Friday, December 30, 2011

malware's progression

from here (image sources here, here, here, and here)

it seems to me that if printers are going to be susceptible to malware now then eventually everything we put technology into will be - including the crapper.

bouncer (of junk mail)

just a simple shirt design i thought might be fitting for those in infosec who fancy themselves tough guys/gals.

Thursday, December 29, 2011

yoda's password

some more merch from the secmeme store. this one was intended to look like a post-it note with a username and password on it. you know, the kind that gets stuck to monitors and other places. as such i didn't do any clothes with this one (though i suppose i could if people want me to) because people generally don't stick post-it notes to their clothes.

now there are at least 3 ways of looking at this. first, we generally do really judge passwords by their size, and that combined with the fact that there are upper and lower case letters with a number (S1ze has a 1 in it) and a symbol might make one believe that this is a pretty strong password (the password force is strong with yoda). password strength meters would certainly say that this is a good, strong password. however, because the password is composed of dictionary words, there's actually a lot less entropy here than you might realize. but the biggest and most obvious problem, of course, is that writing it down on a post-it that you stick to your monitor invalidates any security it might have.
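to make the entropy point concrete, here is an added example (not from the original post) that scores a constructed sample password two ways: the way a character-class strength meter does, and the way an attacker who knows people build passwords out of dictionary words with leet substitutions would. the sample password, the tiny wordlist, the assumed 20,000-word attacker dictionary and the assumed ten common separators are all assumptions made for the example.

```python
import math
import re

# Constructed sample password: an upper/lower/digit/symbol mix built from
# dictionary words, the pattern the post describes. Not the one in the image.
SAMPLE = "S1ze-Matters-Not!"

# Tiny constructed stand-in for an attacker's wordlist; WORDLIST_SIZE is the
# assumed size of the real list the attacker would use (an assumption).
WORDLIST = {"size", "matters", "not", "judge", "password", "yoda", "force", "strong"}
WORDLIST_SIZE = 20_000
COMMON_SEPARATORS = 10          # assumed: space - _ . , ! ? @ # / and friends
LEET = {"1": "i", "0": "o", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"}


def charset_size(s):
    """Size of the alphabet a naive meter assumes the attacker must search."""
    size = 0
    if re.search(r"[a-z]", s):
        size += 26
    if re.search(r"[A-Z]", s):
        size += 26
    if re.search(r"[0-9]", s):
        size += 10
    if re.search(r"[^A-Za-z0-9]", s):
        size += 33   # printable ASCII symbols
    return size


def bruteforce_bits(pw):
    """What a character-class strength meter reports: log2(charset ** length)."""
    if not pw:
        return 0.0
    return len(pw) * math.log2(charset_size(pw))


def _word_bits(token, full_charset):
    """Cost of one word-like token under a dictionary attack with leet/case mangling."""
    normalized = "".join(LEET.get(c, c) for c in token).lower()
    if normalized in WORDLIST:
        bits = math.log2(WORDLIST_SIZE)                # which word
        bits += 1                                      # capitalised or not
        bits += sum(1 for c in token if c in LEET)     # each leet substitution: applied or not
        return bits
    # Not a dictionary word: the attacker has to brute-force this token.
    return len(token) * math.log2(full_charset)


def dictionary_bits(pw):
    """Estimated guess-work when the attacker knows passwords are built from words."""
    if not pw:
        return 0.0
    full_charset = charset_size(pw)
    tokens = re.findall(r"[A-Za-z0-9@$]+|[^A-Za-z0-9@$]", pw)
    bits = 0.0
    for tok in tokens:
        if re.fullmatch(r"[A-Za-z0-9@$]+", tok):
            bits += _word_bits(tok, full_charset)
        else:
            bits += math.log2(COMMON_SEPARATORS)       # which separator
    return bits


def effective_bits(pw):
    """A password is only as strong as the cheapest attack against it."""
    return min(bruteforce_bits(pw), dictionary_bits(pw))


if __name__ == "__main__":
    for pw in (SAMPLE, "xQ7#pL2v"):
        print(f"{pw!r}: meter says {bruteforce_bits(pw):.1f} bits, "
              f"dictionary attack needs ~{dictionary_bits(pw):.1f} bits, "
              f"effective {effective_bits(pw):.1f} bits")
```

for the sample the meter credits roughly 112 bits, while the word-aware estimate is under 60, a gap of more than 50 bits: the attacker never searches the 95-character alphabet position by position, only the much smaller space of words, case patterns, leet swaps and separators. the numbers depend on the assumed dictionary size, but the shape of the result does not.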


from here (thanks to @mikko for bringing the incident to my attention)

you might question the authenticity of the image, you may argue it looks faked, that no one would be so foolish, but i grabbed this screenshot from the following video that i found on this swedish news site

according to the news site there are humourous acronyms beyond what you can easily make out in the picture(s)/video.

PWN3D (the 3 looks more like a backwards E to my eye)
URANOOB (the first i can't make out, even in the picture @mikko tweeted)

*update: thanks to @Rob_OEM for pointing me towards the following image of an equivalent eyechart

*update: just to clear up any confusion, as @mikko rightly points out, the original gaffe was made by a norwegian news channel. the site i linked to above is a swedish site that was simply reporting on the gaffe. and thus ends (i hope) one of the longest secmeme posts ever.

Wednesday, December 28, 2011

yes i can hear you

inspired by a loud talker on a bus, i figure there are a number of ways of getting the message across that "you shouldn't be doing that here!" - from apparel for you or your dog, to accessories, to even some stationary. whipping out a journal with this on the cover and starting to write things down would probably freak some people out. the items can be found here.

secmeme's got merch

never let it be said that i'm afraid to try new things. some time ago i started fiddling around with cafepress and i started to make some designs. first for shirts but then some other things too. what you see above is my first attempt. i put it on a bunch of clothes that you can check out and even buy here.

it occurs to me that shirts and other merchandise is actually a pretty good medium for catchphrase-type memes since it just takes one person to wear it and lots of people s/he encounter will be exposed to the phrase/meme.

there's no logo or anything pointing back to, mind you. i suppose i could have done something like that but i'm not trying to advertise the site.

furthermore, i've tried to make sure the mark-up is $0.00. that means i get no money from the sale of these items unless i missed something somewhere, and i might because $0 is not a default cafepress seems to endorse. i'm not looking to turn a profit (or even pay for the secmeme domain registration). what i want is for the items to be seen, and every extra penny someone has to pay is an extra reason not to buy and use the item and that's contrary to the whole exercise. no point in letting greed erect barriers to success.

Tuesday, December 27, 2011

anonymous denial

from here

the very idea that anonymous could know that someone claiming to be anonymous wasn't in fact anonymous implies a centralized structure to anonymous. someone somewhere would have to know who is part of the group in order to make claims about who isn't. since anonymous has claimed that's not the case for some years now, the person making this denial doesn't actually understand anonymous' structure as defined by anonymous.

then again, i suppose agnosis (no knowledge) and anonymous (no name) have a tendency to go hand in hand.

anonymous causality?

from here

better late than never. today i've been inspired by a rather bizarre claim by anonymous that they didn't crack stratfor

Monday, December 26, 2011

facebook membership award

from here

just in case you couldn't tell that the idea of facebook giving away 1.5 million dollars was a scam, they threw in a country that is, shall we say, renowned for a lack of authenticity.

leave virustotal alone

from here (image source)

i couldn't make up my mind whether to plead virustotal's case using Y U NO guy or chris crocker, so i did both.

Friday, December 23, 2011

grandma got indefinitely detained

i knew the moment i saw this guy that i've posted a TSA-related video with him before (here) but i just couldn't resist another one, especially with a christmas theme.

in case you're wondering why this might be topical, the devil's in the details. it's not just detainment, it's indefinite detainment. it's a reference to the NDAA bill whereby the "homeland" is supposedly classified as part of the battlefield and US citizens may be subject to indefinite military detainment without trial. at least that's the fear, and that kind of blatantly unchecked power would certainly put fear into me.

the TSA is the perfect foil to raise awareness about this with, since their particular brand of security theatre of the absurd is the one that's most familiar to average folks.

the war on icing

from here (story here)

i originally had some other posts lined up for the last day before christmas, but since christmas is such a big travel season and since some things that highlight airport authority run amok caught my eye, i thought i'd post those instead.

and as far as this story goes, i'd like to show them a "gel" (SNL-style). maybe even rub their noses in it a little.

Thursday, December 22, 2011

DDoS users, Y U NO...

from here

inspired by @briankrebs' question "why you no load,"

PayPal not EmailPal

from here (image source)

they may call themselves my 'pal', but they sure don't do me any favours when it comes to keeping my paypal email a secret. a secret, single-use email address can be very useful for foiling phishing attempts, and boy do paypal users need protection from phishing.

Wednesday, December 21, 2011

twist and shout

a little over a week ago i made a post about santa's list getting leaked. turns out one of the videos i used was made by an organization that is no stranger to security - in fact, that was just one of a number of security related videos they've made. here's another taste.

great to see other people being successful at using humour to help raise security awareness. they've got a better selection of videos on their vimeo page, but unfortunately i can't embed those - which is a shame, really, because the videos can definitely serve as good advertising for them.

where reading URLs as a security measure went to die

from here (image source)

one of the big challenges for mobile security is that mobile devices aren't big.

Tuesday, December 20, 2011

i hackd ur gps

from here (image source)

i don't know if authentication was part of the GPS design, but for applications like autonomous military navigation it really needed to be.

never bring a taser to a lightsaber fight

from here (story of ridiculous police tom-foolery here)

it's not like the lightsaber was real or anything. it's about the same league as an empty gift wrap tube, but apparently that's all it takes to foil high tech police ordnance. come to think of it, i wonder what foil would do.

Monday, December 19, 2011

at least someone gets it

found on failbook

this is probably not the kind of transparency facebook wants with their privacy initiative.

safety haz a flavr

from here (image source, logo source)

inspired by the tale of the department of homeland security snowcone machine that schneier posted about

Friday, December 16, 2011

biometric security

found on wikimedia commons

believe it or not, any security a system like this might have would come from that little uniformed guy in the lower corner making sure you aren't trying to fool the system. makes you wonder if all the R&D that goes into biometrics is worth it, doesn't it.

think before you click

from here (image source one, two, three, and do you really wanna know?)

not trying to say you need to be smart, only that you need to be thoughtful and take care in what you do.

Thursday, December 15, 2011

cyberwarfare: fantasy vs reality

from here (source for top image)

that's right, boys and girls. the practice of cyberwarfare is the creation and use of software. not nearly as sexy as the media makes it out to be, is it?

the ascent of passwords

from here (image source)

i am so tired of security experts telling people how to do passwords like a monkey.

Wednesday, December 14, 2011

GIMP Y U NO whitelist friendly

from here

try it yourself. run GIMP, where seemingly every function is encapsulated in its own separate executable, in a whitelist controlled environment and have fun clicking on whitelist prompts ad infinitum.

quick, call google's chris dibona

from here (image source)

i'm not going to say that chris dibona was uttering weasel-words and trying to twist the truth when he referenced a small part of the malware problem (viruses) to bolster his accusation that AV vendors who made android versions were charlatans; mainly because hanlon's razor suggests not ascribing to malice that which can be adequately explained by stupidity. but i will say i'm having a hard time believing he's actually that dumb, considering android malware is not a new phenomenon.

Tuesday, December 13, 2011

infosec naughty list

speaking of the naughty list, it seems someone's taken the effort to compile a list of bad actors in the infosec community
the infosec naughty list is actually quite a bit longer than what's pictured above, and it happens to include explanations of why people (or entire industries) are on the list.

and despite a previous remark i may have made about infosec and AV, i don't necessarily disagree with what the list has to say there, although the brush they're using might be a little too broad - those who don't sell snake oil and spread FUD generally don't get much attention so you've probably never heard of them.

the naughty list got leaked

so it seems that santa's list has been leaked this year

that's really unfortunate, but apparently something similar happened last year too

y'know, if santa's workshop isn't more careful the public is going to lose faith in santa. just look at what happened to sony after they were repeatedly breached. they.... oh, wait, right, they went back to business as usual. never mind then.

i wonder, though, considering the repeated failure to keep such highly sensitive, personal information secure, and also the increasing commercialization of the holiday season, will we be seeing calls to occupy the north pole before too long? i'm going to go out on a limb and suggest that probably wouldn't be such a good idea.
 (image source)

Monday, December 12, 2011


i found this meme in someone else's collection this time. meme collection, that is, not the other thing.

i don't always ignore infosec professionals...

from here

there's only so much "AV marketing lied to me! there needs to be something that does what they promised!" that i can take before i tune that nonsense out.

Friday, December 9, 2011

nothing says stealthy data extrusion like...

from here (source image found here)

i dunno, maybe i could have also made a joke about the insider threat here (since it clearly goes inside him)

a pen-tester's story

thanks to @mikko and @candolin2 for tweeting this

wonderfully told story, and i have to admit i might well have taken the same opportunity had i been in his place

Thursday, December 8, 2011

infosec restrooms

from here (thanks to dave marcus for posting the photo)

malware on 2 out of 3 lost USB drives?

from here

the folks at sophos have the details, but that statistic alone should be enough to warn you away from picking up errant USB drives. leave it be, you don't know where it's been.

Wednesday, December 7, 2011

another damn 0day breach enabler

it's that time again. there's another adobe exploit. another patch to apply. another reason to dump adobe entirely and use something else. think about it.

hey cnet, i fixed it for you

from here

because apparently the folks at cnet don't see a problem bundling crapware with the software you're downloading from yeah, what could possibly go wrong? (see brian krebs' write-up)

Tuesday, December 6, 2011

you shall not pass

from here

if your firewall isn't set up this way (denying all except the fewest trusted exceptions possible) then you might wanna change that.

con + dum: together at last

from here

inspired by a story of advertisers (and i use that term loosely) who decided it would be a good idea to send friend request spam posing as the unborn children of their target audience in order to advertise condoms. the mashable story is also where the source image for this picture comes from.

Monday, December 5, 2011

he sees you when you're doing what now?

this is actual merchandise from someone's zazzle store that i found with google

i never really realized but this whole "he sees you when you're sleeping, he knows when you're awake" business is actually really creepy from a privacy standpoint.

conficker: what do you see?

from here

apparently john bumgarner thinks conficker was the work of the stuxnet gang. others seem to think he's full of hot air. my suspicion is this is a case of the human brain seeing patterns even when none are there.

Friday, December 2, 2011

i can haz over reakshun?

from here (ridiculous story with video)

honestly, there are legitimate corrective measures that address threats to people's safety and security, and then there's batshit crazy overkill. increasingly, cops seem to be taking the overkill route. lucky thing the kid didn't get tased or pepper sprayed.

what's it like to be a money mule?

what's it like to be a money mule? i imagine the added fiber makes them quite regular, but the inevitable paper cuts must be awful.

see also: filthy lucre.

(inspiration - thanks for putting that question in my head, dancho)

Thursday, December 1, 2011

anti-virus: if you need it there...

from here (image found on esarcasm)

sometimes security controls work via the concept of deterrence. i'm sure she's a great gal, but that symbol in that location would definitely give me pause.

(and starting off december with two panty posts is certain to put me on the wrong one of santa's lists)

password protected panties

from here (image found on esarcasm)

i'm fairly certain this security will yield quite easily to brute force or even side channel attacks. an insider attack (where you have an accomplice on the inside willing to help you) would still be the ideal, however.

Wednesday, November 30, 2011

"Brave": i don't think it means what you think it means

from here (story in the national post)

i'm torn. either they've been so successful at eliminating risks that soccer balls are now a reasonable priority, or they've completely lost touch with reality. i suspect the latter. surely there must be more important threats to safety than rudimentary toys.

this area is being watched

found on ugliest tattoos

i find myself wondering what kind of message a tattoo like that is supposed to be sending. security cameras are often used as deterrents in real life, but i think there would be easier preventative controls in this context.

Tuesday, November 29, 2011

ai had de advantij but ai losted it

from here (previously found on failbook)

isn't it about time that thieves learned that phones are often linked to their rightful owner's social networking account? then again, those gold teeth tell me this guy is definitely old school.

she's super spry

from failblog after 12

this is the kind of thing that happens when rules and policies are mindlessly enforced and inflexible. ID is intended to make sure someone who is too young can't buy alcohol. if a 92 year old woman can pass for someone who is too young then she ought to be able to sell whatever secret she has to looking that good and make a fortune and pay someone else to get her booze for her.

Monday, November 28, 2011

truth in security (true insecurity)

found on MthruF

sometimes there can be truth in a password. especially when your password describes you as a lazy piece of $#!+ and is written on a post-it stuck to your monitor.

tattoo bomber

found on ugliest tattoos

when it comes to bad ideas in an airport, tattooing a bomb to your abdomen has to rank pretty highly. airport security will not be amused.

Friday, November 25, 2011

to scan or not to scan, that is the question

found on the art of trolling

shock sites are actually the tame version of what someone with malicious intent could do with faked QR codes. they could send you to a site that automatically installs malware on your system too.

pepper spray all the things

from here

power corrupts, and absolute power corrupts absolutely. is unchecked power the same as absolute power? maybe not but it's pretty darn close.

Wednesday, November 23, 2011

not quite kicking ass

found on failblog

authority (the broad class of strategies whereby, instead of resisting attack, a group neutralizes the attacker) isn't something that just magically comes out working perfectly. competence needs to be developed, practice is required, and mistakes get made (especially early in the development). this goes for budding self-defense enthusiasts as well as standard law enforcement who, although they have plenty of experience with traditional crime, are still working on getting up to speed when it comes to cybercrime. as increasing reports of arrests show, they are getting there, but there's still a long road ahead and law enforcement is only one part of the equation (sometimes the laws have catching up to do too).

until that catching up happens, though, their efforts are going to be laughable at best.