Matthew's Weblog

Mostly focused on recovery applications, the Slashdot discussion on Live CDs is pretty interesting and added a few new references to my list.

Technorati Tags: live+cd, recovery

In an interesting move that I’m surprised took this long, botnet masters are moving their zombie communications channels to HTTP instead of IRC.  The unfortunate part of this is that now I have to get even more rigorous on what URLs will be allowed through the firewall/proxies I maintain and it will probably impact people.  Blocking IRC was easier… oh well, the good old days never last.

Technorati Tags: botnet, security

referenced in a Slashdot book review:

[I]f you have responsibility for security but have no authority to set
rules or punish violators, your own role in the organization is to take
the blame when something big goes wrong.

This is not just a security principle.  It’s equally applicable to other fields.  The corollary given in the review?

Any security group or security manager placed in such a situation should likely start working on their resume.

An interesting point.

Technorati Tags: security, authority, responsibility, resume

A great essay talking about the US Government’s proclivity to create terror through its warnings instead of preventing terror with its actions – and an interesting observation of who is benefiting the most.

Technorati Tags: terrorism, airlines, airline+security

A creepy bunch of patent clips show marketing dreams and echo consumer nightmares.

Technorati Tags: rfid, privacy

So ‘hackers’ read and clone a passport’s RFID tag… fine.  The part that bugs me more is that the so-called “security measure” of a wire mesh in the passport cover doesn’t work if the passport opens half an inch.  And this is with today’s technology – tomorrow, the readers will be more advanced and it’s going to require a 3/4″ of solid steel to mess up the read.

Passports should be readable with contact only!  If I can’t touch the pages, I shouldn’t know what is on them.

Technorati Tags: passport, rfid, security

Once again, social engineering and halfway-configured systems provide an illusion of security without any actual securing going on.  Not only do you have to train your security staff correctly and completely (and make sure they have brains and use them!) as well as audit regularly, your other employees have to be part of the solution… or they’ll be part of the problem.

Technorati Tags: security, social+engineering

Another gem via Bruce Schneier… a mathematical analysis of the NSA data-mining of our (yes yours and mine) phone calls and internet access. The AT&T stuff that got folks in an uproar.

Surely the NSA folks are smarter than this…

Here’s a good article (through Schneier) that feels a lot like my recent search for a lost document.  I spent hours trying to find the soft copy and never did find it, though I could find a version I had printed out within 10 minutes.  With that experience, I would not doubt that it would take months to try and build a terrorism case… and sometimes be completely fruitless.

Technorati Tags: terrorism, security, data+overload

An insightful post from Paul Boutin about the wonders of the (presumably) impending Google PC… with the point at the end about the dangers of other people holding my data.  The only way I’d do that is if I could be assured beyond a shadow of a doubt that (a) it was backed up and (b) that everything I sent was encrypted before sending with a key that only I control.  They could convince me of (a) if Google worked at it.

(B) means that Google won’t like me.  To be useful, they would need to see my data and suggest helpful items through advertising… and I’m not OK with that.  It’s the same reason I won’t use my gmail account (or any other free, hosted, account) for anything important.  Confidential means confidential, even from my hosting provider.

Technorati Tags: google, google+pc, gmail, security, encryption