Usable Security: SOUPS Blog posts

There are about twenty good posts talking about the Symposium on Usable Security and Privacy (SOUPS) over at Ka-Ping Yee’s Usable Security blog.

If you’re reading this in the archives, start here and go forward, or here and go back.

Some favorites:

Security, Privacy and A Digression into Copyrights


(Via Caspar and Nicko.)

I hesitated before posting this. I’m pretty sure it’s a Dr. Fun cartoon, but the jerks in “my confined space” have obscured the signature.

I try hard to attribute all the images I use here. I’ve given credit to Galerie which we use to produce the frames. (They even added a feature to make that easier. I’d say buy it, but, umm, it’s free.) I digress. I may not always manage to attribute the photos, but I certainly don’t take others’ work and intentionally obscure its origins for my own aggrandizement.

If anyone knows of the proper author, I’d love to provide credit where it’s due. In the meanwhile, enjoy the cartoon. [Update: Saar Drimer ran this a few days ago, and found an un-edited version which includes the credit to Clay Bennett, and the publisher, the Christian Science Monitor.

I find myself really irked at the jerks who covered up credit for the work. They’re not only taking the work without paying, they’re preventing readers from finding more great work like Clay’s. It’s enough to almost make me think about the possibility of maybe one day reconsidering my hatred of the RIAA.]

[Update 2: I thought about replacing the picture with a properly signed one, but then readers wouldn’t understand what I’m ranting about.]

Are You Human or Not?

A reader who wants to remain anonymous points us to “Another CAPTCHA — But I failed (partly)” and “”

I cracked up when I saw this. It uses “the hotornot API” (Web 2.0 is getting out of hand!) to offer up pictures of nine women (or men) and asks you to prove you’re human by selecting the three “hot” ones. Politically incorrect, funny and thought-provoking, and potentially flawed by sexual bias to boot.

Incidentally, this is proof that Google is not human, because Master Cheng Yen is their #1 hit for “three hot women” (with Safesearch on.)

Meet the Bugles

Check out Bugle, a collection of Google searches that look for known general classes of vulnerabilities in source code such as buffer overflows and format string issues. The list is far from complete and is no replacement for real static analysis, but it should get you a lot of low-hanging fruit.
[Via FIRST News.]

I smell a movement

No, not that kind, silly.
I just read over at Bejtlich’s blog that he has decided to start NoVA Sec, having been inspired by ChiSec, which was begun by Matasano honcho Thomas Ptacek.
ChiSec is fun, and has been rapidly imitated by other Matasano folks, yielding SeaSec and NYSec (I’m hoping it will go next to Paris, just so there can be a Parsec).
My sense is that many in the security biz are disappointed with some of the “establishment” groups, such as ISSA. I let my ISSA membership lapse because it had no payoff for me. I can network with people on-line and at conferences more tailored to my interests, anyway. The “local connection” was missing, however. ChiSec has eliminated that problem handily. I wonder if the success of these other regional {foo}secs is due to a similar dissatisfaction or sense that something is missing? If I had to guess, I’d say yes.
I’m glad to see Rich taking this step, which I am certain will be popular.

Church 2.0

Check out Benjamin Sternke’s “Church 2.0: Emergence/Chaos theory.” It’s an interesting examination of how churches need to evolve to respond to a different type of parishioner:

Church 2.0 will leave room for the Holy Spirit in its planning and structuring and strategizing. She’ll leave room for happy accidents to emerge. She’ll be patient with chaos, knowing that even though things are all tohu bohu (“without form and void” in Hebrew), the Spirit is probably hovering over the waters, bringing order and life out of chaos.

When I started this, I had no idea that I’d be quoted in a blog that focuses on .. well, heck, I don’t have enough understanding of religion to put the right words on it. Benjamin Sternke has some interesting and well-written things to say about modernity and religion. Take a minute and read something different from this.

Buggy Advice from Adam

So in the “Code Review Guidelines” which I wrote a long time back, I quote a bit of code by Peter Gutmann on how to open a file securely. Last week, Ilja van Sprundel got in touch with me and said that the lstat/open/fstat chain is insecure, because you can recycle inodes by creating a lot of files. He pointed to an Olaf Kirch bugtraq post.

Bad advice lifetime, seven years:

Revision 1.10  1999/06/01 19:25:49  adam
added open comments from Peter

Although, really, I shouldn’t say bad. I should add “What should the programmer do?”
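As an added illustration (not the code from the Code Review Guidelines, nor Peter Gutmann’s, nor anything from Olaf Kirch’s post), here is the lstat/open/fstat chain written out so the time-of-check/time-of-use window is visible, next to the form most practitioners now use: open first, then make every decision on the descriptor you actually hold. The function names, the temp-directory demo and the st_nlink check are my own choices; the code assumes a POSIX system with O_NOFOLLOW (Linux, the BSDs, macOS).

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* The chain the post quotes, written out so the gap is visible.  The
 * decision is taken on the *path* (lstat) before the file is opened; a
 * caller who can swap the path inside that gap, and arrange for the
 * replacement to land on the same inode number, passes the st_ino/st_dev
 * comparison afterwards.  Constructed example, not the page's code. */
int open_regular_lstat_chain(const char *path)
{
    struct stat before, after;
    if (lstat(path, &before) != 0 || !S_ISREG(before.st_mode))
        return -1;
    /* race window: the object at `path` can change here */
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;
    if (fstat(fd, &after) != 0 ||
        before.st_dev != after.st_dev || before.st_ino != after.st_ino) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Hardened form: never reason about the path, only about the descriptor.
 * O_NOFOLLOW makes the kernel refuse a symlink at the final component,
 * O_NOCTTY keeps a tty from becoming the controlling terminal, and the
 * fstat checks reject anything that is not a plain, unshared regular
 * file.  Nothing here relies on inode numbers staying unique over time. */
int open_regular_nofollow(const char *path)
{
    struct stat st;
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NOCTTY | O_CLOEXEC);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed scenario in a private temp directory: one regular file and
 * a symlink pointing at it.  Returns 1 when the hardened opener accepts
 * the file and rejects the symlink (and the old chain accepts the file
 * too, showing both agree when nothing is racing), 0 otherwise. */
int demo_nofollow_rejects_symlink(void)
{
    char tmp_dir[] = "/tmp/openex.XXXXXX";
    char cwd_dir[] = "./openex.XXXXXX";
    char *dir = mkdtemp(tmp_dir);
    if (dir == NULL)
        dir = mkdtemp(cwd_dir);   /* fall back to the working directory */
    if (dir == NULL)
        return 0;

    char file[64], link[64];
    int ok = 0, fd;
    snprintf(file, sizeof file, "%s/data", dir);
    snprintf(link, sizeof link, "%s/link", dir);

    fd = open(file, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd >= 0) {
        close(fd);
        if (symlink(file, link) == 0) {
            int a = open_regular_nofollow(file);     /* expect fd   */
            int b = open_regular_nofollow(link);     /* expect -1   */
            int c = open_regular_lstat_chain(file);  /* expect fd   */
            ok = (a >= 0 && b < 0 && c >= 0);
            if (a >= 0) close(a);
            if (b >= 0) close(b);
            if (c >= 0) close(c);
            unlink(link);
        }
        unlink(file);
    }
    rmdir(dir);
    return ok;
}

int main(void)
{
    printf("hardened opener behaves as expected: %s\n",
           demo_nofollow_rejects_symlink() ? "yes" : "no");
    return 0;
}
```

The st_nlink != 1 test is stricter than many programs need; it rejects a file that has been hard-linked elsewhere, which is a reasonable default for something like a credentials file but will surprise callers on filesystems that legitimately hard-link content.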

We Have A Favicon!

Because Emergent Chaos cares about your privacy, we employ industry standard measures to protect the security of our site, and convince you to provide us with personal data we don’t need, which we shall carelessly sling around. Our compliance is monitored by Ernst and Young, we ship backups via UPS to Iron Mountain, and our employees are background checked…no, I can’t even say it.

What I can say is that we’ve shamelessly stolen Jean Camp’s awesome hack of using the SSL lock as a favicon, making it show up in the URL bar.

Right now, this is only for the HTML version. If anyone knows how to edit Movable Type config files so this gets into the RSS, please let me know.

Actual Data Sharing!

Cruising through my blogroll this morning over the morning coffee, I came across an article from BeyondSecurity, which walks through a forensic analysis of an ongoing security incident. This is a good read and it’s great to see folks in the industry talking about what they actually do and how they do it.
Thanks to TaoSecurity, who originally pointed me to the article. Check out Richard’s analysis of the actual incident response techniques. I’m with Richard: why didn’t they just disable the switch port?
[Edit: Link to TaoSecurity fixed. Thanks Nitpicker.]

SMS to Email?

I’m looking for a service that will give me a US phone number capable of accepting SMS messages, and forwarding those messages to an email account. I’m happy to pay for the service, but my searches have come up blank. I don’t want a service where the user has to add the destination email manually. Any advice from readers?

Job Hunting for Security Executives

Like everyone, there comes a time in every CSO’s career where they need to look for a new job. I’ve reached that point in my career and in looking around, I’ve run into several challenges. The first problem I’ve found is that there are a lot of different titles for the person who owns all of information security at a company. It could be anything from CSO or CISO to Director/VP of Information Security. Regardless of what these jobs are called, it turns out that most of these jobs aren’t posted publicly anywhere, and you just need to know the right recruiters and to leverage your contacts heavily to get leads and introductions.
Then there is the biggest problem of all, that being that no-one actually knows what a CSO does or what their scope of responsibility should be, or where they should sit within the corporate structure. If you put five CSOs in a room and interview them, you’ll end up with six different job descriptions. Responsibilities may range from nothing more than owning the operational aspects of network security to owning privacy, compliance, and both information and physical security. Organizationally, the CSO may report into IT Operations, directly to the CIO, to the CFO, the CTO, Audit, or in rare cases the CEO. Some CSOs will have hundreds of people in their organizations and some will have none.
If we as security folks can’t get some agreement over what our jobs are supposed to be, how the heck are we supposed to sell ourselves to prospective employers? And since employers have no concept of what we do, how are they supposed to figure out who is qualified and what is a reasonable scope of responsibility?
[Edit: Thank you to the folks who have been sending Adam job leads for me! They are greatly appreciated.]