Category Archives: Security

Who watches the watchers?

From the Orlando Sentinel is this report about police abusing the FL DMV database. There is more about it at the Reason blog.

Government databases will always be abused. That’s the nature of man and there is no use fighting it. Which is why massive government databases should not be created to begin with, unless there is no alternative.


Next war on passwords

Google is the latest vendor to try to slay the password beast. I wish them the best, I really do. But password authentication hasn’t been the de facto security mechanism for this long without a reason.

Still, if any vendor has a shot it’s Google.

Did you get DC source code for Christmas?

Just in time for Christmas, Samba 4.0 was released. The big news here is that Samba 4.0 adds Active Directory Domain Controller emulation, including Kerberos, LDAP, DNS, and a bunch of other services.

While this is an impressive technical achievement, I don’t really see many enterprises adopting it. Samba 4 is fighting against one of the biggest IT pressures, headcount reduction. Most enterprises are now willing to pay more for the license cost of software if it saves them administrative man-hour costs.

So unless Samba 4 is going to be easier to install and maintain than Windows servers, it’s not really going to have an impact. Who knows, maybe it will be that easy. If you have Samba 4 in production drop me a comment and let me know what you think.

Meanwhile, Jackson Shaw is … unimpressed.

We have met the security team and they is us!

John Fontana writes about a new idea called People Centric Security. The idea is to loosen enterprise security policies so that security decisions are made by those directly responsible for a business area rather than by a central security team.

To paraphrase the immortal words of Pogo: We have met the security team and they is us!

For better or worse I think this actually reflects the current state rather than some new idea. For all the work security teams do, users just work around them to do what they need to do.

How many times have you heard these conversations:

  • The mail server blocked your attachment. Can you send it to my gmail account?
  • I can’t reach your website. Let me disconnect from the VPN and try again.
  • Our machines disallow USB storage devices, but I can upload the files to DropBox.

Your company’s security already depends on your users. They are just pretending it doesn’t.

Office365 announcement

OptimalIdM announced its new Office365 offering this morning. You can read the announcement here.

This has been a great project to work on. OptimalIdM can now enhance Office365 with a great set of new features and can do so for both the WS-Federation Passive and Active profiles. The Active Profile is used for Office365 Lync and Outlook support.

The new features we add to Office365 include easy multi-forest support, support for non-AD users, support for users with non-addressable UPNs, two-factor authentication, auditing, and a whole bunch of other features.

Exciting times!

Security via obscurity failed… in 1903

This is a wonderful story about the hacking of Marconi’s wireless system in 1903. Marconi touted the security of his system based on a tight (and presumably not publicly disclosed) frequency bandwidth. Of course it was hacked in a public and humiliating fashion.

Security via obscurity, as effective in 1903 as it is today.

Hat tip to Bruce Schneier.

Rise of SaaW?

There are a couple of interesting articles on Stuxnet out recently. This article poses the astonishing possibility that it was a directed attack at the Iranian Bushehr nuclear plant. The arguments given, however, are highly circumstantial.

This article also puts forth the notion that Stuxnet was likely created by some government.

Is this the first instance of SaaW, software as a weapon?