The widespread and often mandatory use of client scripts in websites (e.g., JavaScript) is like CDOs (Collateralized Debt Obligations). They both are designed by others with little interest in your security, they leverage your resources for their benefit, they are opaque, complex, nearly impossible to audit, and therefore untrustworthy.
Filed under: Uncategorized by Russell on Monday, December 7, 2009
No Comments »
If you work in InfoSec outside of the military, you may be thinking that “offensive cyber capability” doesn’t apply to you. Don’t be so sure. I think it’s worth adding to the threat model for every organization. New “hacking gadgets” could be put in the hands of ordinary soldiers, turning them into the equivalent of “script kiddies”. But what if the potential target knows that such attacks may be coming? They could set up a deceptive defense and redirect the attack to another network.
Filed under: Uncategorized by Russell on Monday, December 7, 2009
1 Comment »
America’s Finest News Source teaches an excellent lesson on how to spin data: Labor Dept: Available Labor Rate Increases To 10.2% WASHINGTON—In what is being touted by the Labor Department as extremely positive news, the nation’s available labor rate has reached double digits for the first time in 26 years, bringing the total number of [...]
Filed under: Amusements, Links by Chandler on Saturday, December 5, 2009
No Comments »
Adam recently sent me a link to a paper titled, “Understanding scam victims: seven principles for systems security.” The paper examines a number of real-world (i.e. face-to-face) frauds and then extrapolates security principles which can be applied generically to both face-to-face and information or IT security problems. By illustrating these principles with examples taken from [...]
Filed under: Doing it Differently, Reports and Data, Uncategorized by Chandler on Saturday, December 5, 2009
No Comments »
A methodology is presented for guiding individual policy decisions from a risk management perspective, using a form of “abduction validation”. An example is presented using the case of password change policy, drawing from recent blog discussions.
Filed under: Science of Risk Management by Russell on Saturday, December 5, 2009 | Social tagging: passwords > risk analysis > risk management > security policy
8 Comments »
From the awesome Understanding Uncertainty blog: 2845 ways to spin the Risk
Filed under: Uncategorized by alex on Friday, December 4, 2009
No Comments »
George Hulme nominates this as the stupidest blog post of the year. I’m tempted to vote, although we have 30 more days. Business leaders need to understand there is no more need for proper security to justify itself over and over again. It saves you time and money (period). My take? Anytime someone says that [...]
Filed under: argument by adam on Thursday, December 3, 2009
No Comments »
A lesson in miscommunication of risk from “abstinence only” sex education aimed at teenagers. The educators emphasize the failure rate of condoms, but never mention the failure rate of abstinence-only policies when implemented by teenagers.
Filed under: Amusements, presentation, Science of Risk Management by Russell on Wednesday, December 2, 2009
4 Comments »
I received an unsolicited (I’ve tried to unsubscribe several times there, techtarget) email today, that I actually happened to open because it advertised an “integrated maturity model for governance and security”. Yeah, I’m a sucker like that. This is what I read: …a practical maturity model with illustrative use cases that can be [...]
Filed under: Uncategorized by alex on Tuesday, December 1, 2009
4 Comments »
I also posted about this on Emergent Chaos, but since our readership doesn’t fully overlap, I’m commenting on it here as well. Chris Soghoian has just posted some of his new research into government electronic surveillance here in the US. The numbers are truly astounding (Sprint for instance provided geo-location data on customers eight million [...]
Filed under: Data Analysis, metrics, Reports and Data by David Mortman on Tuesday, December 1, 2009
No Comments »