Verified Accounts or “Don’t let your friends steal your name”

I have a great friend (who may not agree with that “great” part after this) who refused to have a Facebook page. I can’t disagree with the idea of being part of the few left in America without one, but it has become somewhat of a joke with us.

Friend: Why didn’t you tell me?!
Me: I did tell everyone, via Twitter and Facebook.

A few nights ago while we were chatting via Jabber I decided to play a little joke and create him a Facebook page. ...

May 22, 2011 · 3 min · Nick

My Home Burglary and what it means for your enterprise

My house in DC was broken into. More specifically my garage, which is behind my house, was broken into and a few things stolen. Other than the asshole move of keying my car, nothing of great value was lost. All the same the process got me thinking about my life as an InfoSec professional and the similarities of our homes to our enterprises. I will use my home as an allegory to how we handle our digital worlds and what I learned. ...

May 14, 2011 · 4 min · Nick

Tor != VPN – A Simple Explanation

Shameless exploit of meme I know... I can’t take it anymore! I lurk on irc.freenode.net and /r/netsec and have seen a few too many mornings now that some person is safe, they used Tor. There is a big misunderstanding in what Tor actually does and protects. Here is my log in the fire to help explain the technology. Let’s start with the basics… ...

February 22, 2011 · 4 min · Nick

Geolocation and Force Protection

OMG THIS DUDE IS AT THINK COFFEE! Sometimes we get a little too focused in on what the root of a vulnerability is. I find myself thinking this a good bit with the advent of geolocation tagging and “check-ins” as the security world runs around with hair on fire. Rather than accept that our tools and users will be GPS connected and tracked, we take the extreme of labeling it all bad. By doing so we have removed what is a valuable tool to our folks. We can all agree that geolocation unfettered is a bad idea, but can’t we agree that geolocation in and of itself is not? ...

February 20, 2011 · 6 min · Nick

The news of OpenID’s Death is greatly exaggerated

I am not one to get on the blog and add to the argument over some stupid post from another tech pundit, but this one is too much to pass on. The reason I am tossing my hat in here is that I am now seeing SECURITY PROFESSIONALS adding to the crowd with the death knell of OpenID. Seriously? Let me start with this example from my morning routine. I logged into my Facebook account with ClavID instead of the standard Facebook authentication mechanism. A little-known Facebook feature is the ability to use OpenID providers to log in instead of the email+password. I do this because ClavID supports secure multifactor authentication, so instead of a simple user+pass, I have user+pass+token. Many of the websites I frequent support OpenID and in all of those cases I remove their ability to store my authentication information. ...

January 31, 2011 · 2 min · Nick