Mandatory web client scripts analogous to CDOs

by Russell on December 7, 2009

The widespread and often mandatory use of client scripts in websites (e.g., JavaScript) is like CDOs (Collateralized Debt Obligations). Both are designed by others with little interest in your security, they leverage your resources for their benefit, they are opaque, complex, nearly impossible to audit, and therefore untrustworthy.

Time to update your threat model to include “friendly fire”

by Russell on December 7, 2009

If you work in InfoSec outside of the military, you may be thinking that “offensive cyber capability” doesn’t apply to you. Don’t be so sure. I think it’s worth adding to the threat model for every organization. New “hacking gadgets” could be put in the hands of ordinary soldiers, turning them into the equivalent of “script kiddies”. But what if the potential target knows that such attacks may be coming? They could set up a deceptive defense and redirect the attack to another network.

All in the Presentation

by Chandler on December 5, 2009

America’s Finest News Source teaches an excellent lesson on how to spin data: Labor Dept: Available Labor Rate Increases To 10.2% WASHINGTON—In what is being touted by the Labor Department as extremely positive news, the nation’s available labor rate has (…)

Read the rest of this entry »

Engineers vs. Scammers

by Chandler on December 5, 2009

Adam recently sent me a link to a paper titled, “Understanding scam victims: seven principles for systems security.”  The paper examines a number of real-world (i.e. face-to-face) frauds and then extrapolates security principles which can be applied generically to both (…)

Read the rest of this entry »

Can quantitative risk estimation serve as a guide for every-day policy decisions?

by Russell on December 5, 2009

A methodology is presented for guiding individual policy decisions from a risk management perspective, using a form of “abduction validation”. An example is presented using the case of password change policy, drawing from recent blog discussions.

Quick Link for Risk, Visualization & Meaning

by alex on December 4, 2009

From the awesome Understanding Uncertainty blog: 2845 ways to spin the Risk

The stupidest post of the year?

by adam on December 3, 2009

George Hulme nominates this as the stupidest blog post of the year. I’m tempted to vote, although we have 30 more days. Business leaders need to understand there is no more need for proper security to justify itself over and (…)

Read the rest of this entry »

Miscommunicating risks to teenagers

by Russell on December 2, 2009

A lesson in miscommunication of risk from “abstinence only” sex education aimed at teenagers. The educators emphasize the failure rate of condoms, but never mention the failure rate of abstinence-only policies when implemented by teenagers.

Awesome Vendor-Speak

by alex on December 1, 2009

I received an unsolicited (I’ve tried to unsubscribe several times there, techtarget) email today, that I actually happened to open because it advertised an “integrated maturity model for governance and security”. Yeah, I’m a sucker like that. This (…)

Read the rest of this entry »

Chris Soghoian’s Surveillance Metrics

by David Mortman on December 1, 2009

I also posted about this on Emergent Chaos, but since our readership doesn’t fully overlap, I’m commenting on it here as well. Chris Soghoian has just posted some of his new research into government electronic surveillance here in the US. (…)

Read the rest of this entry »