Tag: infosec

Fuck certs.

As someone who has spent essentially their entire professional career trying to avoid accruing industry certs, I do so love a good gripe about the CISSP.

The whole “certification” system in IT in general and INFOSEC in particular is so laughably corrupt and, worse, has so little relation to actual job skill that the whole damn thing really just needs to be burnt to the ground.

3rd September, 2020 (2020-08-23T20:53:18+10:00)

That LiveJournal thing.

Denise has a pretty good write-up of the LiveJournal password breach over at Dreamwidth.


We’ve seen several contradictory claims about when the file was allegedly gathered from LiveJournal: one claim for June/July of 2014, and one claim for sometime in 2017. From what we’ve learned from our users who we’ve spoken to about their accounts, we believe the 2014 claim is more likely to be accurate and that the person(s) who obtained the data in 2014 didn’t use it for several years, but we can’t say for certain. Because of that uncertainty, it’s best if you treat any password you’ve ever used on LiveJournal in the past as compromised, since we can’t tell for certain when the alleged breach happened.

(It’s worth noting Firefox, for example, leans towards the 2017 date. Regardless, assume compromise.)

Also, LiveJournal’s official response—specifically the claim the data are “falsified”—is… interesting. More specifically specifically, what they seem to be claiming is that someone has taken account details from other breaches and attributed them to LiveJournal. Given that I know I, personally, use a LiveJournal-specific email address and I still got a breach notice from Have I Been Pwned?, this is, to put it bluntly, full of shit.

Anyway, tl;dr:

  • change your password at LiveJournal and any other place you may have used the same password
  • don’t reuse passwords
  • activate multifactor where possible, particularly high-value accounts like email addresses and anything financial [1]
  • use a password manager. [2]

  [1] Also, prefer hard tokens over soft tokens/apps over SMS codes.
  [2] I use 1Password, which is nice but kinda expensive; LastPass and KeePass are more affordable options.
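A practical follow-on to “treat that password as compromised”: the Have I Been Pwned breach notice mentioned above has a sibling service, Pwned Passwords, that lets you check whether a password appears in known breach corpora without ever sending the password itself. The client hashes the password with SHA-1, sends only the first five hex characters of the digest, and gets back every suffix sharing that prefix with a count; the match is done locally. The code below is an added example (not from Dreamwidth, LiveJournal or HIBP) showing that client-side half of the exchange. The range response is a constructed stand-in for the HTTPS reply, and the counts in it are made up.

```python
import hashlib

# Real endpoint for a live check (not called here, so the example runs offline):
#   GET https://api.pwnedpasswords.com/range/<first 5 hex chars of SHA-1>
# The reply is plain text, one "<remaining 35 hex chars>:<count>" per line.


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password, the form Pwned Passwords indexes on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_range_query(password: str) -> tuple[str, str]:
    """Return (prefix sent to the service, suffix kept local). Only the 5-char
    prefix leaves the machine, which is what gives the scheme its k-anonymity."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse the 'SUFFIX:COUNT' lines of a range reply into a dict."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range) -> int:
    """How many times the password appears in the corpus (0 = not found).
    fetch_range(prefix) -> str is whatever transport you use for the GET."""
    prefix, suffix = split_for_range_query(password)
    body = fetch_range(prefix)
    return parse_range_response(body).get(suffix, 0)


# Constructed offline stand-in for the network call. The first suffix is the real
# tail of SHA-1("password"); the count and the second line are invented.
CONSTRUCTED_RANGES = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345\n"
        "0123456789ABCDEF0123456789ABCDEF012:2\n"
    ),
}


def fake_fetch_range(prefix: str) -> str:
    """Stands in for the HTTPS GET; unknown prefixes return an empty body."""
    return CONSTRUCTED_RANGES.get(prefix, "")


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        n = breach_count(candidate, fake_fetch_range)
        verdict = f"seen {n} times, do not use" if n else "not in the (constructed) corpus"
        print(f"{candidate!r}: {verdict}")
```

The transport is injected so the hashing and matching logic can be tested without a network; a real `fetch_range` would do the GET against the endpoint in the comment and return the response body unchanged. A count of zero only means the password is not in that corpus, not that it is strong; the advice above about managers and MFA still stands.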
28th May, 2020 (2020-05-28T10:09:03+10:00)


Interesting look at how Google’s “auto-delete” feature is essentially useless for protecting user privacy.

(Spoiler alert: it’s got to do with the value of user data over time. Basically, by the time Google allows you to auto-delete data from its services, it’s already extracted most of the value from those data.)

17th March, 2020 (2019-12-03T10:51:52+11:00)

Kinda sorta.

Have you ever been in that situation where you kii-ii-ii-inda know your password, but not exactly? Like, you know it’s probably the name of a Naruto character but you can’t remember exactly which one, and that it’s got some 1337-speak in it but you can’t remember exactly where?

Well. There’s now an app (script) for that.

Of course the actual real-world use of this script will be password hacking based on recon about a target’s life. So if you know someone has three kids and a wife—or that they love Naruto—and you know their names and birthdays and anniversaries, you plug those values into this and… bam. Quicker than rainbow tables.

(And this is why you never base your passwords on things like your pets, hobbies, and/or family members, kids!)
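The defensive counterpart to the script above is to refuse such passwords at creation time: check the candidate against context-specific words (names, pets, hobbies, birthdays) while allowing for the 1337-speak substitutions that make people think “N4rut0” is a different word from “naruto”. The following is an added example, not the script the post links to, of that kind of blocklist check. Instead of trying to “un-leet” the password (ambiguous, since `1` might be `i` or `l`), it turns each blocklisted word into a pattern that accepts the usual lookalike characters and searches the password for it. The substitution table and the date forms are my assumptions about what is worth catching; the sample password and personal details are constructed.

```python
import re

# Lookalike characters commonly substituted for each letter in "1337" spellings.
# This table is an assumption for the example, not an exhaustive list.
LETTER_VARIANTS = {
    "a": "a4@", "b": "b8", "e": "e3", "g": "g9", "i": "i1!|",
    "l": "l1|", "o": "o0", "s": "s5$", "t": "t7+", "z": "z2",
}


def token_pattern(token: str) -> str:
    """Regex that matches `token` with any mix of lookalike substitutions,
    e.g. 'naruto' -> 'n[a4@]r[u][t7\\+][o0]'. Case is handled by the caller."""
    parts = []
    for ch in token.lower():
        variants = LETTER_VARIANTS.get(ch, ch)
        parts.append("[" + re.escape(variants) + "]")
    return "".join(parts)


def date_tokens(yyyy_mm_dd: str) -> set[str]:
    """Digit strings people typically lift from a date: year, ddmm, mmdd, ddmmyy, mmddyy."""
    y, m, d = yyyy_mm_dd.split("-")
    return {y, y[2:], d + m, m + d, d + m + y[2:], m + d + y[2:]}


def find_personal_tokens(password: str, personal_tokens, min_len: int = 4) -> list[str]:
    """Return the blocklisted tokens (length >= min_len) found in the password,
    allowing for leet substitutions. Short tokens are skipped to avoid noise."""
    pw = password.lower()
    hits = []
    for tok in personal_tokens:
        if len(tok) < min_len:
            continue
        if re.search(token_pattern(tok), pw):
            hits.append(tok)
    return sorted(hits)


def evaluate_password(password: str, personal_tokens) -> tuple[bool, list[str]]:
    """(accepted, reasons). Rejects anything built from the user's own context."""
    reasons = []
    hits = find_personal_tokens(password, personal_tokens)
    if hits:
        reasons.append("contains personal/context words: " + ", ".join(hits))
    if len(password) < 12:
        reasons.append("shorter than 12 characters")
    return (not reasons, reasons)


if __name__ == "__main__":
    # Constructed profile of a hypothetical user: favourite characters and a birthday.
    context = ["naruto", "sasuke", "kakashi"] + sorted(date_tokens("1987-04-12"))
    for candidate in ("N4rut0_1987!", "S@suk3", "Tq9&vmL2#zRw8p"):
        ok, why = evaluate_password(candidate, context)
        print(f"{candidate!r}: {'ok' if ok else 'rejected: ' + '; '.join(why)}")
```

Building the pattern from the blocklisted word rather than normalising the password keeps the check cheap (one linear regex search per token) and sidesteps the ambiguity of reversing substitutions. In a real deployment the context list would come from the account record (username, display name, recovery e-mail local part) plus whatever the user volunteers, and sit alongside a breached-password check rather than replace it.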

25th February, 2020 (2019-10-30T08:58:56+11:00)

Everyone grade.

Before the Internet revolution, military-grade electronics were different from consumer-grade. Military contracts drove innovation in many areas, and those sectors got the cool new stuff first. That started to change in the 1980s, when consumer electronics started to become the place where innovation happened. The military responded by creating a category of military hardware called COTS: commercial off-the-shelf technology. More consumer products became approved for military applications. Today, pretty much everything that doesn’t have to be hardened for battle is COTS and is the exact same product purchased by consumers. And a lot of battle-hardened technologies are the same computer hardware and software products as the commercial items, but in sturdier packaging.

Through the mid-1990s, there was a difference between military-grade encryption and consumer-grade encryption. Laws regulated encryption as a munition and limited what could legally be exported only to key lengths that were easily breakable. That changed with the rise of Internet commerce, because the needs of commercial applications more closely mirrored the needs of the military. Today, the predominant encryption algorithm for commercial applications — Advanced Encryption Standard (AES) — is approved by the National Security Agency (NSA) to secure information up to the level of Top Secret. The Department of Defense’s classified analogs of the Internet — Secret Internet Protocol Router Network (SIPRNet), Joint Worldwide Intelligence Communications System (JWICS) and probably others whose names aren’t yet public — use the same Internet protocols, software, and hardware that the rest of the world does, albeit with additional physical controls. And the NSA routinely assists in securing business and consumer systems, including helping Google defend itself from Chinese hackers in 2010.

Bruce Schneier on encryption.

Some of you may recall that one of my Minor Fic Bugbears is any mention of “military grade encryption” because, well. This.

Also see: Any time any politician starts talking about adding in things like key escrow or backdoors into “consumer-grade” encryption (which is what Schneier’s full article is about). In the most generous interpretation, they want to take everyone back to Cold War-era export restrictions on encryption technology. Which… ye-ee-eah. Probably not gonna happen, hey.

1st February, 2020 (2019-10-23T08:13:38+11:00)