Wednesday, September 30, 2015

Whether You Want It To Or Not

from here

Vulnerability disclosure is a simple fact of life. It's going to happen.

  1. If you're a user, watch out for them because you may find yourself temporarily less safe. 
  2. If you're a vendor, keep your users in mind and respond to disclosures in good faith. 
  3. If you're a researcher, put the users ahead of your own ego and work with the vendor in good faith. 
  4. If you're an attacker, fuck off and leave users' systems alone.

Catwords Are The New Strong Passwords
found on too much coffee man

I happen to know this is not the only cat-related password comic on Too Much Coffee Man. Check it out and see how many more you can find.

Tuesday, September 29, 2015

Somebody Made A BooBoo

from here (source image)

If anyone tries to steal those signs then that surveillance system will sure come in handy.

I Hope He Enabled Click-To-Play

found on reddit

Wouldn't it be ironic if, when faced with an alien invasion in real life, our computers got infected by the aliens when we tried to infect them? Surely we're not the only intelligent life to have developed malicious code.

Monday, September 28, 2015

Maybe Forcing People To Go Back To Post-It Notes Is Even More Insecure

from here

On Twitter, @munin is trying to figure out where the bullshit idea to block pasting passwords into password fields (thus making the use of password managers much more difficult) came from (so he can kill it with fire, one hopes). If you think you know the origin, drop him a line.

If You Don't Like What You See, Stop Looking

found on google image search

If only there was some way to creep out the people spying on us without creeping ourselves out.

Friday, September 25, 2015

Dear Feds...

from here

Listen, I'm not trying to be mean, but you folks and your 'front doors' are being dumb. Demanding discussion about this in the face of experts telling you it won't work is like bible-thumpers demanding the controversy about evolution be taught alongside evolution.

Must We Share Everything?

found on izismile

Apparently this was a stall at the Sochi Winter Olympic Games. I don't think I want to know what the designer was thinking.

Thursday, September 24, 2015

Design Fail

from here (source image)

Sure, why don't you wear a T-shirt that makes it look like you're carrying a gun that is physically impossible for you to drop when ordered to by police. What's the worst that could happen?

'Logic' Seems Overly Generous

found on funnyjunk

I've experienced airport security logic similar to this but worse. They were concerned about the capacity of my tube of toothpaste - that's right, the capacity, not the fact that it was almost empty but the fact that it once held a lot more than it did when I was actually flying.

Wednesday, September 23, 2015

One Sec While I Lock Up My Bike-Errr-Car

from here (source image)

You can't just mindlessly apply the same security measures over and over again for your entire life. Well, OK, so technically you can apply them, but it's not going to do what you want.

What About General Browsing?

found on quickmeme

I actually use private browsing a lot - no, not because I browse privates a lot, but because I actually use it for most pages I open. The only pages I open outside of private browsing are ones I want to still be open the next time I launch my browser.

Tuesday, September 22, 2015

If Apple Won't Pay For Bugs, Someone Else Will

from here (source image)

In truth, even if Apple did pay for bugs, the folks putting up $1M would probably still be putting up $1M. And no, this isn't going to benefit Apple or their customers at all.

Seems Like A Fair Trade
I'm guessing this was not this thief's best get away, but it might be this woman's best mugging.

Monday, September 21, 2015

For When You Want To Pretend You Know What You're Talking About

from here

Keeping track of how many products can detect a sample while hobbled by VirusTotal's configuration is just about the most meaningless thing you can do.

Let's Talk About SECs

tweeted by @semibogan

Thanks to @semibogan for tweeting this reminder that security doesn't start and end with OpSec (Operations Security). There's also ComSec (Communication Security), InfoSec (Information Security), and PerSec (Personal Security - if you can find a good link describing it let me know, but it's basically like OpSec but for protecting you as a person rather than protecting an operation). There are others, too, and there's conceptual overlap between them. The point is, being able to formally distinguish between them means you have a better understanding of them and hopefully a better handle on how to apply them.

Friday, September 18, 2015

Congratulations, Your Identity May Already Be Stolen!

from here

One year of free credit monitoring seems to be almost an automatic response to data breaches now; maybe the notification letters should be framed around telling the victims the good news.

Classic Defenders Vs. Attackers

found on reddit

That creepy little graphic is apparently from Emily Carroll's "Through The Woods", and it pretty accurately depicts the asymmetric relationship between attack and defense. Defenders have to be continuously lucky while attackers only need to be lucky once.

Of course, when you introduce the authorities, the attackers suddenly become defenders, and as any number of high-profile convictions demonstrate, their luck does sometimes run out.

Thursday, September 17, 2015

You'll Be Playing The Damsel In Distress

from here (source image)

Well, I've certainly seen sketchier vans. The signs on this one at least are removable, though that might simply help them get away.

I Know That Feel, Bro

found on dumpaday

I may be a pasty white man, but that doesn't mean I don't have a heaping helping of distrust for authorities, because I do.

Wednesday, September 16, 2015

When Clocks Are Outlawed Who Will Serve Time?

from here (source article)

The Internet is abuzz with the story of the 14-year-old boy who was arrested, cuffed, and interrogated (apparently without a legal guardian present?) because some idiots in authority felt scared by a clock that he made and only ever referred to as a clock. Check the #IstandwithAhmed hashtag on twitter for more opinions and details.

Repeat after me, people: If it only ever gets called "a clock" and tells time like a clock, then it's a clock - and making clocks is not a crime.

Teach 'Em While They're Young

found on the meta picture

It's all fun and games until someone starts collecting evidence.

Tuesday, September 15, 2015

This Automated Home Defense System Sucks

from here (source image)

There have long been those who insist that only people can be threats. I've always thought they just weren't imaginative enough.

Who's A Good Boy? Not You, Obviously

found on izismile

Oh, the look on that dog's face. Clearly mortified at getting caught.

Monday, September 14, 2015

Give Me My Specs!

from here

The other possibility is that he's one of those people whose eyesight is failing but is too vain to see a doctor about it and thus has no glasses in the first place.

I've Seen Logins You Wouldn't Believe

tweeted by Dave Kennedy

Thanks to Dave Kennedy for dropping some truth on us about how little the threat landscape changes over time, regardless of how some folks may want to redefine things.

Friday, September 11, 2015

What Could Possibly Go Wrong?

from here (source image one and two)

You'd think some people would grasp the concept of "too soon" with regards to terrorist costumes, but of course there are always those who don't.

Privacy, Mom! Do You Know It?

found on izifunny

Perhaps the reason we don't value privacy more is because we see it regularly devalued from an early age.

Thursday, September 10, 2015

Perverse Endorsements

from here

Inspired by this post by @thegrugq.

Aunt Dataflow Is Visiting

found on the meta picture

I have a feeling people are going to give you a funny look when they see that sticking out the side of your laptop.

Wednesday, September 9, 2015

Shoulda Checked On That Beforehand

from here

I kinda feel like it should be some sort of fail to spend the time and energy finding up to 30 vulnerabilities in products from a vendor who isn't prepared to pay for them.

It almost sounds like extortion to demand money from them, but rather than paying for the extortionist's silence, this 'extortionist' is doing things backwards and staying silent until he gets paid. Isn't silence precisely what a bad vendor would want? Is someone doing extortion wrong?

These Boots Were Made For Walking Right Past Them

found on the huffington post

It's absolutely a believable warning sign, but I don't think it's much of a deterrent when even high-top sneakers will get you by unscathed.

Tuesday, September 8, 2015

If Advanced Google Searching Is A Threat...

from here (source article)

Inspired by this Ars Technica story from last year about the feds worrying about malicious uses of Google.

Hope They Wore Their Brown Pants
Never underestimate an adversary, even (or perhaps especially) when it's a member of the animal kingdom. A closed door is good, but a locked door is better.

Monday, September 7, 2015

Some Vulnerabilities Really Shouldn't Come As A Surprise

from here

I'll be honest, I've never even heard of "wireless hard-drives" before (and even now I'm not sure what differentiates them from a wireless NAS), but as soon as I read those words in this vulnerability note I knew what was going on and that consumers had been taken in by the promise of false simplicity.

What's The Secret Password?

tweeted by @TheKnowledge

Thanks to @TheKnowledge for tweeting this security tale. I imagine that tokens, biometrics (where the kid actually knows the person sent to collect them), or even two factor authentication could work, but those all have additional hurdles that make them harder to implement than a simple password system.

Friday, September 4, 2015

Unattended Laptop Warning Card


Do you ever find yourself staring at someone's unattended laptop in an airport lounge or coffee shop or someplace equally public (as Christopher Soghoian apparently did)? Why not give the owner a reason to think twice about leaving it unattended again? Leave one of these business cards beside it.

I tried to create this product at CafePress in addition to Zazzle, but CafePress doesn't seem to allow you to sell business cards. You can make your own business cards there but not sell them for whatever reason. I could have gone with greeting cards or something like that but then the unit price would have been a great deal more, which goes against my aims.

As is my custom, the mark-up is set to the lowest possible value, which is 5% on Zazzle. I'm not sure if $27 for a pack of 100 cards is good or bad but I'm sure if you know someplace cheaper you can have your own printed off there (maybe you can even get a smaller amount since 100 seems a bit like overkill for this application). I don't think I even need to provide the 'artwork' for this design, since it's just text.

Blending In Fail

found on the meta picture

Mindlessly applying security concepts, such as camouflage, almost always has ridiculous results. As if that camouflage design is really going to make that building harder to see. If anything, it makes it stand out more.

Thursday, September 3, 2015

If You Think A Toy Ring Is A Terrorist Threat...

from here (source image one and two)

If you think a toy ring is a terrorist threat, you might be a security idiot.

Inspired by this ridiculousness.

Also I'm changing up the format of the Security Idiot meme a bit. Although it still lends itself well to verbal retelling, the internet in general (and sites like twitter and facebook in particular) seem to lend themselves to captioned images (which is to say that captioned images seem to get more attention than simple text). What do you think of my choice for the security idiot portion? I think this picture @DFIRob pointed out to me ages ago works quite well to represent a security idiot.

Airport Security Vs The Nobel Prize

found on the scientific american blog

Apparently you can be one of the smartest people in the world and still have problems with airport security. I think that means there's a problem with airport security.

Wednesday, September 2, 2015

Anything Can Be A Personnel Carrier If You're Brave Enough

from here (source image)

Whether they're the military, the police, or just the IT department, if we expect them to protect us then they need to be given the resources necessary to do so.

Hack Attack?

tweeted by @jadamcrain

Thanks to @jadamcrain for tweeting this meme expressing frustration over the use of the phrase "hack attack", which has a variety of problems and could probably be better expressed by using the term breach or attempted breach.

Tuesday, September 1, 2015

Now They Won't Even Want To Touch Them

from here (source image one and two)

I'm sure there's some segment of the population that will tell you that the USB ports are actually for recharging your device (then why are there 2?), but I prefer the idea of giving users a more visceral reason to second guess their impulse to pick up strange USB drives they find on the ground.

Try as I might, I couldn't find a picture of that USB toilet without the "Problem SOLVED" caption, but that just forced me to get creative.

Putting Ashley Madison In Perspective

found on the chive

Well, this must be embarrassing for the 'dating' site (hard to call it that when so many of the women were bots - more like a scam site).