Unscrewing Security
Alec Muffett
Recent Posts
Certificate Authorities and SSL: building on cracked foundations
A hierarchical model of trust requires trustworthiness. Oops.
by Alec Muffett
SSL (strictly named SSL/TLS) is the encryption layer commonly used in HTTPS, IMAP, Instant Messaging and other common Internet protocols, and is supposed to provide at least three benefits to the developer and users. In approximate order of importance these...
March 24, 2011 5:29 PM
What happens when hardware authentication tokens get 0wned?
How bad can it be? Can two-factor authentication turn into an open door?
by Alec Muffett
This is not an RSA SecurID story - there are plenty of those, you can find them all over, or read some extraordinarily timely advice shipped by US-CERT to US Government agencies about (ahem) best practices in systems assurance. Instead...
March 23, 2011 2:37 PM
Things to do in London if you're a Security Geek
DEF CON's London chapter has a new venue
by Alec Muffett
DEF CON is one of the world's largest hacking conventions - it's beyond my description so if you're not already aware of it then do read the Wikipedia page and go browse some of the talks from last year, both audio...
March 23, 2011 1:14 AM
Ignoring national and international cyber security frameworks
The Internet is only a dubious reflection of geography; regulation and structure harm it or may simply be ignored.
by Alec Muffett
Seeking inspiration for a post I came across this posting by Prescott Winter at ArcSight - on this very website. I find the perspective from which he writes - and the direction of his arguments - to be rather unrealistic....
March 15, 2011 4:44 PM
Why should you ever trust your hardware?
Supposedly the last computer fully comprehensible to a single person was the VAX 11-780; your phone is much worse...
by Alec Muffett
Last night I attended a small un-conference run by the Tor Project - specialists in providing access to websites that your repressive Government regime probably doesn't want you to see. They don't exactly provide anonymity because it's still entirely possible...
March 8, 2011 1:18 PM
Zen and the Art of Data Destruction
Why trash your hard disks? Good question...
by Alec Muffett
This morning a friend pointed me to the following blog article by David Bradley: On the BBC TV news this morning, there was video footage of a man in overalls feeding hard drives, one after the other, into an incinerator....
February 11, 2011 12:48 PM
How a Screwdriver teaches us something fundamental about Security
There are some very key lessons in security; one is that "security through obscurity" cannot be relied upon in any form
by Alec Muffett
If you were paying attention last week you should have been reading "Reducing Systemic Cybersecurity Risk" by Ian Brown (not him) at OII and Peter Sommer at LSE. This 1.5Mb, 136-page epic PDF got splashed somewhat, mostly for its defanging...
January 25, 2011 3:29 PM
Open Source has no bearing upon Software Security - Community does
Sorry, Eric: "many eyes" goes only so far; but at least open source engenders community...
by Alec Muffett
Time again to annoy a bunch of my peers, but only the ones who skim articles rather than take time to read fully: Security quality is disjoint from openness. Free and Open Source Software (FOSS) is clearly and famously not...
January 14, 2011 11:09 AM
Password Security, Forevermore
Passwords suck. But there will never be a better non-niche solution.
by Alec Muffett
There ought to be a word - there probably is a word - to describe concepts and ideas which work great in theory, have major flaws in practice, and for which either there exists no viable alternative, or any...
January 10, 2011 5:07 PM
Why should there be only one DNS?
In dead-tree-space we have Yellow Pages, Thompson Directory and more; why should we have only one DNS?
by Alec Muffett
Maybe my infrequency of posting has been due to the chaos of overhauling my kitchen for the past eight weeks; or perhaps it's the quantum barrier imposed by trying to write a bit like a journalist when in actuality this...
December 3, 2010 12:03 PM