(Edited 5/8/2022 with some changes to make sure it works on Buster / other Linux distributions with sec-linux. The new stuff is in purple.) It took me a while, but I finally found someone who had solved this, and I am linking the solution. However, typing in a password and following it up with the one-time password (OTP) is *extremely* user unfriendly. Any security measure that is hard to use ends up weakening security in practice. Instead, my approach protects the private keys with a password, and you then use only the OTP as the user’s password at each login. So, here is the process, assuming you already have PiVPN installed and working with an OpenVPN configuration. Install Google Authenticator on the Pi: sudo apt-get install libpam-google-authenticator Edit[…]


I have updated my talk that I’ve given internally at our company a number of times to reflect the 2021 version of OWASP Top 10… Normally I can give the whole talk in 10 minutes, but this was presented in Costa Rica, and I really slowed it down. Enjoy!


(This post originally appeared on the Cyber Tech Accord’s signatory blog: https://cybertechaccord.org/usability-vs-security-the-myth-that-keeps-cisos-up-at-night/) As I write this, we are halfway through the fifth month of the COVID-19 pandemic. All of us have had some amount of upheaval in our lives including restricting travel and our contact with friends and family. Some have had even more difficulty – loss of jobs, businesses, and the downturn of entire economic sectors. An uncertain future remains before us.  The rapid move by many businesses to support teleworking has caused a boom in technology fields. Some organizations like Amazon, Twitter, Teledoc, and Siemens are treating working remotely as not just a temporary change, but as a more permanent shift. Tech adoption, disruption, and digital transformation are[…]

While I’m glad to see the use of Signal on the rise, I am afraid that current events will cause the “government should have access into all encryption” debate to come up again, and people may think it’s a good idea out of fear. It’s not. Here’s why: As the global pandemic has kept everyone at home, our interaction with everything and everyone has increasingly had more of a digital footprint than ever before. That digital footprint without encryption exposes a lot of information. Encryption is needed due to the way the Internet works. The Internet is a loose confederation of companies, educational institutions, and telecommunication providers. Everything passes through networks owned by others. Without encryption, any party along the[…]

What is the misunderstood, unloved, and overly complicated security technology that underpins most modern digital solutions? #PKI. Public Key Infrastructure. It’s where my career in security began. Digital #certificates protect so many things we use. From this website you’re visiting (check the 🔒 icon on your address bar to be sure), to your ability to use your LinkedIn login to federate to other sites, to the authenticity of the patch just applied to update your browser… And it’s just scratching the surface. PKI has gone from #security technology to #infrastructure. And if you are a user of Microsoft Teams, today you may have seen a failure of that infrastructure. Microsoft Teams, like many modern solutions, has a separate front-end and back-end, connected through an #API. And[…]

Today, at a 10Pearls company event, I was asked a question: “What has been your biggest failure or mistake, and what did you learn from it?” Both Ghazanfar Ghori and I agreed that failure represents permanence. Anything that seemed like a failure at the time becomes a learning opportunity and a chance to do better next time. So instead, I shared a mistake. And my mistake was not coming to visit Karachi sooner! It has been an absolute pleasure getting to learn more about our team and the culture here. You can see my smile in this picture, as I’m hanging on to the front of a rickshaw as we traveled the city! #pakistan #tech