Wednesday, October 31, 2018

If it's FIPS I sips

from here

Having recently become constrained by FIPS 140-2 compliance I found myself wondering "How am I supposed to hash passwords?". Then I wondered "How have other FIPS 140-2 compliant vendors been hashing passwords?" - and then I thought of the most obvious answer* and all the breaches of government systems seemed a lot less surprising.

(*Using a cryptographic hash instead of a password hash)
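As an added illustration of that footnote (this code is not part of the original post), the Python below puts the "obvious answer", an unsalted single-pass SHA-256, next to a password hash built only from FIPS-approved primitives: PBKDF2 with HMAC-SHA-256 is the password-based key derivation NIST SP 800-132 describes. The iteration count, the `$`-separated record format and the tiny wordlist are the editor's assumptions; the wordlist and the sample passwords are constructed for the demonstration.

```python
"""Cryptographic hash vs. password hash: why the 'obvious answer' fails (added example)."""
import hashlib
import hmac
import os

# Constructed wordlist for the demonstration; real attackers use far larger ones.
WORDLIST = ["123456", "password", "letmein", "qwerty", "hunter2"]

# Assumed parameters (editor's choice, not from the post). The iteration count follows
# OWASP's current guidance for PBKDF2-HMAC-SHA256 at the time of editing.
ITERATIONS = 600_000
SALT_BYTES = 16
KEY_BYTES = 32
SCHEME = "pbkdf2_sha256"


def naive_hash(password: str) -> str:
    """The 'obvious answer': unsalted, single-pass SHA-256 (an approved algorithm,
    but not a password hash). Deterministic and fast, so one precomputed table
    inverts every user's digest with a dictionary lookup."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def precomputed_table(words) -> dict:
    """Attacker's one-off cost: hash the wordlist once, reuse it against every site."""
    return {naive_hash(w): w for w in words}


def crack_naive(digest_hex: str, table: dict):
    """Recover a password from an unsalted digest in O(1)."""
    return table.get(digest_hex)


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Password hash: per-user random salt plus a tunable work factor (PBKDF2-HMAC-SHA256).
    Returns a self-describing record so the parameters can be raised later."""
    salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=KEY_BYTES)
    return f"{SCHEME}${iterations}${salt.hex()}${dk.hex()}"


def _parse(record: str):
    """Split a stored record into (iterations, salt, expected_key); None if malformed."""
    try:
        scheme, iters, salt_hex, dk_hex = record.split("$")
        if scheme != SCHEME:
            return None
        return int(iters), bytes.fromhex(salt_hex), bytes.fromhex(dk_hex)
    except ValueError:
        return None


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt/iterations and compare in constant time."""
    parsed = _parse(record)
    if parsed is None:
        return False
    iterations, salt, expected = parsed
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=len(expected))
    return hmac.compare_digest(dk, expected)


def crack_salted(record: str, words):
    """Attacker's cost against a salted record: no table helps, every guess costs a full
    PBKDF2 run per record, so the work scales with wordlist size times user count."""
    parsed = _parse(record)
    if parsed is None:
        return None
    iterations, salt, expected = parsed
    for w in words:
        dk = hashlib.pbkdf2_hmac("sha256", w.encode("utf-8"), salt, iterations, dklen=len(expected))
        if hmac.compare_digest(dk, expected):
            return w
    return None


if __name__ == "__main__":
    table = precomputed_table(WORDLIST)
    print("naive SHA-256 of 'hunter2' cracks to:", crack_naive(naive_hash("hunter2"), table))
    rec = hash_password("hunter2")
    print("stored record:", rec)
    print("verify correct password:", verify_password("hunter2", rec))
    print("verify wrong password:  ", verify_password("hunter3", rec))
```

Two things to notice when running it: every call to `hash_password` for the same password yields a different record, so there is nothing to precompute, and `crack_salted` has to pay the full iteration count for each guess, which is exactly the cost the unsalted SHA-256 lets an attacker skip.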

TSA Agent Halloween Costume

found on Halloween Costumes

I'm not sure which is easier, getting a TSA costume from an online store, or getting a job with the TSA in order to get their uniform. Give them a try and tell me how it works out.

Tuesday, October 30, 2018

The objectionable object lesson

from here

I've never done this (to a phone*), but I ... know a guy who tries to teach people a lesson about mobile security.

(*I can't say I've never changed the wallpaper on an unlocked desktop computer)

Always lock your computer

found on Quora

What he reads can and will be used against you in the room of baths.

Monday, October 29, 2018

This is the faux-lice, we have you surrounded

from here

It's amazing who gets to carry a badge and a gun in Michigan. About as amazing as seeing anti-malware companies teaming up with malware vendors, and I imagine there will be just as much done about it - absolutely nothing.

Sometimes car thieves are the least of your worries

found on

From what I've been able to gather, this is at least partially true. People do leave their car doors unlocked in Churchill for just this reason. I'm not sure if there's an actual law about it (I am not a lawyer), but the fact that it's even a custom demonstrates how threat models can change depending on the prevailing circumstances.

Friday, October 26, 2018

If you really don't want to be noticed

from here (source image 1 and 2)

There's a weird kind of irony in the fact that people wearing high visibility vests somehow become basically invisible. No one watches or pays any attention to them.

Someone should sell these

found on Silicon Investor

Someone should sell these because not all of us are gifted with the graphic design skills necessary to do this convincingly

Thursday, October 25, 2018

All trademark and no tradecraft

from here

Governmental spyware vendors keep getting breached (as does everyone else), but nothing quite compares to the spectacular self-own by Wolf Intelligence. A shame their customers' victims were also exposed in the process.

Don't bring a spray can to a bong fight

Watch on YouTube

I'm not sure what was IN the spray can, but it looks like it might as well have been air freshener. Clearly not a winning attack strategy. Someone isn't having a very happy Marijuanukah.

Monday, October 22, 2018

Gosh darn policy revisions

from here

One of the computing ironies I encountered years ago was the fact that Microsoft had to update the software it uses to perform Windows Update. Literally, Windows Update needed to be updated before it could update anything else.

Microsoft isn't the only software vendor that has a special piece of software designed to update other software, either. Google has one for updating Chrome, for example.

I feel certain that at least one if not more of those updater programs (which themselves sometimes require updates) also had a privacy policy update in the wake of GDPR.

Maybe use a Post-It note just this once

found on Daily LOL Pics

Keeping passwords on Post-It notes is of course a bad idea in general, but so is admitting you forgot your anniversary. Honestly it's hard to say which one has worse consequences, but your adversary is present a lot more often in the second scenario.

Friday, October 19, 2018

If at first you don't succeed...

from here

Recidivism is exactly why cyber-criminals are a bad fit for security companies. Crackers may not be as dumb as this guy, but they might just be confident enough in their own intelligence to think they've worked out all the bugs in their criminal enterprise.

I wonder what a Nigerian prince can turn into

found on Ha Ha Humor

If these are the kinds of people Nigerian cyber-criminals deal with on a day to day basis, it goes a long way to explaining why their scams appear so dumb.

Thursday, October 18, 2018

No wonder people have difficulty with technical jargon

from here

Look, I understand that language changes, even technical language, but usually the terminology misuse is performed by the masses in at least partial ignorance of the proper use of the term.

In this case, however, there is no way laymen would have misused "fileless" to refer to instances where files are actually used. "Fileless" is or at least was intuitive enough that even the unwashed masses could have understood it. Not anymore, however, and the people responsible for making an easy term complicated and nonsensical? That would be technical people. People who should have known better. People who should have realized they could simply create a new term if they wanted to include cases not covered by the original intuitive definition of "fileless".

Making security harder to understand is not helping. Don't do that.

Too bad my time can't fit nearly as many

found on Imgur

If you're going to annoy me at random times and give me no control over it then you sure as hell better make sure it doesn't happen very often. It doesn't seem like those kinds of user experience issues matter to Microsoft anymore, though.

Wednesday, October 17, 2018

Who wants to play update roulette?

from here

Abusing the already shaky trust users have in software updates is going to result in devices remaining vulnerable to attacks that could be prevented, all so that greedy corporations can get even more of our money.

How to destroy cryptocurrency

Watch on YouTube

Yes, I know those aren't actual bitcoins, litecoins, and ethereum whatevers. Once upon a time, however, one of those bitcoin medallions would have cost you a bitcoin to get.

What this YouTube channel does is feed viewer submitted items through a miniature industrial shredder, so some cryptocurrency enthusiast out there must have lost their enthusiasm. And since cryptocurrency only has value so long as people have faith in it, this does represent cryptocurrency being destroyed, at least a little bit.

Tuesday, October 16, 2018

Back then there were 'no graphics' involved

from here

Yes, there is in fact a difference between steganography and stenography.

And also, yes, you now have a steganography pun.

Kids say the darnedest things

found on iFunny

Remember when kids would just say "My dad can beat up your dad"? I guess it was inevitable that technology would seep into those kinds of exchanges.

Things have also gotten a lot more violent and dark, which is troubling.

Monday, October 15, 2018

The one time a back door would be useful

from here (source article)

I don't know about you, but I think I'm going to stick with dumb locks for the foreseeable future.

And my admin password is an Icelandic volcano

found on Meme Base

Yeah, no, not that volcano, a different one.

It probably wouldn't be a good idea for Harinelina to use this as a password, of course, but with that many characters, it's pretty good even without numbers and symbols.

Friday, October 12, 2018

Passwords don't make everything more secure

from here

Thanks to Bloorjack Horseman for reminding me of this problem. Though I haven't encountered it (yet) with Adobe Reader (probably because I use something else to view PDFs), I have seen needless sign-in requirements added to other things, like Visual Studio.

You might think that forcing you to log into an app makes it more secure. Taken to an absurd extreme you might even think this would solve the problem of software vulnerabilities because PoC exploits wouldn't even be able to pop CALC.EXE without knowing the right password.

But here's the paradox - the more things that require passwords, the more people will get burned out from entering passwords and ultimately the more it will encourage people to not only use simple passwords but to also reuse them everywhere.

Adding sign-in requirements to things that could (and for a long time did) work perfectly well without them is just going to exacerbate the password problems we're already struggling with. It will make security worse, not better.

Now you can have even better (national) security

found on Reddit

By all accounts, Apple seems to have done a really good job of protecting the biometric information people are recording on their phones. But even if they did a perfect job, do you think Apple's competitors will all be so diligent?

Thursday, October 11, 2018

Which one(s) do I whitelist in NoScript to make it work?

from here

And if that wasn't bad enough, frequently adding a source to the whitelist will uncover still more untrusted sources that you didn't even know about before.

Who wants to feel loved by my spam folder?

found on Memedroid

I suppose if you look really hard, you too could find an actual use for spam.

Wednesday, October 10, 2018

More like a letting-it-all-hang-out-house

from here (image source)

I wanna sleep too

found on Imgur

I know this EXACT feeling. I live this every freaking time.

Tuesday, October 9, 2018

Truth in advertising from an advertising giant

from here

Some people like to say that Google is just like Facebook when it comes to privacy, but while Facebook doubles down in the face of breaches, Google takes a different path.

Safari OpSec

found on Izismile

Operational security isn't just for crooks and spooks. It can help protect endangered species as well.

Monday, October 8, 2018

They're just making the unaccountability official

from here

Giving cops permission to destroy property for any reason they can come up with seems like a license to abuse their authority.

And it's all security theatre too, since (at least in the case of aircraft) the chance of collision with a drone is less than the chance of collision with a turtle.

Have no fear, Insecurity Guard is here

Watch on YouTube

I can't help but wonder, if he can't even handle things on the floor, how was he going to deal with that fence?

Maybe something like this?

Watch on YouTube

Friday, October 5, 2018

Some will even say the blockchain can fix it

from here

The security industry has its share of ambulance chasers, and the ambulance of the day is supply chain risks, thanks to a report by Bloomberg News. Are there real risks associated with supply chains? Sure, but actual incidents of compromise by supply chain attacks are pretty rare, even if you assume what Bloomberg reported is true (and we don't know that yet).

Don't hit send just yet

found on Imgur

If you simply must send sensitive information, look into how to encrypt it before you send it.

Thursday, October 4, 2018

Everyone is the AV guy/gal there

from here

You know who you are and you know what you've done. I'm not going to shame you any more than you've already shamed yourself.

Awareness without knowledge

found on Meme.XYZ

The down side of making sure everyone has heard of viruses without telling them how to recognize one is that people start to think everything is a virus.

Wednesday, October 3, 2018

Unsafe gun safe

from here

Securing your firearm is supposed to keep it out of the wrong hands - you know, like your kids. So you're probably not going to be satisfied with something a child could open.

In case you think this is hyperbole, watch this video
GunVault, SVB 500: Opened With A Gum Wrapper from Handgun Safe Research on Vimeo.

How to make sure you protect your password

found on Imgur

Tuesday, October 2, 2018

Who needs backdoors when you've got Windows

from here

I'm not sure the folks at Microsoft thought through how Cortana asks for your password during a PC reset.

Fur Disk Encryption

found on Google Image Search

You'd think Google Image Search would be able to find the original but it seems like it only exists in the cache now. The links are broken.