Notes on Build Hardening
https://blog.erratasec.com/2018/12/notes-on-build-hardening.html [blog.erratasec.com]
2018-12-16 05:19
tags:
c
defense
development
security
In the last two decades, we’ve improved both hardware and operating systems around C/C++ in order to impose safety on it from the outside. We do this with options when the software is built (compiled and linked), and then when the software is run.
source: L
California's bad IoT law
https://blog.erratasec.com/2018/09/californias-bad-iot-law.html [blog.erratasec.com]
2018-09-11 22:38
tags:
ioshit
policy
security
It’s based on the misconception of adding security features. It’s like dieting, where people insist you should eat more kale, which does little to address the problem that you are pigging out on potato chips. The key to dieting is not eating more but eating less. The same is true of cybersecurity, where the point is not to add “security features” but to remove “insecure features”. For IoT devices, that means removing listening ports and cross-site/injection issues in web management. Adding features is typical “magic pill” or “silver bullet” thinking that we spend much of our time in infosec fighting against.
A Thanksgiving Carol: How Those Smart Engineers at Twitter Screwed Me
http://blog.erratasec.com/2017/11/a-thanksgiving-carol-how-those-smart.html [blog.erratasec.com]
2017-11-24 23:03
tags:
email
social
ux
So here’s the thing, and there’s no getting around it: my mom was right, on all particulars. She had done nothing, the computer had done it to her. It’s Twitter who is at fault, having continued to resend that confirmation email every couple months for six years.
State of MAC address randomization
http://blog.erratasec.com/2017/09/state-of-mac-address-randomization.html [blog.erratasec.com]
2017-09-06 03:20
tags:
android
iphone
networking
random
wifi
tldr: I went to DragonCon, a conference of 85,000 people, to sniff WiFi packets and test how many phones now use MAC address randomization. Almost all iPhones nowadays do, but it seems only a third of Android phones do.
Query name minimization
http://blog.erratasec.com/2017/08/query-name-minimization.html [blog.erratasec.com]
2017-08-07 16:14
tags:
admin
networking
opsec
The reason this is important is that everyone is listening in on root name server queries.
Some notes on Trump's cybersecurity Executive Order
http://blog.erratasec.com/2017/05/some-notes-on-trumps-cybersecurity.html [blog.erratasec.com]
2017-05-12 16:21
tags:
development
opsec
policy
security
The NIST Framework simply documents all the things that organizations commonly do to secure themselves, such as run intrusion-detection systems or impose rules for good passwords.
Password rules are a good example. Organizations typically had bad rules, such as frequent changes and complexity standards. So the NIST Framework documented them. But cybersecurity experts have long opposed those complex rules, so have been fighting NIST on them.
You don't need printer security
http://blog.erratasec.com/2017/02/you-dont-need-printer-security.html [blog.erratasec.com]
2017-02-21 17:49
tags:
factcheck
hardware
ioshit
printer
security
The features HP describes are snake oil. If they worked well, they’d still only address a small part of the spectrum of attacks against printers. And, since there’s no technical details or independent evaluation of the features, they are almost certainly lies.
That "Commission on Enhancing Cybersecurity" is absurd
http://blog.erratasec.com/2016/12/that-commission-on-enhancing.html [blog.erratasec.com]
2016-12-06 08:20
tags:
factcheck
ioshit
policy
security
Requirements that don’t solve problems and requirements that create more problems. Rob has his own politics, but I think he’s not wrong to question what an implementation would look like and how this could possibly help.
In which Rob again debunks DNS story
http://blog.erratasec.com/2016/11/in-which-i-have-to-debunk-second-time.html [blog.erratasec.com]
2016-11-03 17:57
tags:
factcheck
networking
Slate doubles down on DNS analysis of Trump server, requiring double debunking.
No, that’s how Listrake (who is the one who actually controls the server) configures all their marketing servers.
Is Slate unfamiliar with the idea of disproving the null hypothesis?
https://twitter.com/tqbf/status/794148944532111361
The IP record route option is “Internet arcana”. WHOIS lookups are something they explain in For Dummies books.