Tag: infosec

Truthiness.

I work in a corrupted industry, variously known as the “infosec” community or “cybersecurity” industry. It’s a great example of how truth is corrupted into “Truth”.

At a recent government policy meeting, I pointed out how vendors often downplay the risk of bugs (vulnerabilities that can be exploited by hackers). When vendors are notified of these bugs and release a patch to fix them, they often give a risk rating. These ratings are often too low, in order to protect the corporate reputation. The representative from Oracle claimed that they didn’t do that, and that indeed, they’ll often overestimate the risk. Other vendors chimed in, also claiming they rated the risk higher than it really was.

In a neutral world, deliberately overestimating the risk would be the same falsehood as deliberately underestimating it. But we live in a non-neutral world, where only one side is a lie, the middle is truth, and the other side is “Truth”. Lying in the name of the “Truth” is somehow acceptable.

Robert Graham on “Truth”.

While I don’t think Graham is wrong on his larger point (that of truth versus “Truth”), it does bear pointing out that literally the Number 1 problem in INFOSEC risk assessment is that the vast majority of it is qualitative, not quantitative. That is, it’s based on gut feelings and instincts and who can make the most persuasive argument, not on any unchanging empirical fact, and that this is something large portions of the more operationally minded members of the community find almost impossible to deal with…

12th February, 2019 | Tags: culture, infosec, politics

Oh Pillowfort, no.

Pillowfort… wut u doin’, man?

(With original credit here.)

Edited to add: From reports by other users, it seems Pillowfort isn’t doing any robust sanitization on usernames at all, allowing things like slashes, periods and spaces that break their own UI. This is… not good. Weren’t they supposed to’ve done a “security audit” after their hack a few weeks back?
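As an added illustration (my example, not Pillowfort’s code and not part of the original post): an allowlist validator for usernames, alongside a hypothetical `/user/{name}` route to show why a raw slash or dot in a username changes the shape of a URL. The character set and length limits are assumptions; the sample names are constructed.

```python
from __future__ import annotations

import re
from urllib.parse import quote

# Allowlist, not denylist: letters, digits and underscore, 3-32 characters.
# Slashes, periods and spaces (the characters reported to break the UI) are
# rejected simply by not being on the list. The limits are assumptions.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,32}")


def validate_username(name: str) -> tuple[bool, str]:
    """Return (ok, reason); the reason names the first problem found."""
    if not name:
        return False, "empty"
    if any(ch.isspace() for ch in name):
        return False, "contains whitespace"
    if "/" in name or "\\" in name:
        return False, "contains a path separator"
    if "." in name:
        return False, "contains a period"
    if not USERNAME_RE.fullmatch(name):
        return False, "disallowed character or bad length"
    return True, "ok"


def naive_profile_path(name: str) -> str:
    """A hypothetical route template /user/{name} filled in with the raw string.

    An unvalidated name changes the shape of the URL: "alice/settings"
    becomes two path segments and ".." is a parent-directory segment.
    """
    return f"/user/{name}"


def safe_profile_path(name: str) -> str:
    """Validate, then percent-encode so the name is exactly one path segment."""
    ok, reason = validate_username(name)
    if not ok:
        raise ValueError(f"invalid username: {reason}")
    return f"/user/{quote(name, safe='')}"


if __name__ == "__main__":
    # Constructed samples, not real Pillowfort usernames.
    for candidate in ["alice_1", "alice/settings", "..", "bob smith", "x"]:
        print(repr(candidate), validate_username(candidate), naive_profile_path(candidate))
```

The point of the allowlist is that nobody has to remember every character that breaks a router or a template; anything not explicitly permitted is out, and the percent-encoding in `safe_profile_path` is belt-and-braces for the day someone widens the allowlist.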

20th December, 2018 | Tags: fandom, infosec, pillowfort, social media, tech

Cyberfaking.

Former president Bill Clinton has contributed to a cyberthriller The President is Missing, the plot of which is that the president stops a cybervirus from destroying the country. This is scary, because people in Washington D.C. are going to read this book, believe the hacking portrayed has some basis in reality, and base policy on it.

Robert Graham on bad policy.

A good chunk of my day job is trying to communicate to non-INFOSEC people how various different INFOSEC threats, a) actually operate, and b) what actually works against them. It is, I would have to say, not an easy job. And it’s a not-easy job made all the more not-easy by the fact that pop culture depictions of hacking, viruses, and so on are all just so bad.

(Also: Bill Clinton co-wrote a James Patterson-branded extruded fiction product. What a world we live in.)

19th December, 2018 | Tags: infosec

HTTPS is still bullshit, part one million.

In this episode: HTTPS is still bullshit because it does not enforce single origin. HTTPS authenticates and encrypts the connection to each server a page talks to, and nothing more. That is, a website can appear as “valid HTTPS” while serving up to you malicious third-party JavaScript and cookies and iframes and all sorts of attendant garbage.1 Worse, because of the way the Modern Internet™ works (i.e. being monetized by third-party adtech), there is no way of changing this without either, a) breaking every major website, or b) creating a multi-tier internet based around which websites can afford to shell out hundreds of dollars a year for EV certs.

  1. So long as they’re being served from a site that also uses HTTPS. Which pretty much everyone does nowadays, even malware vendors, largely thanks to Google pushing the technology to sell more analytics products.
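An added example (mine, not from the original post) of the check the padlock does not do for you: parse a page and list every sub-resource whose origin differs from the page’s own, then derive the smallest Content Security Policy `script-src` allowlist that would cover the external scripts found. CSP is opt-in per site, which is exactly the point above: nothing in “valid HTTPS” requires it. The sample HTML and hostnames are constructed; `urljoin`, `urlsplit` and `HTMLParser` are standard library.

```python
from __future__ import annotations

from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags whose URL attribute triggers a sub-resource fetch. <link> only counts
# when it is a stylesheet (rel="canonical" and friends fetch nothing).
RESOURCE_ATTRS = {"script": "src", "iframe": "src", "img": "src", "link": "href"}


def origin(url: str) -> str:
    """scheme://host[:port], lower-cased; this is what same-origin compares."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


class ResourceCollector(HTMLParser):
    """Collect (tag, absolute URL) for every sub-resource referenced in the markup."""

    def __init__(self, page_url: str) -> None:
        super().__init__()
        self.page_url = page_url
        self.resources: list[tuple[str, str]] = []

    def handle_starttag(self, tag, attrs):
        attr_name = RESOURCE_ATTRS.get(tag)
        if attr_name is None:
            return
        attr_map = dict(attrs)
        if tag == "link" and "stylesheet" not in (attr_map.get("rel") or "").lower().split():
            return
        url = attr_map.get(attr_name)
        if url:
            # urljoin resolves relative and protocol-relative ("//host/x") URLs.
            self.resources.append((tag, urljoin(self.page_url, url)))


def resources_of(page_url: str, html: str) -> list[tuple[str, str]]:
    collector = ResourceCollector(page_url)
    collector.feed(html)
    collector.close()
    return collector.resources


def third_party_loads(page_url: str, html: str) -> list[tuple[str, str]]:
    """Sub-resources whose origin differs from the page's own origin."""
    page_origin = origin(page_url)
    return [(tag, url) for tag, url in resources_of(page_url, html) if origin(url) != page_origin]


def script_src_directive(page_url: str, html: str) -> str:
    """Smallest CSP script-src allowlist covering the external scripts found.

    Inline scripts have no src and are not seen here; a real policy would
    need a nonce or hash for them.
    """
    page_origin = origin(page_url)
    sources = {"'self'"}
    for tag, url in resources_of(page_url, html):
        if tag == "script" and origin(url) != page_origin:
            sources.add(origin(url))
    return "script-src " + " ".join(sorted(sources))


# Constructed sample page, not captured from any real site.
SAMPLE_PAGE_URL = "https://example.com/article"
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="/style.css">
<link rel="canonical" href="https://example.com/article">
<script src="/static/app.js"></script>
<script src="https://cdn.example.net/lib.js"></script>
</head><body>
<img src="//tracker.example.org/pixel.gif">
<iframe src="https://ads.example.org/frame"></iframe>
</body></html>"""

if __name__ == "__main__":
    for tag, url in third_party_loads(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f"{tag:7} {url}")
    print(script_src_directive(SAMPLE_PAGE_URL, SAMPLE_HTML))
```

Every one of the three third-party loads in the sample is served over HTTPS, so the browser shows the same padlock it would for a page that loaded nothing from anyone. Scripts added at runtime (a tag manager injecting more tags) are invisible to a static parse like this; only a CSP enforced by the browser catches those.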

5th December, 2018 | Tags: infosec, ssl, tech

Bad life choices.

James Mickens on machine learning, AI, and security.

From the keynote’s summary:

Using case studies involving machine learning and other hastily-executed figments of Silicon Valley’s imagination, I will explain why computer security (and larger notions of ethical computing) are difficult to achieve if developers insist on literally not questioning anything that they do since even brief introspection would reduce the frequency of git commits.

5th September, 2018 | Tags: infosec, tech

Pseudorandom.

The world expert on password analysis (no, really) looks at the “secret codes” posted by QAnon conspiracy trolls… and determines they’re very obviously just keyboard mashing. The methodology used to determine this is pretty interesting, too, and makes total sense when explained. You can even follow along yourself at home!

Also of interest: the “codes” were almost certainly generated by someone using a QWERTY keyboard, which probably means someone in the US (UK keyboards have slightly different symbol arrangements above the number keys, as do Russian keyboards that have joint Cyrillic/English layouts).
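One way to “follow along at home”, as an added example that is mine rather than the linked analysis or its author’s method: map each character to its physical key on a US QWERTY layout and measure how often consecutive characters sit on neighbouring keys. Keyboard mashing stays local to the hand; anything actually random does not. The row stagger, the distance cut-off and the 0.6 verdict threshold are assumptions, and the sample strings are constructed, not real posted “codes”. The `SHIFTED` table also carries the layout tell mentioned above: on a UK keyboard Shift-2 is `"` and Shift-3 is `£`, so it only holds for US layouts.

```python
import math

# Physical rows of a US QWERTY keyboard (unshifted) and the approximate
# horizontal stagger of each row relative to the number row, in key widths.
# The stagger values are assumptions, good enough for "is this key next to that one".
ROWS = ("`1234567890-=", "qwertyuiop[]\\", "asdfghjkl;'", "zxcvbnm,./")
STAGGER = (0.0, 0.5, 0.75, 1.25)

# Shifted symbol -> the key it shares, US layout only (UK: Shift-2 is ", Shift-3 is £).
SHIFTED = dict(zip("~!@#$%^&*()_+{}|:\"<>?", "`1234567890-=[]\\;',./"))

COORDS = {
    ch: (col + STAGGER[row], float(row))
    for row, keys in enumerate(ROWS)
    for col, ch in enumerate(keys)
}


def key_position(ch: str):
    """(x, y) of the physical key for a character, or None if it isn't on the layout."""
    return COORDS.get(SHIFTED.get(ch, ch.lower()))


def key_distance(a: str, b: str):
    """Euclidean distance between two keys in key widths, or None if either is unknown."""
    pa, pb = key_position(a), key_position(b)
    if pa is None or pb is None:
        return None
    return math.dist(pa, pb)


def adjacent_fraction(text: str, max_dist: float = 1.5) -> float:
    """Share of consecutive character pairs typed on neighbouring (or the same) keys.

    Characters not on the layout (space, non-ASCII) are skipped rather than counted.
    """
    distances = [key_distance(a, b) for a, b in zip(text, text[1:])]
    known = [d for d in distances if d is not None]
    if not known:
        return 0.0
    return sum(d <= max_dist for d in known) / len(known)


def looks_like_mashing(text: str, threshold: float = 0.6) -> bool:
    """Heuristic verdict; the threshold is an assumption, not a calibrated value."""
    return adjacent_fraction(text) >= threshold


if __name__ == "__main__":
    # Constructed samples, not real posted "codes".
    for sample in ["asdfjkl;", "gfdsa", "password", "q7Z!m2Lx"]:
        print(f"{sample!r:12} adjacent={adjacent_fraction(sample):.2f} mashing={looks_like_mashing(sample)}")
```

A home-row smash like `asdfjkl;` scores 6/7; an ordinary English word such as `password` lands in the middle (4/7, because typed words also run along rows); a string with characters scattered across the board scores 0. The same machinery works for any layout you can write down as rows, which is how you would test the UK or Cyrillic/Latin hypotheses: re-run with that layout’s shifted-symbol table and see which one makes the “codes” look most local.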

15th August, 2018 | Tags: culture, infosec