
Everything is compromised.

Reality #1: Bad guys already have access to personal data points that you may believe should be secret but which nevertheless aren’t, including your credit card information, Social Security number, mother’s maiden name, date of birth, address, previous addresses, phone number, and yes — even your credit file.

Reality #2: Any data point you share with a company will in all likelihood eventually be hacked, lost, leaked, stolen or sold — usually through no fault of your own. And if you’re an American, it means (at least for the time being) your recourse to do anything about that when it does happen is limited or nil.

Brian Krebs on security realities.

The full article has some strategies individual users (and companies, though that’s probably less relevant to This Audience) can use, taking into account Realities #1 and #2.

2019-01-07T08:16:34+11:00 | 16th May, 2019 | Tags: infosec

Who’s who.

Recent data from anti-phishing company PhishLabs shows that 49 percent of all phishing sites in the third quarter of 2018 bore the padlock security icon next to the phishing site domain name as displayed in a browser address bar.

Brian Krebs on legitimacy.

Spoiler alert: SSL is still a goddamn scam.

2018-12-31T22:49:16+11:00 | 3rd May, 2019 | Tags: infosec, tech


I work in a corrupted industry, variously known as the “infosec” community or “cybersecurity” industry. It’s a great example of how truth is corrupted into “Truth”.

At a recent government policy meeting, I pointed out how vendors often downplay the risk of bugs (vulnerabilities that can be exploited by hackers). When vendors are notified of these bugs and release a patch to fix them, they often give a risk rating. These ratings are often too low, in order to protect the corporate reputation. The representative from Oracle claimed that they didn’t do that, and that indeed, they’ll often overestimate the risk. Other vendors chimed in, also claiming they rated the risk higher than it really was.

In a neutral world, deliberately overestimating the risk would be the same falsehood as deliberately underestimating it. But we live in a non-neutral world, where only one side is a lie, the middle is truth, and the other side is “Truth”. Lying in the name of the “Truth” is somehow acceptable.

Robert Graham on “Truth”.

While I don’t think Graham is wrong on his larger point (that of truth versus “Truth”), it does bear pointing out that literally the Number 1 problem in INFOSEC risk assessment is that the vast majority of it is qualitative, not quantitative. That is, it’s based on gut feelings and instincts and who can make the most persuasive argument, not on any unchanging empirical fact, and this is something large portions of the more operationally minded members of the community find almost impossible to deal with…

2018-09-05T09:06:48+10:00 | 12th February, 2019 | Tags: culture, infosec, politics

Oh Pillowfort, no.

Pillowfort… wut u doin’, man?

(With original credit here.)

Edited to add: From reports by other users, it seems Pillowfort isn’t doing any robust sanitization on usernames at all, allowing things like slashes and periods and spaces that break their own UI. This is… not good. Weren’t they supposed to’ve done a “security audit” after their hack a few weeks back?

2018-12-20T09:01:46+11:00 | 20th December, 2018 | Tags: fandom, infosec, pillowfort, social media, tech


Former president Bill Clinton has contributed to a cyberthriller The President is Missing, the plot of which is that the president stops a cybervirus from destroying the country. This is scary, because people in Washington D.C. are going to read this book, believe the hacking portrayed has some basis in reality, and base policy on it.

Robert Graham on bad policy.

A good chunk of my day job is trying to communicate to non-INFOSEC people a) how various INFOSEC threats actually operate, and b) what actually works against them. It is, I would have to say, not an easy job. And it’s a not-easy job made all the more not-easy by the fact that pop culture depictions of hacking, viruses, and so on are all just so bad.

(Also: Bill Clinton co-wrote a James Patterson-branded extruded fiction product. What a world we live in.)

2018-06-26T11:16:25+10:00 | 19th December, 2018 | Tags: infosec

HTTPS is still bullshit, part one million.

In this episode: HTTPS is still bullshit because it does not enforce single origin. That is, a website can appear as “valid HTTPS” while serving up to you malicious third-party JavaScript and cookies and iframes and all sorts of attendant garbage.[1] Worse, because of the way the Modern Internet™ works (i.e. being monetized by third-party adtech), there is no way of changing this without either, a) breaking every major website, or b) creating a multi-tier internet based around which websites can afford to shell out hundreds of dollars a year for EV certs.

1. So long as they’re being served from a site that also uses HTTPS. Which pretty much everyone does nowadays, even malware vendors, largely thanks to Google pushing the technology to sell more analytics products.

2018-06-15T07:06:03+10:00 | 5th December, 2018 | Tags: infosec, ssl, tech

Bad life choices.

James Mickens on machine learning, AI, and security.

From the keynote’s summary:

Using case studies involving machine learning and other hastily-executed figments of Silicon Valley’s imagination, I will explain why computer security (and larger notions of ethical computing) are difficult to achieve if developers insist on literally not questioning anything that they do since even brief introspection would reduce the frequency of git commits.

2018-09-10T08:24:52+10:00 | 5th September, 2018 | Tags: infosec, tech