May 31, 2005

Score one for NLP

Richard Bandler discussed mimicry or "mirroring" back in the seventies as a way to communicate successfully and as a more effective way to persuade a subject in the context of a discussion. Honestly, I thought it was a load of bull. Apparently not; or at least not according to what this study would have us believe.

Posted by Ed at 09:08 AM

May 27, 2005

Winn's Mad as Hell... and so am I!

Alright, apparently Winn Schwartau has decided that he can no longer tolerate the centrality of Windows in the marketplace, and he is deciding to run a hypothetical company using Mac to see where that gets him. Now, I try to be non-biased about operating systems - I use a few of them here: Solaris, Windows 2003 Server, XP, and as my typical desktop operating platform, OS X Tiger on a Macintosh iBook. I'm not a bigot about operating systems - seriously.

I am, however, also a fan of objectivity. Scientists use "double blind" techniques and other approaches to attempt to reduce bias on the part of the observer in analyzing the way that things behave. It seems to me that, in initiating an analysis with the phrase "an experiment predicated on the hypothesis that the WinTel platform represents the greatest violation of the basic tenets of information security and has become a national economic security risk", Winn might be approaching the issue with a touch of bias...

Seriously, is there any question what his "results" will be at the end of this? Why even bother doing the experiment if the bias is so strong? I'm not expecting the press to be warded off by the flawed nature of his science; in fact, I'm sure it'll be a press extravaganza. However, I'm hoping that the folks in the field actually making security and business decisions are smart enough to see through this transparent stunt.

Posted by Ed at 06:14 PM

\-\4x0r1|\|g 7h3 p|-|1Sh0rzzzz

How much do I love this? Phishers getting trounced by defacing groups; all in all, I think it's probably less about defacers turning away from the "dark side" as giving them a ripe target on the open Internet that they can't get busted for defacing and that will get them media attention. Unlike the reporter covering this, I think this activity is likely to increase given that fact.

Posted by Ed at 10:15 AM

Here's a nasty one for us all

Wow - this is disconcerting. Apparently, using an encryption program is evidence enough that you are up to something shady. A judge deciding that encrypted files (the privacy of my data) directly support evidence of criminal activity basically translates to a determination by the legal system that "only criminals need privacy." I'm concerned not only because of the implications in the digital world, but the implications in the physical one - think for a moment about what the ramifications of "only criminals need privacy" would be in a physical context... Scary, right?

Posted by Ed at 10:06 AM

May 25, 2005

May 19, 2005

Props to CISCO for securing *something*

Well, it's here: paid information security product placement inline with television content. Perhaps to counteract the "TiVo effect" - where viewers like myself employ technology to skip over advertising content, savvy companies are placing products more and more frequently.

Security is probably one of the best markets to product-place in, also. After all, think of all the "cop shows" out there. Can't you just imagine CSI Grissom sitting down and cranking open an instance of EnCase to look for evidence to nail a shady perp? For some green, EnCase could get this message out:

Grissom: Any progress on the Jacobson case?
Stokes: The data's all on the victim's computer. Typically, it would take weeks to go through and analyze the files, but we've sped up the process with EnCase and hit paydirt. Looks like he was into all kinds of underworld dealings.
Grissom: Good work, Nick.

Or for the right price, Harlan Judd (Eyes) could be stymied by an "unbreakable" Oracle database while trying to gain access to critical data on a case:

Judd: Get me access to that data! Now!
PI Lackey: No can do, boss. It's all in an Oracle DB. We can't hack it; it's just plain "unbreakable".
Judd: What about the clients. Can we hack them?
PI Lackey: Well, I guess so.. they're all running Windows, so yeah... they're vulnerable.
Judd: Get on it.

Anyway, it's obvious someone over at Cisco is clued-in. Not that I necessarily trust the message, mind you. But it is interesting to see happening.

Posted by Ed at 11:02 AM

May 11, 2005

About outsourced development

Wow, wow, and double-wow! This post really cuts to the heart of the matter on outsourced development. Like Einstein's search for the unified theory of physics, this is the "unified theory of software development." In a concise and targeted way, Mr. Shapiro makes a fantastic case for rearchitecting software patents, improving software security, and otherwise changing the economics of software development. Hats off to a brilliant argument.

Posted by Ed at 12:24 PM

MS Announces "Full Disclosure" Warning System

I gotta hand it to MS on this one. This is a step in the right direction and an innovative way to approach the vulnerability problem.

Posted by Ed at 12:20 PM

May 09, 2005

"Fox in the snow, where do you go?"

A vulnerable browser, an exposure with no patch, a catastrophe for FireFox? And this is a surprise? Hey, since when did any of us believe security by obscurity is a good thing?

What do attackers tend to target? The most "props" (or financially) worthy 'sploits. Think FireFox or Mac OS X are secure? Think again.

Sorry to beat a drum here - but weaving security into the SDLC, understanding the requirements, use cases, and production environment, and checking for potential defects early in (and throughout) the process, is the only way we're going to get a real handle on software faults and subsequently application failures. For anyone who thinks using a marginally adopted application or OS, one that wasn't designed by the "machine" over in Seattle, is going to get us all a free pass to the land of security: think again.

This is about thinking about security from the ground up - it's not about blindly accepting anything, or any application, without question.

Posted by Diana at 06:23 PM

Dashboard security issue?

According to one developer, the OS X Tiger Dashboard has an exploit whereby a widget can do nasty things to the underlying OS. Of course, this is all fully documented by Apple: a widget calling widget.system("rm -rf /", null) would be nasty, but it is fully permitted once the widget's Info.plist sets the AllowSystem key to true.

The ability to run software is not a vulnerability - it's the goal of a general-purpose operating system. No less so with OS X Tiger's dashboard. Users running executable content need to know that this software content can, well, execute.
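Since the permission lives in each widget's Info.plist, the practical check before (or after) installing a widget is to read that file. The audit helper below is an added example, not code from the original post or from Apple; it assumes Apple's documented Dashboard keys AllowSystem (allows widget.system()) and AllowFullAccess (grants every access key at once), and the sample .wdgt bundles it creates in a temp directory are constructed for the demonstration.

```shell
#!/bin/sh
# Added audit helper (not from the original post): report Dashboard widgets
# whose Info.plist grants shell access via widget.system(). Assumes the
# Dashboard Info.plist keys AllowSystem and AllowFullAccess; the sample
# bundles created below are constructed for a stand-alone run.

# Flatten the plist and look for "<key>NAME</key><true/>".
# Returns 0 if the key is set to true, 1 otherwise.
plist_key_true() {
    plist="$1"; key="$2"
    [ -f "$plist" ] || return 1
    tr -d '\n\t ' < "$plist" | grep -q "<key>$key</key><true/>"
}

# Returns 0 if the widget bundle may call widget.system().
widget_allows_system() {
    plist="$1/Info.plist"
    plist_key_true "$plist" AllowSystem || plist_key_true "$plist" AllowFullAccess
}

# Print the name of every widget under a directory that can run shell commands.
list_system_widgets() {
    for w in "$1"/*.wdgt; do
        [ -d "$w" ] || continue
        if widget_allows_system "$w"; then
            printf '%s\n' "$(basename "$w")"
        fi
    done
}

# --- constructed sample bundles so the script runs without a real Dashboard ---
make_widget() {   # make_widget DIR NAME EXTRA_PLIST_LINES
    mkdir -p "$1/$2.wdgt"
    cat > "$1/$2.wdgt/Info.plist" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>CFBundleIdentifier</key>
    <string>com.example.$2</string>
$3
</dict>
</plist>
EOF
}

SAMPLE_DIR="$(mktemp -d)"
make_widget "$SAMPLE_DIR" Clock ""
make_widget "$SAMPLE_DIR" Uptime "    <key>AllowSystem</key>
    <true/>"
make_widget "$SAMPLE_DIR" Installer "    <key>AllowFullAccess</key>
    <true/>"
make_widget "$SAMPLE_DIR" Weather "    <key>AllowSystem</key>
    <false/>"

# Real-world use on a Mac: list_system_widgets "$HOME/Library/Widgets"
list_system_widgets "$SAMPLE_DIR"
```

On a real machine you would point list_system_widgets at ~/Library/Widgets (and /Library/Widgets); any bundle it names can run arbitrary commands as you, so treat it with the same suspicion as any downloaded executable.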

Posted by Ed at 06:17 PM

Firefox hits the wall

You've probably all heard by now that anybody can run code on a remote system running FireFox. This would be nasty enough if it wasn't for the fact that there is no patch as yet. This is one of the nastier browser vulnerabilities we've seen in quite a while. I don't think the recommended solution of "turn off Javascript" is going to work for the "average Joe" either.

Posted by Ed at 05:42 PM

May 06, 2005

Sick of Password Statistics

I'm sick of seeing statistics about how likely users are to give out their passwords. This is the kind of survey where interviewers at the mall or a crowded train station interview a "statistically large sample" of people and ask them to give up their password for a fancy pen, or a chocolate, or some other trivial good. Of course, some people say they will, and news outlets write articles like "92% of users will swap password for --insert item here--."

Everybody knows (or ought to know) that these surveys are bogus. A little empathy with the interviewee should tell us why. For example, if I'm getting off a crowded bus and someone comes up to me and says, "will you tell me your password for a free bit of cheese," I'm almost 100% likely to give them a password in exchange for the cheese (depending of course on the type of cheese in question.) Note that I say "a password" in that statement and not "my password." After all, how will the interviewer know if it's a real password or not? Is there follow-up to see which passwords are real and which are bogus? Of course not. So, basically, I could tell the interviewer anything in exchange for the cheese with absolutely no ramifications and no chance that they won't follow through on the exchange due to my little "white lie". Of the small percentage that are unwilling to even tell a "little white lie", do the interviewers discriminate between the users' "yahoo groups" password and their network password? What about a password they used 6 years ago that they haven't used since? Once again, no. I think users are smarter than people realize with respect to passwords, and more likely to keep their important data safe. That doesn't mean that they won't take advantage of someone's offer to give them something "for free" if they can get away with it, though. If people were really trading their banking passwords for inexpensive goodies, would we really see phishers going to all the trouble they do to get that same data? I quite doubt it.

This is just yet another example of a poor methodology used for the sole purpose of generating hype and FUD. Of course, this particular survey was sponsored by Verisign... has anyone stopped to question if they maybe have a commercial interest in purveying password hysteria?

Posted by Ed at 01:09 PM

Phone Malware not a Problem

It's official: The Register confirms what I've been saying all along: malware on the phone just isn't something people are writing. I've gone on record saying phone virus scanning is a "solution in search of a problem", and here's a concurring opinion. A good read.

Posted by Ed at 12:49 PM

A new project, an old topic

A freeware C code analyzer; software security is all the rage right now, and this project seems like a particularly interesting one. I'll watch this project alertly for further developments and maybe do some preliminary testing with it once I get some free time. C Code Analyzer

Posted by Ed at 11:22 AM