Meanwhile, in Blatant Stupidity news, ArsTechnica's Dan Goodin writes of the latest Uber misstep. This time, Uber decided to store an encrypted database's PRIVATE KEY (anecdotally, the DB contained sensitive data for at least fifty thousand of the company's drivers) on a public GitHub page. Apparently, there may have been a wee bit of confusion as to what a PRIVATE KEY is, in relation to a PUBLIC KEY, within Uber's apparently crack IT department... Oops.
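The check that catches this class of blunder before anything reaches a public repository is a scan of the files about to be published for PEM private key headers. The scanner below is an added example written for this post; it is not Uber's or GitHub's tooling, the header list it matches is an assumption (the common OpenSSL and OpenSSH variants), and the "repository" it scans is a constructed in-memory sample. It flags private key material as a blocker while letting public keys through, which is exactly the distinction the item above turns on.

```python
import re
from dataclasses import dataclass

# Headers that mark PEM-encoded PRIVATE key material. This list is an
# assumption of the example (common OpenSSL/OpenSSH variants), not exhaustive.
PRIVATE_KEY_HEADER = re.compile(
    r"-----BEGIN (?:RSA |EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE KEY-----"
)
# PUBLIC key markers are matched only so the report shows the contrast
# between what is safe to publish and what is not.
PUBLIC_KEY_HEADER = re.compile(
    r"-----BEGIN (?:RSA )?PUBLIC KEY-----|^ssh-(?:rsa|ed25519) ", re.M
)


@dataclass
class Finding:
    path: str
    line: int
    kind: str  # "private" (blocks the push) or "public" (informational)


def scan_text(path, text):
    """Return one Finding per line that carries a key header."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if PRIVATE_KEY_HEADER.search(line):
            findings.append(Finding(path, lineno, "private"))
        elif PUBLIC_KEY_HEADER.search(line):
            findings.append(Finding(path, lineno, "public"))
    return findings


def scan_files(files):
    """files: mapping of path -> file contents (what a pre-push hook would read)."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


def blocking_findings(findings):
    """Only private key material should stop a publish; public keys are fine."""
    return [f for f in findings if f.kind == "private"]


# Constructed sample repository: the key body is a placeholder, not a real key.
SAMPLE_REPO = {
    "deploy/db_backup.conf": (
        "# constructed sample: backup job configuration\n"
        "backup_host = backups.example.internal\n"
        "-----BEGIN RSA PRIVATE KEY-----\n"
        "CONSTRUCTEDKEYMATERIALNOTAREALKEY==\n"
        "-----END RSA PRIVATE KEY-----\n"
    ),
    "README.md": (
        "# Deploy notes (constructed sample)\n"
        "Our deploy host's public key, safe to share:\n"
        "ssh-ed25519 AAAAC3CONSTRUCTED deploy@example\n"
    ),
    "app/settings.py": "DEBUG = False\n",
}

if __name__ == "__main__":
    found = scan_files(SAMPLE_REPO)
    for f in found:
        print(f"{f.kind:8} {f.path}:{f.line}")
    blockers = blocking_findings(found)
    if blockers:
        print(f"refusing to publish: {len(blockers)} private key(s) found")
```

Wired into a pre-commit or pre-push hook, a non-empty `blocking_findings` result is the signal to abort; the public key line in the README is reported but does not block, so the hook does not train people to ignore it.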
In which, we are enthralled by Le Bon Professeur Jules Verne. Via a typically superb post crafted by Nick Pelling at his tremendous Cipher Mysteries site, and further by way of a fascinating article in the United States Army Signal Corps Bulletin of April to June 1940 detailing Monsieur Verne's predilection for both transposition and Vigenère ciphers. Outstanding.
Infinity Maxim: There are an unlimited number of security vulnerabilities for a given security device, system, or program, most of which will never be discovered (by the good guys or bad guys).
Comment: This is probably true because we always find new vulnerabilities when we look at the same security device, system, or program a second or third time, and because we always find vulnerabilities that others miss, and vice versa. - as compiled by Roger G. Johnston, Ph.D., CPP, Argonne National Laboratory
The overnight Daily Digest from Securosis (visit here to sign up; always a good read) contains an interesting theme on ticker symbols, and posits the effect that previous security breaches exert on company stock price. In this case, a positive effect...
And, while on the previous subject, the ticker symbol HACK is presented, along with speculation about adding other security-related tickers. The HACK ticker symbol represents an Exchange Traded Fund (ETF), in this case an investment vehicle targeting the so-called cyber-security realm and originally created by PureFunds.
Superbly minimalist posting via Uncrunched by the inimitable Michael Arrington, detailing the VCs, board members and others behind Superfish. As interesting, but for different reasons, are the information security businesses (in this case anti-virus flogger Lavasoft) also utilizing the SSL MITM module (aka Redirector) from Komodia. Oops.
NIST, the National Institute of Standards and Technology, has released a new internal report targeting replication device risk management (replication devices being the copiers, printers, scanners and similar systems that reproduce images, objects or documents from an electronic or physical source).
Entitled NIST Internal Report 8023, Risk Management for Replication Devices, the report provides clear and correct guidance for establishing in-house methods, policies and procedures to protect the data stored within replication systems, using the well-worn infosecurity triad (Confidentiality, Integrity and Availability) as a baseline.
Replication devices are the perfect example of the so-called 'soft underbelly' in many (if not all) organizations. These systems are quite often targeted for intelligence gathering due to on-board storage and other facilities that enable footprinting of historical data, thereby establishing timelines and, of course, the all-important raw data to accompany those timelines.