Friday, March 30, 2012

the malware invasion game

if you've got a long enough memory you'll probably notice that i posted about this video last year. however, what i failed to realize at the time was that that was just the introductory sequence to a web-based video game made by panda called the malware invasion.

the game has 2 levels. the first involves intercepting various threats from various vectors before they get into your PC, but as the volume of incoming materials increase you'll probably find you rely more and more on the magic anti-virus button rather than being able to intercept the threats on your own.

the second level is more of a timed quiz where you're asked whether a variety of scenarios are safe or not - prompting you to think about when and how much you should trust during your day to day computer use.

at the end of the day/game, of course, they're still trying to move product. panda is a security vendor, that's what they do. that doesn't mean this little bit of edu-tainment can't still be an interesting and enlightening diversion, though.

on your knees!

from here

so, that email really happened. hard to imagine what that security company was thinking sending me unsolicited marketing material. harder still to imagine why they would address me as master. even if they had me in their database as "web master", shouldn't they have addressed it to "web"?

Thursday, March 29, 2012

i can haz bag ... ?

from here (story)

being prepared is important, both if you're doing bad things AND if you're trying to prevent bad things. if your adversary is as unprepared as this guy, you might find your preparations weren't really necessary, but better that then to not be prepared and have an adversary who is.

prepare for the worst and hope for the best.

"critical" infrastructure

from here (image source one and two)

power plants, water treatment plants, etc. seemed to work perfectly well without an internet connection. plugging them into an inherently unsecurable network really seems like a homer simpson sort of move.

Wednesday, March 28, 2012

duqu: too many dollars, not enough sense

from here

as sophisticated as duqu may be, and as fascinating as other people may find it, i still see one great big fail parade.

in soviet russia...

from here (the story)

doing bad things has consequences. you can't always predict what those consequences will be. but even so, WTF?

Tuesday, March 27, 2012

at least it requests permission

from fredo & pid'jin

so it turns out that comic from this morning that i found on one of the cheezburger sites was actually originally from a regular webcomic called fredo & pid'jin. pretty funny stuff, and some of the comics there even deal with security/privacy issues - like this one that pokes fun at devices that are being designed to share things that have no business being shared.

work with their strengths

found on comixed

all security tools have their individual strengths and weaknesses. it's important to work with those strengths and not try to make something do what it was never intended to do (even if the marketing says it was).

Monday, March 26, 2012

redefining system crash

from here (image source)

a term you sometimes here in security (and perhaps elsewhere) is "situational awareness". it refers to being aware of what's going on around you so that you can act appropriately as conditions change. if you're distracted by other things, your situational awareness is not going to be at it's best and you'll make bad decisions, so the person responsible for the above setup is either going to make a mess of their car or their computer or both.

good advice no matter the source

found on failbook

someone obviously has a good sense of irony, presenting good advice about avoiding a number of fraudulent facebook posts as still another type of fraudulent facebook post. it makes a certain amount of sense, too, because clearly these formulas work.

i'm waiting for abraham lincoln to tell us that when we're older we're going to look like this dad who walked in on his daughter and there will be 100,000 people viewing our facebook profiles and they're all like us except they don't have this free ipad we could get just by clicking...

Friday, March 23, 2012

lulzsec zombies

from here

because apparently neither retirement nor even arrest will keep this group down.

dude, where's my gun?

from here (source image)

a second take on this picture of a missing gun poster. what do you think, can you see ashton kutcher as a cop?

Thursday, March 22, 2012

serve & protect?

from here (source image)

obviously it's a bad thing if the cops can't keep their own guns in their possession - someone can get a gun illegitimately that way. but on the other hand, when you consider how badly police are behaving these days it might be better if they don't have their guns.


inspired by the revelation that facebook tracks you online even if you never sign up with their service. maybe tracebook is really just the next stage of facebook.

Wednesday, March 21, 2012

value found in strangest of places

from here (original story)

never assume you're safe just because you don't have anything a crook would want. the variety of things that people will try to steal never ceases to amaze. like these plastic weapons of foot contusion, for example.

passphrases: how secure are they?

from here

inspired by this tweet by @virusbtn suggesting that passphrases are very secure in theory. i question some of the basic assumptions of that theory when the best case scenario requires a 43+ character passphrase in order to rival a 10 character password (based on an entropy of 1.5 bits per character in english text versus an entropy of 6.555 bits per character of printable ascii).

Tuesday, March 20, 2012

password selection formulas

found on memebase

i can't decide which is worse: using "password" as your password, or using a password selection formula so simple that the next password is "password2".

i don't think people who give out password advice (like using password selection formulas) take these kinds of degenerate cases into account; which is a shame, because the info they're passing on definitely degenerates on it's trip into the user's head.

beware of stupid

from here (image source)

it's not unheard of for fake security to work as a deterrent, but only if you're smarter than your adversary. otherwise your bluffing will be as obvious as an electrified wooden fence.

Monday, March 19, 2012

stopping crime

from here (image source)

of course in reality you can't really stop all crime, but it doesn't seem unreasonable to expect cops to be able to at least stop this from happening.

Friday, March 16, 2012

facebook (on the onion)

this is, as you might imagine, satire. i gather it's from the onion news network. the thing about the onion is that it's satire is sometimes so close to reality that it's hard to distinguish the two. it's not that hard here, but this does elicit some interesting questions about the compatibility of facebook use and operational security.

social networking profiles

from here

if someone is caught compiling detailed profiles on people in order to better manipulate their purchasing decisions, not only are those profiles error prone but the entire practice is generally considered creepy and kind of evil (in a big brother sort of way).

but if they give people the opportunity to build those same sorts of profiles about themselves with the (rather empty) promise that it will help them connect with people then nobody seems to pay attention to how that profile data will be abused.

giving things (or services) away seem to stop people from considering you as a potential adversary. no wonder it figures so prominently in con artist scams.

Thursday, March 15, 2012

targeted ads are a strange game

from here

i really can't see how google can compete with facebook for the hearts and minds of advertisers without descending to facebook's level of evil (zuckerberg: "they 'trust me'. dumb fucks.").

hope is not a strategy

if you're just doing something willy-nilly and hoping for the best, you're in for a rude awakening because:
hope is not a strategy.
i don't recall where i first heard this but it goes along quite nicely with yesterday's post about prayer not being a defense. hope is a nice thing to have, but it doesn't actually get you what you need. it doesn't help you achieve any concrete goal.

Wednesday, March 14, 2012

prayer no defense against cyberattack

from here (original story)

if prayer was going to help anyone, you'd think it would help the vatican. but they've been hit twice now so clearly prayer and hope and faith just don't cut it when it comes to defending yourself online.

no doubt they weren't relying solely on prayer, of course. it would be stupid to do so. jesus saves souls, not websites.

stationary bike isn't going anywhere

from here (image source)

somehow i doubt that bike was going anywhere even before it got chained up. it's not like you can make a quick getaway on it.

Tuesday, March 13, 2012

the privacy bus has left the station

found on failblog

i've seen people crap on the bench in a bus shelter (thankfully, i didn't see it in progress), but i've never seen a toilet bowl in one.

are you the key master?

from here (image source)

if you try to mindlessly apply security you're bound to lock yourself out of something.

Monday, March 12, 2012

loose clicks sinks ships

from here

the idea that NATO officials are falling for fake facebook profiles is... alarming. too much focus on security operations and not enough on operational security leads to very bad outcomes.

defense in depth it ain't

found on failblog

i wonder what genius decided a second layer of fencing would overcome the weaknesses of the first layer. clearly, if someone can get past one fence, they can get past two.

Friday, March 9, 2012

R.I.P. chrome's perfect record

from here (image source one, two, three, and four)

just paying my respects to chrome. it had a pretty good record for a while, there, but all good things come to an end. no security is perfect.


from here (image source)

a reminder that there's more to physical security than just putting locks on doors.

Thursday, March 8, 2012

keeping people out fail

from here (source image)

a fence without a gate i can understand. a gate without a fence is a little dumber, but i've posted a few of those here so i kinda understand that too. but a fence in place of a gate-without-a-fence? what the.. i don't even...

if you're hoping the police won't try to verify...

if you're hoping the police won't try to verify your claim of being an FBI agent, then you might be a security idiot.


Wednesday, March 7, 2012

body scanners

from here (source image)

so apparently (or as you can probably tell by looking at the picture) metal weapons are the same colour as the background. without the contrast afforded by standing in front/behind the weapon, it becomes invisible. read more about this epic failure of the TSA here.

from lulzsec to lolthreat

from here (soure image one, two, and three)

S.A. Boo? yeah nice try, Sabu. it's pretty idiotic to try to pass yourself off to the police as an FBI agent when you're only an FBI informant. worse when you can't produce supporting identification. and then to use the name Boo? maybe there's some stockholm syndrome sort of deal going on with all the 'handling' he got, but thanks for the lulz. that move was rather ridiculous. who would have thought that the leader of lulzsec would wind up a lolthreat?

Tuesday, March 6, 2012

expert AV usage

from here (virus image source)

let's wish all these security experts who don't use AV some luck. they're going to need it.

flip flopping on security

found on There I Fixed It

it may seem sometimes like you ought to protect all the things but it's OK to recognize that some things just aren't worth the effort.

and even if these were, i doubt anyone would want to steal just one of them.

Monday, March 5, 2012

security with a twist

found on failblog

i'm going to go out on a limb here and suggest that normally you'd use something more substantial than a drinking straw tied in a knot to keep things secure.

did you know?

did you know that locking your luggage wasn't really worth a hill of beans as far as security is concerned? well, now you do. makes you wonder why you bother buying those little luggage locks in the first place, doesn't it?

Friday, March 2, 2012

how a paper tiger marks it's territory

found on failblog

law enforcement isn't much use if it's toothless. authority has to be backed up with the power to actually do something lest it be considered a paper tiger.


found on failblog

zuckerberg wants to allow younger kids on facebook in the name of education. is this the kind of education he wants them to have? CAPTCHAs that probably should have PG13 ratings?

Thursday, March 1, 2012

privacy: i duzn't haz it

from here (image source)

on the plus side, i'm sure this makes sharing toilet paper easier.

i used to be a happy clicker like you...

from here (image source)

in case you've managed to make it to 2012 without figuring this out yet, clicking on anything and everything is not such a good idea. there's bad stuff out there. exercise caution when you use a computer.