25 May 2014
I recently had a meeting with my executive and was requested to put
together a presentation comparing the security posture of our
organization to that of other organizations, particularly those in the
same sector and of similar size.
As a starting point, I used LinkedIn to identify peers in organizations
which matched those criteria. I then set about approaching each of them
to gauge their willingness to share information regarding the specific
security threats their businesses are facing and how they are responding
to them.
For the most part I have found the sharing of information to be fairly
impressive and there appears to be a real willingness to work together
with a few key individuals going forward.
It is interesting that, as security professionals, we do not do more to
share information among ourselves regarding threats against corporates,
particularly in light of the growing cyber crime threat that businesses
11 May 2014
I've always maintained that Apple has a slight competitive edge when it comes to the iOS App Store; just one example is the ability for users to download an update once via iTunes and push it to all their devices from there, rather than having to download the update to each device individually.
However, there is one area of application updates that I've always found an interesting omission, and that is the lack of delta updates. In fact, apart from the OS itself, I've not found a single app that appears to use deltas to minimize download sizes.
Delta updates within applications are supported, as detailed here, but for some unknown reason this just isn't being used. The issue, I believe, is that Apple leaves the decision open to developers rather than enforcing delta updates across the board.
It's an odd decision, and one that likely costs Apple a fair amount of money. If an app is, for example, 1GB in size (common with some of the games nowadays), Apple could save a significant amount of bandwidth by ensuring that apps use delta updates rather than forcing users to download the full app over and over each time an update is released.
04 May 2014
It's interesting how much things have changed in the past ten years. In
ten years I've grown from being a Sysadmin to managing a small team of
IT Security individuals in a large corporate environment.
Ten years ago, I ran my own server using Apache for web traffic, Postfix
for SMTP traffic, and the awesome mutt mail client. I had a laptop
running FreeBSD and pretty much knew the ins and outs of everything that
I needed to at a technical level.
Fast forward ten years. My data is in the cloud, stored on services run
by Google, Dropbox, Apple and various other massive corporates. My
laptop has been replaced by an iPad, and my front-end mail client by apps
on my iPad or a web client running in the browser.
The downside? I've ceded control and privacy of my data to faceless
corporates. I've lost technical understanding of the low level
infrastructure powering my life.
The upside? I have greater mobility than ever before. I no longer have
to worry about securing my services, and the adversaries of my hosting
providers are typically state-sponsored entities who don't give a damn
about me or my data.
Was it worth it? The jury is still out but I can't wait to see what the
next ten years will bring...
22 Aug 2013
The internet is a scary place. When it comes to security, you're never
more than a zero-day away from being owned. With sites becoming more
and more dynamic and intricate, the potential for damage keeps growing.
I guess it's been bugging me for a while that my hosted server uses
MySQL, Apache, PHP and WordPress. While I certainly don't keep anything
of value on my hosted server, I'm also at the point in my life where I
don't want to constantly be applying patches and installing new versions
of software every week.
So, with a bee in my bonnet, I took an hour and migrated my site to
Jekyll, which got rid of the requirement for PHP and MySQL.
Since everything is static now, Apache also seemed like slight overkill,
and so I went with djb's fantastic little static web server, publicfile.
publicfile may not be as feature-rich as other web servers, and Jekyll
won't provide me with any fancy bells and whistles, but at least I know
that my site is more secure than it was when I started this morning and
that it will require less effort and time going forward.
Until the next zero day that is.
15 Aug 2013
There's been a lot of discussion lately about the monitoring of internet
communications and the Prism program that is being run by the NSA.
Debate is great, but it's nice to see that some action is being taken.
The announcement today of Heml.is is a great step forward for those of
us who feel that the prying eyes of government are unwelcome,
unwarranted and beyond the scope of what is reasonable.
Provided the security and encryption of the app is everything that it's
promised to be, this should be a viable alternative for others who feel
the same way I do.