Technology Industry News & Career Management information, brought to you by BrainWave Consulting Company.
October 2008 - Posts
- Video in Japanese. And an (unrelated) cartoon...
- RSA interviewed me about my talk at the RSA Conference in London earlier this week...
- Really: We had an email recently from an observer "curious as to why the webcam that was inside the shop/bar is no longer there, or at least, functional". The email was from the Defense Threat Reduction Agency in the United States. When we replied that it was simply a short term technical problem, we asked why on earth they could...
- It's not a new scam to switch bar codes and buy merchandise for a lower value, but how do you get away with over $1M worth of merchandise with this scam? In a statement of facts filed with Tidwell's plea, he admitted that, during one year, he and others conspired to steal more than $1 million in merchandise from large...
- This is a story of how smart people can be neutralized through stupid procedures. Here's the part of the story where some poor guy's account gets completely f-ed. This thief had been bounced to the out-sourced security so often that he must have made a check list of any possible questions they would ask him. Through whatever means, he...
- No, really. (Commentary here.) This is just ridiculous. Of course the bad guys will use all the communications tools available to the rest of us. They have to communicate, after all. They'll also use cars, water faucets, and all-you-can-eat buffet lunches. So what? This commentary is dead on: Steven Aftergood, a veteran intelligence analyst at the Federation of the American...
- Item 1: Kip Hawley says that the TSA may reduce size restrictions on liquids. You'll still have to take them out of your bag, but they can be larger than three ounces. The reasons -- so he states -- are that technologies are getting better, not that the threat is reduced. I'm skeptical, of course. But read his post; it's...
- Even if there's no cash coming out of your company's pocket, you can put the vendor's expenditures to better uses.
- NIST is holding a competition to replace the SHA family of hash functions, which have been increasingly under attack. (I wrote about an early NIST hash workshop here.) Skein is our submission (myself and seven others: Niels Ferguson, Stefan Lucks, Doug Whiting, Mihir Bellare, Tadayoshi Kohno, Jon Callas, and Jesse Walker). Here's the paper: Executive Summary Skein is a new...
- Chilling story of a death-row inmate with a contraband cell phone. If we can't keep contraband out of prisons, how can we possibly hope to keep it out of airports?...
- Cryptographers have long joked about rubber-hose cryptanalysis: basically, beating the keys out of someone. Seems that this might have actually happened in Turkey: According to comments allegedly made by Howard Cox, a US Department of Justice official in a closed-door meeting last week, after being frustrated with the disk encryption employed by Yastremskiy, Turkish law enforcement may have resorted...
- I generally avoid commenting on election politics -- that's not what this blog is about -- but this comment by Barack Obama is worth discussing: [Q] I have been collecting accounts of your meeting with David Petraeus in Baghdad. And you had [inaudible] after he had made a really strong pitch [inaudible] for maximum flexibility. A lot of politicians at...
- When another candidate beats you out, here's how to find out why, and how to avoid being beaten the next time.
- This data squid was seen at the big demonstration against surveillance that took place in Berlin on October 11, as part of the international privacy action day "Freedom not Fear." The German is Datenkrake, which has a bad connotation to it, like sucking in everything it can get...
- Deciding on compensation and raises isn't as simple as many employees think.
- Interesting: In a nutshell, the guide advocates that organizations calculate cyber security risks and costs by asking questions of every organizational discipline that might be affected: legal, compliance, business operations, IT, external communications, crisis management, and risk management/insurance. The idea is to involve everyone who might be affected by a security breach and collect data on...
- Clever work: The researchers from the Security and Cryptography Laboratory at Ecole Polytechnique Federale de Lausanne are able to capture keystrokes by monitoring the electromagnetic radiation of PS/2, universal serial bus, or laptop keyboards. They've outlined four separate attack methods, some that work at a distance of as much as 65 feet from the target. In one video demonstration, researchers...
- Kip Hawley, head of the TSA, has responded to my airport security penetration testing, published in The Atlantic. Unfortunately, there's not really anything to his response. It's obvious he doesn't want to admit that they've been checking IDs all this time to no purpose whatsoever, so he just emits vague generalities like a frightened squid filling the water with ink...
- It's the ultimate movie-plot threat: terrorists using child porn: It is thought Islamist extremists are concealing messages in digital images and audio, video or other files. Police are now investigating the link between terrorists and paedophilia in an attempt to unravel the system. It could lead to the training of child welfare experts to identify signs of terrorist involvement as...
- Last week I wrote about a story that indicated that terrorist fear mongering is working less well. Here's another story, this one from Canada: two pipeline bombings in Northern British Columbia: Investigators are treating the explosions as acts of vandalism, not terrorism, Shields said. "Under the Criminal Code, it would be characterized as mischief, which is an intentional vandalism. We...
- While I am strongly opposed to a national ID, I have consistently said that giving strongly secured ID cards to groups like port workers is a good idea. It's happening in New England: The scannable card serves as proof that a background check has been performed and it contains features aimed at preventing misuse. In addition to a photograph, the...
- IT's costs shouldn't be much higher than retail, if any. If they are, take a close look at how you do business.
- Quantum cryptography is back in the news, and the basic idea is still unbelievably cool, in theory, and nearly useless in real life. The idea behind quantum crypto is that two people communicating using a quantum channel can be absolutely sure no one is eavesdropping. Heisenberg's uncertainty principle requires anyone measuring a quantum system to disturb it, and that disturbance...
- Examples of very bad Service Desk calls.
- Interesting: My all-time favourite [short con] only makes the con artist a few dollars every time he does it, but I absolutely love it. These guys used to go door-to-door in the 1970s selling lightbulbs and they would offer to replace every single lightbulb in your house, so all your old lightbulbs would be replaced with a brand new lightbulb,...
- Great article from The Atlantic...
- From the LEET '08 conference: "Designing and implementing malicious hardware," by Samuel T. King, Joseph Tucek, Anthony Cozzie, Chris Grier, Weihang Jiang, and Yuanyuan Zhou. Abstract: Hidden malicious circuits provide an attacker with a stealthy attack vector. As they occupy a layer below the entire software stack, malicious circuits can bypass traditional defensive techniques. Yet current work on...
- It's about time someone wrote this paper: ABSTRACT Googling for "SQL injection" gets about 4 million hits. The topic excites interest and superstitious fear. This whitepaper demystifies the topic and explains a straightforward approach to writing database PL/SQL programs that provably guarantees their immunity to SQL injection. Only when a PL/SQL subprogram executes SQL that it creates at run time...
- I was interviewed for Dr. Dobb's Journal. Way back before the first edition of Applied Cryptography, Dr. Dobb's Journal published my first writings about cryptography...
- Remember when the U.S. government said it was only spying on terrorists? Anyone with any common sense knew it was lying -- power without oversight is always abused -- but even I didn't think it was this bad: Faulk says he and others in his section of the NSA facility at Fort Gordon routinely shared salacious or tantalizing phone calls...
- If a leader doesn't trust his/her staff, there are many possible reasons. Each leads to a different solution.
- BART, the San Francisco subway authority, has been debating allowing passengers to bring drinks on trains. There are all sorts of good reasons why or why not -- convenience, problems with spills, and so on -- but one reason that makes no sense is that terrorists may bring flammable liquids on board. Yet that is exactly what BART managers said...
- Raising prices or making contract terms more onerous can drive good customers to find less pricey alternatives.
- The readers were hacked when they were built, "either during the manufacturing process at a factory in China, or shortly after they came off the production line." It's being called a "supply chain hack." Sophisticated stuff, and yet another demonstration that these all-computer security systems are full of risks. BTW, what's it worth to rig an election?...
- We engage in risk management all the time, but it only makes sense if we do it right. "Risk management" is just a fancy term for the cost-benefit tradeoff associated with any security decision. It's what we do when we react to fear, or try to make ourselves feel secure. It's the fight-or-flight reflex that evolved in primitive fish and...
- Elcomsoft is claiming that the WPA protocol is dead, just because they can speed up brute-force cracking by 100 times using a hardware accelerator. Why exactly is this news? Yes, weak passwords are weak -- we already know that. And strong WPA passwords are still strong. This seems like yet another blatant attempt to grab some press attention with a...
- Used against the IRA: One of the most interesting operations was the laundry mat [sic]. Having lost many troops and civilians to bombings, the Brits decided they needed to determine who was making the bombs and where they were being manufactured. One bright fellow recommended they operate a laundry and when asked "what the hell he was talking about," he...
- Rejection letters don't have to be dry, meaningless, and lacking in personality. Or do they?
- Squid can communicate with each other without any other fish noticing: Squid and their relatives have eyes that are sensitive to polarised light and are known to use it to signal to one another. Their predators on the other hand, like seals or whales, don't share this ability and cannot see the squids' signals. Most of all,...
- Guess the year: Murderous organizations have increased in size and scope; they are more daring, they are served by the most terrible weapons offered by modern science, and the world is nowadays threatened by new forces which, if recklessly unchained, may some day wreck universal destruction. The Orsini bombs were mere children's toys compared with the later developments of infernal...
- According to a massive report from the National Research Council, data mining for terrorists doesn't work. Here's a good summary: The report was written by a committee whose members include William Perry, a professor at Stanford University; Charles Vest, the former president of MIT; W. Earl Boebert, a retired senior scientist at Sandia National Laboratories; Cynthia Dwork of Microsoft Research;...
- Heard about this: The Maryland State Police classified 53 nonviolent activists as terrorists and entered their names and personal information into state and federal databases that track terrorism suspects, the state police chief acknowledged yesterday. Why did they do that? Both Hutchins and Sheridan said the activists' names were entered into the state police database as terrorists partly because...
- In a blatant attempt to get some PR: In a new paper, Bernd Roellgen of Munich-based encryption outfit PMC Ciphers, explains how it is possible to compare an encrypted backup image file made with almost any commercial encryption program or algorithm to an original that has subsequently changed so that small but telling quantities of data 'leaks'. Here's the paper...
- Financial investment and investing in finance aren't the same thing ... but we sure thought they were.
- This is the best article I've read on the story...
- Politically speaking, whether you avoid a meeting is less important than how you avoid it.
- Turns out you can add anyone's number -- or remove anyone's number -- to/from the Canadian do-not-call list. You can also add (but not remove) numbers to the U.S. do-not-call list, though only up to three at a time, and you have to provide a valid e-mail address to confirm the addition. Here's my idea. If you're a company, add...
- Most counterterrorism policies fail, not because of tactical problems, but because of a fundamental misunderstanding of what motivates terrorists in the first place. If we're ever going to defeat terrorism, we need to understand what drives people to become terrorists in the first place. Conventional wisdom holds that terrorism is inherently political, and that people become terrorists for political...
- Good Q&A on clickjacking: In plain English, clickjacking lets hackers and scammers hide malicious stuff under the cover of the content on a legitimate site. You know what happens when a carjacker takes a car? Well, clickjacking is like that, except that the click is the car. "Clickjacking" is a stunningly sexy name, but the vulnerability is really just a...
- Interesting: CSRF vulnerabilities occur when a website allows an authenticated user to perform a sensitive action but does not verify that the user herself is invoking that action. The key to understanding CSRF attacks is to recognize that websites typically don't verify that a request came from an authorized user. Instead they verify only that the request came from the...
- On Wednesday I was interviewed by the Irish Times...
- This essay of mine was published in The Guardian yesterday. Nothing I haven't said before...
- Compensation is based on the law of supply and demand. Use it to your advantage.
- Nice paragraph on the limitations of risk management in this occasionally interesting interview with Nicholas Taleb: Because then you get a Maginot Line problem. [After World War I, the French erected concrete fortifications to prevent Germany from invading again -- a response to the previous war, which proved ineffective for the next one.] You know, they make sure they solve...
- Now this is clever: "I came across the ad that was for a prevailing wage job for $28.50 an hour," said Mike, who saw a Craigslist ad last week looking for workers for a road maintenance project in Monroe. He said he inquired and was e-mailed back with instructions to meet near the Bank of America in Monroe at 11...
- This is good: Microsoft Corp. and the state of Washington this week filed lawsuits against a slew of "scareware" purveyors, scam artists who use fake security alerts to frighten consumers into paying for worthless computer security software. The case filed by the Washington attorney general's office names Texas-based Branch Software and its owner James Reed McCreary IV, alleging that McCreary's...
- I wish I'd known: A 28-year-old delivery man from the UK who bought a Nikon Coolpix camera for about $31 on eBay got more than he bargained for when the camera arrived with top secret information from the UK's MI6 organization. Allegedly sold by one of the clandestine organization's agents, the camera contained named al-Qaeda cells, names, images of suspected...
- I get that this is terrorism: A 24-year-old convert to Islam has been sentenced to 35 years in prison for plotting to set off hand grenades in a crowded shopping mall during the Christmas season. But I thought "weapons of mass destruction" was reserved for nuclear, chemical, and biological weapons. He was arrested in 2006 on charges of scheming to...