Comments for SecurityCurve

Comment on Antisec. Full disclosure. Rethinking my position. by Anonymous

Anonymous — Thu, 26 Jan 2012 14:33:00 +0000

Yeah, I enjoyed this article. I’ve been following Pete’s position on this for a while. I haven’t always agreed with him, but the more time goes by the more I’m thinking that the world is shifting and that full disclosure makes less sense than it used to.

Although… that being said, it’s hard to put the genie back in the bottle…

Comment on Antisec. Full disclosure. Rethinking my position. by Desperate Olive

Desperate Olive — Thu, 26 Jan 2012 09:39:00 +0000

It feels a bit like necrobumping, but on this subject Pete Lindstrom wrote a very interesting article on Full Disclosure here: http://securityblog.verizonbusiness.com/2012/01/24/considering-vulnerability-disclosure-in-the-realm-of-scada-systems/

Comment on Credit unions: be careful what you wish for by Chatting with an auditor about credit unions | SecurityCurve

Chatting with an auditor about credit unions | SecurityCurve — Thu, 15 Dec 2011 01:21:57 +0000

[...] So if you recall, I received an inquiry the other day to take a bit further my post where I was quacking about credit unions. [...]

Comment on Credit unions: be careful what you wish for by Jeni_lloyd

Jeni_lloyd — Thu, 08 Dec 2011 20:55:00 +0000

Great post– I work for Symantec, and we’ve found that regardless of the regulation, confidential data is still at risk if a financial institution, merchant or any organization focuses on doing the bare minimum to meet compliance requirements. Until they understand that security is a key driver for improving their business, nothing will change. We’ve seen companies of all sizes using regulations as a goal rather than a starting point. Like we tell our customers, whether they are a financial institution or a merchant, protecting their data should be a top priority.

Comment on Administrivia: Comment foolishness at critical mass. Moving to Disqus by Anonymous

Anonymous — Thu, 08 Dec 2011 13:42:00 +0000

OK, this should be fixed. Thanks again for letting me know. Cutting/pasting from PDF is always a dangerous exercise.

Comment on Administrivia: Comment foolishness at critical mass. Moving to Disqus by Anonymous

Anonymous — Thu, 08 Dec 2011 13:33:00 +0000

Thanks for the heads up. I’ll go fix that right now.

Comment on Administrivia: Comment foolishness at critical mass. Moving to Disqus by Desperate Olive

Desperate Olive — Thu, 08 Dec 2011 12:49:00 +0000

Well why you’re at it perhaps you could also fix the feed?
“An invalid character was found in text content.
Line: 207 Character: 5

Something you have, such as a token device or smart card”

Seems like there is a charcter 0×01, which is not valid in XML 1.0

Comment on So what’s the deal with ‘Droid security anyway? by Anonymous

Anonymous — Wed, 07 Dec 2011 12:46:28 +0000

I see a different problem. One reason why many people run old versions of Android is because it is up to the phone vendor to determine whether it will support the latest and greatest version. Given that new phones come and go so frequently, what incentive is there for a phone vendor to port that update to “legacy phones?” I assume that only the higher end phones will get updates – and maybe only one or two at that. So many people buy new phones at the end of their contracts anyhow so the older phone becomes a throwaway since it is no longer “cool” and the vendor doesn’t care about it any more.

Comment on Firefox “autofix” feature creating quite a stir by Ed

Ed — Tue, 06 Dec 2011 00:46:12 +0000

Not too late at all! Appreciate the comments…

So for a user like yourself, I’d agree. Meaning, for the security-savvy user who can understand the details of a change and make an intelligent decision, knowledge of the incoming change *does* have security value. But for the non-technical user, I think it’s the opposite… because those non-technical folks aren’t able to decide based on a reasoned analysis. They won’t know what a legitimate patch should look like vs. an illegitimate one. They might choose not to patch, which could put them at more risk than if they hadn’t been given the choice in the first place.

Ideally, it seems to me like they could make this customize-able: for security-savvy and technical users, let them choose… because they have the ability to respond in a way that makes sense. By default (for the non-technical user), build an integrity-validation process into the distribution process to ensure reasonable confidence in the update stream and don’t ask the user.

Comment on Firefox “autofix” feature creating quite a stir by bluesheep

bluesheep — Mon, 05 Dec 2011 10:26:41 +0000

I’m probably late to the game for this article, but I think that awareness of what’s going on is a legitimate security feature.

I’ll admit I don’t check the patch details before I apply them, but if it happened significantly more frequently than I was used to, I’d wonder what was going on. Its not much of a control, but its got to be something, right?