Saturday Security Maxim
Better to be Lucky than Good Maxim: Most of the time when security appears to be working, it’s because no adversary is currently prepared to attack. Compiled by Roger G. Johnston, Ph.D., CPP, Argonne National Laboratory
James Cook, writing at Business Insider, reports on the new Apple Inc. (NasdaqGS: AAPL) filing for a USPTO patent covering the so-called Panic Mode on iPhones. Outstanding.
Dan Goodin, writing at Ars Technica, shares the tale of user data leakage of the most egregious sort. Read it and weep.
Now nearly eight years old, the Mac freeware Suspicious Package, a tightly focused security tool for Apple Inc.'s (NasdaqGS: AAPL) OS X, hit another milestone this year (in February) with the release of version 2.0.1.
Crafted by Mothers Ruin Software, Suspicious Package gives a deep view into installer packages straight from the Finder: it plugs into Quick Look, so selecting a package and pressing the space bar pops up a preview of the package's contents in the Quick Look window before you ever run the installer. A superb, single-purpose security tool for your toolkit.
"Shouldn't I be suspicious of the Suspicious Package package? Yes, we're aware of the ... irony of distributing Suspicious Package as a package, but it's very awkward to distribute it any other way. If you want an alternative, though, there are instructions here. The Suspicious Package package is signed with an Apple-issued “Developer ID” certificate, and so will be recognized as valid by the Gatekeeper feature of OS X. The signer, as displayed by Suspicious Package itself, will be “Randy Saldinger,” which is the real name of the person who writes in the first person plural for Mothers Ruin Software." - via the Mothers Ruin Suspicious Package FAQ
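A check to go with the FAQ's point, as an added example that is not Mothers Ruin Software's code: before opening any installer package, Suspicious Package's own included, verify its Developer ID signature with the tools OS X already ships, pkgutil(1) and spctl(8), and pin the signer name the vendor documents. The parser below assumes the text layout of `pkgutil --check-signature` output (a Status line followed by a numbered Certificate Chain); the SAMPLE_REPORT_* strings are constructed to that shape so the example runs offline, and the team identifier in them is a placeholder, not the developer's real one.

```python
"""Added example (not Mothers Ruin Software's code): verify a .pkg's Developer ID
signature with pkgutil/spctl and pin the expected signer before opening it."""
import re
import subprocess
from typing import Optional

STATUS_RE = re.compile(r"^\s*Status:\s*(?P<status>.+?)\s*$", re.MULTILINE)
# Leaf of the chain, e.g. "1. Developer ID Installer: Randy Saldinger (TEAMID)"
LEAF_RE = re.compile(
    r"^\s*1\.\s+Developer ID Installer:\s*(?P<name>.+?)\s*\((?P<team>[^)]*)\)\s*$",
    re.MULTILINE,
)


def parse_check_signature(report: str) -> dict:
    """Extract trust status and the Developer ID leaf from pkgutil's text report."""
    status = STATUS_RE.search(report)
    leaf = LEAF_RE.search(report)
    return {
        "status": status.group("status") if status else None,
        "trusted": bool(status)
        and status.group("status").startswith("signed by a certificate trusted by"),
        "signer": leaf.group("name") if leaf else None,
        "team_id": leaf.group("team") if leaf else None,
    }


def acceptable(report: str, expected_signer: Optional[str] = None) -> bool:
    """Accept only an Apple-trusted Developer ID Installer signature, optionally
    pinned to the signer name the vendor documents (the FAQ says "Randy Saldinger")."""
    info = parse_check_signature(report)
    if not info["trusted"] or info["signer"] is None:
        return False
    return expected_signer is None or info["signer"] == expected_signer


def check_package(path: str, expected_signer: Optional[str] = None) -> bool:
    """macOS only: run the real tools. Signature first, then Gatekeeper's own verdict."""
    report = subprocess.run(["pkgutil", "--check-signature", path],
                            capture_output=True, text=True).stdout
    if not acceptable(report, expected_signer):
        return False
    gate = subprocess.run(["spctl", "--assess", "--type", "install", path],
                          capture_output=True, text=True)
    return gate.returncode == 0


# Constructed sample reports (shape only; not captured from a real package).
SAMPLE_REPORT_TRUSTED = """Package "SuspiciousPackage.pkg":
   Status: signed by a certificate trusted by Mac OS X
   Certificate Chain:
    1. Developer ID Installer: Randy Saldinger (PLACEHOLDER)
    2. Developer ID Certification Authority
    3. Apple Root CA
"""

SAMPLE_REPORT_UNSIGNED = """Package "mystery.pkg":
   Status: no signature
"""

SAMPLE_REPORT_UNTRUSTED = """Package "mystery.pkg":
   Status: signed by untrusted certificate
   Certificate Chain:
    1. Developer ID Installer: Somebody Else (PLACEHOLDER)
"""

if __name__ == "__main__":
    import sys
    for pkg in sys.argv[1:]:
        print(pkg, "OK" if check_package(pkg, "Randy Saldinger") else "REJECT")
```

Pinning the signer matters because Gatekeeper only answers "is this a valid Developer ID"; it does not know which developer you expected, and any enrolled developer can sign a package with the same name and icon.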
Evidence of recent evolutionary change in Homo sapiens sapiens, first published in 2014, is gaining traction via a fascinating reposted article at Nautilus. Sacrebleu! Most certainly today's Must Read.
Blind-Sided Maxim: Organizations will usually be totally unprepared for the security implications of new technology, and the first impulse will be to try to mindlessly ban it. Comment: Thus increasing the cynicism regular (non-security) employees have towards security. Compiled by Roger G. Johnston, Ph.D., CPP, Argonne National Laboratory
Accountability 2 Maxim: Organizations that talk a lot about holding people accountable for security will never have good security. Comment: Because if all you can do is threaten people, rather than developing and motivating good security practices, you will not get good results in the long term. Compiled by Roger G. Johnston, Ph.D., CPP, Argonne National Laboratory
Ars Technica's Megan Geuss reports the apparent defeat of the security technologies behind so-called 'secure' chip-and-PIN credit cards. Today's Must Read.
Google, Inc. (NasdaqGS:GOOG) has notified Symantec Corporation (NASDAQ:SYMC) of requirements it is imposing on the Symantec Certificate Authority, due to apparent malfeasance in managing the company's CA infrastructure, specifically certificates issued for domains without the knowledge of the domain holders.
The implications of the action range far, both in scope, given the number of certificates under scrutiny ("Symantec performed another audit and, on October 12th, announced that they had found an additional 164 certificates over 76 domains and 2,458 certificates issued for domains that were never registered." - posted by Ryan Sleevi, Software Engineer at Google, Inc.), and in Google's willingness to enforce WebTrust audit obligations in the digital certificate realm. This is why I say, Trust - But Verify...
"It’s obviously concerning that a CA would have such a long-running issue and that they would be unable to assess its scope after being alerted to it and conducting an audit. Therefore we are firstly going to require that as of June 1st, 2016, all certificates issued by Symantec itself will be required to support Certificate Transparency. In this case, logging of non-EV certificates would have provided significantly greater insight into the problem and may have allowed the problem to be detected sooner." - Posted by Ryan Sleevi, Software Engineer at Google, Inc.
Apparently the European Union has nearly canonized Edward Snowden (in a non-binding resolution). That is, of course, if the EU Parliament could anoint sainthood on a living person. Astounding.
Like many ideas, lessons and viewpoints, this nearly six-year-old description of the foibles of security at that time remains baggage we labor to carry 72 months later...
Join Chris Hoffman, writing at How-To Geek, as he leads us through the voluminous maze of Android information security and its failures. Read It and Weep, My Friends. Deemed Today's Must Read.