LinkedIn: The Breach That Isn't but Is
The definition of a data breach seems to be reasonably straightforward and easy to understand — but that isn’t always the case. LinkedIn is back in the news thanks to a dataset containing profile information for 700 million records being traded among the darker actors on the internet. But LinkedIn is very clear about how they view this situation: This was not a LinkedIn data breach and our investigation has determined that no private LinkedIn member data was exposed.
Read more…Crew Resource Management for Security Teams
Over the last year or so, I’ve become quite a fan of Air Disasters, a television show dedicated to analyzing plane crashes and similar incidents. As I watched the show, I started seeing many ways that the lessons and procedures around aircraft safety also apply to running a security team; this valuable and hard-won wisdom, often born out of tragedy, can be of significant impact if appropriately applied. In this article, I will explore Crew Resource Management and how it can be applied to Information Security to make teams run better.
Read more…Best Practices vs Inane Practices
A Full Vindication of the Measures of Security Practitioners, from the Calumnies of their Enemies; In Answer to A Letter, Under the Signature of A. Gwinn. Whereby His Sophistry is exposed, his Cavils confuted, his Artifices detected, and his Wit ridiculed; in a General Address To the public, And A Particular Address To the dedicated members of the security community. Veritas magna est & prœvalebit. Friends and Colleagues, It was hardly to be expected that any man could be so presumptuous as to openly controvert the equity, wisdom, and authority of the measures, adopted by the practitioners of information security: a group truly dedicated to the protection of business and individuals around the world!
Read more…Insane Ideas: Stock in People
This is part of the Insane Ideas series. A group of blog posts that detail ideas, possible projects, or concepts that may be of interest. These are ideas that I don’t plan to pursue, and are thus available to any and all that would like to do something with them. I hope you find some inspiration – or at least some amusement in this. There are many ways to invest in a variety of things, though there is one hugely promising front that has barely begun to emerge, that could have massive potential for profit, and incredible ramifications: the ability to invest in individuals.
Read more…Proposal: Association of Security Researchers
Security researchers play an important role in the industry, though one that doesn’t always receive the support needed. In this post, I am proposing the creation of a new non-profit entity, the International Association of Information Security Research Professionals (IAISRP), as a supporting group to push research forward, and provide the tools and resources to improve the quality of work, and the quality of life for those involved in this vital work.
Read more…The (Questionable) Future of YAWAST
The last release of YAWAST was on January 1, 2020; while the release history was sometimes unpredictable, the goal was a new release each month with new features and bug fixes. I intentionally took January off from the project. In February, I left the company I was at; the team of penetration testers there had helped to inspire new features while looking for ways to make them more productive. But something else happened in February, an issue was opened – something that appeared to be simple, but in fact, made me realize that the entire project was in doubt.
Read more…Leading Experts
A friend of mine recently asked for my thoughts on leading people who have more experience or expertise in a topic than they do; this is an important question and one that I felt deserved more thought and exploration. Leading people can be difficult, but when leading people that know more than you do about a given topic, it’s a different challenge. This was particularly well-timed, as I’ve found myself in just that situation, as I’ve just hired a specialist in incident response.
Read more…Developers, Developers, Developers
Note: This was written in 2012, but not published at the time. The point is still valid, perhaps moreso than ever and deserves to be made publicly. The content has been updated as appropriate, though the core of this article remains intact from the 2012 draft. I would like to note that this doesn’t apply to every environment, there are some where developers are very knowledgeable about security, and write code with minimal issues – my current employer happens to be one of those rare & exciting places.
Read more…Write Like You Are Running Out of Time
The cultural phenomenon that is Hamilton, brought back to the forefront due to its streaming release, is an artistic feat, but it also serves as an opportunity to refresh our memories on the history behind these characters, and look for opportunities to learn lessons that apply today. This is exactly what I’ve been doing. For all of his flaws, one thing that I have to respect about Alexander Hamilton (as well as his wife, Eliza) is the understanding of the long-term impact of the written word.
Read more…Dezinformatsiya
I recently wrote a review on Active Measures by Thomas Rid – which helped me to solidify my thoughts on social media, and the impact it has on society. While Active Measures is focused on disinformation campaigns, it also speaks to the vulnerabilities in humans that allow these campaigns to work. Disinformation is a substantial issue today, and not just in terms of election interference, public health, or international relations – but also in much smaller scale unorganized efforts to alter perception.
Read more…