Current Topic: Technology

RE: Seeking your Opinion, Are 1/3 of security practices worthless?

Topic: Technology
1:26 pm EST, Feb 18, 2008
Tsudohnimh wrote: Interesting article describing a talk given by "Peter Tippett -- who is vice president of risk intelligence for Verizon Business, chief scientist at ICSA Labs, and the inventor of the program that became Norton AntiVirus -- said that about one third of today's security practices are based on outmoded or outdated concepts that don't apply to today's computing environments." Tippett uses several analogies concerning outdated vuln research and disclosure and the discarding of hackable technologies. On the surface this sounds good, but I'm curious to hear the opinion of some of the security professionals on MemeStreams. Is he entirely off base? Does he make some valid points? Are his analogies far-fetched? I'd love to hear what you think.
Perennially, some self-promoter, often a well-credentialed and widely respected person, but a self-promoter nonetheless, will stand up and claim that everything that everyone in the information security industry is doing is wrong and it all needs to change. These people are frequently discussed here. They usually don't have anything constructive to offer. I do my best to debunk them when they come up, but people seem to want to hold onto these things. It's a bit like the fair tax... People want to feel like they are privy to a different perspective which offers easy answers to complicated problems, and they don't want to hear that life isn't that simple.

As for this collection of points, you can rest assured that patch management people are more concerned about vulnerabilities that might actually be exploited than they are about issues that are esoteric, and scoring systems like CVSS take this into account. Is he proposing a change to that scoring system? No, we're on to another topic.

I'm not sure that I follow his point about passwords. You have to have them. I've always advocated proactive cracking instead of policies about length because that gets you closer to the actual threat you are combating. Rules about length are just an approximation. Does he explain what he thinks people should do instead? No, we're on to another topic.

I agree with his point about imperfect solutions still being helpful, and the analogy about seatbelts is a good one, but show me a perfect security solution and I'll quit this job, move to France, and learn to bake bread.

He goes on to make an aloof reference to "studies" that show that patch management doesn't reduce the risk of exploitation. What studies? There are no such studies!

At the bottom he offers us his silver bullet: "For example, only 8 percent of companies have enabled their routers to do 'default deny' on inbound traffic." What a silly comment. They do default deny on their firewalls, where the security policy is manageable, rather than on their routers, which aren't designed as packet filters and only offer that feature as an aside. Firewalls, and routers, are in fact the s...

UNIX tips: Learn 10 good UNIX usage habits

Topic: Technology
11:16 am EST, Feb 7, 2008
When you use a system often, you tend to fall into set usage patterns. Sometimes, you do not start the habit of doing things in the best possible way. Sometimes, you even pick up bad practices that lead to clutter and clumsiness. One of the best ways to correct such inadequacies is to conscientiously pick up good habits that counteract them. This article suggests 10 UNIX command-line habits worth picking up -- good habits that help you break many common usage foibles and make you more productive at the command line in the process. Each habit is described in more detail following the list of good habits.
More here. I only knew three of these.

New Unit of Reviewed Code Quality

Topic: Technology
11:00 am EST, Feb 6, 2008
Now I can finally tell my non-technical friends and family what my company does.

Slashdot Founder Questions Crowds Wisdom - Bits - Technology - New York Times Blog

Topic: Technology
7:42 pm EST, Jan 30, 2008
"A lot of these community news sites are all about Ron Paul," he said. "Ron Paul may be a valid candidate. But what that is really demonstrating is that you are seeing 1 or 2 percent of a community shaping where the whole community is going. A small dedicated group of people can manipulate these sites very easily." Mr. Malda said that Digg must move to deemphasize that vocal minority in the overall voting. But then it would inevitably alienate its core user base. "All these sites start with a nucleus of dedicated people. Then as the gawkers join in you see a dilution. People who were there originally feel alienated and feel that the thing they helped create is being perverted."

This is a problem MemeStreams addresses with its agent. If gawkers were to join the site, the original community would still be interconnected through the agent. Unfortunately, the gawkers aren't joining, and I'm not quite sure how to fix that problem.

Shape-shifting robot forms from magnetic swarm - tech - 29 January 2008 - New Scientist Tech

Topic: Technology
2:48 pm EST, Jan 30, 2008
Swarms of robots that use electromagnetic forces to cling together and assume different shapes are being developed by US researchers. The grand goal is to create swarms of microscopic robots capable of morphing into virtually any form by clinging together.
Watch the video!

Risking Communications Security: Potential Hazards of the Protect America Act

Topic: Technology
12:44 am EST, Jan 29, 2008
This paper by Bellovin, Blaze, Diffie, Landau, Neumann, and Rexford will appear in a forthcoming issue of IEEE Security and Privacy. A new US law allows warrantless wiretapping whenever one end of the communication is believed to be outside national borders. This creates serious security risks: danger of exploitation of the system by unauthorized users, danger of criminal misuse by trusted insiders, and danger of misuse by government agents.
Noteworthy first told you about this paper in October, when he recommended an early draft. It is a follow-up on Landau's op-ed in August of last year.

IP Addresses Are Personal Data, E.U. Regulator Says - washingtonpost.com

Topic: Technology
8:11 am EST, Jan 23, 2008
IP addresses, strings of numbers that identify computers on the Internet, should generally be regarded as personal information, the head of the European Union's group of data privacy regulators said Monday.
Hear, hear.

web zen

Topic: Technology
4:28 pm EST, Jan 19, 2008
01.18.08 : desktop zen

Ajax Security Book Out! Awesome buzz!

Topic: Technology
10:48 am EST, Dec 21, 2007
Acidus writes:
Ajax Security is out and the feedback I'm getting is incredible. Andrew van der Stock, the Executive Director of OWASP, reviewed a draft of Ajax Security and here is what he had to say about it:

If you are writing or reviewing Ajax code, you need this book. Billy and Bryan have done a stellar job in a nascent area of our field, and deserve success. Go buy this book. Is it just a re-hash of old presentations? No. The book breaks some new ground, and fills in a lot of the blanks in all of our presentations and demos. I hadn't heard of some of these attacks in book form before. The examples improved my knowledge of DOM and other injections considerably, so there's something there for the advanced folks as well as the newbies. I really liked the easy, laid back writing style. Billy and Bryan's text is straightforward and easy to understand. They get across the concepts in a relatively new area of our field. The structure flows pretty well, building upon what you've already learnt ... there is advanced stuff, but the authors have to bring the newbie audience along for the ride. Billy and Bryan spend a bit of time repeating the old hoary "no new attacks in Ajax" meme which is big with the popular kids (mainly because their products can't detect or scan Ajax code yet and still want money from you), and then spend the rest of the book debunking their own propaganda with a wonderful panache that beats the meme into a bloody pulp and buries it for all time.
Web security guru dre offers up this review of Ajax Security: It's quite possible that many Star Wars Ajax security fans will be calling Billy Hoffman, the great "Obi-Wan", and pdp "Lord Vader" to represent the "light" and "dark" sides that is The Force behind the power wielded by Ajax. The book, Ajax Security, covered a lot of new material that hadn't been seen or talked about in the press or the security industry. The authors introduced Ajax security topics with ease and provided greater understanding of how to view Javascript malware, tric...

FuseOverAmazon - s3fs - Google Code

Topic: Technology
11:19 am EST, Dec 11, 2007
Is this the right way to get persistent storage in EC2?

FuseOverAmazon: FUSE filesystem backed by Amazon S3

Overview: s3fs is a FUSE filesystem that allows you to mount an Amazon S3 bucket as a local filesystem. It stores files "natively" in S3 (i.e., you can use other programs to access the same files). Maximum file size = 5G. It's quite useful and stable, e.g., it can be used to easily copy daily backup tarballs to S3.

To use it:
1. Get an Amazon S3 account!
2. Download the source, compile it (I've used fc5/ppc and f7/i386) and slap the binary in, say, /usr/bin/s3fs
3. Do this: /usr/bin/s3fs mybucket -o accessKeyId=aaa -o secretAccessKey=bbb /mnt

That's it! The contents of your Amazon bucket "mybucket" should now be accessible read/write in /mnt.
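As an added example (not code from the s3fs project), a small sh wrapper around step 3 above that keeps the secret key off the command line, where every user on an EC2 host can read it from the process list: it validates the bucket name, insists the credentials file is owner-only, and hands the keys to s3fs through the AWSACCESSKEYID / AWSSECRETACCESSKEY environment variables. It assumes your s3fs build honours those variables, a one-line credentials file in the form accessKeyId:secretAccessKey, and an optional S3FS variable overriding the binary path.

```shell
#!/bin/sh
# Added example, not part of s3fs. Assumes the s3fs binary honours the
# AWSACCESSKEYID / AWSSECRETACCESSKEY environment variables (check your build).
# Credentials file format, one line: accessKeyId:secretAccessKey

# S3 bucket names: 3-63 characters, lowercase letters, digits, dots, hyphens.
valid_bucket() {
  b=$1
  case "$b" in
    ''|*[!a-z0-9.-]*) return 1 ;;
  esac
  [ "${#b}" -ge 3 ] && [ "${#b}" -le 63 ]
}

# Refuse credentials files other users could read (mode must be 600 or 400).
creds_mode_ok() {
  [ -f "$1" ] || return 1
  mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1" 2>/dev/null)
  case "$mode" in
    600|400) return 0 ;;
    *) return 1 ;;
  esac
}

# s3fs_mount BUCKET CREDS_FILE MOUNTPOINT
# The secret never appears in argv, so `ps` on a shared host does not show it.
# $S3FS overrides the binary path (set S3FS=: for a dry run of the checks).
s3fs_mount() {
  bucket=$1 creds=$2 mnt=$3
  valid_bucket "$bucket" || { echo "invalid bucket name: $bucket" >&2; return 1; }
  creds_mode_ok "$creds" || { echo "$creds must be a file with mode 600" >&2; return 1; }
  [ -d "$mnt" ] || { echo "$mnt is not a directory" >&2; return 1; }
  IFS=: read -r AWSACCESSKEYID AWSSECRETACCESSKEY < "$creds"
  [ -n "$AWSSECRETACCESSKEY" ] || { echo "$creds: expected accessKeyId:secretAccessKey" >&2; return 1; }
  export AWSACCESSKEYID AWSSECRETACCESSKEY
  "${S3FS:-/usr/bin/s3fs}" "$bucket" "$mnt"
}
```

Usage: `s3fs_mount mybucket /etc/passwd-s3fs /mnt` after `chmod 600 /etc/passwd-s3fs`; the file name is an assumption, any path works.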