Tuesday, September 17, 2013

On the assumption of encryption. A Zen Security Koan

The Master and a Student were conducting a PCI gap analysis for a Client.

The Master asked the Client's Server Administrator if they encrypted their backups, to which the Administrator replied "No, but surely the database team encrypts the data, so I do not worry about such things."

In the next meeting, the Master asked the DBA if they encrypted the PAN field in the tables, to which the DBA replied, "No, but surely the backups are encrypted, so I do not worry about such things."

The Master took the Administrator and the DBA to the roof and politely asked them to climb into wooden boxes. When they complied with his request, the Master pushed the boxes off the roof.

Shocked, the Student asked the Master why he would do such a thing.

The Master replied "Surely the DBA and the Administrator brought pillows with which to cushion the fall, so I do not worry about such things."

And thus was the Student enlightened.

Monday, January 30, 2012

Dear Developers/Programmers,

If you have been putting passwords and keys into your source code, you CANNOT hide them from me by using a .NET obfuscator. If it is usable to you, it is findable by me.

ANY Developer found including passwords, initialization vectors, keys or other sensitive cryptographic material shall be summarily fed to the C'Thuhulu beast in the catacombs of the corporate offices.

Sincerely,
The Security Lab
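As an added illustration of the letter's point (example code written for this page, not the Security Lab's own tooling), here is a small pre-build check that flags the kinds of material the letter names, in source, before anything is compiled or obfuscated. The C# lines it scans are constructed for the example, and the regexes are heuristics rather than a complete secret-detection engine.

```python
import re

# Constructed sample source (not from the original post): four ways a
# secret typically ends up in a .NET code base, plus one safe line that
# reads the value from the environment at run time.
SAMPLE_SOURCE = """\
// Payment.cs (constructed example)
string connStr = "Server=db01;User Id=app;Password=Summer2012!";
byte[] aesKey = Convert.FromBase64String("MDEyMzQ1Njc4OWFiY2RlZg==");
byte[] iv = new byte[] { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f };
string apiKey = Environment.GetEnvironmentVariable("PAYMENT_API_KEY");
"""

# Heuristics for passwords, keys and IVs embedded as literals. Order matters:
# a line is reported once, under the first pattern that matches it.
PATTERNS = [
    ("password-in-connection-string",
     re.compile(r"(?i)password\s*=\s*([^;\"']+)")),
    ("base64-key-literal",
     re.compile(r"FromBase64String\(\s*\"([A-Za-z0-9+/]{16,}={0,2})\"\s*\)")),
    ("hex-byte-array-literal",   # eight or more literal bytes: key/IV sized
     re.compile(r"new\s+byte\[\]\s*\{\s*(?:0x[0-9a-fA-F]{2}\s*,\s*){7,}0x[0-9a-fA-F]{2}\s*\}")),
    ("named-secret-literal",     # key/secret/token-ish name assigned a string
     re.compile(r"(?i)\b\w*(key|secret|token|passwd|pwd)\w*\s*=\s*\"([^\"]{8,})\"")),
]


def redact(text, keep=4):
    """Show only a prefix of the matched literal so the report itself
    does not become another copy of the secret."""
    return text[:keep] + "..." if len(text) > keep else text


def scan_source(source):
    """Return one finding per offending line: {'line', 'kind', 'snippet'}."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for kind, pattern in PATTERNS:
            match = pattern.search(line)
            if match:
                findings.append({
                    "line": lineno,
                    "kind": kind,
                    "snippet": redact(match.group(0)),
                })
                break   # report each line once
    return findings


if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"line {f['line']}: {f['kind']}: {f['snippet']}")
```

The last sample line is deliberately not flagged: the key name appears, but no value does, because the value is fetched from the environment at run time. That is the shape the letter asks for. An obfuscator can rename identifiers and encode string literals, but the decoding routine ships in the same assembly, so the check has to happen here, on the source, not after the build.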

Thursday, June 16, 2011

The usefulness of objects - A Zen Security Koan

One sunny afternoon, the Master and his Students were reviewing the results of a security assessment with the Villagers.
After discussing one result, a Villager spoke up and said,
"But Master, that interface was not designed to be used that way!"
The Master picked up a nearby umbrella and poked the Villager hard enough to draw blood.
Thus was the Villager Enlightened.

The Journey - A Zen Security Koan

A Villager came to the Master and said,
"Every year I pay your disciples large sums of money to test my security. Why must I do this?"

The Master replied,
"Each day, the Shepherd walks along the perimeter of his fence with his dog. Does the dog only journey home?"

The Master then struck the Villager upon the head with a large invoice.

Thus was the Villager Enlightened.

The Master Explains Compliance - A Zen Security Koan

The Student came to the Master and asked,
"Master, why is it that I am compliant, yet I am not secure?"
The Master replied, "Compliance is not security."
The Student then asked, "If I become secure, will I be then compliant?"
The Master hit the Student over the head with a large invoice.
Thus was the Student Enlightened.

Friday, November 26, 2010

More Security Theater

EFF has a great piece about the whole stir regarding the new TSA whole body scanners, or Advanced Imaging Technology (AIT) as it's formally called. In essence, TSA has moved aggressively to deploy the scanners at an enormous cost without validating whether the scanners address the threat they are meant to find, namely easy-to-conceal, hard-to-detect powder-type explosives. As EFF reports in their post, it turns out that the scanners are fairly easily confused, even by folds of clothing. Additionally, these scanners were developed to detect more traditional threats: weapons, liquids, and more traditional explosives like C4 and plastique. Powder was not one of the drivers in the development of these scanners. EPIC has filed a lawsuit against TSA demanding that the deployment of the AIT scanners be halted pending an independent review of their effectiveness.

It's interesting that the EFF article quotes a former chief security officer of the Israel Airport Authority who calls the scanners "expensive and useless . . . That's why we haven't put them in our airport." Yes, and TSA should pay attention to the Israelis' experience: they have had a successful track record at Ben Gurion airport of keeping terrorists off planes, and they don't need to "touch your junk"!