Great Onion Video

The mock news site "The Onion" has a video that skewers Facebook's approach to
privacy. It is well worth watching, and worth thinking about from a security
perspective.

Posted

understanding the discontent

Lauren Weinstein is a prolific writer on issues of trust, privacy and
open government. His blog is well worth reading, and he's certainly
worth following on Google+. The entry linked here is one of the best
analyses of the discontent that's fueling "Occupy Wall Street" and a
congressional approval rating of under 10% (the first time ever).

Stop what you're doing. Go read this. Now.

http://lauren.vortex.com/archive/000907.html

Posted

which social engineering technique works best

The folks at www.social-engineer.org have published the results of a
poll that answers the title question. Worth a look.

Also, it's a good site to follow and has a newsletter worth reading.

http://www.social-engineer.org/polls/social-engineering-poll-endearment-vs-au...


Posted

Typo-squatting and doppelganger domains

Great article at Wired about "doppelganger domains": typosquatted
versions of corporate e-mail domains, registered to catch mail that is
mistyped. A doppelganger drops the dot between a subdomain and its
parent domain, so mail meant for someone@us.example.com (a made-up
example) is delivered to usexample.com if a stranger has registered it.

Researchers found that about a third of Fortune 500 firms use
subdomained e-mail domains that are open to this, and that some of the
doppelgangers had already been registered by others.

They registered a few themselves and, in a few months' time, collected
20 GB of misdirected e-mail, including confidential reports, usernames,
passwords, configuration files, etc.

More details here:
http://www.wired.com/threatlevel/2011/09/doppelganger-domains/
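As an added example (not code from the Wired article or from the
researchers it describes), here is a small Python check of the kind an
outbound mail gateway or a domain-monitoring script would run: it
generates the doppelganger variants of a company's own dotted mail
domains and flags outbound recipients whose domain matches one. All
domain names and addresses in it are constructed.

```python
"""Doppelganger-domain check.

Added example, not code from the Wired article or the research it reports.
A doppelganger is a subdomained mail domain with one internal dot removed
(us.example.com -> usexample.com); mail sent to the mistyped address lands
with whoever registered the doppelganger. All names below are constructed.
"""
from __future__ import annotations


def doppelgangers(domain: str) -> set[str]:
    """Return every variant of `domain` with exactly one internal dot dropped.

    The final dot (before the top-level label) is kept: dropping it does not
    produce a registrable name, so it is not a doppelganger anyone can buy.
    """
    labels = domain.strip().lower().strip(".").split(".")
    variants: set[str] = set()
    # Removing the dot at index i merges labels[i] and labels[i + 1].
    for i in range(len(labels) - 2):
        merged = labels[:i] + [labels[i] + labels[i + 1]] + labels[i + 2:]
        variants.add(".".join(merged))
    return variants


def doppelganger_map(legit_domains) -> dict[str, str]:
    """Map each doppelganger back to the legitimate domain it imitates."""
    table: dict[str, str] = {}
    for legit in legit_domains:
        for fake in doppelgangers(legit):
            table[fake] = legit.strip().lower()
    return table


def flag_recipients(addresses, legit_domains) -> list[tuple[str, str]]:
    """Return (address, legitimate domain) for every recipient whose domain is
    a doppelganger of one of our own. Usable as an outbound gateway rule:
    quarantine such messages before they leave."""
    table = doppelganger_map(legit_domains)
    flagged = []
    for addr in addresses:
        if "@" not in addr:
            continue  # not a mailbox address; nothing to check
        domain = addr.rsplit("@", 1)[1].strip().lower().rstrip(".")
        if domain in table:
            flagged.append((addr, table[domain]))
    return flagged


if __name__ == "__main__":
    ours = ["example.com", "us.example.com", "mail.de.example.com"]  # constructed
    outbound = [  # constructed outbound recipient list
        "bob@us.example.com",
        "carol@usexample.com",
        "dave@mailde.example.com",
        "erin@partner.example.net",
    ]
    for fake in sorted(doppelganger_map(ours)):
        print("watch:", fake)
    for addr, legit in flag_recipients(outbound, ours):
        print(f"{addr}: doppelganger of {legit}")
```

Defensive registration of the variants and blocking them at the
outbound gateway both start from the same generated list. Checking
whether a variant is already registered by someone else needs a WHOIS or
DNS lookup, which is left out so the example runs offline.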

Posted

Steve Jobs: three stories

This link will take you to Steve Jobs' commencement address at
Stanford. In it, he tells the graduates three stories from his life that
apply to all of them, and to all of us at any age. It is well worth
the 18 minutes.

http://www.ted.com/talks/steve_jobs_how_to_live_before_you_die.html

Posted

Fall Foliage Workshop

Completely off topic, but just to let you all know that I signed up
for a very inexpensive photo workshop in one of my two favorite
national parks (and we might hit the other one if the weather holds).
This tour goes to Zion and maybe Bryce, during fall foliage time
there. It starts Oct 30; details at
http://www.ddnlw.com/pdf_itinerary.pdf

The two enclosed photos are mine, from Bryce and Zion, taken many
years ago on slide film and scanned to digital. Much better examples
can be found on the workshop leaders' website.



Posted

Risk and blame: prioritizing real risk vs personal risk

This is a quote lifted directly from Bruce Schneier's blog. He quotes
the abstract of the paper cited below; the TSA comments at the end are
his own words.

"A. Peter McGraw, Alexander Todorov, and Howard Kunreuther, "A Policy
Maker's Dilemma: Preventing Terrorism or Preventing Blame,"
Organizational Behavior and Human Decision Processes, 115 (May 2011):
25-34.
Abstract: Although anti-terrorism policy should be based on a
normative treatment of risk that incorporates likelihoods of attack,
policy makers' anti-terror decisions may be influenced by the blame
they expect from failing to prevent attacks. We show that people's
anti-terror budget priorities before a perceived attack and blame
judgments after a perceived attack are associated with the attack's
severity and how upsetting it is but largely independent of its
likelihood. We also show that anti-terror budget priorities are
influenced by directly highlighting the likelihood of the attack, but
because of outcome biases, highlighting the attack's prior likelihood
has no influence on judgments of blame, severity, or emotion after an
attack is perceived to have occurred. Thus, because of accountability
effects, we propose policy makers face a dilemma: prevent terrorism
using normative methods that incorporate the likelihood of attack or
prevent blame by preventing terrorist attacks the public find most
blameworthy.


Think about this with respect to the TSA. Are they doing their best to
mitigate terrorism, or are they doing their best to ensure that if
there's a terrorist attack the public doesn't blame the TSA for
missing it?"

Bruce's excellent, must-read blog is at: http://www.schneier.com/

Future references to his work will merely include the link and a short
description.

Posted

Un-erasable cookie

Browsers use an HTTP response header called the ETag to tell whether a
cached copy of a resource (a graphic, say) is still current. The server
sends an ETag along with the resource; on the next visit the browser
sends that value back in an If-None-Match header, and if the server
answers 304 Not Modified the browser reuses the copy in its local cache
rather than downloading it again. So far, so good.

Caching is built-in behavior, and turning it off is very difficult, if
not impossible, in a business environment.

However, some advertisers now hand each visitor a unique ETag. The value
the browser echoes back then identifies that visitor on every later
request, even after cookies have been deleted, which lets the advertiser
tell whether you have been to their site or have ordered certain
products. This is certainly not the use intended, but that's beside the
point. It exists and it is being used to thwart users' privacy
expectations.

The solution is legislation, fines and maybe jail (extension of
anti-hacking laws).

Posted

Defending the Net: a TED talk by F-Secure's Mikko Hyppönen

Many of the blog posts here reference F-Secure materials. Here's one
of the best: a talk given in July 2011 by Mikko Hyppönen, Chief
Research Officer at F-Secure. He got a standing ovation at TED, which is
quite an accomplishment. Highly recommended.

http://blog.ted.com/2011/07/19/fighting-viruses-defending-the-net-mikko-hyppo...

Posted

Google +

I'm now on Google+. Add me to your circles if you wish, via this link:

https://plus.google.com/114038564293324338054/posts

This is the short version: http://goo.gl/PJ8of

I have a few invitations, if you need one.

Posted