Stop Trying to Violently Separate Privacy and Security

Stop Trying to Violently Separate Privacy and Security:

Let’s focus all this Pedantic-Chi Energy on finding, classifying, and protecting the data in the first place. That’s what companies actually need help with.

(Via Daniel Miessler)

It’s an epic rant that Daniel wrote. His emotions are almost palpable when you read it. This would be more powerful if he stepped away emotionally. The post gets nasty at times, and personal attacks aren’t warranted.

The message, almost lost in Daniel’s frustration, is valid: the distinction between security and privacy is small. I tend to agree.


An intensive introduction to Cryptography

An intensive introduction to Cryptography:

These are … lecture notes for an introductory but fast-paced undergraduate/beginning graduate course on cryptography. I am using these notes for Harvard CS 127.

You can also download all lecture notes in a single PDF file.

I am diving in. I thought I had a decent grasp on the basics of cryptography but I am learning a ton with this so far.


If you have any comments, suggestions, typo fixes, etc., I would be very grateful if you post them as an issue or pull request in the GitHub repository where I am maintaining the source files for these notes.

What resources are you using?

Are you finding things that challenge your understanding and assumptions?


The Effectiveness of Publicly Shaming Bad Security

The Effectiveness of Publicly Shaming Bad Security:

If a company is going to take a position on security either in the way they choose to build their services or by what their representatives state on the public record, they can damn well be held accountable for it:

Whether those rejecting shaming of the likes I’ve shared above agree with the practice or not, they can’t argue with the outcome. I’m sure there’ll be those that apply motherhood statements such as “the end doesn’t justify the means”, but that would imply that the means is detrimental in some way which it simply isn’t. Keep it polite, use shaming constructively to leverage social pressure and we’re all better off for it.

(Via Troy Hunt’s Blog)

A long read. Troy captures several examples supporting his thesis. Sadly, he’s right. My concern is that, as society becomes inured to security issues, this tactic will work less and less frequently.


17 Years Later: Applying Post-9/11 Lessons to Potential Cyber Attacks

17 Years Later: Applying Post-9/11 Lessons to Potential Cyber Attacks:

Cyberattacks don’t produce the unmistakable, crystallizing violence that our nation experienced on 9/11. Instead, they unfold more insidiously. And, in that sense, we’re not still waiting for a cyber 9/11. It’s already here.

(Via Just Security)


NCSC: Time for Boards to Get Cyber Literate

NCSC: Time for Boards to Get Cyber Literate:

During the speech, Martin posed five basic questions board members should be asking of their technical teams.

These cover: how the organization deals with phishing, privileged IT accounts, software and device patching, supply chain security and authentication.

“Crucially, we are also telling you what to look for in the response,” he added.

“If the answer is: ‘We have hired X and bought Y to address the problem,’ ask the question again. You need to understand what is actually happening — not what activity has been bought.”

(Via Infosecurity)

Cannot agree more.

Martin admitted that the government’s strategy on providing businesses with cybersecurity advice and best practice hasn’t worked out as expected, with organizations focusing on good governance and simply outsourcing expertise.

Focusing on good governance is not a bad thing. Many organizations don’t do it well if at all. However, it might not help much independent of other activities.

Outsourcing expertise also isn’t a bad thing, but boards need to know that they cannot outsource ownership and responsibility. Finding a “trusted security advisor” is a great move, and any worth their salt will help educate the board.

Ultimately, this is the key take-away:

… board members can’t manage risk they don’t understand, so they must become more cyber-literate …


California’s bad IoT law

California’s bad IoT law:

It’s based on the misconception of adding security features. It’s like dieting, where people insist you should eat more kale, which does little to address the problem you are pigging out on potato chips. The key to dieting is not eating more but eating less. The same is true of cybersecurity, where the point is not to add “security features” but to remove “insecure features”. For IoT devices, that means removing listening ports and cross-site/injection issues in web management. Adding features is typical “magic pill” or “silver bullet” thinking that we spend much of our time in infosec fighting against.

We don’t want arbitrary features like firewall and anti-virus added to these products. It’ll just increase the attack surface making things worse. The one possible exception to this is “patchability”: some IoT devices can’t be patched, and that is a problem. But even here, it’s complicated. Even if IoT devices are patchable in theory there is no guarantee vendors will supply such patches, or worse, that users will apply them. Users overwhelmingly forget about devices once they are installed. These devices aren’t like phones/laptops which notify users about patching.

(Via Errata Security)

Read the whole article for the full take. I tend to agree with all the points.


Quantum Computing and Cryptography

Quantum Computing and Cryptography:

At its core, cryptography relies on the mathematical quirk that some things are easier to do than to undo. Just as it’s easier to smash a plate than to glue all the pieces back together, it’s much easier to multiply two prime numbers together to obtain one large number than it is to factor that large number back into two prime numbers. Asymmetries of this kind — one-way functions and trap-door one-way functions — underlie all of cryptography.

To encrypt a message, we combine it with a key to form ciphertext. Without the key, reversing the process is more difficult. Not just a little more difficult, but astronomically more difficult. Modern encryption algorithms are so fast that they can secure your entire hard drive without any noticeable slowdown, but that encryption can’t be broken before the heat death of the universe.

(Via Schneier on Security)

Bruce’s focus is on quantum computing, but he talks about cryptography generally in an accessible way. It’s a good summary. One could take this post and make a good presentation to high-level leadership to educate them on the topic.

If someone could please take that same deck and present it to the Australian government and US law enforcement, that would be great.

Of course, Bruce has talked about government backdoors many times.
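To make the “easy to do, hard to undo” asymmetry in the excerpt concrete, here is a small added example (my own, not code from Bruce’s post). It multiplies two random primes in a single operation, then recovers them by trial division and counts how many divisions that took. The primes are deliberately tiny and constructed so the script finishes in well under a second; the point is how the cost of the reverse direction grows with the size of the smaller prime, which is the same asymmetry that, at 2048-bit scale, makes factoring infeasible.

```python
"""Added example: the multiply-vs-factor asymmetry behind one-way functions.

Forward direction: n = p * q costs one multiplication.
Reverse direction: recovering p and q from n by trial division costs
roughly p/2 divisions, i.e. it grows exponentially in the bit length.
All numbers here are small, constructed inputs so the demo runs quickly.
"""
import math
import random


def is_prime(n: int) -> bool:
    """Deterministic trial-division primality test; adequate for small n."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    for d in range(3, math.isqrt(n) + 1, 2):
        if n % d == 0:
            return False
    return True


def random_prime(bits: int, rng: random.Random) -> int:
    """Pick a random odd prime of exactly `bits` bits (top and low bit forced to 1)."""
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_prime(cand):
            return cand


def factor_by_trial_division(n: int) -> tuple[int, int, int]:
    """Return (p, q, divisions_tried) for a semiprime n = p * q with p <= q."""
    if n % 2 == 0:
        return 2, n // 2, 1
    tried = 0
    for d in range(3, math.isqrt(n) + 1, 2):
        tried += 1
        if n % d == 0:
            return d, n // d, tried
    raise ValueError("n has no factor <= sqrt(n); it is prime or 1")


def demonstrate(bits: int, seed: int = 0) -> dict:
    """Multiply two `bits`-bit primes (1 op), then factor the product and count the cost."""
    rng = random.Random(seed)               # seeded so runs are reproducible
    p, q = sorted((random_prime(bits, rng), random_prime(bits, rng)))
    n = p * q                               # the easy direction: one multiplication
    fp, fq, tried = factor_by_trial_division(n)
    assert (fp, fq) == (p, q)               # the hard direction recovered the same primes
    return {"bits": bits, "p": p, "q": q, "n": n,
            "multiplications": 1, "divisions": tried}


if __name__ == "__main__":
    for b in (8, 12, 16, 20):
        r = demonstrate(b)
        print(f"{b:2d}-bit primes: n={r['n']}  "
              f"forward=1 multiplication, reverse={r['divisions']} divisions")
```

Each extra four bits of prime size multiplies the reverse cost by about sixteen while the forward cost stays at one multiplication; extrapolating that curve to the key sizes in real use is exactly the “heat death of the universe” remark in the excerpt. Trial division is the slowest factoring method, so the real gap is smaller than this shows, but it remains exponential for every classical algorithm known, which is why quantum factoring is the threat Bruce is writing about.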


Religious groups find their calling in threat sharing

Religious groups find their calling in threat sharing:

When it comes to protecting faith-based organizations from hackers, divine intervention will only get you so far. Congregations, like any other collection of people, can benefit from trading threat intelligence to mitigate the spread of malware.

With that in mind, religious groups recently became the latest sector to create a threat-sharing hub by setting up the Faith-Based Information Sharing and Analysis Organization (FB-ISAO).

Citing growing threats to donor data and religious websites, the FB-ISAO’s backers said it will fill a void by working with technology vendors to offer faith-based groups threat analysis and make them more resilient to attacks. The organization, founded in June but publicized on Monday, is open to American citizens of all faiths.

(Via Cyberscoop)

Every industry and organizational group should have some kind of threat intelligence sharing capability. These are not a cure-all by any stretch, but help even a moderately mature security team detect and respond at least a little faster.


Supply Chain Security

USB flash drives sent with Conext Combox and Conext Battery Monitor products, part of Schneider Electric’s solar power range, were “contaminated” during the manufacturing process, according to a security advisory released by the industrial equipment manufacturer.

Schneider Electric says that the USB media “may have been exposed to malware during manufacturing at a third-party supplier’s facility.”

Here’s the thing: people won’t remember who Conext is. They probably provide bits and bobs for a bunch of other companies, and this issue might impact those other companies (and consumers, obviously). But this will be associated with Schneider because they are the headliner.


ACTION Is How You Skyrocket Your Career, Not “Learning”

ACTION Is How You Skyrocket Your Career, Not “Learning”:

Are you the type of person that reads a blog post, reads things on Twitter, goes to forums, and discovers all of this interesting stuff that you can implement at work or new technology you can learn, but think you don’t have the time? This post is for you. In this post, I want to talk about those people who consume a lot of information, gather all of this knowledge about various topics, as well as being aware of the new technologies but don’t take the next step of implementing it. They don’t take any action on it at all; all of us are guilty of this to some degree.

(Via Adam the Automator – DevOps, Automation, PowerShell)

I do this. I need to curtail it.
