Liminal states

An important clarification on point #2: the goal is not to interfere with other passengers getting to their destinations. As AP’s Ray Henry describes in TSA chief: Resisting scanners just means delays, the government is trying to convince travelers not to exercise their rights. But as We Won’t Fly’s George Donnelly discusses, Opt Out Day could make security lines move faster by reducing the number of people flying and giving travelers better information than the TSA is providing.

Whether or not you’re planning on opting out, it’s important to know your rights — and to know what your options are if something goes wrong. Fortunately, there are a lot of great resources out there. Here’s a quick guide:
Continue Reading »

If somebody starts chatting with you and asks you to try a link, be wary …

No, I didn’t click on the link. I do my best to keep up with security patches, but why take the chance of visiting a site that’s likely to be filled with malware?

See the final version here

Thanks to Adam, Jason, and Alem for the initial list; Sarah, tptacek, Locke1689, mahmud, Wayne, PeterH, Steve, and SonyaLynn for comments on the previous draft, and Damon for the wording on #7.

Continue Reading »

It’s counter-intuitive to think of Microsoft as a poster child for security.  But the progress they’ve made since 2001 along with the challenges they continue to face have a lot of lessons for anybody in this space — including Diaspora, the “privacy-aware, personally-controlled, open-source, do-it-all social network”.

Several of the comments on my previous post Diaspora: what next? were from former colleagues at Microsoft, and they made excellent points.  Here’s my attempt to build on the list that Adam, Jason, and Alem started off.
Continue Reading »

Security warning: If you don’t intend to share your phone number on Facebook, ask a friend to check their Phonebookand see if it’s there.  And it’s a good time to check to your privacy settings — my brother Greg has instructions on The Happy Accident.

Update, October 7: See the Twitter discussion in the first comment.

Continue Reading »

Another Shakacon presentation, this one from Deviant Ollam.  The short answer: fly with firearms.

Continue Reading »

Sarah Blankinship and I are presented Securing with the Enemy: Social strategy and team of rivals at Shakacon today.  More about our talk later; this post has notes from the keynote presentation on The Art of Espionage, by Luke McOmie (aka Pyr0) of British Telecom.

Luke’s consulting includes “real world risk assessments”, which sometimes involves breaking into his clients’ companies to test their security.  So it’s a great opportunity to hear about the kinds of techniques the real bad guys use.  Fascinating stuff!

Continue Reading »

Yesterday my former Microsoft colleague Matt Lerner, now at FrontSeat (“software for civic life”) sent out mail about the new ObamaCTO.org site, a user-powered forum for gathering and prioritizing ideas for Obama’s new CTO.  Anybody can register, vote on ideas, or submit your own; in a twist from digg-style rating, each person is limited to ten votes, and you can apply up to three on any given topic.  Unsurprisingly, I immediately voted for Ensure reliable & trustworthy election technologies.🙂

The site’s very well done, powered by UserVoice, with a straighforward interface.  Micah Sifry’s Never Mind Who; What Should S/he Do? on techPresident has more details on this site (as well as a new report on the role of the CTO from the 21st Century Right to Know Project).

And far be it from me to pass an opportunity for grassroots activism by.  Here’s my submission:

Require independent review of projects by technical experts

Over the last 8 years, many governmental projects have failed to take into account basic principles of systems and software engineering, design, computer security, and privacy.  The REAL ID proposal, for example, stored personal data in unencrypted form, relied on databases which didn’t yet exist, and ignored the questions of false positives due to inaccurate data.  Independent review by experts can detect these issues early in the process, which either gives time for them to be addressed or allows the project to be rethought far more cheaply.

If you think it’s reasonable, please vote it up!

jon

Just saw this in a thread in the One Million Strong for Barack Facebook group: the Barack Obama Keating Economics page on YouTube appears to have been hacked. It’s fixed now … but here’s a screenshot:

The Part of: link at the bottom apparently went to the McCain ad “The One.” (No, I didn’t click on it myself.)

Draft posted August 14. Substantially revised August 17.

The second of a two-part series on the Black Hat USA 2008 security conference.

Back when we lived in San Francisco in the 1990s, we were huge fans of Fuji TV’s Iron Chef, then shown with subtitles on a local cable station. When local chef Ron Siegel repeated his winning “lobster confront” menu at Charles Nob Hill, word got leaked to the Iron Chef mailing list and we managed to get seats … wow! And I’ll never forget the time that Bobby Flay in his exuberance jumped on the sushi board; so of course when I was at Caesar’s I had to have lunch at his Mesa Grill.

Iron Chef is also a good lens to looking at Black Hat from the perspective of the consulting I’m doing for San Francisco-based startup Coverity. This gives a completely different picture of the conference than the political and front-page-news of Vegas Baby! Black Hat, glitter, and pwnies. It’s just as interesting though, thanks in no small part to Fortify’s Iron Chef Black Hat.

Continue Reading »

The first of a two-part series on the Black Hat USA 2008 security conference.

Vegas, baby!

Continuing my tradition, I was in Las Vegas for Black Hat but didn’t attend the conference proper. My brother was able to come up from LA to meet me, so I decided to hang out with him instead — Vegas, baby!

This meant my Black Hat “attendance” was mostly networking at a couple of parties. Which certainly gives an interesting perspective on the conference ... in these more social settings, discussions are wide-ranging and informal, and there are opportunities for all kinds of different connections. Sites like Infoworld, Wired’sThreat Level , and Microsoft’s Ecostrat blog have great coverage of what happened during the sessions at Black Hat and Defcon, and are well worth checking out. Here’s my idiosyncratic view.

Kevin McLaughlin’s Learn From Lincoln, Says U.S. Cyber Chief on ChannelWeb is a particularly interesting lens for Black Hat, describing a talk by Rod Beckstrom (Director of the National Cyber Security Center in the U.S. Department of Homeland Security).

Continue Reading »

In RSA: “It feels like something’s missing” earlier this week, I mentioned that I found myself wondering whether what I was seeing at the show responded to security problems as experienced by users. Coincidentally enough, when I checked Slashdot today there were several of interesting security-related threads. So while it’s far from a statistically-valid sample, it’s still agreat chance to ask: is the industry successfully addressing these kinds of problems?

Let’s start with Oklahoma Leaks 10,000 Social Security Numbers, which is by far the most serious single issue:

“By putting SQL queries in the URLs, they not only leaked the personal data of tens of thousands of people, but enabled literally anyone with basic SQL knowledge to put his neighbor/boss/enemies on the sexual offender list.”

Continue Reading »