Security is really about Risk vs Reward

Every now and then the conversation erupts about what security really is. There’s the old saying that the only secure computer is one that’s off (or fill in your favorite quote here, there are hundreds). But the thing is, security isn’t a binary concept where you are either secure or insecure. That’s not how anything works.

Ransomware is scary, but not for the reasons you think it is

If you’ve been paying any attention for the past few weeks, you know what ransomware is. It’s a pretty massive pain for anyone who gets it, and in some cases, it was a matter of life and death. It’s easy to understand what makes this stuff scary, but there’s another angle most haven’t caught on…

I’m going to do something really cool in 3 weeks! … Probably.

If you pay attention to the security news, there is something coming called Badlock. It just set off a treasure hunt for security flaws in Samba. Rather than link to the web site (I’d rather not support this sort of behavior), let’s think about this as reasonable people. I can imagine three possible outcomes to…

Everything is fine, nothing to see here!

As anyone who reads this blog knows, I’ve been talking about soft skills in security for quite some time now. I’m willing to say it’s one of our biggest issues at the moment, a point which I get a lot of disagreement on. I have sympathy for anyone who thinks this stuff doesn’t matter, I…

Containers are like sandwiches

During the RSA conference, I was talking about containers and it occurred to me that we can think about them like a sandwich. Not so much that they’re tasty, but rather in terms of where your container comes from. I was pleased that almost all of the security people I spoke with understand the current security nightmare containers…

The interesting things from RSA are what didn’t happen, and containers are sandwiches

The RSA conference is done. It was a very long and busy show, there were plenty of interesting people there and lots of clever ideas and things to do. I think the best part is what didn’t happen though. We love talking about the exciting things from the show, I’m going to talk about the…

Let’s talk about soft skills at RSA, plus some other things

It’s been no secret that I think the lack of soft skills in the security space is one of our biggest problems. While I usually only write about the world’s problems and how to fix them here, during RSA I’m going to take a somewhat different approach. I’m giving a talk on Friday…

Thinking about glibc and Heartbleed, how do we fix things

After my last blog post, Change direction, increase speed! (or why glibc changes nothing), I got thinking about how we can start to fix some of this. The sad conclusion is that nothing can be fixed in the short term. Rather than trying to make up some nonsense about how to fix this, I want…

Change direction, increase speed! (or why glibc changes nothing)

The glibc issue has had me thinking. What will we learn from this? I’m pretty sure the answer is “nothing”, which then made me wonder why this is. The conclusion I came up with is that we are basically the aliens from Space Invaders. Change direction, increase speed! While this can give the appearance of doing something,…

glibc for humans

Unless you’ve been living under a rock, you’ve heard about the latest glibc issue: CVE-2015-7547, a glibc stack-based buffer overflow in getaddrinfo(). It’s always hard to understand some of these issues, so I’m going to do my best to explain it using simple language. Making security easy to understand is something I’ve been talking about for a long…