Kahomono - It Means Lucky

Random musings on whatever subject strikes my fancy that day.

Category: InfoSec and IT (Page 1 of 12)

Real Security is Boring

Anyone who thinks that they want to go into Information Security for the excitement has been watching way too many of those dramatic TV shows where they throw around the prefix “cyber-” too much.  Then the slick-dressed hero, the pudgy bearded guy and the gothy teen prodigy huddle around a laptop while the giant red LED Countdown Clock of Doom makes its way toward this week’s digital Armageddon, brought to you by Travelocity.

This is how I look at work.    Exactly… never.

What a big ol’ bucket of Nope!  I could never take the stress.  Real security work looks boring.  Tracking threats, applying mitigation, then watching with satisfaction as… nothing happens.

If I have trained my user community right, every backup is running.  Nobody is clicking on dodgy email links or attachments.  Every password is unique and strong.  It’s stored in a password manager, and fortified by two-factor authentication.

It only looks boring, and it’s much easier on my blood pressure.



I’m really enjoying Cyberwar on the Viceland network.  It’s rare to see this level of reporting on information security issues.  Usually, in media, it’s “HACKERS! BAAAD!  BE AFRAID!  BUY WINDOZE!”

But this is being done by a crew who recognize that there’s more to it than that.

Here, check out a recent episode:


Gimme a K!

When I got off of Mint earlier this year, I switched to Debian.  Well, having been through Cinnamon and MATE, I have given up on a desktop ever integrating very well with this fundamental server OS.

So now, I am trying out Kubuntu.  All of the GNOME/Unity drama leaves me cold.  So I figured, why not sacrifice familiarity for polish one time?

It’s “early days” yet, but I have to say, so far, so good.  More on this in days to come, because you know I can’t resist.

Try a new OS for the holidays!

Digital Hygiene

As a follow-up to Get Ready (part 1, part 2), I want to make sure you have some basic digital hygiene steps to follow for your data at home, not just what you send out over the ‘Net and into the world.

If there’s a theme to all of this, you’ve probably noticed by now that it’s, “Encrypt, Encrypt, Encrypt!”.  Your phones, your tablets and your computers’ hard disks should all be encrypted.  This might add a spot of inconvenience: you’ll have to enter a passphrase to boot your computer, you’ll have to switch to a reasonably strong PIN or password to unlock your phone.  Well, make like a Nike customer, and Just Do It.  I hope you never have to find out how important it is.  What’s that?  You say you have nothing on your phone or laptop worth hiding?

If you give me six lines written by the hand of the most honest of men, I will find something in them which will hang him.

–Cardinal Richelieu

So let’s not hear any more of that, okay?

Also, get a password manager so that you can have decent passwords.  Whatever goofy workarounds you may have seen recommended in the past by some guy, there’s really no substitute for a good strong 20+ character string of truly random characters.  The convenience/inconvenience factor here should be a net positive, because good password managers do the login action for you.  Check out and start using one today!  LastPass, 1Password or KeePass.  I don’t care.  insert Nike slogan here


We can do this.  My offer stands – contact me via “private” message on Google+ and I will help you any way I can, no questions asked.


Get Ready (part 2 of 2)

Yesterday, I started giving you some suggestions for how to encrypt your Internet communications, in order to give cover to people who may be at risk from the impending reign of the Pumpkin.

The first thing I want to address is email.  When it comes to sending any sensitive communications via email, my only real recommendation is: DON’T.  Email was not designed to be secure and email security will probably never be anything more than a bolt-on.  That said, if you’re going to bolt something on, consider (in the order I prefer them): Enigmail, GnuPG and PGP.  None of these is easy to implement.  But all of them will secure email communications well if correctly installed and used at every endpoint, for every email.

Now, “if correctly installed and used at every endpoint, for every email” probably sounds like a trivial disclaimer, but consider this: if there is only a 0.1% chance that someone will mess up, and there are 100 people who each send 50 emails… then the chances of your emails being exposed sit at 99.3%.  And that’s rounded down.
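The 99.3% figure works out as follows (this derivation is added here and is not part of the original post; it assumes each of the 100 × 50 = 5,000 emails is an independent 0.1% chance of a mistake, and that one mistake is enough to expose the thread):

$$
P(\text{at least one exposure}) = 1 - (1 - p)^{N}, \qquad p = 0.001,\quad N = 100 \times 50 = 5000
$$

$$
1 - 0.999^{5000} = 1 - e^{5000 \ln 0.999} \approx 1 - e^{-5.0025} \approx 1 - 0.0067 \approx 0.9933
$$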

So how to communicate?  Text messaging.  But don’t just pick up your phone and start Swyping: first get Signal from Open Whisper.  Some guy named Ed Snowden has let it be known that this is his messaging platform of choice.  Talk about skin in the game!  Signal handles secure texting and voice calling, and it is free.  It runs on iOS and Android.  Again, every party to the communication has to have it, but the good news here is, once you have it running and you’re using it, there’s nothing left to screw up.

There’s also nothing for the manufacturer, whose servers help you make connections, to tell the government about you when the subpoenas arrive.  Signal is one of the elite set of communications platforms whose operation is Zero-Knowledge.  To over-simplify, this means that they know nothing about you and they do not ever handle the keys that can decrypt your messages.  Therefore, when the government asks (and they did!), they get nothing (which they did!).   And speaking of zero-knowledge, SpiderOak is your choice for file-sharing.

Finally – a word about social media.  If you know me by now you will not be surprised to learn that my word about social media is, NO.  There is exactly zero privacy on social media.  Closed groups are open.  Private messages are public.  There may be messages you would place on a bulletin board in Times Square: those belong on Facebook and Twitter.  Everything else, keep it inside solid messaging applications as discussed here.

Anyone seeking help with this can contact me via “private” message on Google Plus (yes, I use bulletin boards in Times Square, too).  My profile link is on this page.  I will respond to you personally and help any way I can, and I will presume that all your interest is in encrypting thousands and thousands of grocery lists.

Suggested further reading, at the EFF website



Get Ready (part 1 of 2)

The legendary spiteful streak of President-Elect Pumpkin is about to be combined with command over the greatest surveillance apparatus in human history.

Worried yet?

Here’s why you should start encrypting everything… abso-frikkin-lutely everything!  Even if your plans for the next four years are to keep your head down, stay out of trouble, you can help the people planning massive protests or civil disobedience.

By encrypting all your email, text messaging, and web traffic, you add to the volume of encrypted internet matter that the surveillance apparatus has to crack to figure out what needs its loving attention.  Even if your own messages never rise above the “excitement” level of telling your partner to add milk to the grocery list, it’s helpful.  Amping up the volume they have to deal with is what gives the people a chance to flip the script on surveillance.  The apparatus is huge, but it’s finite.

That’s part of the idea behind HTTPS Everywhere from the Electronic Frontier Foundation.  If you use Firefox, Chrome or Opera you can add this extension to your browser.  (If you don’t use Firefox, Chrome or Opera, pick one and start!)

In part 2, tomorrow, I will give some recommendations for encrypting your messaging, and safety ideas to practice on social media.


Shooting Yourself in the Foot

Shooting yourself in the foot, it turns out, can be done in many different programming languages.  Or, once the vendors actually had to mass-market them, “application development frameworks”.  (Programming language + runtime libraries + syntax cues for a text editor = application development framework.  But that’s a rant for another day.)

Somehow, despite the fact that I am considered an aficionado of the geekier time-wasters, I only became aware of this gem early this morning.

A few samples:

370 JCL
You send your foot down to MIS and include a 300-page document explaining exactly how you want it to be shot. Two years later, your foot comes back deep-fried.

If you are dumb enough to actually use this language, the United States Department of Defense will kidnap you, stand you up in front of a firing squad, and tell the soldiers, “Shoot at his feet.”

You shoot yourself in the foot with a Civil War-era musket. The musket is aesthetically fascinating, and the wound baffles the adolescent medic in the emergency room.

You hear a gunshot and there’s a hole in your foot, but you don’t remember enough linear algebra to understand what happened.

You try to shoot yourself in the foot only to discover that you must first invent the gun, the bullet, the trigger, and your foot.


Using only 7 bytes of code, you blow off your entire leg in only 2 CPU clock ticks.

Shoot self in foot with water pistol. On big systems, continue until entire lower body is waterlogged.

You accidentally create a dozen instances of yourself and shoot them all in the foot. Providing emergency medical assistance is impossible since you can’t tell which are bitwise copies and which are just pointing at others and saying, “That’s me, over there.”

Go visit the page but be prepared to spend about half an hour giggling madly and trying to suppress it so you won’t have to try to explain why you’re giggling to parents, SOs, children, or less-geekified co-workers.

