krypted.com

Tiny Deathstars of Foulness

My latest piece on Huffington Post:

OMG the cloud! Everything must go to the cloud, and now! And sometimes finding a tool is about workflow. And the workflow should make sense and be awesome.

But there’s an argument that you shouldn’t even keep a lot of data unless it’s kept confidential and therefore properly secured. The liability of keeping information about other people and what they do is just too great to outweigh what you might otherwise use that data for.

Security matters. Workflow matters. And with the number of services out there that you can use for any given task, if any aren’t secure enough then there are probably ten others you could use that are. So why might you choose to use a given service:

To read more, check out http://www.huffingtonpost.com/entry/58e26367e4b0d804fbbb7501

April 3rd, 2017

Posted In: Articles and Books

Tags: , , , , , ,

A number of systems require you to use complex characters in passwords and passcodes. Here is a list of characters that can be used, along with the name and the associated unicode:

  •    (Space) U+0020
  • ! (Exclamation) U+0021
  • " (Double quotes) U+0022
  • # (Number sign) U+0023
  • $ (Dollar sign) U+0024
  • % (Percent) U+0025
  • & (Ampersand) U+0026
  • ' (Single quote) U+0027
  • ( (Left parenthesis) U+0028
  • ) (Right parenthesis) U+0029
  • * (Asterisk) U+002A
  • + (Plus) U+002B
  • , (Comma) U+002C
  • - (Minus sign/hyphen) U+002D
  • . (Period) U+002E
  • / (Slash) U+002F
  • : (Colon) U+003A
  • ; (Semicolon) U+003B
  • < (Less than sign) U+003C (not allowed in all systems)
  • = (Equal sign) U+003D
  • > (Greater than sign) U+003E (not allowed in all systems)
  • ? (Question) U+003F
  • @ (At sign) U+0040
  • [ (Left bracket) U+005B
  • \ (Backslash) U+005C
  • ] (Right bracket) U+005D
  • ^ (Caret) U+005E
  • _ (Underscore) U+005F
  • ` (Backtick) U+0060
  • { (Left curly bracket/brace) U+007B
  • | (Vertical bar) U+007C
  • } (Right curly bracket/brace) U+007D
  • ~ (Tilde) U+007E
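As an added example (not code from the original post), here is a small Python checker built from the code points in the list above. It rebuilds the list from the four U+ ranges it spans (which together are exactly the 33 printable ASCII characters that are not letters or digits), reports which listed special characters a password contains, and, because the post notes that `<` and `>` are not allowed in all systems, lets the caller reject those two. The four-class policy (lowercase, uppercase, digit, listed special) and the default minimum length are assumptions; adjust them to the system you are validating against.

```python
# Added example (not from the original post): validate that a password or
# passcode contains at least one special character from the list above, and
# flag the characters the post says some systems reject ('<' and '>').
import unicodedata

# The listed special characters, expressed as the four U+ ranges they cover.
SPECIAL_CODEPOINTS = (
    list(range(0x0020, 0x0030))    # space ! " # $ % & ' ( ) * + , - . /
    + list(range(0x003A, 0x0041))  # : ; < = > ? @
    + list(range(0x005B, 0x0061))  # [ \ ] ^ _ `
    + list(range(0x007B, 0x007F))  # { | } ~
)
SPECIAL_CHARS = frozenset(chr(cp) for cp in SPECIAL_CODEPOINTS)

# Characters the post notes are "not allowed in all systems".
NOT_UNIVERSAL = frozenset("<>")


def describe(ch):
    """Return 'x (NAME) U+XXXX' for one character, in the same shape as the list."""
    return f"{ch} ({unicodedata.name(ch, 'UNKNOWN')}) U+{ord(ch):04X}"


def special_characters_in(password):
    """Return the sorted list of listed special characters found in password."""
    return sorted(set(password) & SPECIAL_CHARS)


def check_complexity(password, min_length=8, allow_angle_brackets=True):
    """Report which complexity requirements a password satisfies.

    Returns a dict with:
      ok       - True only if the length and all four character classes pass
                 and no rejected or unlisted characters are present
      problems - human-readable findings (empty when ok)
      specials - the listed special characters that were found
    Assumed policy: lowercase, uppercase, digit and one listed special
    character; change this to match the real system's rules.
    """
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")

    specials = special_characters_in(password)
    if not specials:
        problems.append("no special character from the list")

    # Systems that reject '<' and '>' would fail the password even though
    # those two characters count as special everywhere else.
    if not allow_angle_brackets:
        rejected = sorted(set(password) & NOT_UNIVERSAL)
        if rejected:
            problems.append("contains characters rejected by this system: "
                            + " ".join(describe(c) for c in rejected))

    # Anything that is neither alphanumeric nor on the list (control
    # characters, curly quotes, dashes pasted from a document, '€', ...) is
    # flagged so the caller knows the list does not vouch for it.
    unlisted = sorted(c for c in set(password)
                      if not c.isalnum() and c not in SPECIAL_CHARS)
    if unlisted:
        problems.append("contains characters not on the list: "
                        + " ".join(describe(c) for c in unlisted))

    return {"ok": not problems, "problems": problems, "specials": specials}


if __name__ == "__main__":
    # Constructed sample passwords, not real credentials.
    for pw, allow in (("Pa$$w0rd!", True), ("Ab<1xyz9", False), ("Ab1xyz9\u2013", True)):
        result = check_complexity(pw, allow_angle_brackets=allow)
        print(repr(pw), "ok" if result["ok"] else "; ".join(result["problems"]))
```

The last sample in the `__main__` block shows why the code-point column matters: an en dash (U+2013) pasted from a word processor looks like the listed minus sign (U+002D) but is not on the list, and the checker reports it rather than silently counting it as a special character.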

April 29th, 2016

Posted In: iPhone, Mac OS X, Mac OS X Server, Mac Security, Mass Deployment

Tags: , , , , , , , , ,

Recently I’ve read a lot of things about the attacks against Sony. I’ve read that they’re nothing more than extortion attempts by hackers that probably live in their parents’ basements (based on the fact that the initial demands didn’t mention North Korea at all). I’ve read they were orchestrated by China by people who felt North Korea was being picked on and couldn’t stand up for themselves. I’ve read highly unconvincing reports from the FBI that they were orchestrated by North Korea. No one really knows. I can send traffic to servers from anywhere in the world. Anyone can anonymize their web traffic as easily as using a Tor plug-in with Firefox. I’ve also spoken to friends at Sony that told me that they’re concerned about the future viability of Sony due to the business impacts of these attacks. I’ve also spoken with people at other studios freaking out about not wanting to “be the next Sony.”

But in all of it, there’s something kicking in the back of my head. You see, if someone tried to blackmail me, I’d go to the press (or government) and allow the public to judge me for whatever it is, not cave to demands that are only likely to recur. Not giving in to extortion demands is the right thing to do. If someone threatened the safety of people going to a movie, I’d pull it as well, so that’s the right thing to do as well. There have been enough shootings in theaters, and while potentially financially devastating, it’s not worth the loss of a single human life to show The Interview in theaters. Of course, now that the attackers have backed off their stance, The Interview will be shown in hundreds of theaters. And it will likely be viewed online by millions of people over the next few days. And if this was carried out by North Korea, they couldn’t visit all of our homes to pull it (although the awful remake of Red Dawn by MGM might indicate differently).

I believe that the good, American thing to do is show our support to Sony for all the brain candy they’ve given us in the past. More than that, our support for doing what’s right. And what’s more capitalistic of us than spending $6 on a movie (other than spending more)? What’s better for Sony than to make a little money? In America, we tend to root for underdogs. We love Rocky (which btw cost less than a million to make and brought in a breathtaking $225M – 1:225 ROI there). We wanted Rudy to score a touchdown for the Irish (TriStar – part of Sony). We practiced our kicks like the Karate Kid (Columbia Pictures – part of Sony). We watched Jerry Maguire (TriStar – part of Sony again) even though we couldn’t stand Tom Cruise and rooted for the guy who risked it all to do the right thing (Money, baby). We threw up in our mouths a little when we watched Dodgeball (Fox but a fun movie anyway). We adore Gandhi (Columbia – again part of Sony) because it won an Oscar and taught us the story of one of the greatest men of all time. We loved Charlie Sheen when he was Winning in Major League (Mirage). And we loved Kick-Ass (Lions Gate), one of the unlikeliest heroes of all.

Sony made Bond great again. Sony brought Spider-Man to the big screen. Sony told us about The Social Network (and were still allowed to have Facebook accounts). Sony gave us Eat Pray Love. Sony killed zombies awesome sauce in Zombieland. Sony gave us Superbad. Sony taught us a history lesson with The King’s Speech. Sony brought The Da Vinci Code to the big screen. Sony made a great movie in Lords of Dogtown. Sony brought us Hellboy, Adaptation (as a writer, a movie I love), Ali, Black Hawk Down and countless other movies. Some great, some not. That’s the game.

Now, we have a chance to do a very small part by helping Sony escape financial ruin. And yes, they make more movies that suck than are awesome. Because that’s what all studios do. And yes, the film industry seems like a bunch of rich people being silly sometimes. But there are real people that work there. Normal people. With boys and girls and installations at Burning Man. Some of the best people I know. And they do great work. And sometimes the studio makes brilliant movies. And whether this was spearheaded (yes, bad pun on spear phishing) by a dictator with a bad fade, the remaining communist hardliners in China, another studio or something else, it’s up to the market to dictate the outcome. That’s capitalism. ’Merica.

PS – It’s hilarious.

December 26th, 2014

Posted In: Business, Mac Security, personal

Tags: , , , , , ,

I almost called this article “Aliens Can Listen To Calls on Your iPhone” or “How To Hack Into Every iPhone Ever (Even When They’re Powered Off)”. But then I thought that maybe it would be a bit too much. I’ve been a little melodramatic at times, but that’s when I was younger and needed the rupees. But TechTarget isn’t young (although I don’t know if they need the rupees). I’d like to point out two recent articles of theirs:

I remember reading an article a while back claiming that the first virus for the iPhone had hit. This was a pretty big site (not TechTarget btw), but they had jumped on Apple, and jumped quick, for a lack of good security on the iOS platform. Why? Because Apple’s huge, popular and a frickin’ easy target. But every security researcher knows that if they can hack an iPad or an iPhone they’re going to be famous. Still, only one has managed to do anything remotely close to cool, and you had to download his app, which got him banned, for the “exploit” to work (the “exploit” was actually javascript taxies). Security researchers do most everything they do for fame. Therefore, if there were going to be serious flaws with iOS, they’d have come up by now.

Let’s look at these headlines versus the content of the articles. The first: Apple iOS Security Attacks A Matter Of When, Not If, IT Pros Say. The title isn’t actually that bad (although I don’t know that the IT Pros quoted are worthy of punditry). It’s the headers within the article that set me off a little. “A false sense of iOS security” was the first: here they said that iOS users are going to run something if it comes out because there haven’t been any vulnerabilities to iOS. The counterargument would be that since a vulnerability *will* (or would) be on CNN, MSNBC, NPR, every web site, every magazine and possibly a PSA on flights, I think they’ll figure it out pretty quick… The next header, “Responding to iOS security attacks”, goes on to explain that (to summarize) iOS virus protection blows. OK, we should develop more FUD-based apps to check for viruses in data that those apps would actually have no access to due to sandbox controls.

The next header, “Entry points for iOS security attacks”, tells us that someone will exploit HTML5 or post an app with a Trojan or Logic Bomb on the App Store in order to destroy your iPhone as if it were a planet slated for demolition. Each app can only communicate with resources outside of that app using an API Apple allows, an API that doesn’t cause combustion of the phone. If the app goes through the App Store then that has to be a public, not private, API. It is possible that someone could run a fuzzer against every possible variable exposed by every possible method and come up with a way to do something interesting, like cause the phone to reboot. But that kind of thing is going to be true of every platform and isn’t worthy of the pretense that it’s security consulting. I can dig on the possibility of that kind of vulnerability, but the author then indicates that Apple’s security is 7th worst in the IT industry with a 12% growth in vulnerabilities. Thus an insinuation that people are actually exploiting holes in iOS rather than Google monitoring iPhone user data a bit more than they should…

The second headline is much better though: How an iOS virus can infect the enterprise and what to do about it. Reading it, my first impression was that there was an iOS virus; you know, one written for iOS. But no, they’re talking about a virus that someone sends through your corporate Exchange server that is then copied to your Windows XP computer through the magical XP Virus Stream (like Photo Stream but more specific features for XP) and executes the virus that wipes your computer. I like it. I can dig that virus, but regrettably that virus doesn’t exist. And apparently no good anti-virus exists, according to the article. Why not? Because Apple has overly secured the OS and anti-virus has to be invoked manually.

Over-security is what makes iOS so great for phones. I’m one of those people that likes to hack stuff. And iOS isn’t for hacking around in unless you have jailbroken the device. That’s why my phone always works and I’m able to actually get stuff done on a consistent basis. There are certainly things Apple could do better. But iOS security is a hard one to point the finger at. I would like to see security researchers more warmly welcomed and for the Apple community to see those researchers as people who are building a stronger product rather than the enemy. I would like to see some technical features added or centralized control over features added.

It isn’t just Apple. It’s any company big enough to care about. The tech sites are mostly what I look at, and every time there’s something they think they can hop on with Google or any of the other big names in the tech industry they hop right on that to drive readers, whether well founded or not. Not all tech sites/magazines mind you, just some. And when the company is famous enough (Google, Apple, Microsoft) for mainstream media to care about, all the better…

At the end of the day though, the way to get action is to file a feature request with vendors, not to make up crazy headlines aimed at selling FUD as a means of getting someone to go to your website…

February 18th, 2012

Posted In: cloud, iPhone, Mac OS X, Mac OS X Server, Mac Security, Mass Deployment, sites, Social Networking

Tags: , , , ,

I’ve been asked by a number of people whether or not we will be updating the Mac OS X security book I did a couple of years ago for Apress to Snow Leopard. The answer is yes. We are currently working on the updates and hope to have it available by December. The book will undergo a number of changes/improvements, as all second editions should. I’ll update when it’s available on Amazon & of course, in stores.

August 22nd, 2009

Posted In: Articles and Books, Mac OS X, Mac OS X Server, Mac Security

Tags: , , , , ,