Unscrewing Security

About Author

Alec Muffett is a veteran security geek who believes strongly in common sense, full disclosure, defence in depth, privacy, integrity, simplicity and open source. He is an independent consultant, writer, and speaker specialising in security education.

Recent Posts

Certificate Authorities and SSL: building on cracked foundations

A hierarchical model of trust requires trustworthiness. Oops.

SSL (strictly named SSL/TLS) is the encryption layer commonly used in HTTPS, IMAP, Instant Messaging and other common Internet protocols, and is supposed to provide at least three benefits to the developer and users. In approximate order of importance these...

Tags: certificates, crl, cryptography, ocsp, security, ssl, x.509

What happens when hardware authentication tokens get 0wned?

How bad can it be? Can two-factor authentication turn into an open door?

This is not an RSA SecurID story - there are plenty of those, you can find them all over, or read some extraordinarily timely advice shipped by US-CERT to US Government agencies about (ahem) best practices in systems assurance. Instead...

Tags: authentication systems, hardware, passwords, security

Things to do in London if you're a Security Geek

DEF CON's London chapter has a new venue

DEF CON is one of the world's largest hacking conventions - it's beyond my description so if you're not already aware of it then do read the Wikipedia page and go browse some of the talks from last year, both audio...

Tags: defcon, geek, hacking, london, security

Ignoring national and international cyber security frameworks

The Internet is only a dubious reflection of geography; regulation and structure harms it or may simply be ignored.

Seeking inspiration for a post I came across this posting by Prescott Winter at ArcSight - on this very website. I find the perspective from which he writes - and the direction of his arguments - to be rather unrealistic....

Tags: cookies, cybersecurity, policy, security, wikileaks

Why should you ever trust your hardware?

Supposedly the last computer fully comprehensible to a single person was the VAX 11-780; your phone is much worse...

Last night I attended a small un-conference run by the Tor Project - specialists in providing access to websites that your repressive Government regime probably doesn't want you to see. They don't exactly provide anonymity because it's still entirely possible...

Tags: civilrights, government, security, spying, tor

Zen and the Art of Data Destruction

Why trash your hard disks? Good question...

This morning a friend pointed me to the following blog article by David Bradley: "On the BBC TV news this morning, there was video footage of a man in overalls feeding hard drives, one after the other, into an incinerator...."

Tags: dban, destruction, scrubbing, security, shredding, storage

How a Screwdriver teaches us something fundamental about Security

There are some very key lessons in security; one is that "security through obscurity" cannot be relied upon in any form

If you were paying attention last week you should have been reading "Reducing Systemic Cybersecurity Risk" by Ian Brown (not him) at OII and Peter Sommer at LSE. This 1.5Mb, 136-page epic PDF got splashed somewhat, mostly for its defanging...

Tags: apple, cybersecurity, obscurity, oecd, security

Open Source has no bearing upon Software Security - Community does

Sorry, Eric: "many eyes" goes only so far; but at least open source engenders community...

Time again to annoy a bunch of my peers, but only the ones who skim articles rather than take time to read fully: Security quality is disjoint from openness. Free and Open Source Software (FOSS) is clearly and famously not...

Tags: development, open source, security, trendmicro

Password Security, Forevermore

Passwords suck. But there will never be a better non-niche solution.

There ought to be a word - there probably is a word - to describe concepts and ideas which work great in theory, have major flaws in practice, and for which either there exists no viable alternative, or any...

Tags: authentication systems, cambridge, cryptography, identity, passwords, security

Why should there be only one DNS?

In dead-tree-space we have Yellow Pages, Thompson Directory and more; why should we have only one DNS?

Maybe my infrequency of posting has been due to the chaos of overhauling my kitchen for the past eight weeks; or perhaps it's the quantum barrier imposed by trying to write a bit like a journalist when in actuality this...

Tags: dns, dotp2p, nameservice, peer-to-peer, security, wikileaks