Tuesday, September 30, 2008

Simple Universal Authentication

From one of my favorite blogs, GNU Citizen, comes this simple and elegant proposal for authentication. It is only suitable for lower value transactions, but it could form the basis for stronger authentication, and it sure beats complicated registration processes. I have come to regret some of the heavier processes I've put on some sites I maintain, and this might do the trick.

Friday, August 22, 2008

Red Hat / Fedora Server Compromise

Sorry for the long blogging vacation!

If you run Fedora or Red Hat, you owe it to yourself to read about the compromise of their package servers, and run the checker script to ensure you don't have compromised packages. See the blacklist package page here.

Friday, September 28, 2007

Data Leakage Prevention

DLP is all the rage. It ranks as one of the most sought-after product sets in corporate security arsenals these days. The motivation is obvious: state data breach laws are driving controls around sensitive information, particularly consumer information, in an effort to reduce the likelihood of reportable events. Management needs to know what to expect from all the hype surrounding these products.

The key fact about DLP products that is emerging under this scrutiny is that they are not particularly good at stopping intentional loss driven by malice or greed. The determined attacker has a number of methods for foiling most leak prevention products, including encryption, obfuscation, and non-network-based egress vectors.

While DLP products may not stop criminals, they can be pretty effective at policing your normal egress points.

As I've heard it said best: "These products can stop stupid." And that may be worth the price of admission.
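The difference between policing normal egress points and stopping a determined adversary can be made concrete with a small content-inspection check. This is an added example written for this post, not code from any DLP product: it runs a Luhn-verified card-number rule and an SSN rule over a few constructed support-ticket bodies, re-scans anything that decodes from base64 into readable text, and can only flag, never read, a constructed stand-in for an encrypted attachment. Message ids, rule names and the sample bodies are all made up for the example.

```python
import base64
import binascii
import hashlib
import re

# Two patterns typical of content-inspection DLP rules: card numbers with
# optional spaces/dashes (confirmed by the Luhn check below) and dashed US SSNs.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# Runs that look like base64; they are decoded and re-scanned so that a
# trivially encoded record is still caught.
B64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")

# Constructed sample outbound messages (no real data). ticket-4 carries a
# stand-in for ciphertext: 128 bytes derived from a fixed hash, base64-encoded.
_OPAQUE_BLOB = base64.b64encode(
    hashlib.sha256(b"constructed ciphertext stand-in").digest() * 4
).decode()
SAMPLE_MESSAGES = [
    ("ticket-1", "Customer card 4111 1111 1111 1111 exp 12/29, please refund."),
    ("ticket-2", "Order 1234 5678 9012 3450 shipped Tuesday."),  # fails Luhn
    ("ticket-3", base64.b64encode(b"SSN 123-45-6789 for the new hire").decode()),
    ("ticket-4", "Encrypted attachment: " + _OPAQUE_BLOB),
]


def luhn_valid(digits: str) -> bool:
    """Mod-10 check that separates real card numbers from arbitrary digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scan_text(text, where):
    """Return (rule, where) findings for plaintext patterns in `text`."""
    findings = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_valid(digits):
            findings.append(("card-number", where))
    for _ in SSN_RE.finditer(text):
        findings.append(("ssn", where))
    return findings


def decode_base64_token(token):
    """Classify a base64-looking run: ('text', decoded) if it decodes to readable
    text we can inspect, ('opaque', None) if it decodes to binary such as
    ciphertext, or (None, None) if it is not valid base64 at all."""
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None, None
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return "opaque", None
    if all(ch.isprintable() or ch.isspace() for ch in text):
        return "text", text
    return "opaque", None


def scan_message(body):
    """Plaintext rules first, then the same rules over decoded base64 runs.
    An encoded run that is not readable text is flagged for review because
    content inspection cannot say what it carries."""
    findings = scan_text(body, "plaintext")
    for token in B64_RE.findall(body):
        kind, text = decode_base64_token(token)
        if kind == "text":
            findings.extend(scan_text(text, "base64-decoded"))
        elif kind == "opaque":
            findings.append(("opaque-payload",
                             "%d-char encoded blob not inspectable" % len(token)))
    return findings


def scan_all(messages):
    """Map each message id to its list of findings (empty list means clean)."""
    return {msg_id: scan_message(body) for msg_id, body in messages}


if __name__ == "__main__":
    for msg_id, findings in scan_all(SAMPLE_MESSAGES).items():
        print(msg_id, findings or "clean")
```

The first three tickets are the "stop stupid" cases: a card number pasted in the clear is caught, a digit string that merely looks like one is not, and a base64-wrapped SSN is caught once decoded. The fourth ticket shows the limit the post describes: the scanner knows an opaque blob is leaving but can only raise it for review, so the control that matters there is policy on encrypted attachments, not pattern matching.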

Monday, August 06, 2007

Black Hat USA 2007 / DEFCON15

I am just back from Vegas. Black Hat was unique for me this year in that I had the opportunity to give a Turbo Talk on Social Networking Sites. Black Hat continues to grow, and the networking opportunities are always unparalleled. I know I'll be spending plenty of time with the presos outside of sessions since there are more worthy topics than time to attend them.

I'm always amazed at the exploits and research presented at Black Hat. I wish I could have travelled with more colleagues this year, but I did get introduced to some great people by former co-worker Mike Murray. Given the "sploitage" this year, hopefully we will all follow our better angels.

Here I am with Mike at the Black Hat Speaker's Party. There were a lot of security luminaries to rub elbows with. It was a nice time at the top of the Centurion Tower Penthouse. Lots of folks were in a talkative mood, and I think a good time was had by all. It was a great way to start the briefings.

DEFCON was awesome. I think more solid presentations came from DEFCON than from Black Hat this year. Also, DEFCON runs a tight ship with their goons keeping order under many a challenging circumstance. How they run 50% more attendees than Black Hat in one third of the space is beyond me. I told Mike he was a DEFCON rock star, with two SRO presos.

Sunday, July 22, 2007

Public or Private?

This event at Oxford is a clear reminder that what social networking site users think is private usually isn't. Sometimes I wonder how many incidents it will take for the average user to avail themselves of the privacy settings at these sites. I do see an uptick in the use of privacy settings, but it still isn't the majority of users.

Friday, June 22, 2007

Social Networking Sites in the blogosphere

I love to see coverage of Social Networking Site security issues, such as this post at GNU Citizen.

Wednesday, June 06, 2007

Black Hat

I'm looking forward to giving a Turbo Talk at Black Hat this year on Social Networking Sites.