Stepto Rising

Like many of you, I was shocked last week to hear that Stephen "Jamie" Toulouse (@Stepto) had fallen into a deep coma. Family members took to social media to say that his prognosis wasn't looking good; that he wasn't expected to survive. But thanks to excellent medical care, prayer and what is surely a strong will to live, Stepto -- director of hacker success at HackerOne -- seems to have ...

The Way Forward for Chris Roberts, One World Labs

The plight of One World Labs Founder Chris Roberts has been picked to death on social media this past week. There's all the trouble he's in with the FBI for his airplane-hacking claims. There's the hit to his company, which had to let a lot of good security talent go last week. Some shake their heads in disbelief because he apparently spoke to the FBI about his activities without a ...

In the end, @Sidragon1’s Tweet was the problem

At RSA Conference 2015 here in San Francisco, there's a lot of discussion about weaknesses to the electrical and wifi systems aboard airplanes. The discussion often turns to the case of hacker Chris Roberts (@Sidragon1 on Twitter). There's been a lot of strong reaction to news of Roberts being pulled from a plane for jokingly tweeting that he might mess around with the plane's electronic systems. There's a lot of overreaction ...

RSA Parties 2015

Nothing like waiting until the very last minute to post an RSA Parties 2015 list. Day jobs + kids = you get the idea. That being said, I'm happy to note that Akamai Technologies (my day job) will be hosting a party this year in conjunction with AT&T. Be sure to come out and meet @csoandy, @billbrenner70, @mckeay and myself @gattaca. Now, this is a simple curated RSA Parties 2015 list but, if ...

Reflections

I find myself sitting in a hotel room in some random city this evening with a glass of wine, several open PowerPoint decks and Family Guy on the television. A moment of reflection if ever there was one. It occurs to me that Liquidmatrix just had its 17th birthday in February. That is a helluva long time for a website of any description. It has been a lot of ...

A Failed Hacker Unmasking Exercise

"A ridiculous article which purports to show us the face of a hacker..." -- Chris Wysopal, CTO of Veracode, in a tweet

The ability of media outlets to create sophisticated images and graphics is light years beyond what it was when I was a young journalist in the 1990s. The technology has spawned a lot of cool projects, like this visual of a botnet from my former employer, CSOonline.com. ...

Bad Anti-Hacking Laws: We Can Educate the Public

There's much alarm in the security community over new anti-hacking laws President Obama plans to float in his State of the Union address next week. The alarm is justified. What he proposes, as my friend Rob Graham (@ErrataRob) wrote in this important post, "are blunt political solutions which reflect no technical understanding of the problem." Obama's proposed anti-hacking laws are designed to arm companies with legal protections for sharing information ...

Microsoft Wrong to Cancel Patch Alerts

For the last few years I've been praising Microsoft for taking great strides to improve security. This morning, I'm tempted to take it all back. For the last decade, Microsoft has issued advance notifications the Thursday before each security patch release. It's been a valuable service, helping IT security practitioners to be better prepared. Yesterday, the software giant announced it was ending the service, claiming that not enough people are ...

UPnP Devices Used in DDoS Attacks

Attackers are using Universal Plug and Play (UPnP) devices to launch massive DDoS assaults, Akamai's Prolexic Security Engineering & Research Team (PLXsert) warned this morning in an advisory. PLXsert estimates that 4.1 million UPnP devices are potentially vulnerable to exploits used for reflection DDoS attacks. That's about 38 percent of the 11 million devices in use around the world. PLXsert plans to share the list of potentially exploitable devices with members of the ...

Data Breach Victims or Enablers?

Back in May, my good friend Eric Cowperthwaite caused a stir with a blog post about security breach victims getting demonized for failing to prevent break-ins. Other industry friends passionately disagreed. My thinking on the matter continues to evolve. But as is usually the case, my thinking takes me to the middle. Companies that suffer a breach -- Home Depot and Target have been among this year's biggest poster children ...