A few years ago, a friend of mine served in Afghanistan. It was, as he described it, a long and mostly dull duty. When not busy with soldierly duties, he wrote on his blog and took pictures, often of the rather picturesque – to those who didn’t have to traverse it – scenery. At one point, however, he was informed that these landscape pictures were, in fact, an operational security violation. Not the ones taken in-camp, but the gorgeous panoramas of Afghan mountains and valleys. The theory was that, using those pictures, insurgents could find their position. My friend’s response was succinct: “I think they already know about the mountains, sir.” In a previous job, I was charged with creating[…]

As you’ve doubtless heard, Sony’s PlayStation Network has been down for several days now. The exact cause of this outage, being apparently affected by hackers of some stripe, is doubtless worth investigating. However, since those details haven’t been fully divulged yet, it’s best to wait on that front. But this brings to light an increasing problem: the erosion of standalone functionality. PSN customers have not been able to access online content since April 20th. This is, of course, to be expected – if you shut off the network, the network is not available. Unfortunately, this extends to content which isn’t actually hosted on Sony’s network, since PlayStations use the PSN to connect to outside servers. Still, though, not surprising. Vexingly,[…]

Earlier today, news began to spread about an exploited certification authority (CA) spotted in the wild. The Tor project blog has an excellent write-up on how they detected the presence of patches blocking particular SSL certificates and worked backwards to determine that a Comodo issuer had been compromised. The folks at Tor suppose (rightly) that if people who monitor the patches for Firefox and Chrome hadn’t noticed, this entire incident might have been swept under the rug. Since that time, Comodo has come clean with an incident report which describes in detail the certificates that were issued and even states: “All of the above leads us to one conclusion only:- that this was likely to be a state-driven attack.”[…]

Last week, we received a fax at the office from a branch of Virginia Commerce Bank. It was addressed to “Katie” and had our fax number clearly written on the cover sheet. The cover sheet had this interesting quote: “This facsimile, which may contain confidential or legally privileged information, is intended for the use of the individual to whom it is addressed only. If you are not the intended recipient (or authorized delegate for the recipient) of this message, please telephone the number listed above to advise us, so that we can arrange for its proper destruction and resend it to the correct recipient. Thank you.” It probably goes without saying that there isn’t a “Katie” working here at Gemini[…]

I received the following email on Monday morning: You don’t know me. I’m nobody. My name is Steve. I came across a database dump from Gawker.com earlier this evening. It’s making its rounds around the internet. Besides just the code dump from gawker.com among other sites, it also contains email addresses and passwords for over 1.3 million accounts. I’m sending this email to the 200,000 or so people whose passwords were included, in plain text, in this archive. I have your password. However, I have 0 interest in it. Obviously I’m anonymous so how can you trust me – you can’t. But trust me, if I had interest in your password, I wouldn’t be emailing you saying I have it. That’s just[…]

A number of our employees are currently spending a fairly large amount of their time helping a customer with a task. In a perfect world, this task would be completely unnecessary. Suffice it to say that there is some maintenance that must be performed on a number of systems before the year is out, and they are having trouble getting responses from the system administrators who are responsible for the systems. When we perform assessments, we often ask our customers whether they have a configuration management database (CMDB) or something similar. While CMDB systems may be useful for performing a physical inventory of your systems, that isn’t the real benefit. The real power of a CMDB comes in being[…]