Category Archives: Security

I’ve noted a few times in the past the whole security industry is run by magicians. I don’t mean this in a bad way, it’s just how things work. Long term will will have to change, but it’s not going to be an easy path. When I say everything is run by magicians I speakContinue reading “Security and Tribal Knowledge”

If you pay attention at all, this week you heard about a security flaw in OpenSSH. Link to scary security flaw Of course nothing is going to change because of this. We didn’t make any real changes after Heartbleed or Shellshock, this isn’t nearly as bad, it’s business as usual. Trying to force change isn’tContinue reading “OpenSSH, security, and everyone else”

If you live in the US you can’t escape the news about the Powerball lottery. The jackpot has grown to $1.3 Billion (with a capital B). Everyone is buying tickets and talking about what they’ll do when they win enough money to ruin their life. This made me realize the unfortunate truth about security weContinue reading “What the lottery and security have in common”

Over the holiday break I spent a lot of time reading and thinking about what the security problem really is. It’s really hard to describe, no analogies work, and things just seem to keep getting worse. Until now! Maybe. Well, things will probably keep getting worse, but I think I’ve found a way to describeContinue reading “A security analogy that works”

If you have any sort of gym membership you dread the month of January. Every year, there are countless people who make a resolution to get in shape, so the gym is flooded with people for much of January. I’m in favor of everyone staying in shape and having a gym membership, my point isn’tContinue reading “Security reminds me of the gym on January 2”

Mallory was dead: to begin with. Bob knew he was dead, and nobody liked Bob, he was the security guy, nobody likes the security guy. “Merry Christmas Bob!” said Alice. “Bah humbug!” was the reply. Bob had to work over Christmas protecting the network, he had no reason to be merry. As Bob opened theContinue reading “A Christmas Cyber”

If you’re old enough, you remember reading a lot about the coming “paperless office”. It never came, but I realized there are parallels we can draw in the context of our current security problems. Back in the 90’s, everyone wanted a paperless office. It sounded neat and with the future coming, who would need paperContinue reading “Security is the new paperless office!”

I had a meeting with some non security people to discuss some of the challenges around security. It’s a rather popular topic these days but nobody knows what that means (remember 5 years ago when everyone talked about cloud but nobody knew what that meant?). The details are irrelevant, the most important thing that cameContinue reading “Security lacks patience”

There’s a story of a toothbrush security advisory making the rounds. This advisory is pretty funny but it matters. The actual issue with the toothbrush isn’t a huge deal, an attacker isn’t going to do anything exciting with the problems. The interesting issue here is we’re at the start of many problems like this we’re goingContinue reading “Where is the physical trust boundary?”

This tweethttps://twitter.com/RichFelker/status/666325066838339584 Led to this threadhttp://marc.info/?t=144778171800001&r=1&w=2 The short version is there are some developers from Red Hat working on gcc attempting to prevent ROP style attacks. More than one person has accused this work of being pointless and a waste of time. It’s not, the waste of time is arguing about why trying new thingsContinue reading “If your outcome is perfect or nothing, nothing always wins”