Wednesday, October 18, 2017

Tuesday, October 17, 2017

We don't need no stinkin' WiFi

from here (source image)

The main problem with forgoing wireless in favour of wired networking (because perhaps you don't trust wireless anymore) is mobile computing. There are solutions, sort of, but not good ones.

VPNs would probably be better than longer cables.

(The captions are derived from "We don't need no stinkin' badges" and "You're gonna need a bigger boat", because I can help by mix my memetic metaphors)

At least the threat was silent

found on Quick Meme

I'm not sure which is funnier; how true this is or the fact that there seems to be a meme category called "Scumbag Norton Antivirus"

Monday, October 16, 2017

Wireless is too mainstream

from here

I don't know the details at the time of writing this (because they haven't been released yet) but since I make it a point to avoid wifi I have a feeling I'm going to be safe from this.

A passcode - don't leave your phone without it

found on the ExpressVPN blog

So this particular meme comes from a blog post with 30 other security memes you should probably check out.

Friday, October 13, 2017

Everyone is their parents' tech support

from here

It doesn't matter how successful you are, you could be the CEO of your own tech company, but when it comes to your parents, you are the first line help desk and they want their computers fixed.

Maybe you should just get an iPad instead

found on Meme Center

They used to advise people to get Apple computers in order to get a computer without having to worry about viruses. Some people still do give and/or follow that advice, but the Mac wasn't virus proof and as time has gone on it has become a bigger and bigger target. I think it's only a matter of time before the dominant advice shifts to "Get an iPad" because it's even more virus-resistant and it can do pretty much anything the average person would use a computer for these days.

Of course, with a large enough market share, the iPad will eventually succumb to the perils of malware as well. It may look different than the malware problem we're familiar with now, but one way or another if the money is there then the attackers will try to find ways to take it.

Thursday, October 12, 2017

At least remembering it shouldn't be a problem

from here

People find all kinds of ways of getting around the complexity requirements in password policies.

I ... may have known a guy in university who used this technique.

The most unfortunate truth in the security world

found on the Archer Security Group website

The fact is that we're faced with situations that involve security fairly often, but most people don't think about security nearly as often, which means they're taking actions with security implications without thinking about what they're doing. You can't expect that to turn out well in the long run.

Wednesday, October 11, 2017

Are you trying to fix a problem or cause one?

from here

I remember dealing with this sort of thing in the past and I wondered what kind of headaches this caused normal people who don't have sacrificial computers specifically prepared for exposure to malware.

Say "Jeez"

found on the Security Checks Matter blog

Taking a picture of personnel doing classified work? What could possibly go wrong?

Tuesday, October 10, 2017

Then I turned my computer off and on again and the Internet came back

from here

Whenever any loudmouthed child challenges you to give them your IP address, always give them that one and then have a hearty chuckle at the ensuing silence.

The More You Know

found on Imgflip

Did you ever think that "firewall" was kind of a weird term and wondered where it came from? Well, this seems like a pretty good explanation.

Monday, October 9, 2017

And I'd have done a better job of it, too

from here

I'm not against computers. I think computers are great. I even like the idea of having computers conveniently available where ever you go. Putting computers in everything under the sun is a bit much, though.

Making things hard for the TSA

found on Endless Origami

I've never heard of this webcomic before, but I love the name, and the comics are pretty good too.

Friday, October 6, 2017

I can't see the difference, can you see the difference?

from here

Self-replication is literally the defining characteristic of viruses. You'd think an authority on computer security like Rob Graham would know such a basic fact about such an old and widely recognized security topic.

Why didn't I think of that?

found on Quick Meme

Thursday, October 5, 2017

I can quit whenever I want

from here

I'd prefer to live LESS dangerously

found on the Black Hills InfoSec blog

I remember when macro viruses were running rampant. Let's not have a repeat of that, m'kay?

Wednesday, October 4, 2017

Change ALL the passwords

from here

No, literally, ALL Yahoo passwords need to be changed. If you had an account with them in 2013, your account was compromised because ALL 3 billion Yahoo accounts were compromised then.

Putting the pass in password

found on Imgflip

As nonsensical as some password policies are, being able to create a usable password that satisfies those requirements on the first try can sometimes seem like a small miracle.

Tuesday, October 3, 2017

They couldn't possibly interfere with each other

from here

Just so you don't rush out and do what the image says, this is BAD advice mallard. Multiple AVs will interfere with each other, sometimes invisibly. You don't want that.

In dystopian future, robot messes are cleaned up by you

tweeted by @Munin

Thanks to @Munin for both the joke and for giving me leave to pass the joke along in spite of his Twitter privacy settings.

Monday, October 2, 2017

There is no "Get Out Of Blame Free" card

from here

Over and over again we see examples of breached organizations claim that it was the work of state-sponsored attackers, seemingly as a way of deflecting blame in spite of the horrendously bad security practices that are almost always uncovered. This needs to stop. I realize that anyone can be breached, and that if your targeted by state-sponsored attackers there's probably nothing you can do - but that doesn't give you a licence to do nothing. As the title of this post says, there's no "Get Out Of Blame Free" card - you've got to work hard for your absolution.

Why haven't we grown out of this yet?

found on Memes Happen

I witnessed this very thing at work last week. I pointed out that it was a cliche, but I don't think that was appreciated. This pattern has been going on for decades, though. In fact, this is how I developed an interest in viruses nearly 30 years ago.

Friday, September 29, 2017

Never heard of Shannon or her friend Maxim

from here
You can go on Google and find memes about spam, botnets, viruses, and ransomware, but when it comes to memes about Kerckhoff's Principle/Shannon's Maxim I'm pretty sure you're going to be coming here.

That's my personal work computer

found on Imgur

It never ceases to amaze me what people think they are entitled to do with company-owned hardware. Check out the Imgur link for this security tale, because it's got more details and other stories too.

Thursday, September 28, 2017

Don't call me, I'll call you

from here

I do wonder if I gave the guy who called me a fair chance, but he made an unsolicited phone call to ask permission to send me email because he didn't want to send unsolicited email. Really, phone-guy?

He then pretended to know what my email address was. I don't know who thinks this stuff up but it's bananas. Presenting me with the wrong email address makes it clear to me that you didn't get my contact info from anyone who knows me and also that you are hoping that you either guessed right or that I'll follow the natural human inclination to correct someone when they're wrong. That's not gonna happen. Too many red flags. I'm not giving you my real email address or even the format we use for corporate email addresses at work. I don't want to click on whatever it is you were planning to send me. I don't want to take the chance that you're trying to penetrate our organization through either malware or social engineering.

Can you patch a plot hole?

posted to Instagram by James Lewis

Well that seems like a pretty glaring plot hole, although the show may have started around the time when the Silk Road was taken down by the authorities, so trust in the darknet may not have been high.

Wednesday, September 27, 2017

What are your GPS coordinates today?

from here

You don't necessarily need to have good OpSec in order to get on the 10 most wanted list, but you do need good OpSec to stay there. Just ask the guy who gave away his location with an Instagram post.

Them's the rules

found on Navy Memes

You'd think a weapon like that would at least need to be stored down in the hold in a secure container

Tuesday, September 26, 2017

On ALL of the computers that you maintain

from here

Before you tell me how you already run AV free on your own computer, take note of the title of the post. Do you have a computer at work? Do you have parents and/or children with computers? Right, go ahead and remove it from those too.

Bad Luck Marcus

found on Reddit

I didn't make this (believe it or not I'm quite a bit better at digital image manipulation than this) but when I stumbled across it while searching for memes I knew I just had to share it. Credit goes (I think) to Reddit user 98cwitr.

If you were going to choose a meme to modify in order to represent the absurd tribulations of Marcus Hutchins, then Bad Luck Brian seems like a perfect fit.

Monday, September 25, 2017

Do you want to play a game?

from here

Never underestimate the unusual ways that people view security concepts. Each person sees the world the the lens of their own unique experiences. Sometimes that isn't helping them and you point them down the correct path, but sometimes you might be the one with the crazy ideas and they're trying to set you straight.

Is there anyone this doesn't apply to?

found on Memegenerator

I suspect if you examine people's practices closely enough you'd find that most people (even security people) violate the principle of least privilege at least some of the time, Heck, Microsoft even went so far as to nerf the administrator account because they gave up on the idea of people only using admin sparingly. Does UAC now mean that people don't have to worry about least privilege anymore?  Does it give us a licence to be lazy about security? I don't know, but I'm going to continue using a non-admin account for day-to-day computing, regardless of the presence of UAC on my machine.

Friday, September 22, 2017

Why admin isn't always admin

from here

You know how nowadays when you want to run something that requires administrator access you have to right-click and choose "Run as administrator" even though you're already logged in as a user who is a member of the Administrators group? Yeah, Microsoft had to literally change how administrative users work because people couldn't be trusted to follow the principle of least privilege.

Setting up 2 accounts (a non-admin one for everyday use and an admin one for actual administration) was apparently too complicated for most people so now it's just assumed that everyone is running as admin so to get the REAL administrative you have to "Run as administrator".

Inconvenient truth about the war on cryptography

found on Imgflip

Thursday, September 21, 2017

Security vendors in glass houses

from here (source image)

McAfee really shouldn't be throwing stones here, considering their own intelligence community ties. And you know what? With all the focus on the NSA in recent years, ties to American spies is probably going to carry more weight internationally than Americans might realize.

The song of my people

found on Imgur

Part of me wishes I had found the entire song parody that this meme alludes to, but another part of me is glad I didn't. We don't need to get into details about how things break when you apply patches (necessitating the practice of testing patches on a test system before rolling them out to production systems)

Wednesday, September 20, 2017

Of course pirates want to steal resources

from here

Although the site operators have tried to explain what their intentions were, the fact remains that The Pirate Bay ran miners on people's computers without their consent. The distance between this and distributing mining trojans is vanishingly small.

The secret purpose of The Great Firewall of China

found on Memecenter

On the other hand, perhaps instead of making them smarter, it's designed to help identify the smarter ones so that they can be conscripted into China's cyberwarfare unit.

Tuesday, September 19, 2017

Hope you didn't get taken to the cleaners

from here

If you are a user of CCleaner then you should know that it has had malware embedded in it recently and you probably ought to get the latest version that eliminates that particular problem.

Why not both?

found on Imgflip
There's nothing that says a streaming site won't show you a movie AND infect your computer. They aren't mutually exclusive and just because you saw the video doesn't mean your computer didn't pick up something nasty along the way.

Monday, September 18, 2017

What happens if they're already in the house

from here

A locked door only helps if the baddies are still on the outside, not on the inside with you.

Spying on yourself

found on Chuckles Network

Having spyware on your system would certainly make it an asset, but not in a 007 sort of way. More like a you've been owned sort of way.

Friday, September 15, 2017

For want of a patch our data was lost

from here

Keeping up to date is hard? When you've got that much data that's that sensitive you either keep it safe or you don't keep it at all. I don't care how hard it is, this isn't a valid excuse at this scale.

P is for privacy

found on Meme Generator

Thursday, September 14, 2017

I sense another governmental agency coming

from here

Maybe it's just me but I think if you take 14 months to clean up after a USB worm, maybe banning an antivirus vendor's products from being used in your agencies isn't such a good idea. Honestly, you need all the help you can get.

Perverse incentives for security updates

found on Quick Meme

There's a kernel of truth in this conspiracy theory. When Sun has figured out a way to monetize attempts to update their software (by nagging you and then pre-checking a checkbox to install a 3rd party toolbar) then there's something kind of suspicious about Java requiring a security update - the argument could be made that they have a financial incentive to leave a few vulnerabilities in the product in order to force users to go through the install process all over again and in at least some cases forget to uncheck the checkbox for that toolbar.

Wednesday, September 13, 2017

What happens when your face is your password

from here

Our faces are probably the part of the human body that we change the most often, whether it's with shaving or makeup or surgery or injury. Of all the biometrics one could use to unlock a device, it is perhaps the most problematic.