Perspective

Posts ∙ 63 posts

Posts

The Devil’s Information Security Dictionary

Just saw the very funny Devil’s InfoSec Dictionary on the CSO site. Of course, I had to add a few definitions of my own: Blended threat: a hemlock smoothie Process, Security Is A: a throw-away line that explains why security measurement is impossible Risk management: a repeated process around the Hamster Wheel of Pain that vendors use to enumerate vulnerabilities you didn’t know you had, followed by serial remediation of same.

1 min read ∙ November 14, 2005

Andrew Jaquith

Making the Wrong Development Choices

I hate to be a curmudgeon about this, but this fellow needs a beat-down: Fixing AJAX: XmlHttpRequest Considered Harmful I offer this as exhibit A (as in AJAX) about why application security may well be intractable, in part because we’ve got mainstream technical outlets teaching techniques to evade well-founded security principles.

3 min read ∙ November 9, 2005

Andrew Jaquith

Graphical Integrity, Part I

The folks at the NY Times have put together a nifty interactive graphic that diagrams the various data breach cases that have been disclosed since January.

2 min read ∙ November 7, 2005

Andrew Jaquith

Fun with Spam

Collecting Hamster Wheels of Pain is certainly a fun hobby. So is collecting the rather amusing e-mail addresses chosen by spammers to evade e-mail filters. Here are some good’uns from the 305 spam-grams from the past week:

2 min read ∙ November 1, 2005

Andrew Jaquith

The Cybertrust Zotob Study: Read Between the Lines

Rudolph Araujo, a contributor to the securitymetric.org mailing list, forwarded on a link to a Red Herring article about a new Cybertrust study on the impact of the Zotob worm by Russ Cooper.

Cybertrust has an interesting model… when major security incidents happen, they make a habit of canvassing a wide group of companies that have agreed to participate. Looks like they are up to about 700 or so participants, not all of which are their customers. I actually really like and appreciate that Cybertrust takes the time to do this, although in this particular example I think they raised more questions than they answered.

4 min read ∙ November 1, 2005

Andrew Jaquith

Security Metrics: Scorecard Design

Author’s note: the chapter is not finished. It has some organizational and structural flaws that won’t be ironed out until later in the editing process. There are also some parts that need additional fleshing out.

1 min read ∙ October 19, 2005