Apr 03 2012

Mobile Computing raises a new set of security issues.

Contains some interesting stats on where enterprises are in readiness for mobile and BYOD.  I have no idea if the study is scientifically valid, but any numbers in this area are better than none.

An even more interesting study would be an examination of employee BYOD devices in organizations that believe they’ve blocked BYOD devices to see just how much data is actually on BYOD devices.  I suspect between email, EverNote and DropBox and similar services, there’s a lot more supposedly DLPd data out there than such organizations suspect.

 Posted by at 11:31 am
Mar 26 2012

Facebook warns users not to share their password with potential employers, threatens legal action – SiliconValley.com.

Another good reason to have multiple FB or other social-network-of-your-choice accounts.  Sure have one with your real name so those long lost friends can find you, but for heaven’s sake don’t post anything interesting there.  Use your alternate pseudonym account for that.

In this particular case, an employer asking for one may well ask for the other if they’ve done enough homework to know you have multiple accounts.  However, many won’t think of such a thing.  This gives you the option to comply by giving them access to a completely innocent location that won’t do you any harm.  For me, if an employer demanded this as a term of employment, I’d know it was no place I’d want to work and we’d part ways.

Another thing to think about is if you are perusing your social networks on your employer’s network and hardware, are you being careful enough in your security practices to know they don’t have your password?  Another good reason to establish and maintain a pseudonym along with using the most stringent authentication such sites make available.

 Posted by at 2:39 pm
Mar 23 2012

Why Attend BlackBerry World?.

Why indeed?  This is likely to be one of the most stunning riches to rags stories for the ages.  For the life of me, I can’t decide if they have time to turn this around given how hugely embedded they are in enterprises, or if this is just me kicking an already dead horse.  Certainly there are instances of big companies executing big turnarounds, but they are the exception, not the rule.

I just don’t see how they can possibly catch up to Apple and Google in the mobile device / OS space.  Security was a big advantage and if the military has figured out they can securely use Android, that means enterprises will probably find that suitable as well.  Certainly, consumer adoption is not going their way.

Such are the ravages of the turbulent technology sector.

 Posted by at 12:53 pm
Mar 23 2012

Disconnect: Ex-Googlers Raise Funding To Stop Google, Facebook & More From Tracking Your Data | TechCrunch.

I’ve installed this to compare with another Chrome extension I’ve been running with for about a month: Do Not Track Plus.  I’m pretty happy with this tool as it allows for micro-overriding on pages where you want the linkage back to G+ or FB to work for spot usage, but leaving tracking off in general.

 Posted by at 10:59 am
Mar 22 2012

gmancasefile: TSA: Fail.

Not a short article, but well worth reading for its perspective on how useless the TSA is, coming from a person with the following qualifications: pilot, FBI agent, counter-terrorism agent specifically focused on Al Qaeda.

Interesting to note the government knows the TSA is useless:

“Listen to a report by congressional investigators released just two months ago: ‘Today, TSA’s screening policies are based in theatrics. They are typical, bureaucratic responses to failed security policies meant to assuage the concerns of the traveling public.’ Translation? TSA doesn’t know what it’s doing, but is trying to put on a good show to keep the traveling public from catching on. The report, entitled “A Decade Later: A Call for TSA Reform”, sharply criticized the agency, accusing it of incompetent management. Former DHS Inspector General Richard Skinner dropped this bomb, ‘The ability of TSA screeners to stop prohibited items from being carried through the sterile areas of the airports fared no better than the performance of screeners prior to September 11, 2001.’”

Another interesting tid-bit pointing out the lunacy of government bureaucracy in general and the TSA in particular… thinking is precluded as rules-following is CYA career protection:

“Frankly, the professional experience I have had with TSA has frightened me. Once, when approaching screening for a flight on official FBI business, I showed my badge as I had done for decades in order to bypass screening. (You can be envious, but remember, I was one less person in line.) I was asked for my form which showed that I was armed. I was unarmed on this flight because my ultimate destination was a foreign country. I was told, “Then you have to be screened.” This logic startled me, so I asked, “If I tell you I have a high-powered weapon, you will let me bypass screening, but if I tell you I’m unarmed, then I have to be screened?” The answer? “Yes. Exactly.” Another time, I was bypassing screening (again on official FBI business) with my .40 caliber semi-automatic pistol, and a TSA officer noticed the clip of my pocket knife. “You can’t bring a knife on board,” he said. I looked at him incredulously and asked, “The semi-automatic pistol is okay, but you don’t trust me with a knife?” His response was equal parts predictable and frightening, “But knives are not allowed on the planes.”

Now ponder how this will impact your lives with the obamanation’s health care plans.

Never forget Benjamin’s words, “People willing to trade their freedom for temporary security deserve neither and will lose both.”

 Posted by at 1:26 pm
Sep 01 2011

This is a bit of a follow-up to my earlier post “Google+ Primarily an Identity Service?”, though these posts elevate the topic to a more serious level than I did in that post, which was purely from a simple end-user perspective.  From a professional, where’s-online-identity-going standpoint, this is a very interesting touchpoint, and Doc Searls puts it in great historical and technological perspective in his post, Circling Around Your Wallet.  The ultimate online battle for the ultimate killer app is… you.  This means your identity in whatever guise identity ends up being defined as, which means who defines it matters.  Hailstorm / Passport from Microsoft was dead on launch because no one wanted to trust such a definition and resultant architecture to come from MS.  As I finished up my last post on this topic, it comes down to trust.

Do we trust Google to get this definition and resultant architecture right?  Just because they have the self-aggrandizing motto “do no harm”, that just isn’t possible once you get to where they and a few others have gotten, where a lot of what you do will inevitably harm some community.  Clearly, there are use cases where using a real name will actually be dangerous to you in the real world.  Google, by taking this stand, indicates, “accept risk or get lost”.  Certainly, their product, their right.

However, do we trust Google, or any other entity to be in a position to enforce their idea of accountability?  Hear Eric Schmidt’s own words:

“If we knew that it was a real person, then we could sort of hold them accountable, we could check them, we could give them things, we could you know bill them, you know we could have credit cards and so forth and so on.”

“There are people who do really really evil and wrong things on the Internet, and it would be useful if we had strong identity so we could weed them out.”

Meg Worley in her post, say no to the meat wallet, rightly calls out the word “accountability” as “one of the darkest words in the English language”.  Combine accountable with “we could weed them out” and you don’t have to be too big a conspiracy theorist to get a bit of a shiver down your spine.  Apparently, Google, with their real names policy, has decided to preemptively weed out those that don’t fit the definition of “you” they see as best commoditized in their business model.

To many, this all sounds like a lot of furor over nothing and trying to over-intellectualize the issue, but there is a lot at stake here.  Bonnie Nadri does a good job highlighting the real practical issues we should all be thinking about now.

Only the players have changed since the early 2000s when MS made their bid.  Now it’s Google and Facebook and others.  The real point is that one of the players hasn’t changed and isn’t going to change, and that’s YOU.  Yep, the you that does and should define you in the real world and the virtual and anywhere they intersect.

 Posted by at 2:19 pm
Aug 18 2011

5 Most-Ignored IT Security Best Practices — InformationWeek Security Blog.

Not too much to quibble with here except for #2, “Train Users in Best Practices”.  Why?  Why what, you may ask?  Why is this in the top 5, and if it really is a top 5 item, why is it #2?

How much training do users need to be safe on the internet?  Other studies have shown that high percentages of IT professionals and even IT Security professionals get hacked.  Are they not going to be the trainers of the less savvy?  If they are vulnerable are they qualified to be trainers?

How many articles, local and national news broadcasts, radio discussions and gazillions of online articles do users have to see to know:

  1. They should change their password
  2. They shouldn’t use the same password everywhere
  3. They shouldn’t open attachments at all or at least not from anyone they don’t know and expect an attachment from
  4. Clicking links in emails is baaaaad
  5. etc., etc., blah, blah…  I can’t type out any more; I’m nodding off thinking through all the “common-sense” items

It is time for us arguably professional IT folks to quit dumping our problems on our users and give them the tools they need to be safe.  Most of these “tools” should actually be invisible to users, as the more they have to interact with and learn, the more they will actively work around us and defeat our efforts.

Yes, these tools and functions aren’t free and yes, some of them won’t be completely transparent to users and they’ll whine a bit.  However, if you keep it to a minimum and the pain items actually result in a better, safer, more enjoyable experience, the whining will die off.  Imagine if the whining were only around items such as, “this process is different, I liked the previous one” vs. all the phone calls to the help desk beginning with, “I accidentally clicked this link in my email and now my PC does / doesn’t do…”.

I throw this advice out to enterprise IT folks as well as to the consumer players and to the internet infrastructure and standards groups.  If we just used the tools, technologies and inventions that already exist, the internet could be secured.  Isn’t anyone else weary of being told, “that’s too hard”, and “you can’t boil the ocean”?  Big dreams got us this far and only grabbing for the next big one keeps us going at record speeds.

 Posted by at 3:42 pm
Aug 05 2011

Why Facebook and Google’s Concept of ‘Real Names’ Is Revolutionary – Alexis Madrigal – Technology – The Atlantic.

Well worth reading, and it definitely lays out many of my thoughts and rationale for being against “real names”.  I’ve held this position since day 1 on the internet and am glad that this gent, Alexis, was able to work through all the politically correct hype and come to his own rationale.

What do you think?

 Posted by at 2:08 pm