Honesty

Posted on 2019-08-11 | Categories: Basics | 1 Comment

Wouldn’t it be good if all applications and websites let you know this? Because it’s true for almost all. Password storage is where many companies do not do all the right things, and do not do all the things right. There are many ways to mess it up, and you only need one miss to enable someone who can steal the data to know all the passwords their users use. It doesn’t have to be that way. And it doesn’t …

Risk Analysis at the AT&T Store

Posted on 2019-06-16 | Categories: Privacy | 3 Comments

Smartphone shopping. More fun than a root canal, isn’t it? I needed a new phone to bring to my employer’s BYOD program. I decided not to use my personal phone number with that, so my existing device was not under consideration. Also, our BYOD program puts the device I bring onto the AT&T network, and my existing account with Google Fi would have to be dropped. For a wide variety of reasons, including my ability to have text-message conversations from …


Over/Under

Posted on 2019-05-19 | Categories: Breaches and Other News | 1 Comment

Starting Friday, Salesforce.Com had a fifteen-hour outage due to their having to “pull the plug” after a script went rogue and gave all comers full access to the database. Anyone logged in could do anything to anyone’s data. Not cool. Restricting access was the right thing to do. The interesting question in my mind is how people will evaluate this incident as it relates to their future judgment on the safety of SaaS platforms like Salesforce. I think people will …


Lessons

Posted on 2019-04-01 | Categories: Basics | 1 Comment

What’s old will be new again. Or, as in the old Jewish proverb: “Who is wise? One who learns from every person.” My next infosec conference talk will be at the ISACA Western New York Controls & Compliance conference, on May 7. Lessons from the Orange Book will be a talk about how the “old” first principles of computer security still apply in the era of the Cloud and IoT. After I deliver the talk I will blog a summary …

So That Was BSides

Posted on 2019-03-24 | Categories: Basics | 1 Comment

As cool as it was being at BSides Rochester yesterday, because of my role in it I did not get to attend any of the talks! Lucky for me, almost all the talks are now or will soon be online! See the whole raft of videos here. And then there’s #hatchan. It’s not just a hat, it’s an institution. It’s a WiFi hotspot. It’s a server. It’s hackable. At the end of the day, when he shut it down, there …


Ransomware

Posted on 2019-02-10 | Categories: Encryption, Malware | 1 Comment

You have probably seen news of businesses and institutions being attacked by ransomware, and having to pay tens of thousands of dollars to get rid of it. Names like CryptoLocker, Fusob and WannaCry have floated by. But what is ransomware? How does it work? How can I avoid being stung? Simply defined, ransomware is a specific type of malware that denies its victims the use of their data until a ransom is paid. Ransomware attacks typically operate as follows: The …

Ads Just Keep Getting Worse

Posted on 2018-12-28, updated 2019-01-02 | Categories: Malware, Privacy | 1 Comment

“Relevant” is the ad industry’s current excuse for all the spying, tracking and intruding on our lives that they are currently tormenting us with. They “need” to suck down every aspect of our personal lives and habits and idle thoughts… so they can show us better sneaker ads. Sneaker ads that creepily show up the minute we register to run in a 5K. Or walk past a Foot Locker. This is why I block all ads, everywhere on the Internet. …


Breaches

Posted on 2018-12-04 | Categories: Privacy | 1 Comment

Ah yes, breaches. Not really a much better movie, I’m afraid, yet we keep seeing it over and over. Big splashy headlines touting eye-popping numbers, followed by unsolicited offers of credit monitoring from companies who are really, really hoping their arbitration clauses hold up. They do seem to arrive in clusters, also. The latest one-two punch is Marriott, then Quora. Marriott managed to get hacked and then not detect it for four years, finally now disclosing that half a billion-with-a-B guest …

IT v Security

Posted on 2018-11-26 | Categories: Vulnerabilities | 1 Comment

One of my best friends is an IT guy, with about the same amount of career experience as I have. (We’re old, get it?) When we get together, I notice that we each show the distinctive mindset of our specialties: he’s always thinking, How can I get this to work? And I’m always thinking, How can I break this? And yet, it was he who sent me this: