Wednesday, April 30, 2014

You Can Pick Your Nose But Don't Pick Those

from here

Seriously, a good password manager will not only store and enter passwords for you, it'll generate them too. Choosing them yourself is so obsolete.

It's On Port 80? That Should Be Fine

link to tweet

It's true that firewalls have simply forced people (good and bad) to tunnel over ports that are most likely to be open but, despite this, the addition of a firewall in later service packs of Windows XP made a huge improvement in security for that platform.

Tuesday, April 29, 2014

SSL Encryption Isn't Magical Security Dust

from here (background info)

SSL encryption isn't magical security dust that solves all security problems. It does a pretty good job of preventing legitimate visitor's data from getting leaked to malicious 3rd parties, but it does absolutely nothing to protect a website against a malicious visitor. Sears clearly needs a better way to handle website vulnerability reports.

Thanks to Louis Nadeau for tweeting about this, and Andrew Leeming for bringing it to my attention.

(Update 2016/08/13: According to Louis Nadeau, everything went much more smoothly after that initial mix-up, but wow what a mix-up)

Is this really an unpickable lock?


(Thanks to Squelchtone for tweeting this)

Is this lock unpickable? Possibly, but that doesn't mean what you might think it means. Lock picking is only one type of attack one can perform on a lock. It doesn't mean the lock can't be bypassed in some other way.

Maybe impressioning would work. Here's a video by Deviant Ollam showing a 6 year old performing an impressioning attack on a lock.

Monday, April 28, 2014

Keep An Eye Out For His Ill Communication

from here (source article)

Thanks to @SecurityHumor for the idea.

I Can Has All UR Money... Or A Job?



Trying to rob a bank with a note written on your job application has LOLThreat written all over it.

Friday, April 25, 2014

Bathroom Insecurity: You're Dealing With It Wrong

from here (source image)

You need to understand the problem before you can select the right tools for the job.

The Trojans Are Not Falling For It Again

found on the meta picture

I wonder if the old man's name was Odysseus.

Thursday, April 24, 2014

Too Bad I Can't Operate My Mouth Securely

from here

OpSec (aka operational security - basically behaving or using technology in a secure manner) and SecOps (aka security operations - basically performing duties related to providing security) are not the same thing. Not even close.

Keep private things private, no matter what…

found on the meta picture

The only way anyone has privacy is if people respect that privacy. If you don't respect the privacy of others then how can you expect others to respect yours?

Wednesday, April 23, 2014

Maybe You Should Stop Playing Games

from here

Here's a sentiment that really needs to go die in a fire. Security isn't something you win or lose at, don't treat it like it's a game. Cybercrime is CRIME. Nobody talks about regular criminals "winning", and it's not because criminals aren't getting away with stuff (they certainly are), but rather because that's a ridiculously simplistic way of looking at the world.

Defenses will always have weaknesses. There will always be victims. Stop putting all your eggs in the prevention basket and start learning how to recover from failure. Being able to recover from failure is the only way anyone succeeds.

Flappy Bird On A Point Of Sale Terminal



Can you think of any GOOD reason why playing some arbitrary game on a point of sale terminal should even be possible? Why does the device have that capability? It may be cheaper to build out of mass produced computer equipment capable of doing anything than specially built electronics that can only do limited things, but if cost is the reason then we're basically just whoring out the security of our data for the price of those cost savings.

(Thanks to Mikko Hypponen for bringing this video to my attention)

Tuesday, April 22, 2014

Come At Me, Terrorists

from here (source image)

Go ahead, try some funny business on her airplane. I dare you.

Security is at an All-Time High

found on fail blog

For those times when you want to demonstrate the futility of only blocking what you know is bad.

(Thanks to Paul Ferguson for bringing this picture to my attention)

Monday, April 21, 2014

You Better Watch Out, Santa

from here (source image)

"Do you know who I am?"

I have no idea why famous people bother saying that - it shouldn't matter who you are or who you think you are, the law is supposed to apply to everyone.

(Thanks to Paul Ferguson for bringing my attention to the original picture)

Finally Someone Who Refuses To Be Terrorized

found on the art of trolling

We really need more people like this mailman, instead of the people who who think every unusual LED display or out of place deodorant can is actually a bomb.

Friday, April 18, 2014

That's What The MAN SED MORE Or LESS

from here

If you know what cron is then you might actually be that old sys admin.

Minimum Security Redefined

found on imgur

Apparently this is supposed to be the smallest lock in the world. I doubt this can actually be used to protect anything. Does it really qualify as a lock if it can't actually prevent someone from gaining access?

Thursday, April 17, 2014

You Still Use WEP? #ReactionWoof

from here (source image)

Explanoit proposed all the details necessary for a new advice animal macro. He wants people to tweet this dog reacting to amazingly stupid technology situations/ideas and tag them with the hashtag #ReactionWoof. I figured I'd take that final step and actually put the caption on the picture like you'd expect to see with a meme.

Host Unknown presents: I'm a C I Double S P (CISSP Parody)



This video about Certified Information Systems Security Professionals has been doing the rounds on twitter lately. I wish I knew what it was supposed to be a parody of.

Wednesday, April 16, 2014

Yo Dawg, I Heard You Like Protection..

from here (source image)

This is how much sense it makes to use multiple layers of the same defense for defense in depth.

Every Little Kid’s Dream

found on the meta picture

It may sometimes seem like "security" prevents us from doing the things we want, but that's not true. What's actually impeding us is someone else's interests taking precedence over our own. "Security" is just the mechanism by which that is being carried out.

Tuesday, April 15, 2014

Curiosity Killed The Cat

from here (source image)

Remind me again why malware samples should be available to anyone who wants to look at them?

(No, I'm not saying malware is as bad as guns. I'm saying stop underestimating human stupidity. The gun merely highlights that stupidity.)

Can't Argue With That Logic

found on the chive

There's actually a school of thought that suggests malware lures are ridiculously bad on purpose. The theory says that the people smart enough to realize what it is will figure they don't have to bother doing anything about it because it's so obvious that no one will fall for it - but of course some people still do.

Monday, April 14, 2014

Security Burnout And Other Whining

from here

People are part of the system. That means they are sometimes part of the problem. Quit your belly aching and start working on solutions that acknowledge that fact.

(Inspiration)

And the Heartbleed jokes keep coming...

tweeted by Graham Cluley

Thanks to Graham Cluley for tweeting this joke. Also, we now know for certain that private keys do get leaked, so if you're patching systems against this bug you're probably going to want to replace your certificate too.

Friday, April 11, 2014

Hard To Believe The Security Of So Many Rests On The Shoulders Of So Few

from here

Perhaps if OpenSSL had enough financial resources to support more than a measly 4 core developers (only 1 of whom is full time) problems like the Heartbleed bug could be avoided.

Fake Taylor Swift On Heartbleed

tweet link

Thanks to whoever runs that fake Taylor Swift account for making this joke. There is some concern that Heartbleed leaks private keys, necessitating the replacement of SSL certificates, hence the joke.

Thursday, April 10, 2014

Narrow Fences

from here (source image)


Some preventative measures are wholly inadequate for their intended purpose and should probably be put out of their misery.

Booth Babes? No Thank You

tweeted by Mike Rothman

Thanks to Mike Rothman for tweeting his and every other security person i've ever met's opinion of using booth babes at security conferences. I wonder when we're going to stop focusing on the babes and start holding the booth pimps accountable, though.

Wednesday, April 9, 2014

Time To Change All The Passwords

from here

It may seem alarmist to suggest changing all passwords, but since vulnerable webservers could have their entire memory contents dumped remotely, and since we have no idea which sites were vulnerable over the 2 years this bug has existed, the safest course of action is to assume all passwords are compromised. At the very least you should be changing passwords for the sites that are known to have been vulnerable when the news broke.

As this article points out, though, you shouldn't bother changing the password for a site while that site is still vulnerable (and if it is still vulnerable, you should probably not use it until it's fixed). When the dust has finally settled, though, your passwords should definitely all be changed.


Gary Warner: Why Do We Call It Cyber CRIME?



Everyone chipping in and doing their part is certainly something to think about. It might be the only way to get cyber crime to be treated like actual crime.

Tuesday, April 8, 2014

Windows: Finally Secure After All These Years

from here (source image)

You can make things arbitrarily secure, but you're likely to make them useless in the process.

(Happy Windows XP End-Of-Life, by the way)

So Long XP

tweeted by Ben Ten (really?)

Today's the day Microsoft stops supporting Windows XP. It's end-of-life for an old friend, but not death. In all likelihood it will continue as the undead for quite some time.

Monday, April 7, 2014

There is no cloud, just other people's computers



Like Graham Cluley, I think people could benefit from dropping the abstraction that "cloud computing" represents - at least as far as security goes. Once you start thinking of cloud storage and other online services as existing on other people's computers, the security implications become much more obvious.

(And yes, that is a spoof of the "There is no spoon" scene from The Matrix)
There is no cloud, just other people's computers 
Hopefully this catches on.

Well Isn't That Thoughtful

tweeted by Yesid Gonzalez

I'm sure there are no ulterior motives there. No, none at all.

Friday, April 4, 2014

The Most Non-XBOX Developer In The World

from here

I just shook my head when I read about a 5 year old bypassing XBOX's security.

A Community I Would Like To Live In

found on the meta picture

A community protected by Batman seems like it would be a pretty safe place, unless you're a criminal.

Thursday, April 3, 2014

Maybe it's just geared towards average users

link to tweet

I'm sure AVG is actually quite good at what it does, but any student or Excel jockey to talk about AVG and they're going to think you're referring to a function for calculating averages.

Throwing Your Neighbors Under The Bus

found on the zooom

This is apparently a real product you can buy. Ironically, this door mat is so clever, someone might decide to steal it.

Wednesday, April 2, 2014

Treading Lightly

from here (source image)

It's amazing how even something as massive as an elephant can tread lightly enough to get over this fence without damaging it. Even in the animal kingdom, adversaries benefit from having intelligence.

He Couldn’t Bare To Be Bullied

found on the meta picture

It doesn't matter how big you are, if you don't know how to defend yourself even the smallest threat can be dangerous.

Tuesday, April 1, 2014

Surveillance is a dirty business

from here (source image)

If NSA stood for Neighborhood Shit Avengers, this would be their sign.

I Can Has Time Out?

tweeted by Peter Durfee

Thanks to Peter Durfee for tweeting this newspaper clipping. For the full story, see this article in the Houston Chronicle.