So Bill Brenner has a great article on “How to survive security conferences: 4 tips for the socially anxious .” I’d like to stand by my 2010 guide to “Black Hat Best Practices,” and augment it with something new: a word on etiquette. Etiquette is not about what fork you use (start from the outside,…Read More Conference Etiquette: What’s New?
John Boyd’s ideas have had a deep impact on the world. He created the concept of the OODA Loop, and talked about the importance of speed (“getting inside your opponent’s loop”) and orientation, and how we determine what’s important. A lot of people who know about the work of John Boyd also know that he…Read More Boyd Video: Patterns of Conflict
The Washington Post reports that there will be a “New agency to sniff out threats in cyberspace.” This is my first analysis of what’s been made public. Details are not fully released, but there are some obvious problems, which include: “The quality of the threat analysis will depend on a steady stream of data from…Read More The New Cyber Agency Will Likely Cyber Fail
If you listen to the security echo chamber, after an embarrassing failure like a data breach, you lose your job, right? Let’s look at Seahawks Coach Pete Carroll, who made what the home town paper called the “Worst Play Call Ever.” With less than a minute to go in the Superbowl, and the game hanging…Read More What CSOs can Learn from Pete Carroll
It didn’t take long for the Seahawk’s game-losing pass to get a label. But as Ed Felten explains, there’s actually some logic to it, and one of his commenters (Chris) points out that Marshawn Lynch scored in only one of his 5 runs from the one yard line this season. So, perhaps in a game…Read More An Infosec lesson from the "Worst Play Call Ever"
Paul Gowder has an interesting post over at Prawfblog, “In Defense of Facebook Copyright Disclaimer Status Updates (!!!).” He presents the facts: …People then decide that, hey, goose, gander, if Facebook can unilaterally change the terms of our agreement by presenting new ones where, theoretically, a user might see them, then a user can unilaterally…Read More The Unexpected Meanings of Facebook Privacy Disclaimers
Lately I’ve noted a lot of people quoted in the media after breaches saying “X was Security 101. I can’t believe they didn’t do X!” For example, “I can’t believe that LinkedIn wasn’t salting passwords! That’s security 101!” Now, I’m unsure if that’s “security 101” or not. I think security 101 for passwords is “don’t…Read More Security 101: Show Your List!
I’m having a problem where the “key identifier” displayed on my ios device does not match the key fingerprint on my server. In particular, I run: % openssl x509 -in keyfile.pem -fingerprint -sha1 and I get a 20 byte hash. I also have a 20 byte hash in my phone, but it is not that…Read More IOS Subject Key Identifier?