Josh More's Blog's Comments

Comment on Password Security and Schools by Mala

Mala — Thu, 17 Dec 2015 07:08:54 +0000

I’ve seen similar reioisctrtns but still consider the security sufficient ifa) you have some random login number that you write downb) your account gets blocked after 3 tries.If the login number was your account number it could be used for denial of service, so I prefer a random number.Of course someone could still steal your hashed password from the bank and brute-force it which is easier for simple password.But then this is not much easier than installing a trojan, staging a man in the middle attack or sniff your password by other means.

Comment on New Book: Breaking In to Information Security by W. Schmidt

W. Schmidt — Fri, 25 Jul 2014 03:05:08 +0000

I’m not sure you can “break in” to information security, unless you end up working in forensics or law enforcement directly out of college. In my case I was a network engineer for about five years for a large corporation. I ran into a consultant and helped him with an assessment of our data center, organized our diagrams, explained address schemas, found lost equipment, etc. He recruited me to come work for him when he changed firms a few months later.

My entire foundation as some one that designed and implemented networks was reversed, and I ended up working doing penetration testing, risk assessments, and various types of IT audits and consulting projects.

Without the initial industry experience, I’m not sure I would have had a foothold. Although some people can “break” directly into security, the best foundation in my mind is to start learning a normal IT disciplline: development, networking, windows, database administration. From there, learn security as a concept, and from your initial knowledge you’ll at least have something to say about one area of security, and perhaps that’s where you specialize. Since I wasn’t a developer, I’d make a pretty awful application penetration tester, but then again I’d never posit to be one.

To succeed in a field that is based on deconstruction, try learning to construct something first, then at least you can tell people how to put it back together when you break it.

Comment on Firefox and Facebook by Using Facebook without being tracked | wiredread

Using Facebook without being tracked | wiredread — Tue, 11 Mar 2014 07:23:38 +0000

[…] Firefox and Facebook […]

Comment on Sophos: Pushing the Boundaries by LonerVamp

LonerVamp — Thu, 03 Jan 2013 22:21:27 +0000

Recent drama aside, Sophos is as mixed a bag as most any other offering. Their AV is fine but their enterprise support for the host-based firewall leaves much to be desired. And you’re right; it all comes down to specifically picking a solution for the business at hand, rather than saying a single product is best for all comers.

Comment on Hoaxicane Sandy by Josh

Josh — Tue, 30 Oct 2012 17:30:52 +0000

Well, it’s only technically “infringing” if you can track down the original, find how it was licensed and verify that it is being used in a manner contrary to law. Of course, “stolen” has the same issues. :)

I probably should have said “Then it lists a bunch of sites that are using this image without credit.”, but what’s done it done.

Comment on Hoaxicane Sandy by Kenny

Kenny — Tue, 30 Oct 2012 17:27:38 +0000

@Josh, It wasn’t even that I was nitpicking on, but props on updating with the info.

I was more pointing out the terminology “stolen”. Technically it’s “infringing”, no? :)

Comment on Hoaxicane Sandy by Josh

Josh — Tue, 30 Oct 2012 16:45:42 +0000

@Kenny, In order to get this post out fast enough yesterday, I had to skim a bit on the research. I have since tracked down the original (and verified) and was able to provide credit to the original photographer. Sorry it took so long.

Comment on Hoaxicane Sandy by Kenny

Kenny — Tue, 30 Oct 2012 15:19:17 +0000

@Josh — I don’t get it. If the image is stolen, how am I seeing it right here????

@miniterdod — fined or jailed? Really? That seems a bit of a harsh reaction.

I thought this time around the exposing-the-hoax photos came pretty much on the heels of the hoaxes themselves. People want to know they’ve been hoaxed more than they want to believe the hoax.

Comment on Hoaxicane Sandy by ministerdod

ministerdod — Tue, 30 Oct 2012 13:12:59 +0000

THe people posting these pictures and spreading these lies need to be fined or jailed

Comment on Security Certification 2/3 – Learning by Josh

Josh — Wed, 25 Jul 2012 13:27:34 +0000

J.,

You raise some very good points. Of course, there is no perfect way to do this, and the system does result in a “learning margin” rather than learning/dollar. Measuring learning is difficult, especially measuring potential learning. It may not be possible to forecast anything reasonably. In the end, as you state, you have to answer “is this certification right for me?”

However, for a security practitioner, I would argue that the 100% “learning margin” you get in accounting or marketing may be worth more than a 20% learning margin in yet another security cert. My own studies in the fields of Psychology and Economics, for example, have done more for my career than picking up a GWEB or GWAPT cert would have. There comes a point in security where it seems people add certs to add certs and focus more on the letters than the learning. Personally, I doubt that a fourth, ninth or fifteenth certification really adds much career or income-wise when compared to your third, eighth or fourteenth certification.

This is, of course, bad news for certification companies that seem to be creating paths and “ladders” to success. I wish they worked, but I have yet to see much evidence than anything beyond three certifications in a field do much to benefit one’s career.