Featured Articles

The Changing of the Guard for Information Security Executives?

(Full disclosure: This article firmly plays to my personal skill sets and career progression. Wherever possible, I have attempted to correct for my own bias.) There has been a great deal of swirl lately regarding the topic of Chief Information Security Officers and what skills and/or qualifications are needed to position the organization for the best chance of success. On one end of the continuum, the existing pool of executives is brought in with highly-attuned business acumen. Perhaps the person has a Big4 consulting pedigree, [...]



Correcting Cognitive Dissonance in Reactions to Information Security Presentations

I have recently attended a number of information security presentations. I honestly admire a presenter’s willingness to state a position in a public construct, regardless of whether I agree or disagree with the position or contents of the presentation. I will be honest… I have seen good presentations (watch Johnny Long’s Hackers for Charity Update at Derbycon for an example), and I have seen total train wrecks. At the end of each of them, the initial reaction is the same: applause from the audience. What [...]



Why do we continually blame the “user” for a lack of security awareness? – A Polite Rant

Why do we continually blame the “user” for a lack of security awareness? Coming back from one of the most successful information security conferences in quite some time, it was difficult (but not impossible) to find something that needed improvement. I was confused and disappointed in the number of presentations that I attended that made statements to the effect of:

• Users are dumb!
• We need to tell our users to stop clicking!
• There is no patch for user stupidity!

All of [...]



Is your organization overlooking the total cost of offshoring?

This morning I was reading a new report that seems to have provided additional evidence of some of my suspicions regarding the total cost of offshoring decisions for information technology initiatives. Written by the Intelligence and National Security Alliance, the new report suggests (while in the context of the U.S. Government) that there may be hidden consequences of outsourcing and offshoring decisions, where “potential adversaries can easily insert themselves into our logistical chains” (Intelligence and National Security Alliance, 2011, p. 6). Overlaying the backdrop of [...]



Feedback From Social-Engineer.org Podcast with Kevin Mitnick

This morning, I was listening to the Social-Engineer.org podcast with a special interview with Kevin Mitnick. It has been suggested that I was trolling Kevin, that I had a personal problem with Kevin, or that I hated Kevin and/or was jealous of him. This is simply not accurate. In my blog post, I state that, “Unfortunately, some people feel they are simply far too important to pay it forward, too busy to bother with the little fish that wants to learn, too intelligent to ever [...]



Why Kevin Mitnick Missed a Golden Opportunity to Advance the Profession, and Why I Am Angry About It

Today, I am a little off-center, and some have questioned why I have so much venom in my words on Twitter regarding Kevin Mitnick. Since explaining my actions in 140 character morsels is less than effective, I thought that I would take some time and explain my rationale. For starters, I do not have a personal axe to grind with Kevin Mitnick or anyone else in the information security profession for that matter. Kevin has never directed any words or actions my way in an [...]



A Wish List for Vulnerability Scanners

Today, I am going to switch gears a little bit regarding my blog entries, and take a look at vulnerability scanners from an end user perspective. As you are no doubt aware, there are several to choose from. Rather than pander to a specific product, I would like to keep it general and list out some of the features that I would love to see integrated into the product that may not get as much attention, but are important nonetheless. I apologize in advance if $product [...]



A Path to Legitimacy?

Lately I have received some curious responses to a tweet I posted to Mr. Gregory D. Evans expressing an interest in helping the accused charlatan in a path to legitimacy. “@GregoryDEvans If you enjoy getting beat on, continue on. If you want a path to legitimacy, DM me. It’ll be bumpy, but this is legit.” Responses have ranged from rage and disappointment to questions on whether my account was compromised. As I will try to explain in this post, the emotions that have been expressed [...]



iPhone attack reveals passwords in six minutes

By Martyn Williams, February 10, 2011, IDG News Service. Researchers in Germany say they’ve been able to reveal passwords stored in a locked iPhone in just six minutes and they did it without cracking the phone’s passcode. The attack, which requires possession of the phone, targets the keychain, Apple’s password management system. Passwords for [...]



Guest Post: Dan Andrews – Try Losing Some Moral Battles and Winning Some Real Ones

When you are bemoaning the success or victory of others, you are generally seeking to achieve a sort of victory yourself. Let’s call this a moral victory. Moral victories are addicting. You can achieve them at will. They magically appear whenever you need a boost. Moral victories do one thing: they make losers feel like they’ve gotten some victory. Moral victories are popular with people when they feel like they have no real power to make changes in the world. This makes some sense to [...]