Category: Technology
-
Remote VideoConferencing Setup
If you’ve heard me on a podcast, or seen me at a virtual conference, maybe you’ve been surprised at the audio and video capabilities I bring. Enough people have asked me to write them up, so here you go.
-
A Perimeter of One
In the era of graphite-and-paper enterprises, control over information assets was tangible. With the introduction of computers, the security mindset remained rooted in physical perimeters, failing to adapt to the untrustworthiness of interconnected systems. As smartphones and laptops become extensions of users, the modern enterprise must shift to a model where trust is not implicitly…
-
Take Over, Bos’n!
Eleven years ago, Danny Lewin was tragically killed. But this story takes us back twelve years prior, when Danny’s relentless spirit inspired me to revolutionize the web. Despite initial doubts, Danny’s unwavering belief in our product led us to create a groundbreaking security model. It took time, but eventually, we transformed e-commerce, e-government, and business…
-
Enterprise InfoSec Lessons from the TSA
The TSA’s security practices serve as a valuable analogy for enterprise information security. Like the TSA, security teams often focus on metrics that don’t align with the business’s goals. Weak authentication, limited logging, and reliance on outdated technologies are akin to enterprise practices that hinder effectiveness. Instead, a shift towards flexible security techniques that align…
-
The Unreliability of the Domain Name Service
DNS (Domain Name System) is a critical protocol that translates hostnames into IP addresses, enabling the functioning of the Internet. Its simplicity and ability to handle failures make it a model for building other resilient infrastructures. Using UDP for transport and incorporating features like time-to-live (TTL), DNS ensures high availability despite the inherent unreliability of…
-
Credit Card Tokenization
PCI audits are an annual burden for merchants, but new technology offers a potential solution. Tokenization replaces credit card data with tokens, reducing the risk and value of stored card information. Merchants exchange credit card details for tokens through payment gateways, improving security and enabling various operations while reducing the need to handle sensitive card…
-
Skynet or The Calculor?
Technology-based companies can be organized around silicon or carbon, leading to different security practices. Silicon-based organizations rely on predefined rules and systems, while carbon-based organizations are more fluid and human-centric. Each requires tailored security solutions; a one-size-fits-all approach is self-delusion. Understanding the business and designing unique solutions is crucial, as no…
-
Why don’t websites default to SSL/TLS?
HTTP is designed for web administrators to host multiple sites on fewer systems, while HTTPS (SSL/TLS) focuses on security-conscious users. SSL’s design creates scalability issues, although solutions like wildcard and SAN certificates, as well as SNI, aim to mitigate them, pending widespread SNI support.
-
The Designed User
Understanding the “Designed User” is crucial in assessing technology risks. Apple’s technology, in particular, is known for its tailored design, resonating more with individuals who closely align with their target audience. For security professionals, comprehending the intended users helps evaluate security tradeoffs made during development. For instance, the new Twitter retweet functionality caters to celebrities…
-
The Problem with Password Unmasking
There is a disagreement regarding whether passwords should be shown in clear text or masked while being typed. One perspective argues that password masking reduces usability and offers limited protection against snoopers. However, the opposing view emphasizes the importance of security and raises questions about the effectiveness of unmasking passwords. The ultimate solution lies in…