For many years, I have been saying that “think like an attacker” is bad advice for most people. For example: Here’s what’s wrong with think like an attacker: most people have no clue how to do it. They don’t know what matters to an attacker. They don’t know how an attacker spends their day. They…Read More Think Like An Attacker? Flip that advice!
In light of recent news, such as “FreeBSD washing Intel-chip randomness” and “alleged NSA-RSA scheming,” what advice should we give engineers who want to use randomness in their designs? My advice for software engineers building things used to be to rely on the OS to get it right. That defers the problem to a small…Read More What to do for randomness today?
It’s common to hear that Facebook use means that privacy is over, or no longer matters. I think that perception is deeply wrong. It’s based in the superficial notion that people making different or perhaps surprising privacy tradeoffs are never aware of what they’re doing, or that they have no regrets. Some recent stories that…Read More A Quintet of Facebook Privacy Stories
As I think more about the way people are likely to use a password manager, I think there’s real problems with the way master passwords are set up. As I write this, I’m deeply aware that I’m risking going into a space of “it’s logical that” without proper evidence. Let’s start from the way most…Read More The Psychology of Password Managers
The folks at Hashcat have some interesting observations about 1Password. The folks at 1Password have a response, and I think there’s all sorts of fascinating lessons here. The crypto conversations are interesting, but at the end of the day, a lot of security is unavoidably contributed by the master password strength. I’d like to offer…Read More 1Password & Hashcat
…the new points system rates the driver’s ability to pilot the MINI with a sporty yet steady hand. Praise is given to particularly sprightly sprints, precise gear changes, controlled braking, smooth cornering and U-turns executed at well-judged speeds. For example, the system awards maximum Experience Points for upshifts carried out within the ideal rev range…Read More Gamifying Driving
It’s Data Privacy Day, and there may be a profusion of platitudes. But I think what we need on data privacy day are more tools to let people take control of their privacy. One way to do that is to check your privacy settings. Of course, the way settings are arranged changes over time, and…Read More Happy Data Privacy Day! Go check out PrivacyFix
My friend Raquell Holmes is doing some really interesting work at using improv to unlock creativity. There’s some really interesting ties between the use of games and the use of improv to get people to approach problems in a new light, and I’m bummed that I won’t be able to make this event: Monday Dec…Read More Can Science Improvise?
So it’s cool that this “S.M.A.R.T” stuff tells the computer when the hard drive is failing. The next step in user interface is to take the message out of /Applications/Utilities/Disk Utility and into an interruptive UI, so that I don’t discover this problem when I happen to get an extra drive for backup. I know…Read More When an interrupt is important
In ““Secure Password Managers” and “Military-Grade Encryption” on Smartphones: Oh, Really?” Andrey Belenko and Dmitry Sklyarov write quite a bit about a lot of password management tools. This is admirable work, and I’m glad BlackHat provided a forum for it. However, as a user of 1Password, I was concerned to read the following about that…Read More Does 1Password Store Passwords Securely?