Adam Caudill

Security Leader, Researcher, Developer, Writer, & Photographer

  • Win by Building for Failure

    Systems fail; it doesn’t matter what the system is. Something will fail sooner or later. When you design a system, are you focused on the happy path, or are you building with the possibility of failure in mind?

    If you suffered a data breach tomorrow, what would the impact be? Does the system prevent loss by design, or does it just fall apart? Can you easily minimize loss and damage, or would an attacker have free rein once they get in? How would your customers or clients be impacted?

    Read more…

  • Parasitic & Symbiotic Business Models

    Does your business model thrive as your customer thrives, or does it drain the life from your customers? After a recent conversation on the impact of improved privacy tools (i.e., the eventual elimination of third-party tracking cookies), I realized that the most significant effect of these improvements would be to companies with a parasitic business model. A business model which I see no problem in disrupting.

    For many years, the web has existed as an advertiser’s dream — minimal privacy limitations, technical controls that had little impact, and a strong lobbying arm that has been able to derail many efforts to improve the situation. Now, this is not to say that all advertising is evil, but that it’s ripe for abuse by those that get too greedy. In many cases, this has opened the door to parasitic business models that offer no real value, and in fact, only extract value from the end-user.

    Read more…

  • 1Password 8 Early Access: Security, Comments, & FAQs

    A few days ago, 1Password (my employer) released the first preview of the new application for macOS. The response has been rather dramatic. The release was followed by an excellent blog post by Michael Fey explaining the story of how we got here, and some of the decisions that were made in the process.

    I’d like now to take a few minutes to answer some questions, provide some insight, and share my thoughts on this release.

    Read more…

  • On Apple, Privacy, and Device Control

    If you’ve bothered to look at Twitter or any technology news source, you’ve seen that Apple made a major announcement: Expanded Protections for Children. This has been written about by countless outlets, so I’ll assume you’re familiar with the basics.

    The announcement covered a few new features being added to the next version of Apple’s operating systems, namely:

    • Scanning of inbound and outbound messages for sexually explicit images.
    • Scanning images being uploaded to iCloud for CSAM.
    • Guidance and warnings in Siri & Search.

    The changes to Siri and Search are simple and straightforward, with no notable privacy or security impact, so there’s no need to discuss them here. The changes to Messages to scan for sexually explicit images could be a powerful tool against awful abuses, yet could enable some abuses when misused (especially in abusive relationships). That said, others have explained this in detail, so there’s no need to go into it. Scanning for CSAM on your device, though, has Privacy Twitter in an uproar and has some interesting implications.

    Read more…

  • Declaring War on Ransomware

    It’s time for everyone from the industry, developers, and the government to declare war on ransomware and make it as hard as possible for those behind it to ply their insidious trade. There have been false starts and baby steps, diligent fighters without enough resources, and vendors that have only given a nod to the issue. It’s time to use every tool reasonably available to stop this scourge.

    For so many in the industry that have dedicated so much of their time and effort to this fight, this statement may seem to diminish their efforts, but that is not my intent. The story here is that for too long, this issue hasn’t been addressed seriously by too many, and it’s time for that to change.

    Read more…

  • On Automatic Updates and Supply Chain Attacks

    Once again, a supply chain attack is in the news; this time, it’s a ransomware attack against Kaseya which has impacted hundreds if not thousands of businesses. According to Kevin Beaumont, the attackers used a 0day vulnerability in the Kaseya VSA appliance to deploy a fake update to all systems it managed; that update was actually the REvil ransomware. As VSA is used by Managed Service Providers (MSPs), this resulted in an attack not just on the MSPs but also on their customers.

    Read more…

  • LinkedIn: The Breach That Isn't but Is

    The definition of a data breach seems to be reasonably straightforward and easy to understand — but that isn’t always the case. LinkedIn is back in the news thanks to a dataset containing profile information for 700 million records being traded among the darker actors on the internet. But LinkedIn is very clear about how they view this situation:

    This was not a LinkedIn data breach and our investigation has determined that no private LinkedIn member data was exposed.

    Read more…

  • Crew Resource Management for Security Teams

    Over the last year or so, I’ve become quite a fan of Air Disasters, a television show dedicated to analyzing plane crashes and similar incidents. As I watched the show, I started seeing many ways that the lessons and procedures around aircraft safety also apply to running a security team; this valuable and hard-won wisdom, often born out of tragedy, can be of significant impact if appropriately applied. In this article, I will explore Crew Resource Management and how it can be applied to Information Security to make teams run better. Hopefully, these insights help you achieve more and fulfill the critical missions we are entrusted with.

    Read more…

  • Best Practices vs Inane Practices

    A Full Vindication of the Measures of Security Practitioners, from the Calumnies of their Enemies; In Answer to A Letter, Under the Signature of A. Gwinn. Whereby His Sophistry is exposed, his Cavils confuted, his Artifices detected, and his Wit ridiculed; in a General Address To the public, And A Particular Address To the dedicated members of the security community. Veritas magna est & prævalebit.

    Friends and Colleagues,

    It was hardly to be expected that any man could be so presumptuous as to openly controvert the equity, wisdom, and authority of the measures, adopted by the practitioners of information security: a group truly dedicated to the protection of business and individuals around the world! Whether we consider the characters of those so dedicated, who developed practices to protect; the number, and the dignity of those they protect, or the important ends for which they serve. But, however improbable such a degree of presumption might have seemed, we find there are some, in whom it exists. Attempts are daily making to diminish the influence of their decisions, and prevent the beneficial effects, intended by them. The impotence of such insidious efforts is evident from the general indignation they are treated with; so that no material ill-consequences can be dreaded from them. But lest they should have a tendency to mislead, and prejudice the minds of a few; it cannot be deemed altogether useless to bestow some notice upon them.

    Read more…

  • Insane Ideas: Stock in People

    This is part of the Insane Ideas series. A group of blog posts that detail ideas, possible projects, or concepts that may be of interest. These are ideas that I don’t plan to pursue, and are thus available to any and all that would like to do something with them. I hope you find some inspiration – or at least some amusement in this.

    There are many ways to invest in a variety of things, though there is one hugely promising front that has barely begun to emerge, that could have massive potential for profit, and incredible ramifications: the ability to invest in individuals. Some schools offer plans that use income sharing instead of requiring students to take out loans to cover tuition - this is just the start of what’s possible though. Imagine a future where you meet a bright young intern, and instead of just wishing them luck on their last day, you buy a few shares of their future earnings. Or when a colleague announces their retirement, you buy shares in the person you think is most likely to get promoted to replace them. Or when a friend’s child graduates from high school, instead of a pen or some other traditional gift, you invest in their future by buying shares.

    Read more…