Adam Caudill

Security Leader, Researcher, Developer, Writer, & Photographer

  • Piracy is not Theft

    For many years now groups like the MPAA and RIAA have tried to convince the public that piracy (that is, copyright infringement) is theft – and many people have come to believe this, but it’s not true. In reality, copyright infringement is far more analogous to trespassing than it is to theft in its core concepts – and even more so in the digital world. To make it clear, I am looking at this from a largely historical perspective, looking at the origins of copyright and how it was intended to be used.

    Read more…

  • Slipping Past LastPass

    Update: LastPass has confirmed that they’ll address this issue in the next release. Update 2: LastPass has addressed this issue in their new v2.0 release. There is still a way to bypass the password prompt in Chrome, but they will address that in the next release. Overall, it looks like we can close the books on this one. I’m a big fan of LastPass – it’s a great service that has impressed me every step of the way.

    Read more…

  • MiniPwner

    I recently finished building my first MiniPwner – a tiny OpenWrt-based system for pen-testing. At only 2.25 x 2.25 inches, the device plus battery is still extremely small – it easily fits in a pocket, and could be hidden anywhere. The device is based on the TP-LINK TL-WR703N, which uses a 400MHz Atheros AR7240 CPU – not exactly a powerhouse, but enough power for standard pen-testing (or even just as a super-portable Linux box).

    Read more…

  • Gpg4win & IDEA

    Huge PGP files, an ancient version of PGP, and errors every time they tried to decrypt a file – that was my completely unexpected challenge on Friday. Dealing with file processing issues really isn’t part of my job description, but I’m the closest thing my company has to an expert when it comes to encryption, so the task fell to me. After looking at the options and issues to get the server upgraded to a non-stone-age version of the PGP software, the easiest answer looked like decrypting the files with GPG – it wasn’t as easy as expected, but I did get some useful information that may help others.

    Read more…

  • Detecting .NET 4.0 Remotely

    While preparing to deploy an internal application I started to wonder if all of the workstations were properly configured – after a quick search I found a number of methods for detecting the .NET framework locally, but I didn’t find any clean options that worked remotely. Thankfully I found a post with a few detection methods, one of which was using WMI from VBScript – which gave me the inspiration I needed:

    Read more…

  • A month with DuckDuckGo

    It wasn’t long after Google went live that they became my search engine of choice – with the only other (somewhat) viable option being Yahoo, it was an easy choice. In the years since then, I’ve not questioned that choice, but now that Google is focusing on killing features and building little-used social features, the time seemed right to see if there are better options. So a month ago I began an experiment: I committed to using DuckDuckGo for a month – here’s what I’ve found.

    Read more…

  • Absolute Deniability

    ZeroBin (code) is a new and interesting piece of software to compete with services such as PasteBin – largely in response to PasteBin’s new aggressiveness in removing objectionable posts. For PasteBin, it’s easy to see why their policy changed – currently they can’t deny knowledge of what they are hosting; it’s plain-text and easily scanned (look at this if you don’t believe me). ZeroBin, on the other hand, has taken a very different approach – to not just have plausible deniability, but absolute deniability.

    Read more…

  • HP Folio 13

    When Intel and various industry partners started talking about “ultra-books” as competition against Apple and tablets, I was more than a little skeptical. Ultra-books are small and lightweight – but not cheap (average price being around $1,000) and rather underpowered compared to what you can get for the same money with a more traditional laptop (they are basically MacBook Air knock-offs). I had written them off almost as soon as they were announced.

    Read more…

  • Moving to Octopress

    As you might be able to tell from looking, something is different around here. So what’s changed? I’ve switched from WordPress to Octopress, a Jekyll-based blogging platform that generates a completely static site. So there’s no database, no dynamic code (i.e. PHP), minimal memory footprint (which is great, given my recent hosting change) and best of all – it’s fast and secure. Using Octopress greatly reduces the security surface of the server, which means I spend less time worrying about updates and more time writing.

    Read more…

  • QuickPacket Hosting

    Continuing my long tradition of frequent host changes, this site has been moved to yet another host. In the last few years I’ve used a number of hosts (and there’s a couple more not on that list), and this time I’m taking a bit of a risk – so it’ll be interesting to see how this one works out. I’ve switched to a company called QuickPacket, but this time instead of a fairly beefy VPS, I’ve gone in the opposite direction – absolute minimum.

    Read more…