Security - All Comments

re: Pharmaceutical spam hides under Google mask

vintage jewellery — Mon, 23 May 2011 07:40:42 GMT

i've bought hand made jewellery on www.vintagejewellerys.com vintage jewellery online shop before and it's been good quality and i returned to the store time and time again as i knew she made really nice things.

i think as long as you do some classic pieces as well as www.vintagejewellerys.comnecklace-c-14.html vintage necklaces ones, then you'll be fine. if you also say that you're happy to try and make things that people would like, then you might get some more business. sometimes i search for unique things, but may not always like what i find, so it'd be useful to know if someone could make what i wanted. www.vintagejewellerys.com www.vintagejewellerys.comnecklace-c-14.html

re: The new MSRC is a good thing

Steve Syfuhs — Mon, 30 Aug 2010 23:18:05 GMT

I am a little baffled by your understanding of security patches. The average out-in-the-wild exploit of a security vulnerability is released/found a few months after a patch is released by vendors, such as Microsoft. The reason behind this is because it is far easier to reverse-engineer an already packaged solution, such as security hotfixes. It is also far easier to write code to exploit a known bug if vector data is released long before a fix can be created.

The liklihood of multiple people (or groups of people) finding the same exploitable bug is actually relatively slim if they don't know where to look, especially if the bug was found by a respectable researcher. Respectable in the sense that they wouldn't be dumb enough to disclose such a bug to would-be attackers.

Therefore, it is very rarely a good thing to disclose to the public long before a patch can be written.

While I am all for proper disclosure of bugs, it is a fine line between disclosing a bug prematurely and too late. Did Microsoft drop the ball on this one? It depends. Each bug submission goes through an extensive vetting procedure, as Microsoft defines in their Security Development Lifecycle. Each bug is ranked by severity. How exploitable is it? What is the liklihood of someone using this as an attack vector (relative to other bugs)? What do we break by fixing this bug? Do we introduce new security bugs as a result? And so on. What are the odds that the world's largest software company missed their mark on these questions? My guess is that the odds are low.

So I guess my question is: Do you actually understand how serious this flaw is?

re: The upside of G8/G20 for security pros

Dileepan — Thu, 03 Jun 2010 13:51:14 GMT

test without sign in

re: Want to know the life expectancy for malware?

Stephan — Wed, 30 Sep 2009 13:23:44 GMT

The real problem is that the Windows software ecosystem has realized how profitable "enumerating badness" is.

(www.ranum.com/.../dumb for where most people learn the term)

If you just use "default deny" and say "These programs doing these things are OK. Everything else is forbidden," it's an order of magnitude more difficult to make user-friendly, but security becomes several orders of magnitude easier because you have what amounts to a system call firewall.

I just wish Linux GUI programmers weren't so immune to calls for more novice-friendly security. (eg. Security profiles that can be distributed with the applications and are simpler than things like SELinux for developers to support)

At least the kernel devs are blocking attempts to get virus-scanning hooks into the mainline kernel on the grounds that the AV companies keep sidestepping requests for a rationale to the set of hooks they keep asking for.

re: Two-factor showdown at RSA Welcome Reception

Coverage from RSA Conference 2009 « Cogitatio Privatim — Wed, 30 Sep 2009 13:19:34 GMT

[...] those who are interested, I have some posts over at ITWorld Canada from RSA Conference 2009 about two-factor authentication vendors, collaboration, and general impressions of the [...]

re: Security vendors and their obsession with celebrity deaths

Mary Sampsonite — Wed, 30 Sep 2009 13:17:33 GMT

Are you kidding me?

First of all, I don't think many of us are stupid enough to fall for an online scam and download bogus software just because it talks about Swayze...well, maybe I am! ;)

So don't stress about any vendor warnings...

Second of all..Dirty Dancing is Swayze's best movie. What's roadhouse?

if you haven't seen dirty dancing..i suggest you check it out because he will melt your heart.

re: Auditing to avoid IS icebergs

Keane Security Alarms Riverside — Wed, 30 Sep 2009 12:57:53 GMT

Security alarms are needed for an organization in order to protect themselves from external problems if any. There are many other sources to get security alarms.

re: Learnings from BlackHat - New attacks on SSL

Ian — Thu, 30 Jul 2009 04:00:00 GMT

Thanks for this overview! I've been reading the updates from blackhat and as usual the SSL hits are in the spotlight. Still, it seems like at least this season some existing solutions are being suggested rather than SSL being deemed "broken" or anything of that nature. Tim Callan of the aforementioned VeriSign posted a great response regarding what certs use null characters and how extended validation is still the best way to prevent phishing, provided that it's implemented appropriately.

blogs.verisign.com/.../busy_day_at_black_hat.php

re: Not everyone loves MS Office 2010

Mitch Logan — Tue, 21 Jul 2009 04:00:00 GMT

Also what about Neon signs! They need to have a programmable timer attached, so that they will go off after the store owner has gone home.

What if someone is driving and they see a neon sign that says OPEN, but when they get there, the place is actually closed. Someone forgot to turn the sign off! This will result in vast numbers of misunderstandings, confusion, and maybe worse.

re: No, really, I like vanilla.

Dave Morgan — Tue, 30 Jun 2009 04:00:00 GMT

OK, maybe not quite vanilla... I just came from this evening's hospitality suites where I almost won a Smart Car. That had zing.

re: Panda Security debuts cloud-based anti-virus

techfan — Fri, 01 May 2009 04:00:00 GMT

I tried it on my netbook using Atom and it works perfectly. Very, very, very light.

Scan in my case was not long at all and I have over 40gb of data ... it may depend on hte people doing scans at the same time?

re: Two-factor showdown at RSA Welcome Reception

John Zurawski — Wed, 22 Apr 2009 04:00:00 GMT

Also - Thanks for the mention Dave. As this is Authentify's 9th appearance at the annual RSA event, it's surprising to hear Mr. Dispensa

compare PIN based and voice based technologies as though Authentify doesn't offer PIN based authentication.

Authentify offered a PIN based demo for the first time at RSA 2001 (still does on the Authentify Web site.) In fact, if you buy an SSL server certificate online from one of the leading certifcate vendors, the activation PIN is delivered via phone, in a process powered by Authentify. A process that has been deployed since 2003. Biometrics can be appropriate in many situations, but is not the only thing that differentiates Authentify from recent market entrants like Phone Factor.

Hope to see you tomorrow!

John Zurawski

Vice President

Authentify

on site: 847-313-5531

re: Kicking RSA Conference 2009 into action

Kelly Wanlass — Wed, 22 Apr 2009 04:00:00 GMT

Hi Dave,

Stop back at the Venafi booth, if you get a chance (#2345). You can meet "Simon the IT Dummy" (likely not the one who was practicing his presentation, though) and get a look at the new version of the Venafi encryption management product.

Have fun!

re: Two-factor showdown at RSA Welcome Reception

Steve Dispensa — Tue, 21 Apr 2009 04:00:00 GMT

Thanks for the mention! On the voice biometrics point, it's an interesting idea, but we simply haven't had market interest for the feature. After, it's already two-factor authentication, and voice ID on a mobile in a crowded, noisy space is problematic. Besides, you're not always somewhere you can talk out loud, but you can always answer a call on vibrate and press a button.

In the end, it's certainly an interesting idea, but there are much more powerful and useful things you can do on an authentication call.

Let me know if you're interested in a deeper dive on the technology.

-Steve Dispensa

Chief Technology Officer

PhoneFactor

re: Dan Swanson: Security leaders

John Delaney — Wed, 25 Mar 2009 22:03:48 GMT

Dan, I miss your e-mails - What happened and how can i receive them again?

John Delaney

jdelaney@ns.sympatico.ca