Tabor’s Maxim #2 (Cost Maxim): Security is practically achieved by making the cost of obtaining or damaging an asset higher than the value of the asset itself. Comment: Note that “cost” isn’t necessarily measured in terms of dollars. Compiled by Roger G. Johnston, Ph.D., CPP, Argonne National Laboratory
Tabor’s Maxim #1 (Narcissism Maxim): Security is an illusionary ideal created by people who have an overvalued sense of their own self worth. Comment: This maxim is cynical even by our depressing standards—though that doesn’t make it wrong. Compiled by Roger G. Johnston, Ph.D., CPP, Argonne National Laboratory
Organized by the National Telecommunications and Information Administration (NTIA), a division of the US Commerce Department, the six-hour meeting marked one of the government’s first forays into the controversial world of bug reporting. But not all of the participants entirely welcomed the government’s involvement—some of them pointed out that a government that withholds information about zero-day vulnerabilities from software vendors in order to exploit them in the systems of adversaries is not exactly in a position to tell researchers and vendors how to handle the vulnerability disclosure process. - via Kim Zetter, writing at Wired's Security blog
Mitigating the reflection component of the attack is one way of addressing the problem. As reported by the OpenResolver project, in the last two years the number of open DNS resolvers has dropped by almost half, from 29M to 15M. However, there are other types of amplifying reflectors; NTP and SSDP are among them, and even TCP-based servers (like web servers or ftp servers) can reflect and amplify traffic. - via Andrei Robachevsky, writing at CircleID
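An added example (mine, not code from Robachevsky's post or the OpenResolver project) of the check behind those open-resolver counts. A resolver that answers a recursive query from an arbitrary source with the RA (Recursion Available) bit set and rcode NOERROR is an open resolver, and the ratio of response bytes to query bytes is the amplification an attacker gets for free when the source address is spoofed. The two responses below are constructed inline to stand in for captured traffic; the transaction id, the hostname, and the record sizes are illustrative assumptions.

```python
import struct

QTYPE_ANY = 255  # ANY was the classic amplifier before RFC 8482 allowed minimal answers

def encode_name(name):
    """Encode a dotted hostname as DNS wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(qname, qtype=QTYPE_ANY, txid=0x1234):
    """Minimal DNS query with RD set, i.e. 'please recurse for me'. txid is a fixed assumption."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)  # class IN

def parse_header(pkt):
    """Pull the fields we care about out of the 12-byte DNS header."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "ra": bool(flags & 0x0080),
            "rcode": flags & 0x000F, "ancount": an}

def classify(query, response):
    """Return (is_open_resolver, amplification_factor) for a query/response pair."""
    q, r = parse_header(query), parse_header(response)
    if r["id"] != q["id"] or not r["qr"]:
        raise ValueError("not a response to our query")
    # It recursed for a stranger and answered: that is the open-resolver tell.
    is_open = r["ra"] and r["rcode"] == 0
    return is_open, len(response) / len(query)

# --- constructed sample responses (not captured traffic) ---
def txt_rr(text):
    """One TXT record whose owner name is a compression pointer to the question (offset 12)."""
    rdata = bytes([len(text)]) + text.encode("ascii")
    return b"\xc0\x0c" + struct.pack("!HHIH", 16, 1, 300, len(rdata)) + rdata

def fake_response(query, flags, rrs):
    """Echo the question section back under a response header carrying the given RRs."""
    txid = parse_header(query)["id"]
    header = struct.pack("!HHHHHH", txid, flags, 1, len(rrs), 0, 0)
    return header + query[12:] + b"".join(rrs)

def demo():
    q = build_query("example.com")
    # Open resolver: QR|RD|RA set, NOERROR, ten bloated TXT records (2699 bytes for a 29-byte query).
    open_resp = fake_response(q, 0x8180, [txt_rr("x" * 254)] * 10)
    # Hardened resolver: QR|RD set, RA clear, REFUSED (rcode 5), no answers: no amplification at all.
    refused = fake_response(q, 0x8105, [])
    return classify(q, open_resp), classify(q, refused)

if __name__ == "__main__":
    (is_open, factor), (still_open, no_gain) = demo()
    print(f"open resolver: {is_open}, amplification x{factor:.1f}")
    print(f"refusing resolver: {still_open}, amplification x{no_gain:.1f}")
```

To run this against a resolver you are authorized to test, send build_query() over UDP port 53 and hand the reply to classify(); a resolver that comes back REFUSED with RA clear, as the second constructed sample does, is what the fix looks like from the outside. The same header-and-length reasoning carries over to NTP monlist and SSDP M-SEARCH, which is why fixing only DNS does not end the problem.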
SSLv3 has been obsolete for over 16 years and is so full of known problems that the IETF has decided that it must no longer be used. RC4 is a 28-year-old cipher that has done remarkably well, but is now the subject of multiple attacks at security conferences. The IETF has decided that RC4 also warrants a statement that it too must no longer be used. - via Adam Langley, writing at the Google Online Security blog.
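An added example (mine, not from Langley's post) of what "must no longer be used" looks like in a Python TLS client, plus a check that the resulting context really offers no RC4 suite and will not negotiate anything below TLS 1.2. The cipher string is my own assumption, chosen to keep only forward-secret AEAD suites; the post itself prescribes no particular list.

```python
import ssl

def hardened_client_context():
    """Client context honouring the IETF's SSLv3 (RFC 7568) and RC4 (RFC 7465) prohibitions."""
    ctx = ssl.create_default_context()
    # Floor the protocol at TLS 1.2: this shuts out SSLv3 along with TLS 1.0 and 1.1.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Assumed cipher string: forward-secret AEAD suites only. The "!" entries make
    # the exclusion explicit even on OpenSSL builds that still compile RC4 in.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5:!RC4")
    return ctx

def offered_ciphers(ctx):
    """Names of the suites this context would actually offer in a ClientHello."""
    return [c["name"] for c in ctx.get_ciphers()]

def audit(ctx):
    """Return (no_rc4, min_is_tls12); both must be True for the context to pass."""
    names = offered_ciphers(ctx)
    no_rc4 = bool(names) and not any("RC4" in n for n in names)
    return no_rc4, ctx.minimum_version >= ssl.TLSVersion.TLSv1_2

def rc4_still_available():
    """Probe whether this OpenSSL build can select RC4 at all; modern builds cannot."""
    probe = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        probe.set_ciphers("RC4")
    except ssl.SSLError:
        return False
    return any("RC4" in n for n in offered_ciphers(probe))

if __name__ == "__main__":
    ctx = hardened_client_context()
    print("RC4 compiled into this build:", rc4_still_available())
    print("hardened context passes (no_rc4, tls12_floor):", audit(ctx))
```

The audit step matters more than the settings: a cipher string is only a request to the library, and the list get_ciphers() returns is what the client will actually put on the wire.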
Redundancy/Orthogonality Maxim: When different security measures are thought of as redundant or “backups”, they typically are not. Comment: Redundancy is often mistakenly assumed because the disparate functions of the two security measures aren’t carefully thought through. Compiled by Roger G. Johnston, Ph.D., CPP, Argonne National Laboratory
Depth, What Depth? Maxim: For any given security program, the amount of critical, skeptical, and intelligent thinking that has been undertaken is inversely proportional to how strongly the strategy of "Security in Depth" (layered security) is embraced. Compiled by Roger G. Johnston, Ph.D., CPP, Argonne National Laboratory
A Friday Classic just for you, this time plucked with demonstrable glee from the ad-ridden pages of Wired (to be fair, I am a print and digital subscriber as well...) and written by Matt Honan, in which Mr. Honan reveals his troubled relationship with passwords (and those who wish to abscond with same). Today's Must-Read Classic post is from November of 2012.