Alex Stamos : AppSec is Eating Security

I’m throwing this into the pile of arguments for the “security and privacy are little but myths” discussions.  If the very top companies, with multi-million budgets and hundreds or thousands of top security professionals, get compromised, how realistic is it for the average Joe to protect his business?  I say – not very.

I think 80% of problems can be prevented with 20% of the time and effort investment: minimize the attack surface by removing and disabling everything you don’t need or use and limiting access to everything else, use layered defense where possible, use encryption where possible and strong passwords if you have to, don’t rely on security through obscurity, have log analyzers and/or an intrusion detection system installed, etc.  But most importantly, make peace with the fact that being compromised is not a question of “if”, but “when”.  Prepare yourself.  Have an offsite backup and know how to restore your services in a completely new environment, if necessary.

And as far as your privacy goes, if you put anything private on the Internet, likewise prepare for it to be stolen and leaked.  If it never happens, consider yourself lucky.  Otherwise, just learn to deal with it.  It’s very unpleasant in a variety of ways, but seldom deadly.

Via EtherealMind.

10 Conspiracy Theories That Turned Out To Be True

10 Conspiracy Theories That Turned Out To Be True – some I’ve heard about before, some are new to me.  I’ll keep the list here for further reading and research.

  1. The Gulf of Tonkin Incident
  2. Tuskegee Syphilis Experiment
  3. Project MKUltra
  4. Operation Northwoods
  5. CIA Drug Trafficking
  6. Operation Mockingbird
  7. COINTELPRO
  8. Operation Snow White
  9. Secret Global Economic Policies
  10. The US Government Illegally Spies On Its Own Citizens

On software liability laws

I came across this interesting opinion on software liability.  Just to keep them here for context, the suggested software liability rules include the following:

  1. Consult criminal code to see if any intentionally caused damage is already covered.
  2. If you deliver software with complete and buildable source code and a license that allows disabling any functionality or code by the licensee, then your liability is limited to a refund.
  3. In any other case, you are liable for whatever damage your software causes when used normally.

Which sounds reasonable from the position of “let’s sort out the security issues”, even though I’m not a big believer in the legal system when it comes to technology issues.  But then, there is this:

The software houses would yell bloody murder if any legislator were to introduce a bill proposing these stipulations

with which I personally disagree.  I think software houses that do quality work wouldn’t mind at all.  The people who would mind are the clients of software houses.  Quality always comes at a cost, and raising the quality of software immediately means raising the cost of software.  And the majority of clients (in my experience) don’t care about quality to the point where they would pay for it.  There are plenty of examples of this in other industries – food, automobiles, furniture, clothes, etc.

Basically, this all just reiterates my point that security and privacy are mythical and/or dead.  Mostly because most people don’t care enough.