HP Folio 13
When Intel and various industry partners started talking about “ultra-books” as competition against Apple and tablets, I was more than a little skeptical. Ultra-books are small and lightweight – but not cheap (average price being around $1,000) and rather underpowered compared to what you can get for the same money with a more traditional laptop (they are basically MacBook Air knock-offs). I had written them off almost as soon as they were announced.
Moving to Octopress
As you might be able to tell from looking, something is different around here. So what’s changed? I’ve switched from WordPress to Octopress, a Jekyll-based blogging platform that generates a completely static site. So there’s no database, no dynamic code (i.e. PHP), minimal memory footprint (which is great, given my recent hosting change) and best of all – it’s fast and secure. Using Octopress greatly reduces the security surface of the server, which means I spend less time worrying about updates and more time writing.
QuickPacket Hosting
Continuing my long tradition of frequent host changes, this site has been moved to yet another host. In the last few years I’ve used a number of hosts (and there’s a couple more not on that list), and this time I’m taking a bit of a risk – so it’ll be interesting to see how this one works out. I’ve switched to a company called QuickPacket, but this time instead of a fairly beefy VPS, I’ve gone in the opposite direction – absolute minimum.
My 5 minutes of infamy
October 28, 2004 is a day I’ll remember for the rest of my life. I was coding away on the next version of a small product called GSuite that I was building for a tiny (and now nonexistent) software company called Imspire Software. It was a simple tool that provided some goodies for Gmail users, and had a few thousand users (it eventually died as a result of rapid API changes and new tools directly from Google).
CCSRCH v1.0.7
I’ve released a new version of CCSRCH, the open-source PAN (a.k.a. credit card number) search tool to help companies maintain PCI compliance. This is a fairly minor release, primarily focusing on reducing false positives. The scanner has been updated to exclude the following: Results made up of the same two digits repeating (i.e. 5454545454545454). Results that have seven or more of the same digits repeating (i.e. 5555555555554444). I also fixed a bug that I introduced in v1.
IIN (BIN) Database
An Issuer Identification Number (IIN, more commonly called a BIN) is the first 6 digits of a credit or debit card, and it identifies the bank that issued it – and if you want to know if a number is a real credit card or just a bunch of random digits, it’s a huge help. While credit card numbers do use the Luhn algorithm (mod 10 check) to see if the number is valid, it still produces a huge false-positive rate.
Poking Mykonos
While checking on the latest updates in the start-up world from TechCrunch, I came across their article on Mykonos; the important part of their article (at least for me), is this: Mykonos’s Web Security product uses deception to “detect, confuse, slow down and prevent attackers” in real-time in order to help companies protect their websites and Web apps from malicious hacker and proactively prevent fraud and theft. A couple of minutes of reading, and my interest was piqued – to say the least.
Google Chrome Leaking Credit Card Data?
While testing ccsrch I noticed a number that looked familiar – my debit card number. Now, being just a little paranoid, I don’t leave such information on my system unencrypted – so seeing it was a real surprise. But, here’s the real kicker: it was on my work PC, where it never should have been. But there it was, plain as day, in clear text. I spent a couple of minutes staring at the log trying to figure out why it would be there.
CCSRCH v1.0.5
During my employer’s annual PCI audit, our auditor requested that we perform a search of all of our servers for credit card data. He recommended a tool called “ccsrch” – which like many open source projects had a couple of issues, and hadn’t been updated in years. So, I fixed it. CCSRCH is a cross-platform, command-line application that reads every file from the starting point passed in, and scans them for what looks like credit card numbers (using the Luhn algorithm to check each possible result).
SOPA Is Inevitable
While SOPA is not likely to be passed as-is, I would be willing to bet money that something SOPA-like will be passed. It may be watered down with many of the most offending parts removed, but for those backing SOPA it’ll still be a real victory. For them, getting it on the books, even in a weakened form, means it can be tweaked (and extended) later. There’s been an amazing resistance to SOPA, from the boycott of GoDaddy to public statements from celebrities such as Adam Savage – the public outcry against this horrid piece of legislation has been quite inspiring.