Data Breach Victims or Enablers?

Back in May,  my good friend Eric Cowperthwaite caused a stir with a blog post about security breach victims getting demonized for failing to prevent break-ins. Other industry friends passionately disagreed. My thinking on the matter continues to evolve. But as is usually the case, my thinking takes me to the middle. Companies that suffer a breach -- Home Depot and Target have been among this year's biggest poster children ...

After 9-11, Fear Made Us Stupid

Included in all the tweets and Facebook postings about the 13th anniversary of 9-11 yesterday was this from friend and co-worker Martin McKeay: Never forget 9/11 and terrorism. But don't forget how many rights have been taken from us in the name of fighting terrorism. He's got that right. There's been plenty of outrage in recent years over the U.S. government running wild, violating our privacy in the name of ...

Exposing Gregory Evans: It Can Be Done

Thanks to the efforts of Attrition.org, we've known for years that LIGATT Security and Gregory Evans can't be trusted. That article includes a long list of examples where Evans has committed plagiarism and threatened those who question his credentials as a hacker. There are court documents on the Internet that add to the evidence. I won't go into the full summary of misdeeds here, because veteran security professionals have ...

Five security lessons from ‘Mars Attacks!’

If you look closely, the 1996 Tim Burton film "Mars Attacks!" offers us a few security lessons. Let the following clip play as I run through some examples... http://youtu.be/VYHeZCEFwhI Lesson 1: If you release a white dove over someone's head before you verify who you're dealing with, you have failed to practice due diligence. The resulting bad press could damage your brand. Lesson 2: Regarding Jack Nicholson's speech about two ...

Privacy under fire: Aaron Sorkin saw it coming in 1999

I've long been a fan of "The West Wing," which follows the drama of fictional president Josiah Bartlet and his senior staff. The series launched well before the privacy debates that are now the norm. But series creator Aaron Sorkin was way ahead of his time all those years ago when he focused on Internet privacy in the season one episode "The Short List." In the episode, Bartlet has nominated ...

Weak Passwords: Mel Brooks warned us

Look back more than 20 years and you'll find that we were warned about the dangers of weak passwords long before it was much of a thought in anyone's mind. The warning came from Mel Brooks in a 1980s Star Wars spoof called "Spaceballs." Observe: http://youtu.be/_JNGI1dI-e8 Class dismissed.

How About an Award for Sleaziest Vendor Booth?

So here's an idea... Since many of us are in agreement that security vendors should have booth displays at security cons that reflect the strength of their technology instead of resorting to booth babes and trashy signs, why not do a little something to hold their feet to the fire? Let's have a contest at each conference for sleaziest booth. The vendor who wins gets a design-to-be-determined award sure to ...

Black Hat 2014 and Media FUD

I get it. I really do. I used to be an online journalist, and I know how much pressure there is to bring in page views. I'm sure I've even written a few headlines that played up the fear factor to get clicks. I'm human, and humans are often misguided. But if I've learned anything, it's that throwing around words like "terrifying" and "scary" does more harm than good -- ...

To Those Missing Security Summer Camp

I'm seeing a lot of friends online bumming out because they can't make it to Black Hat, BSidesLV and DEF CON this year. I feel for them. I missed four years in a row -- 2008, 2009, 2010 and 2011 -- because of a scheduled family event that landed in the same calendar position as the Vegas events. I don't regret skipping Vegas those years. Not for a second. In my world family comes ...

(ISC)2's New App Security Council

Truth: I used to think (ISC)2 was one of the most useless organizations on the planet. They never seemed to listen to the people who had invested in their CISSP training. A couple years ago, people even started to brag about letting their certifications expire. But something happened that gave me renewed faith in the organization. A bunch of talented, well-known security professionals started running for seats on the (ISC)2 ...
