Security Tone Deafness
We, as security professionals, have to raise our game. We have to be respectful and helpful. We have to know our audience and speak their language. If we are seen as the guys who will pounce on a mistake and publically humiliate the organization who makes a mistake, we will only make enemies among those we want to help. If we take the attitude of "every mistake is a catastrophy," we will be ignored by management who will hear us saying "the sky is falling" and they will look out their window and see that the sky very plainly is not falling.
I will let Hunt's own words express it best (modified slightly by me).
there [is] a bit of an opportunity here – an education opportunity for [security people] who like to learn from anti-patterns, i.e. seeing how those who have gone before them have done it wrong
Over the weekend, a whole storm spun up over Tesco's web site security. I made a bit of a storify of it. They store passwords in the clear, they violate a bunch of SSL best practices, etc. Troy Hunt gets credit for the seminal tweet. Prompted by the flurry of interest, Hunt goes on to do a bit of investigating and blogging. What I think is noteworthy about his blog is the tone of voice. It undermines the (true and important) message and it represents a failure I think is common among security people. My favourite tweet was from matthewhughes: when he says "I think tone is less important than being right. And Troy was spot-on, IMHO." That is exactly what I mean by "security tone deafness."
Randomness: London BSides
I gave a talk at the Security B-Sides in London entitled "Randomness: Too Important to Leave to Chance". You can catch it on Youtube now.
iOS5 Security Restrictions
The restrictions feature of iOS 5 are pretty weak. Here's what's wrong and what someone needs to do to fix it.
Location Security in iOS 5
Like many people, I upgraded to iOS 5 on my iDevices very soon after it came out. I noticed that Location Services has a lot more options than previously. What is interesting is that they have made the icon for Location Services in the status bar off by default, and they buried the option to enable it. Once you enable it, you'll discover lots and lots of services looking at your current location. I find this a bit too much of an invasion of privacy. Here's how to tone it down some.
What my iDevices need
I've got a few iDevices (iPad
I need a "guest mode" on my device. If I want to hand it to a friend to browse the web, or give it to my kids to play games, I don't want it running in the same mode as when I use it. That is, I don't want my kids to be able to to make phone calls, read my emails, send text messages or any of that. They can play Angry Birds
There are some firms where the executives have iPads and they're able to read their very confidential emails from that device. Maybe it's through Outlook Web Access and the device's web browser, maybe it's the actual mail application. We in the security industry worry about the device getting stolen and we're slowly seeing the necessary features being introduced to handle that situation. There's a long way to go, though.
What we're not covering is what happens when the owner intentionally hands it over to someone who shouldn't have access to some of the stuff on it. Like her kids, his wife, or a friend at a bar who wants to see that funny youtube video. They're only a few (innocent or not innocent) taps away from seeing confidential information.
Now, I don't have all that much proprietary information, but I have lots of different circles of colleagues, friends, and family. Some of them should not see certain things on my iDevices, but it's a risk I take every time I hand it over.