* Posts by dd88ddd

11 publicly visible posts • joined 30 Mar 2015

Israeli military techies cook up security alerts software


This piece feels like advertorial.

Facebook CSO slams RSA Conf for repping 'the worst parts of the security industry'


Re: Pardon me


the only way to get paid is bug bounties? what?

This is utter tripe. Plenty of people get hired to do security research of all kinds, not just finding vulns in websites (seriously, why do amateurs think this makes them 'rockstar hackers'?)

"Working InfoSec is a fools game in every corporation I've dealt with"

Sure, if you don't like money. Otherwise, now is a very good time to work in infosec.

"Last to get hired, first to get fired/layed-off."

Perhaps that's something to do with you? I've never experienced this.

"No one even bothers to pretend to support your job properly (funds, people, and especially tooling). Hell, they don't even bother to read your memos."

It's your job to educate people about security.

"So excuse me if I'm a bit confrontational. Asshole."

This is probably the reason for your job struggles. Fix your attitude.

Drop the obsession with Big Data, zero days and just... help the business


Re: how's that?

It's a big straw man, which implies that all businesses are doing high level stuff, and ignoring the low level stuff. The truth of the matter is that there are thousands of companies, each at different levels of maturity, doing different things, prioritising things in their own unique way.

Some are neglecting the basics and chasing the advanced. Some are doing the basics well and ignoring the advanced stuff.Some are doing nothing. Some are doing everything badly. Some are doing everything well. Some are in the process of maturing, starting with the basics, with an eye to moving on to the advanced stuff when appropriate.

Business exist and operate at all points on the 3-dimensional spectrum of what security activities they undertake, when, and to what level of quality. For example; I have no doubt that TalkTalk had pentests; however, maybe they ignored the results; maybe they delayed patching; maybe the pentest was bad, and missed the vuln that was exploited? All these are possibilities; and the suggestion that maybe, focusing on threat intel was the reason, is just one other possibility, which is clearly not going to be true for all orgs who's security is suffering.

GCHQ director blasts free market, says UK must be 'sovereign cryptographic nation'


Re: What?

If a third party has all of my keys, that is essentially a 'back-door'. It's a way for someone to have exceptional access, circumventing the protection provided by the encryption. I call that a back-door. Besides, you can't stop people from using systems/cipher-suites that have perfect forward secrecy.


Re: We want you to have encryption, we don't want back doors, but we do want access?

And if the key was ephemeral, generated on the fly, by the computer, and discarded when the session ended, and I don't know it, and even if I did it would be useless?

Stupid law.


Re: What?

It doesn't, it's now clear that the intention is for keys to be retained, and he thinks that makes sense.

someone should tell him about perfect forward secrecy, he'll blow his lid!


What you think is irrelevant. Encryption is either compromised, or not compromised. If law enforcement can access my data with a warrant. Then someone can also access it without a warrant. Hackers, disgruntled employees, unscrupulous individuals.

If they have the keys, they have the keys. It doesn't matter if they're supposed to have a warrant, hackers/criminals don't care, by the very definition, these are people who are breaking the rules.

Besides, it's not technologically feasible. It's extremely commonplace to use ephemeral session keys, and systems with perfect forward secrecy.

TalkTalk claims 157,000 customers were victims of security breach


Re: Even Jeremy Clarkson could tell them they're wrong

You've made a rather unfair argument. Direct debits are a way to get money out of your account, but you've excluded it from consideration.

What's to stop me from setting up fake companies to which talktalk customers suddenly have direct debits?

TalkTalk downplays extent of breach damage, gives extra details


They've said openly that is was a SQL injection attack

reported by el reg no less:


Popular crypto app uses single-byte XOR and nowt else, hacker says


Re: What claims?

A technically true statement. You can only view them IN THE APP with the right password. Outside of the app you can get at everything without a password.

Frayed British Airways plays down mega hack attack on frequent flyer accounts


On reporting to the ICO

"Under the Data Protection Act (DPA), although there is no legal obligation on data controllers to report breaches of security, we believe that serious breaches should be reported to the ICO."

When companies report their own breaches to the ICO, I have little mini heart attacks from the sheer surprise