Tuesday, September 30, 2014

Is Bash Safe Yet?

from here

The answer is almost certainly no, so stop asking already. Perhaps the question we should be asking is if any software is ever truly safe.

When All You Have Is A Certification, Everything Looks Like Your Course Material

tweeted by Rob Rosenberger

Thanks to Rob Rosenberger for tweeting this Condescending Wonka meme. Considering that (from what I heard) someone was actually trying to exploit Shellshock to run CMD.EXE, I can definitely believe there are people out there who think their Microsoft-centric body of knowledge applies to this *NIX-related vulnerability, and that certainly deserves some condescension.

Monday, September 29, 2014

Everything Fails Sometimes

from here

Your defenses are going to fail, probably more than once, and if you can't handle that... well... you're gonna have a bad time.

Breaking Bash

tweeted by @naehrdine

Thanks to @naehrdine for tweeting this photo of a t-shirt celebrating the shellshock vulnerability.

I wondered if there was some place people could buy their own but unfortunately all I was able to find was this very similar graphic that Chris Hoth thought would make a good t-shirt (guess what, Chris, it does)

and this t-shirt with a distinctly different graphic but along the same idea

It makes me wonder if @naehrdine got hers custom made or something.

Friday, September 26, 2014

Biometrics Aren't Just For Logging On

from here

This guy's OpSec is really all over the place. What is the threat model he's using to decide how to protect himself?

LangSec Cat Wants Better Parsers Not Bigger Patties

tweeted by @andreasdotorg

Thanks to @andreasdotorg for tweeting this meme highlighting the language-theoretic security perspective on the recently uncovered bash vulnerability. I like the idea of LangSec Cat, and hope it can make language-theoretic security as widely known as LOLCat made cheeseburgers.

Thursday, September 25, 2014

If This Joke Bombs, I Hope You Don't Get Shellshocked

from here

Hey, everyone else is making jokes about the bash vulnerability, it would be weird if I didn't.

Stop Following Me, NSA

found on the meta picture

Hey, if there's targeted advertising, why not targeted CAPTCHAs?

Wednesday, September 24, 2014

Slouching Hacker, Skid And Braggin'

from here

If I had known how well the original Technologically Impaired Hacker gag would do I would have dedicated this whole week to the meme.

I Think Dog Food Costs More Than a New Gate

found on i can has cheezburger

Whether the owners realize it or not, a damaged metal fence is a terrific complement to a beware of dog sign. It provides an example of what someone who refuses to beware might be in for.

Tuesday, September 23, 2014

Ever Heard Of Changing Your Password?

from here (source image)

Thanks to Tero Koistinen for tweeting the original image. Clearly wear and tear can affect security long before it affects functionality.

PBS' NOVA Labs On Cyber Security

This video from PBS' NOVA Labs is a pretty good explanation of hackers and hacking. Turns out they did a few more as part of an educational series on cyber security. In fact, they've even made a game. Thanks to Chris Wysopal for bringing it to my attention.

Monday, September 22, 2014

Technologically Impaired Hacker

from here (source image)

I went back and forth over whether to call this a cracker or a hacker. I have to admit I feel a little dirty going with hacker, but crackers do seem to be a subset of hackers, and I think this will have wider appeal this way. I've got a few more of these up my sleeve, too.

What's The Secret Catword?

found on the chive

I bet a can opener could be used as a remote exploit to gain access.

Friday, September 19, 2014

Exploits Of A Technical Writer

from here and here

When I heard that Amazon had an XSS vulnerability involving such things as book titles, I knew I wanted to make a tribute to Randall Munroe's "Exploits Of A Mom". Little Bobby Tables has done so much to raise awareness of SQLi vulnerabilities, why shouldn't XSS get some attention too? Especially with Amazon dropping the ball and proving they belong to Generation XSS, then a few days later news of an XSS vulnerability in the DNS lookup site who.is, and now we find out even eBay has had an XSS vulnerability being actively used to steal user credentials for the better part of a year.

The question you need to ask yourself now is, are you a GenXSS'er as well?

Somewhere Out There Is A Very Confused And Armed Monkey

found on the meta picture

If you rely on something to keep you safe, it might be a good idea to double check it on a regular basis.

Thursday, September 18, 2014

Aaarrr... Where Be This NSA "Treasure Map"?

from here

What an appropriate name for this NSA program. It's almost as if they acknowledge that they're pirates of privacy.

The Perfect Bait

found on the meta picture

Kids are more discerning these days. They don't want candy, they want their iDevices to work.

Wednesday, September 17, 2014

At Least Apple Is Taking Steps To Improve

from here (source image)

Hard to believe PayPal has the gall to put a full page ad in the New York Times when they hand out your email address to everyone you have a transaction with (as if part of the reason we use PayPal isn't because we don't actually trust those people we have transactions with).

Thief Skills

found on the meta picture

Alternatively, the thief could just bring their own front wheel. Keep that in mind next time you lock your bike this way.

Tuesday, September 16, 2014

Probably Best To Not Tempt Fate

from here (source image)

I don't know if that threat of punishment is real or not, but I wouldn't want to find out.

Security Vs Convenience

found on the chive

One wonders why they even bother to lock the door. It's only going to keep out those who can't read.

Monday, September 15, 2014

If You Think Searching An Airplane Passenger AFTER...

If you think searching an airplane passenger AFTER they get to their destination is going to stop anything bad from happening, you might be a security idiot

(Inspiration)

The FBI Be Like...

found on memebase

Of all the jobs the FBI is expected to take on, doesn't chasing after people who leak nude celebrity photos seem a little trivial by comparison?

Friday, September 12, 2014

Oh Conficker, Why Can't We Quit You?

from here

I have a somewhat speculative relationship with the Conficker worm, so I'm not exactly pleased to hear from F-Secure that it's still doing so well.

The NSA Has All Your Selfies

tweeted by @LibertarianWing

Thanks to @LibertarianWing for this cartoon reminding us all that what some cyber-pervs did to a bunch of female celebrities, the NSA has been doing to all of us.

Thursday, September 11, 2014

What Could Possibly Go Wrong?

from here (source image)

"Never wear something on your wrist that's worth more than your arm" is an actual lesson my mother taught me as a child.

TSA Sharp Logic

found on the meta picture

Brought to you by the clear plastic baggie industrial complex. On the plus side, it'll help stop leaks from ruining your clothes.

Wednesday, September 10, 2014

Now You Can Have The Best Of Both Worlds

from here (source video and image)

I don't think Apple could have had a worse security SNAFU right before the unveiling of their mobile wallet than the breach of privacy of over one hundred of their most high profile customers. Will their mobile wallet be vulnerable? It's a computer that runs software, of course it'll be vulnerable, it's just a matter of how much effort people want to put into finding out how to exploit it; and since it's going to have money in it, it's worth a lot more now.

Why So Blasé?

tweeted by Rob Rosenberger

Thanks to Rob Rosenberger for tweeting this meme that raises an interesting question: Why aren't people losing their minds about the NSA the way they are about the iCloud leak? Maybe if the NSA were making everything they collect public it would elicit the same reaction.

Tuesday, September 9, 2014

For "Performance"

from here

Home users do it for computer performance, and enterprise admins do it for job performance (they don't have the resources to check firewall logs, never mind tending to the more advanced features in an AV suite).

And people wonder why AV always seems to do such a crummy job.

Teamwork Isn't Always a Good Thing

found on i can has cheezburger

Teamwork sucks when the team is your adversary. It can give them abilities that they wouldn't have individually.

Monday, September 8, 2014

The CAPTCHA Shall Make Him A Penitent Man

from here or here (source article)

Imagine that. The criminal mastermind behind the Silk Road done in by improper use of a CAPTCHA. Check out Brian Krebs' full article here.

You Can Leak It. We Can Help

tweeted by @SynAckPwn

Thanks to @SynAckPwn for tweeting (and apparently creating) this wonderful logo celebrating the fact that Home Depot has suffered a breach that affects virtually all of its stores across the entire US.

Now, I don't know about you, but this seems like the kind of thing that would look awesome on a shirt. I wonder if @SynAckPwn could be convinced to make that a reality.

Friday, September 5, 2014

Java GTFO (merchandise)

Java GTFO T-Shirts, Buttons, Stickers, Drinkware at Cafepress


For when you need to exorcise the evil spirit of java from a computer. The power of security compels you!

This is, of course, taken from a rage comic I made in response to a tweet from Lysa Myers a while back.

I don't know if CafePress or Zazzle will allow this design to stay in their stores, but we'll never know unless we try. If both stores ban the design I'll just include the actual images here for people to make their own items ad-hoc. I don't think either store prevents that. As always, the CafePress mark-up is 0% and the Zazzle mark-up is 5% (because it won't let me go any lower).

It's Easy To Remember But Not Hard To Guess

found on Dan Kaminsky's blog

"I am Groot" is really more of a passphrase than a password, but despite that it's still not very strong because it's basically the only thing he says. What else would you guess if you were trying to crack his password?

Thursday, September 4, 2014

If You Hate The NSA Shouldn't You Hate The Leaker Too?

from here

What's this? The same topic 4 days in a row? Well, this is the story that just keeps on giving, and apparently respecting the privacy of those celebrities is going to be good for your computer's health.

The Celebrity Nudes Hacker Gets Hacked

So now even Conan O'Brien has covered the hack-back concept. An eye for an eye may seem like a tantalizing option, but just keep in mind that in order to give a criminal a taste of their own medicine you kind of have to break the law and become a criminal yourself, and in the process you turn the bad guy into a victim which may make a jury sympathize with him more. I'd advise against it, frankly. It just creates too many problems.

Wednesday, September 3, 2014

Tuesday, September 2, 2014

What, Like An Actual Camera?

from here

Doing a little double duty here, offering a bit of advice and proposing a new catch phrase:

"The problem with smartphones is they're smart enough to betray you."

Hopefully people take them both to heart, but definitely the part about being more wary of smartphones.

The Lengths Some People Will Go To

found on the meta picture

Who says privacy is dead? Clearly it's still very important to some people. One wonders if maybe the ends could have been achieved a little easier, though - like perhaps simply swallowing the SIM card or something.

Monday, September 1, 2014

Pervs Everywhere Rejoice

from here

Here's what I learned from living in apartments with thin walls: When it comes to privacy, you get what you give. We can't expect others to respect our privacy if we don't respect the privacy of others.

We All Have A Right To A Secret Identity

tweeted by The Electronic Frontier Foundation

This is one of the more clever privacy fan-signs being held up by cosplayers at DragonCon in support of Project Secret Identity - an effort to raise awareness of how important privacy and anonymity are for free expression. They're still looking for people to participate, either online or in person at DragonCon. Check the site for details.