Ramblings of a Unix Geek

I've been doing this for a long time... I ramble!

Decreasing social media footprint

Leaving twitter

And my social media footprint shrinks; I’ve closed my twitter account, mostly ‘cos there’s very little left there to read. Yesterday there were only 5 or 6 new posts on the “Following” feed (I never used the algorithmic feed); 90% of the likes my posts got were bots. It really was the text equivalent of a post-apocalyptic wasteland with howling winds. I had always been careful about what accounts I followed, so the extreme views that are reportedly on that platform rarely impinged on my consciousness; on the occasions I did click on a tweet it became clear that many of the replies were bots and misinformation or just plain hatred (“never read the comments!

Five Years of COVID

So 5 years ago today was the day I told my boss I wasn’t going to come into the office for a while, and would work from home. Because I didn’t feel comfortable. The company had made a plan; they were going to split the office into two groups who would come in alternate weeks. The idea was to reduce occupancy. However I’d been seeing more and more in the news how bad COVID could be and I didn’t want to risk being on the train for an hour each way as well as being in the office.

Why I don't use encrypted messenger apps

Secure messaging

A common question I get asked is “what secure messaging app do you use?” and the answer of “none” gets some surprised looks; how can I be in cyber security if I don’t use secure messaging? The answer is “convenience”, with a side of “risk analysis”. Back when Signal (on Android) did both secure messaging and SMS in the same app then I used this. When they removed this (because people might send insecure messages by mistake) I stopped using it.

Stop thinking of privilege in technical terms

I recently saw a posting on LinkedIn that said something like “with zero trust we can consider all access as privileged access”. While this could be considered true, I also made the same argument 15+ years ago before zero trust was a thing people cared about; my argument was “if I can login to a server then I can run commands, impact applications (eg chew up CPU), fork bomb, etc; surely that means all access is privileged”.

Comparison of all my screwdrivers

This post may seem odd for this blog; after all, why would anyone be interested in my screwdrivers? After all, someone like Project Farm did a scientific(ish) comparison of various things and gives you a lot more data than I ever could. But we’re all human, and sometimes a subjective opinion is valuable. And as people know, I have opinions :-) This may seem long but if you just want my opinions on the LTT drivers then skip to the bottom.

We don't need security products

There’s a theme going around that you should create secure products, not buy security products. And, as far as it goes, this is… Well, actually it’s not good. My initial response was “Why not both?” We need to secure the products we develop. There’s no doubt about that. And we need to mitigate mistakes. How do we do this? Spoiler… security products :-) In response to this I got a message “If you have secure products, you do not need security products.

Stop changing technology

One thing I’ve noticed, over the years, is the habit of people blaming technology for the problems rather than taking a look at the processes behind the problem.

A personal example

A big example, for me, was when I was part of the Unix enterprise authentication team. The technology worked, and it worked well. It was resilient, reliable, fast. We literally turned off the infrastructure in one datacenter and all the clients correctly failed over to the next nearest one.

Google killing adblockers

Google has been threatening this for a while, but now they’re finally getting around to it; they’re starting to remove Manifest v2 (MV2) from Chromium (and thus Chrome, and likely many browsers based on chromium, which is the majority of the browser space, these days!). What does this mean? Chrome extensions use a set of APIs to talk to the browser engine. The main version that’s been in use for a number of years is “Manifest v2”.

On 9/11 deniers

For some reason this year a lot more 9/11 denialism has come across my social media feeds. I wonder if it’s because of the upcoming election. And I just can’t… I’d had enough a decade ago and wrote something then; I’m repurposing it here. I was working on Wall Street the day it happened, just half a mile away. I’d only moved to the US 2 months earlier. I spoke to people who were at WTC as it happened.

Yubikey 5 is broken! Panic! Or not

I’d previously written about the Yubikey 5 and how we could use it to solve various use cases and when to trust it. Personally, I think it’s a great device for corporate authentication solutions. But… This week, Yubico released an advisory that stated that ECDSA private keys could be stolen from a Yubikey 5 that’s running firmware older than 5.7.0 (or 2.4.0 for the YubiHSM). This is due to a flaw in the cryptographic libraries written by Infineon and discovered by NinjaLab.