Data Breach Victims or Enablers?

Back in May, my good friend Eric Cowperthwaite caused a stir with a blog post about security breach victims getting demonized for failing to prevent break-ins. Other industry friends passionately disagreed. My thinking on the matter continues to evolve. But as is usually the case, my thinking takes me to the middle. Companies that suffer a breach -- Home Depot and Target have been among this year's biggest poster children ...

After 9-11, Fear Made Us Stupid

Included in all the tweets and Facebook postings about the 13th anniversary of 9-11 yesterday was this from friend and co-worker Martin McKeay: Never forget 9/11 and terrorism. But don't forget how many rights have been taken from us in the name of fighting terrorism. He's got that right. There's been plenty of outrage in recent years over the U.S. government running wild, violating our privacy in the name of ...

Exposing Gregory Evans: It Can Be Done

Thanks to the efforts of Attrition.org, we've known for years that LIGATT Security and Gregory Evans can't be trusted. That article includes a long list of examples where Evans has committed plagiarism and threatened those who question his credentials as a hacker. There are court documents on the Internet that add to the evidence. I won't go into the full summary of misdeeds here, because veteran security professionals have ...

The Stupid, It Burns

There are times where I just marvel at the abject stupidity of some folks. Case in point was the posting on Pastebin over the weekend where a group of "hackers" (wow, I use that term lightly) calling themselves "Wycked" posted a database dump from McDonald's Malaysia. The premise being that they compromised the site. Small problem with that however. You see, the "Havij Injection Project" already posted that same database ...

Privacy under fire: Aaron Sorkin saw it coming in 1999

I've long been a fan of "The West Wing," which follows the drama of fictional president Josiah Bartlet and his senior staff. The series launched well before the privacy debates that are now the norm. But series creator Aaron Sorkin was way ahead of his time all those years ago when he focused on Internet privacy in the season one episode "The Short List." In the episode, Bartlet has nominated ...

No Cyber Experience? Strategy! Um…

Michael Daniel is the person who is on point for shaping cyber security in the US government. I find it rather disquieting that the White House cyber security coordinator espouses his lack of technical knowledge as a plus. From Gov Security: "Being too down in the weeds at the technical level could actually be a little bit of a distraction," Daniel, a special assistant to the president, says in an ...

How About an Award for Sleaziest Vendor Booth?

So here's an idea... Since many of us are in agreement that security vendors should have booth displays at security cons that reflect the strength of their technology instead of resorting to booth babes and trashy signs, why not do a little something to hold their feet to the fire? Let's have a contest at each conference for sleaziest booth. The vendor who wins gets a design-to-be-determined award sure to ...

Black Hat 2014 and Media FUD

I get it. I really do. I used to be an online journalist, and I know how much pressure there is to bring in page views. I'm sure I've even written a few headlines that played up the fear factor to get clicks. I'm human, and humans are often misguided. But if I've learned anything, it's that throwing around words like "terrifying" and "scary" do more harm than good -- ...

To Those Missing Security Summer Camp

I'm seeing a lot of friends online bumming out because they can't make it to Black Hat, BSidesLV and DEF CON this year. I feel for them. I missed four years in a row -- 2008, 2009, 2010 and 2011 -- because of a scheduled family event that landed in the same calendar position as the Vegas events. I don't regret skipping Vegas those years. Not for a second. In my world family comes ...

(ISC)2's New App Security Council

Truth: I used to think (ISC)2 was one of the most useless organizations on the planet. They never seemed to listen to the people who had invested in their CISSP training. A couple years ago, people even started to brag about letting their certifications expire. But something happened that gave me renewed faith in the organization. A bunch of talented, well-known security professionals started running for seats on the (ISC)2 ...