security memetics

security - expectation versus reality

2009-07-10T18:00:00.001-04:00

found on xkcd

sometimes attacks are much simpler than you'd expect, you just have to think outside the box.

if making personal copies...

2009-07-09T18:00:00.000-04:00

if making personal copies of trade secrets worth millions of dollars seems A-OK to you then you might be a security idiot

(inspiration)

if you hope for a terror attack...

2009-07-08T18:00:00.000-04:00

if you hope for a terror attack against your own country in order to prove how insecure your country is then you might be a security idiot.

(inspiration)

if you let your door lock keypad get worn down...

2009-07-07T18:00:00.002-04:00

if you let your door lock keypad get worn down to the point where it's more break-n-enter by numbers than it is a combination lock, you might be a security idiot.

(inspiration)

if you think you can put an end to corruption...

2009-07-06T18:00:00.001-04:00

if you think you can put an end to corruption by getting rid of pockets then you might be a security idiot.

(inspiration)

if you raise the bomb threat alarm...

2009-07-02T18:00:00.001-04:00

if you raise the bomb threat alarm over an air freshener then you might be a security idiot.

(inspiration)

if your hard drives find their way...

2009-06-25T18:00:00.001-04:00

if your hard drives find their way to a market in ghana without ever having the sensitive data on them removed or protected in any way then you might be a security idiot.

(inspiration)

if you laugh when...

2009-06-24T18:00:00.001-04:00

if you laugh when presented with security problems that affect you then you might be a security idiot.

(inspiration)

if you hardcode your own password...

2009-06-23T18:00:00.001-04:00

if you hardcode your own password into the password stealing trojan you're making then you might be a security idiot.

(inspiration)

if you sue your auditors...

2009-06-22T18:00:00.003-04:00

if you sue your auditors because they didn't stop you from doing stupid things then you might be a security idiot.

(inspiration)

if you sell off the electronic devices...

2009-06-21T18:00:00.001-04:00

if you sell off the electronic devices used by a presidential campaign without clearing the memory first, then you might be a security idiot.

(inspiration)

if you let prison inmates escape...

2009-06-20T18:00:00.002-04:00

if you let prison inmates escape by climbing in a man-sized box intended for express courier delivery then you might be a security idiot...

(inspiration)

if you overlook the threat...

2009-06-19T18:00:00.001-04:00

if you overlook the threat represented by a 25 foot long missile because it has the word "viagra" painted on it then you might be a security idiot...

(inspiration)

security fail redux

2009-06-18T18:00:00.001-04:00

from epiclosers

yeah, so in case you didn't realize it, securing a car is a lot different from securing a bicycle. it's really important that your security strategy matches the asset you're trying to secure.

if nude pictures of your wife...

2009-06-17T18:00:00.000-04:00

if nude pictures of your wife get leaked on the internet because you left your UNLOCKED iphone at mcdonalds, then you might be a security idiot...

(inspiration)

risk management fail

2009-06-16T18:00:00.001-04:00

from failblog

i don't think these guys are managing their risks very well, but for some reason i really wouldn't want to go over there and tell them that.

if you think a wireless protocol...

2009-06-15T18:00:00.000-04:00

if you think a wireless protocol that can be cracked in seconds is good enough to protect credit card transactions then you might be a security idiot...

(inspiration)

security fail

2009-06-14T18:00:00.001-04:00

from failblog

sort of like closing the barn door after the horses have escaped - locking this door has absolutely no benefit.

the security guy and the frog

2009-05-12T23:52:00.003-04:00

a couple of years ago my boss came up to me and started spinning a tale... he told me to imagine i was walking along when all of a sudden i encounter this frog, but instead of just an ordinary frog this is a special frog because it talks... apparently the frog says that it wasn't always a frog and that if i kiss it it will be come a beautiful woman (not to mention other tempting suggestions)... so when my boss finishes this tale he asks me "would you kiss the frog?"... my answer?

NO

at this point he proceeds to tell me (and the others in the room) this humourous tale of the engineer and the frog, the punchline of which (with his telling of it at least) has the engineer saying "women are alright, but a talking frog is really cool!"... he got quite a chuckle out of my apparently being so similar to this stereotypical engineer in the story, and has brought it up in passing a number of times since then...

the wording of the story makes it pretty clear that it's underlining the differences in values between the geeky engineer and a normal person (the engineer values a talking frog over a beautiful woman) but as i explained to my boss, my answer, my choice had nothing to do with those sorts of evaluations...

the reality is that it's not really a choice between a beautiful woman and a talking frog - if both were present at the same time then that would be the choice (and i would certainly choose the woman over the frog) - but in reality the choice is whether or not to believe the frog when it makes those promises... to me, kissing a frog for the promise of a beautiful woman is like giving up my passwords for a candy bar, it's a strategically bad move, and there are any number of ways it could backfire... the reality is that my answer (and the answer of any security guy worth his salt) comes from one place and one place only -

i don't trust the frog*...
(*in fact, i don't trust much at all, and that's probably what gives me an edge over the average person with respect to security)

if you donate mp3 players

2009-03-25T23:44:00.000-04:00

if you donate mp3 players full of military documents to thrift stores for the benefit of the less fortunate then you might be a security idiot...

(inspiration)

if your password is ...

2009-03-25T23:42:00.000-04:00

if your password is "password" then you might be a security idiot...

(inspiration)

Facebook Privacy: Beyond The Blacklist 2 - Sandboxes

2009-01-10T19:07:00.001-05:00

in the previous 2 articles on this topic (Facebook Privacy: The Limited Profile Blacklist and Facebook Privacy: Beyond The Blacklist - Whitelists) i discussed both selectively blocking access to certain things and selectively allowing access to certain things respectively... both of which have their place but both of which require a certain amount of trust in the person you're adding to your friend list...

if you participate in any of the social gaming on facebook then you know that the current game design du jour focuses heavily on rewarding the user for adding their facebook friends to the game... since it can be hard to find people amongst your real life friends who want to play the same games you do the easiest strategy for advancing in these games is to add strangers from within the game to your facebook friends list...

the social gaming is just an example, by the way, there are any number of reasons why you may be faced with need to add people you don't know well enough to call friend to your friend list and this can present a problem... how can you know the person is safe to add to your profile if you don't know the person yet? on the other hand, how can you get to know the person if you don't make a connection with them using the friend list?

it's a catch-22 situation but it turns out there is a solution which may or (as in my case) may not be obvious - make a second profile with nothing personal in it and connect to that person through this new non-personal profile... this non-personal profile is essentially a sandbox - bad things can happen with it and it doesn't matter because there is nothing sensitive, nothing of value in it... i don't just mean that you left out your real date of birth or your cell phone number or any of that stuff, it's also separate from your actual friends so if something bad does happen you won't be exposing them to any risk...

facebook may not like the idea of their users having 2 profiles a piece but they'll have to get over it because a sandbox profile fills a very important need - it gives users a tool with which they can build relationships from the very beginning, before knowing whether or not a person is trustworthy enough to add to their real profile, and without making the person jump through any hoops like getting to know each other via some alternate channel before adding them (i've done that, it's no fun being the difficult one)...

as i alluded to before, this was not an obvious strategy to me - which is a surprising considering i go on and on about the blacklist/whitelist/sandbox triad for malware protection - but it took a pair of ladies (laura ly and tammy vickery) to clue me in to this one... i suppose it shouldn't really be surprising, though... all things considered i actually would expect the fairer sex to have more experience protecting themselves from people online...

related posts:
Facebook Privacy: The Limited Profile Blacklist
Facebook Privacy: Beyond The Blacklist - Whitelists

Facebook Privacy: Beyond The Blacklist - Whitelists

2009-01-10T19:06:00.001-05:00

in the previous article on this topic (Facebook Privacy: The Limited Profile Blacklist) i described a simple blacklist model of privacy control... it's good for when you have very simple needs but if you find you have different groups of people that each should be seeing different things then you may find using a blacklist method difficult to manage - especially if you, like me, don't find blocking access to be a natural way of thinking...

in real life, rather than sharing everything in my life with everyone save for a select few i make a mental note to block, i selectively share different things with different people... it turns out that with facebook's privacy controls, not only can you configure something so that people on a particular list can't see it, you can also configure something so that only people on a particular list can see it... this is the opposite way of doing things from a blacklist and so it's called a whitelist...

you can use a whitelist model like this:

go to the friends page and make a new friend list called "Real Life Friends"
now make another list called "Online Only Friends" (you can actually call these 2 lists anything you want, these names are just an example based on my usage)
goto "Settings->Privacy Settings"
now if you're like me you have a deeper level of trust with your real life friends than you do with people you only know online so for each item under "Profile", "Contact Information", "Applications", and "Photo Album" choose the "Customize" option and then enter "Real Life Friends" in the "Some Friends" box (some of the items don't have a "Some Friends" box so you won't be able to whitelist access to these, but there are only 4 that i know of and they're all pretty basic/fundamental profile items)
for your online only friends select which of those items you want them to be able to see and customize the privacy settings to add "Online Only Friends" to the "Some Friends" box on those items
finally, save all your changes for each group of items (profile, contact, etc)

now when you add a new friend they won't be able to see any of this stuff unless you specify them as either a real life friend or an online only friend... also, although in this example the two lists were mutually exclusive you can have many lists and some of them may have overlap (ie. a person might be in more than one list) - with this method if they're in any of the lists that is allowed to see a profile item they'll get to see it...

in essence this is a method of granting permission to things... it's very much like how a system administrator might set up permission to computer resources (which is why in reality my privacy-related friends lists start with ACL, not only does it make them easier to find amongst other friend lists, ACL stands for access control list)... i moved to the whitelist method when i realized i might need to control access for multiple separate groups of people and that doing so with blacklisting wouldn't be as intuitive for me... i found it easier to be less restrictive with things when i was granting permission than when i was blocking access...

related posts:
Facebook Privacy: The Limited Profile Blacklist
Facebook Privacy: Beyond The Blacklist 2 - Sandboxes

Facebook Privacy: The Limited Profile Blacklist

2009-01-10T19:04:00.002-05:00

if you're a facebook user and have even the slightest inclination towards maintaining a certain amount of privacy you've probably run into the problem of having contacts you want to have on your friend list but who you want to share fewer details with than you do with others... maybe it's a friend who isn't as close as some of your other friends, maybe a spouse or other family member, maybe it's a work contact... whatever the reason is, you're in luck because facebook has privacy controls that are remarkably flexible...

the first method i encountered for doing this is called the limited profile method - the name and concept is a carry-over from when facebook's privacy controls were simpler but less flexible... what it used to entail doesn't really matter anymore, but what it entails now is this:

you make a new friend list called "Limited Profile" (though actually you can name it whatever you like) and add to that list the people who you want to have only limited access to your profile
then under "Settings->Privacy Settings" you go through all the basic profile, contact information, photo albums, and applications and for those things you want to keep secret you choose the "Customize" option
then enter either a person's name or in this case "Limited Profile" (so that you don't have to do this over and over again each time you add a friend with limited access) in the "Except These People" box
and finally don't forget to save your changes

now as an example, if there's a photo album you don't want just anyone to see and you've configured that album to with "Limited Profile" in the "Except These People" box then anyone in the "Limited Profile" friend list should be unable to see the photos in that photo album..

this blocking of people on the "Limited Profile" list is essentially an application of the blacklist concept (kind of like a list of banned people)... it's pretty simple but also pretty effective... this is the first model of privacy protection i played with and although i've moved on to other techniques for the most part i still use this for a very special person; someone i can't reasonably keep off my friends list but also someone i don't want knowing all my business - my mom...

related posts:
Facebook Privacy: Beyond The Blacklist - Whitelists
Facebook Privacy: Beyond The Blacklist 2 - Sandboxes

new meme: Here's what I do

2009-01-10T19:00:00.000-05:00

alrighty then, it's a new year, we need a new meme - except like past memes this is an old meme... this is basically the word of mouth advice meme...

obviously a website isn't word of mouth, but hey, stuff that travels by word of mouth has to start somewhere, why not here?