Random musings on whatever subject strikes my fancy, published every other day.

Category: InfoSec and IT Page 2 of 29

The Eye

The power of The Eye compels you to click through!

The surveillance state is here, and the government didn’t even have to impose it. We welcome into our own lives and homes everything from smartphones (to track our every move) to Alexa, which listens in on all your conversations and reports them to who-knows-where. Ring cameras keep all the video of what’s going on around your home indefinitely, just in case the police happen to want it. This convenience is also available to criminals, because building reasonable security into things like this is not something their manufacturers have ever cared about.

Elf On The Shelf trains tots to accept all this as perfectly normal. By the time your tots are in university, the school will require them to install a Panopticon app on their phones to monitor, well, everything. (The data breach from that little gem is going to be really fun!)

Sauron was just ahead of his time.

posting delayed

back on the weekend

Honesty

Today’s post is about password discipline, and how most companies that we entrust with passwords don’t really have much!

See it over at Safer Computing.

Over/Under

Today’s post is over at Safer Computing, about over- and under-estimating risk.

Orange Book

I did a talk today about the Orange Book. The Orange Book lays out some very well-structured, very stringent principles for the construction of truly secure systems. The audience for it was DoD and other government procurement officers who needed to buy reliably secure systems for classified processing.

This turns out to be a very personal topic for me. Around the time the Orange Book came out, I was working on a Multics system doing database work for a pharmaceutical company. Multics became one of the first systems to successfully be evaluated under the Orange Book criteria — at level B2. Honeywell, the maker of Multics, was quite pleased!

They gave these buttons away to all and sundry, and I got one.

I found the fact of a framework capable of assuring a secure computer system fascinating. It has always inspired me to find ways to make systems simpler and so more secure. Vendors to the commercial market today will insist that there’s no way to make systems both secure and affordable. Since the primary method of improving a product in its evaluation for an Orange Book rating is to make it simpler, I smell a rat.

One can probably say that my Multics experience in the 1980s inclined me toward getting my CISSP in 2005, and the whole progression of my career since then.

