Friday, September 29, 2017

Never heard of Shannon or her friend Maxim

from here
You can go on Google and find memes about spam, botnets, viruses, and ransomware, but when it comes to memes about Kerckhoff's Principle/Shannon's Maxim I'm pretty sure you're going to be coming here.

That's my personal work computer

found on Imgur

It never ceases to amaze me what people think they are entitled to do with company-owned hardware. Check out the Imgur link for this security tale, because it's got more details and other stories too.

Thursday, September 28, 2017

Don't call me, I'll call you

from here

I do wonder if I gave the guy who called me a fair chance, but he made an unsolicited phone call to ask permission to send me email because he didn't want to send unsolicited email. Really, phone-guy?

He then pretended to know what my email address was. I don't know who thinks this stuff up but it's bananas. Presenting me with the wrong email address makes it clear to me that you didn't get my contact info from anyone who knows me and also that you are hoping that you either guessed right or that I'll follow the natural human inclination to correct someone when they're wrong. That's not gonna happen. Too many red flags. I'm not giving you my real email address or even the format we use for corporate email addresses at work. I don't want to click on whatever it is you were planning to send me. I don't want to take the chance that you're trying to penetrate our organization through either malware or social engineering.

Can you patch a plot hole?

posted to Instagram by James Lewis

Well that seems like a pretty glaring plot hole, although the show may have started around the time when the Silk Road was taken down by the authorities, so trust in the darknet may not have been high.

Wednesday, September 27, 2017

What are your GPS coordinates today?

from here

You don't necessarily need to have good OpSec in order to get on the 10 most wanted list, but you do need good OpSec to stay there. Just ask the guy who gave away his location with an Instagram post.

Them's the rules

found on Navy Memes

You'd think a weapon like that would at least need to be stored down in the hold in a secure container

Tuesday, September 26, 2017

On ALL of the computers that you maintain

from here

Before you tell me how you already run AV free on your own computer, take note of the title of the post. Do you have a computer at work? Do you have parents and/or children with computers? Right, go ahead and remove it from those too.

Bad Luck Marcus

found on Reddit

I didn't make this (believe it or not I'm quite a bit better at digital image manipulation than this) but when I stumbled across it while searching for memes I knew I just had to share it. Credit goes (I think) to Reddit user 98cwitr.

If you were going to choose a meme to modify in order to represent the absurd tribulations of Marcus Hutchins, then Bad Luck Brian seems like a perfect fit.

Monday, September 25, 2017

Do you want to play a game?

from here

Never underestimate the unusual ways that people view security concepts. Each person sees the world the the lens of their own unique experiences. Sometimes that isn't helping them and you point them down the correct path, but sometimes you might be the one with the crazy ideas and they're trying to set you straight.

Is there anyone this doesn't apply to?

found on Memegenerator

I suspect if you examine people's practices closely enough you'd find that most people (even security people) violate the principle of least privilege at least some of the time, Heck, Microsoft even went so far as to nerf the administrator account because they gave up on the idea of people only using admin sparingly. Does UAC now mean that people don't have to worry about least privilege anymore?  Does it give us a licence to be lazy about security? I don't know, but I'm going to continue using a non-admin account for day-to-day computing, regardless of the presence of UAC on my machine.

Friday, September 22, 2017

Why admin isn't always admin

from here

You know how nowadays when you want to run something that requires administrator access you have to right-click and choose "Run as administrator" even though you're already logged in as a user who is a member of the Administrators group? Yeah, Microsoft had to literally change how administrative users work because people couldn't be trusted to follow the principle of least privilege.

Setting up 2 accounts (a non-admin one for everyday use and an admin one for actual administration) was apparently too complicated for most people so now it's just assumed that everyone is running as admin so to get the REAL administrative you have to "Run as administrator".

Inconvenient truth about the war on cryptography

found on Imgflip


Thursday, September 21, 2017

Security vendors in glass houses

from here (source image)

McAfee really shouldn't be throwing stones here, considering their own intelligence community ties. And you know what? With all the focus on the NSA in recent years, ties to American spies is probably going to carry more weight internationally than Americans might realize.

The song of my people

found on Imgur

Part of me wishes I had found the entire song parody that this meme alludes to, but another part of me is glad I didn't. We don't need to get into details about how things break when you apply patches (necessitating the practice of testing patches on a test system before rolling them out to production systems)

Wednesday, September 20, 2017

Of course pirates want to steal resources

from here

Although the site operators have tried to explain what their intentions were, the fact remains that The Pirate Bay ran miners on people's computers without their consent. The distance between this and distributing mining trojans is vanishingly small.

The secret purpose of The Great Firewall of China

found on Memecenter

On the other hand, perhaps instead of making them smarter, it's designed to help identify the smarter ones so that they can be conscripted into China's cyberwarfare unit.

Tuesday, September 19, 2017

Hope you didn't get taken to the cleaners

from here

If you are a user of CCleaner then you should know that it has had malware embedded in it recently and you probably ought to get the latest version that eliminates that particular problem.

Why not both?

found on Imgflip
There's nothing that says a streaming site won't show you a movie AND infect your computer. They aren't mutually exclusive and just because you saw the video doesn't mean your computer didn't pick up something nasty along the way.

Monday, September 18, 2017

What happens if they're already in the house

from here

A locked door only helps if the baddies are still on the outside, not on the inside with you.

Spying on yourself

found on Chuckles Network

Having spyware on your system would certainly make it an asset, but not in a 007 sort of way. More like a you've been owned sort of way.

Friday, September 15, 2017

For want of a patch our data was lost

from here

Keeping up to date is hard? When you've got that much data that's that sensitive you either keep it safe or you don't keep it at all. I don't care how hard it is, this isn't a valid excuse at this scale.

P is for privacy

found on Meme Generator


Thursday, September 14, 2017

I sense another governmental agency coming

from here

Maybe it's just me but I think if you take 14 months to clean up after a USB worm, maybe banning an antivirus vendor's products from being used in your agencies isn't such a good idea. Honestly, you need all the help you can get.

Perverse incentives for security updates

found on Quick Meme

There's a kernel of truth in this conspiracy theory. When Sun has figured out a way to monetize attempts to update their software (by nagging you and then pre-checking a checkbox to install a 3rd party toolbar) then there's something kind of suspicious about Java requiring a security update - the argument could be made that they have a financial incentive to leave a few vulnerabilities in the product in order to force users to go through the install process all over again and in at least some cases forget to uncheck the checkbox for that toolbar.

Wednesday, September 13, 2017

What happens when your face is your password

from here

Our faces are probably the part of the human body that we change the most often, whether it's with shaving or makeup or surgery or injury. Of all the biometrics one could use to unlock a device, it is perhaps the most problematic.

That's one way to disinfect your computer

found on Chuckles Network

On the one hand, this may very well eliminate biological viruses so the statement could actually be true. On the other hand I now want there to be a malware removal tool called Lysol to take advantage of this kind of misunderstanding.

Tuesday, September 12, 2017

Not the kind of 'friendly' skies you want to fly

from here

Maybe we could fly the professional skies in stead? Or better yet, how about the polite skies? That sounds good to me.

Fraud or not

posted to the Boing Boing forum by forceblink

The complicated problem of figuring out whether something like this is a scam or not is the fact that Equifax seems to have behaved in some decidedly scammy ways in the past. There needs to be a way to protect yourself without giving up the very same sorts of data that was compromised in the first place, and Equifax needs to stop trying to screw victims over.

Monday, September 11, 2017

Identity Theft 'Protection'

from here

I can't imagine how consumers are supposed to trust Equifax now that they've been breached and over 100 million records were exposed. It's a good thing for Equifax that they don't need consumers to trust them, they just need other businesses who get breached to give them their own customers' details in order to offer those customers free credit monitoring in response to their own breach.

Ultimately, though, it is the fate of all large databases of valuable information to eventually be breached. We need to rethink what information we compile and hold on to for the long term.

I'd wait too, wouldn't you?

found on Imgur bur originally from Carbon Based Slice

They say patience is a virtue, but I guess it's also a part of good OpSec by helping you avoid entering secrets into computers you don't (and probably shouldn't) trust.

Of course 2 factor authentication could help in this scenario, but many 2 factor authentication schemes these days use the phone, so....

Friday, September 8, 2017

Crooks don't want to work harder than they have to

from here

If you're looking for money then you rob banks because that's where the money is. If you're looking for personal info then you rob Equifax because increasingly that's where the personal info is.

There's actually a couple of reasons why breaching Equifax may have been easier than compiling the data

  1. Equifax may not have done a good job of protecting the data (we don't know yet)
  2. The more breaches there are the more work is required to collect the data from all the various sources

No master keys allowed

found on Imgur

A password that a lot of people use is a password that will get you into a lot of accounts without much effort. Eliminating this is a good thing.

The weird thing is that it would have been harder to do this without all the password breaches because they're what tell us what the commonly used passwords are.

Thursday, September 7, 2017

Now we know why they're so virus prone

from here

Computers running Microsoft operating systems (be they Windows or DOS) were not the only ones to get viruses, but viruses certainly were more prolific on them than any other kind of system. I wonder why that might be.

Jack Vale: Scamming the elderly online


Watch on YouTube

Wow. I knew scammers were greedy, underhanded assholes, but if this is real then that characterization is an understatement. Scamming the elderly is one thing, but trying to take them for virtually everything they have? Despicable.

Wednesday, September 6, 2017

Do you practice safe hex?

from here

There is a school of thought that says a certain kind of browsing is responsible for a great deal of the nastiness people found on their computers, and part of safe hex involved avoiding unsafe sites or at least doing something to mitigate the threat.

But do people even know the term "safe hex" anymore? It was big in the 90's, but it seems like the security community has opted (foolishly in my opinion) for the "users should just be invisibly protected without having to know anything" model so nobody talks about safe hex anymore. Frankly, if people can't be automatically protected from something as simple as biological viruses, I'm not sure how we can expect that kind of protection against intelligent adversaries.

On the other hand, I'm not even sure what constitutes safe hex now. The computing landscape has become so fragmented, it's difficult to keep up with what the best practices are for this platform or that technology, and the more things that get computers put into them the worse that is going to get.

That's not how any of this works

found on Failbook


  1. You should know what your favourite anything is. If you don't then you don't have a favourite
  2. If you don't know the answer now then you won't remember it in the future when you need it
  3. Other people aren't supposed to choose the answer to your security question for you, it's supposed to be personal
  4. If other people know the answer to your security question then it's not very secure
  5. etc...
It's hard to believe so much security fail can fit in such a small Facebook status.

Tuesday, September 5, 2017

Let's see what kitty's been up to today

from here

We don't even try to hide the data collection capabilities of smart devices for animals, why should we be surprised when the smart devices we use have many of the same capabilities?

The security clause has security claws

found on Pinterest

There's actually a ton of cool security cat memes on this Pinterest page. As near as I can tell, many of them came from the Security Awareness Company's Security Cat line of posts, but I can't find the exact link for this (hence the Pinterest link).

Monday, September 4, 2017

Achy Breaky Pacemakers

from here

One of the lessons from this story is that security problems aren't going to simply go away just because they're inconvenient for the business. You will eventually have to deal with it and I can't think of many ways of dealing with it that are worse than waiting a year to issue a warning about problems with pacemakers.

Stop reading my statuses!

found on Some Ecards

Friday, September 1, 2017

What could possibly go wrong?

from here

If this is the kind of fore-thought we can expect from the new FCC, I think we're going to need to find an alternative interpretation for those 3 letters.

A question for all the ransomware victims

found on Imgflip

If you've got ransomware, this is a question you need to ask yourself before you decide to pay the ransom.