow that the word "glacial" actually means 'extremely slow', and b) freezing generally doesn't end well for the thing that gets frozen. in fact, Robert Frost penned a rather famous poem that touches on just that concept:
Some say the world will end in fire,
Some say in ice.
From what I've tasted of desire
I hold with those who favor fire.
But if it had to perish twice,
I think I know enough of hate
To say that for destruction ice
Is also great
And would suffice.

Thursday, August 23, 2012

i see what you did there

found on failbook

some things just shouldn't be shared (and some things probably shouldn't be done in the first place).

hashes merchandise

store item (store category)

so, i liked that phrase so much i decided to put it on some clothing, even though it's only likely to appeal to a small set of people. now you can make a statement without even opening your mouth. as usual, no mark-up for me since i'm not trying to make money on this stuff.

Wednesday, August 22, 2012

the cloud's prayer

from here (image source one, two, three, and four)


could this parody of a child's bedtime prayer be considered cyber-blasphemy?

don't wanna go where everybody knows my username


this actually started just out of the parodied cheers lyrics. rather than try to parody the entire theme song i spoofed the cheers bar sign instead.

hmm, i could maybe see this on beer coasters.

Tuesday, August 21, 2012

theme for the surveillance state


i thought of this basically right after my last post about wenlock and mandeville (the anthropomorphized surveillance cameras that were used as the mascots for the london olympics) but unfortunately work kept me too busy to finish it before the olympics ended. i wonder if they've taken them down and made a liar out of me. i can't imagine why they would, though.

i considered making this into a youtube video and actually singing this parody of barney the dinosaur's famous song, but i decided to spare you all that ear-bleeding experience and went for the 'follow the bouncing ball' gag instead (which took me 3 tries to get right). i have new appreciation for how hard and tedious an animator's job is.

hashes or it didn't happen

from here

are you like me, folks? are you finding some vendors care more about building brand recognition than giving useful information? this one is by request from jindrich kubec. i hope i captured what he had in mind.

Monday, August 20, 2012

if you think we can get meaningful security...

if you think we can get meaningful security out of computers without changing the way we use computers, you might be a security idiot.
(inspiration? - just look at all the people who say security needs to be simple, easy, invisible, or someone else's job)

run as who?

When I 'run as' administrator on Windows XP it's because the administrator is actually a different account from the one I normally use.
When I 'run as administrator' on Windows 7 it's because Windows forgot that I'm the damned administrator! 

i think the principle of least privilege is a great thing, but i HATE UAC. UAC is microsoft's attempt to make least privilege happen transparently as if by magic, but magic and technology never seem to mix well.

Friday, August 17, 2012

don't worry

from here (source image)

i can't help but think of a line from this bowser & blue song when i see that hand gesture in those gloves. let's all do the finger wave, indeed.

crack me twice, shame on me

from here (image source)

y'know, it's embarrassing enough when a large news organization is compromised and used to spread false news, but to let the same thing happen a second time in as many weeks? someone should probably be looking for a new job right now. (hat tip to dave lewis)

Thursday, August 16, 2012

security memes page on G+

found on the security memes google+ page

yes there's a security memes page on google+, and no it's not run by me (well, at least that particular one isn't). i think i should add this site to my list of links to other media. it's a shame there don't appear to be any entries more recent than march, though. maybe more will come.

our next hash function will be called pepper

from here

oh, lame pun coon, thank you for letting me blame my lame puns on you.

Wednesday, August 15, 2012

two factor authentication?

from here

no, username & password do NOT count as two factor authentication. usernames are not authenticators, they are identifiers, and while identifiers are important to say who you think you are, they in no way prove you are who you say you are.

calling all code breakers

from here (source image)

it seems the encryption used by gauss was better than anticipated, so now kaspersky wants people's help to crack the encryption.

Tuesday, August 14, 2012

brings computer to flu shot clinic...

found on i can has cheezburger

unfortunately, some people actually think this way. it's hard to imagine how people who are so technologically impaired can ever become more secure.

i'd like a meat-lover's pizza

from here (image source)

advertising job openings at the TSA on pizza boxes? i didn't think i could respect an authority figure any less than i did TSA agents before. i was wrong. some people get their driver's license from a cracker jack box, others get their career from a pizza box.

Monday, August 13, 2012

your victim is in another castle



a knife can be a pretty good weapon in some circumstances, but you gotta figure there are things that can trump a knife and you can probably find some pretty conveniently in a convenience store. or as this blogger put it - don't bring a knife to a beer fight

war on macgyver reaches new heights

from here (source article)

knee-jerk attempts to protect people frequently result in ridiculous outcomes. think twice, do once.

Friday, August 10, 2012

what cyber-weapons aren't

from here (source image one, two, three, and four)

that fourth panel nearly got me. technically the gauss malware could theoretically be affected by magnets, but you couldn't selectively affect just the gauss malware - it would wipe out everything else too.

perfectly safe airlines



from the makers of snuggley the security bear. i didn't realize mark fiore had a youtube channel.

Thursday, August 9, 2012

i spy with my little blimp

from here

i can't help but think a spy blimp would be a little too conspicuous, even at high altitude. the size just gives it away.

scams aren't just an email problem

found on very demotivational

in case you're having difficulty reading that letter, it starts:
Please forgive my presumption in contacting you in this way, but I would like to request your help. You...
while what's depicted is technically an anime rather than an historical document, it is a classic example of how a 419 / nigerian / advanced fee fraud style of scam letter is composed. it highlights the fact that such scams can work just as well with a physical letter as they do in an email. in fact, the formal wording may actually seem that much more appropriate in the context of a physical letter. it's not hard to believe, then, that such scams have been around for a very, very long time.

Wednesday, August 8, 2012

cybercrime costs

from here (source article)

i remember a time when one company said there were 200,000 viruses and another company came along and said no there were 300,000 viruses.

that kind of math may fly when counting malware, but it really shouldn't when it comes to money.

security marketing fail (possibly NSFW)

from here (source tweet and image)

thanks to @infosecjerk for tweeting his (not unreasonable) reaction to this picture originally tweeted by @pertermannmc. i don't know whose bright idea this paint job was, but i can't unsee what @infosecjerk called it.

Tuesday, August 7, 2012

trolling tech support scammers

here's some pure comedy genius from @paperghost (aka chris boyd). i can't help but laugh at how they're apparently oblivious to the fact that the person they called knows they're up to no good.
storified here

(i opted to not embed the storify code because when i previewed it it gave me a service unavailable error)

surveillance mascots are watching you

from here (source image)

thanks to @mikko for drawing my attention to this. where else but in london would they try to make CCTV cameras cute and friendly looking. what better way to normalize the surveillance state than to turn its quintessential element into a cute and cuddly cartoon character?

Monday, August 6, 2012

security isn't my job, it's my lifestyle

security isn't my job, it's my lifestyle

i considered this as a possible catch phrase some time ago as the result of a deductive exercise, because security really isn't part of my job description at all, and my interest in it dates back to primary school. that didn't seem like something a lot of people would be able to relate to, though, so i filed this away until i could find a way to use it.

but @chort came up with an excellent analogy to making healthy lifestyle choices, and the commitment and willingness to change behaviour (as well as our tendency to look for easy fixes that don't require work and consequently don't work) is a great fit for security and gives this phrase a meaning a lot more people can grab hold of.

for the really good security professionals, security isn't just their job, it is part of their lifestyle - and for the ordinary people who haven't made that lifestyle choice yet, framing it this way gives them a more realistic idea of what it takes to be secure.

of online backups and online attacks

from here

inspired by the sad story of mat honan who lost "more than a year’s worth of photos, emails, documents, and more". this isn't even really a cautionary tale about remote wiping as much as it is about the need to have local backups that you control. online backups are convenient, but they're as susceptible to remote compromise as anything else you put online.

for backups to be useful in restoring from an attack, the backups themselves must be impervious to attack.

Friday, August 3, 2012

facebook police



while facebook may not actually have people in body armour driving around beating up suspected spammers, reporting something as spam when it isn't can have negative consequences for people. this applies outside of facebook (or even the internet) too. misreporting badness to authorities can seem harmless, but if they're people they have better things to do than chase down false threats, and if they're automated processes you could be teaching them bad habits that will come back to bite you later.

nature's own security system

found on very demotivational

i suspect if there's one thing a bike thief would probably not want to deal with, it's a swarm of bees. shame no one else would want to deal with them either.

Thursday, August 2, 2012

if you had to choose...

from here (source image one and two)

the american symbol of police abuse of power is a man spraying a (supposedly) non-lethal dose of a toxin in kids' faces. the canadian symbol of police abuse of power is a man who's afraid of soap bubbles.

i think if one of them had to be terminated, i'm glad it was lt. pike. officer bubbles may have been a dick, but no system of authority is perfect, there will always be those who abuse their power, and lt. pike makes me appreciate how lucky we canadians are to have officer bubbles instead.

say hello to my little friend



who doesn't love a feel good security camera video of a bunch of thugs having a brown-trouser moment as one of their would-be victims pulls out a gun and starts firing?

Wednesday, August 1, 2012

i just stored files for you, and this is crazy

from here (source image)

if you expose the personal details of millions of people...

if you expose the personal details of millions of people by not following your own encryption policies, and then go on to continue not following your own encryption policies, you might be a security idiot.

(inspiration)