Category Archives: SecurityBlog

Last week I spent time with a lot of normal people. Well, they were all computer folks, but not the sort one would find in a typical security circle. It really got me thinking about the bubble we live in as the security people. There are a lot of things we take for granted. IContinue reading “Thoughts on our security bubble”

If you’re in the security industry these days things often don’t look very good. Everywhere you look it sometimes feels like everything is on fire. The joke is there are two types of companies, those that know they’ve been hacked and those that don’t. The world of devices looks even worse. They’re all running oldContinue reading “Security will fix itself, eventually”

Almost every industry goes through a time when new novel features are sold as some sort of add on or extra product. Remember needing a TCP stack? What about having to buy a sound card for your computer, or a CD drive? (Does anyone even know what a CD is anymore?) Did you know thatContinue reading “Security isn’t a feature, it’s a part of everything”

A long time ago Ken Thompson wrote something called Reflections on Trusting Trust. If you’ve never read this, go read it right now. It’s short and it’s something everyone needs to understand. The paper basically explains how Ken backdoored the compiler on a UNIX system in such a way it was extremely hard to get ridContinue reading “Trusting, Trusting Trust”

I had a discussion with some people I work with smarter than myself about training developers. The usual training suggests came up, but at the end of the day, and this will no doubt enrage some of you, we can’t train developers to write secure code. It’s OK, my twitter handle is @joshbressers, go tell meContinue reading “Can we train our way out of security flaws?”

Anytime you work on a software project, the big events are always new releases. We love to get our update and see what sort of new and exciting things have been added. New versions are exciting, they’re the result of months or years of hard work. Who doesn’t love to talk about the new coolContinue reading “Software end of life matters!”

Unless you live under a rock, you’ve heard of the Badlock security issue. It went public on April 12. Then things got weird. I wrote about this a bit in a previous post. I mentioned there that this better be good. If it’s not, people will get grumpy. People got grumpy. The thing is, this is aContinue reading “What happened with Badlock?”

There was a news story published last week about the almost total lack of cybersecurity attention in undergraduate education. Most people in the security industry won’t be surprised by this. In the majority of cases when the security folks have to talk to developers, there is a clear lack of understanding about security. Every nowContinue reading “Cybersecurity education isn’t good, nobody is shocked”

Every now and then the conversation erupts about what is security really? There’s the old saying that the only secure computer is one that’s off (or fill in your favorite quote here, there are hundreds). But the thing is, security isn’t the binary concept: you can be secure, or insecure. That’s not how anything works.Continue reading “Security is really about Risk vs Reward”

If you’ve been paying any attention for the past few weeks, you know what ransomware is. It’s a pretty massive pain for anyone who gets it, and in some cases, it was a matter of life and death. It’s easy to understand what makes this stuff scary, but there’s another angle most haven’t caught onContinue reading “Ransomware is scary, but not for the reasons you think it is”