Bad Relationship, Technical Debt →
Technical Debt, and its consequences... Illuminated for us - mere mortals - by Chris Hockings - IBM Master Inventor. Today's Must Read.
In the worst-case scenario, an enterprise continues to invest in platforms that are no longer sufficiently effective, resulting in more personnel delivering currency rather than capability. Security debt is a term that has been coined to describe application vulnerabilities that result from such laggardly behavior. - via Chris Hockings, writing at SecurityIntelligence
Russia's NAVY →
via the highly talented Louis Martin-Vézian, writing and designing at CIGeography, for Offiziere.ch and Cimsec.org. What a difference a quarter of a century can make... Good to see Cimsec.org mentioned!
Finnigan's Take, New Oracle Security Presentations
Pete Finnigan, targeting Oracle Security on his site PeteFinnigan.com, in beautiful and Merry England, has released his latest tour de force of Oracle Security presentations: Oracle Security Design and Oracle Database Password Security. A little light reading as you contemplate where you have been with Oracle security configs this year, and where you need to be in 2016. Enjoy!
Sunday Security Maxim
Nietzsche’s Maxim: It’s not winning if the good guys have to adopt the unenlightened, illegal, or morally reprehensible tactics of the bad guys. Comment: “Whoever fights monsters should see to it that in the process he does not become a monster.” - Friedrich Nietzsche (1844-1900), Beyond Good and Evil. Compiled by Roger G. Johnston, Ph.D., CPP, Argonne National Laboratory.
Saturday Security Maxim
It’s Too Quiet Maxim: “Bad guys attack, and good guys react” is not a viable security strategy. Comment: It is necessary to be both proactive in defense, and to preemptively undermine the bad guys in offense. Compiled by Roger G. Johnston, Ph.D., CPP, Argonne National Laboratory.
WiFi, Interred →
via the AFP, comes this amusing little tidbit, enumerating the networks of the dead - in Москва, Российская Федерация...
'If the wireless Internet service proves popular then the authorities will look about expanding it to the rest of the sprawling capital’s 133 cemeteries.' via the AFP
License Plate Tracking Open Sourced →
Michael Byrne, writing at Vice's Motherboard, details the Open Sourcing of License Plate Tracking bits...
OpenALPR works well and fast, at least judging by the demo. It's also legal for the most part. As EFF lawyer Jennifer Lynch tells Ars Technica, "While a handful of states have passed laws explicitly restricting private citizens and companies from using ALPR technology, outside of those states, there is not much in the law that would prevent someone from using the technology unless its use rises to the level of stalking or harassment. License plates are exposed to public view, and ALPR companies like Vigilant consistently argue they have a First Amendment right to photograph plates and retain the data they collect." - via Michael Byrne, writing at Vice's Motherboard
IoT, The Nightmare on Every Street →
Lorenzo Franceschi-Bicchierai's outstanding screed, over at Vice's Motherboard, tells it (apparently) like it shall be (in the IoT realm, that is). Quite obviously, today's Must Read.
Self-Perpetuating Information Strings, The Equation of Life
Kevin Hartnett, writing at Quanta, enters into a Q&A with Chris Adami, Ph.D. - Professor, Microbiology and Molecular Genetics; Physics and Astronomy at Michigan State, discussing the notion of life as self-perpetuating information strings. Today's Must Read.
Sunday Security Maxim
D(OU)BT Maxim: If you think Design Basis Threat (DBT) is something to test your security against, then you don’t understand DBT and you don’t understand your security application. Comment: If done properly—which it often is not—DBT is for purposes of allocating security resources based on probabilistic analyses, not judging security effectiveness. Moreover, if the threat probabilities in the DBT analysis are all essentially 1, the analysis is deeply flawed. Compiled by Roger G. Johnston, Ph.D., CPP, Argonne National Laboratory.
Saturday Security Maxim
Gunslingers’ Maxim: Any government security program will mistakenly focus more on dealing with force-on-force attacks than on attacks involving insider threats and more subtle, surreptitious attacks. Compiled by Roger G. Johnston, Ph.D., CPP, Argonne National Laboratory.
"Unauthorized Code" In Juniper Firewalls, The Decryption Litany →
via the inimitable Dan Goodin, writing at Ars Technica, wherein the good Mr. Goodin, in a display of remarkable restraint, tells the tale of the discovery of code (in this case not 'authorized') making itself at home in Juniper network componentry. In this case, firewall network componentry. Oops.
DANE, Huque's Take →
Verisign Principal Research Scientist Shumon Huque discusses the merits and functionality of DANE (DNS-based Authentication of Named Entities) on CircleID. If you read anything today about DNS, make sure you take a modicum of your precious moments to examine Shumon's outstanding post at CircleID.