Category: Infosec

All secrets leak sooner or later. Ozzie’s Clear proposal does not limit damage when they leak.

Ray Ozzie, of Lotus Notes fame and more recently a Microsoft executive, has made a proposal–called Clear–to allow governments to get access to the contents of encrypted phone handsets and other mobile devices. It tasks the device manufacturers with operating a key escrow system and responding to government warrants to give out keys to individual devices. His proposal has been… Read more →

Yubico FIDO U2F key quick review

A few days ago I ordered some Yubico FIDO U2F security keys, after reading that they are a useful way to help secure various online accounts and keep intruders out. These cost US$18 each, either singly or in 50-unit bulk packaging.  They arrived, packaged inconspicously, promptly after I placed my order. They’re cheap enough that they can be used for… Read more →

Should I encrypt columns in my web application’s database?

Somebody asked whether it’s a good idea to encrypt database columns in a web application. My answer: “It probably won’t help much.” Why? Figure out your threat model Best practice: figure out your threat model before you spend time and money securing your system. If you build complex security measures without a clear idea of your threat model, you’ll trick… Read more →

Cybercrooks stole my data from Equifax! What now? Credit freezes.

On September 7th, 2017, the credit bureau Equifax announced that cybercriminals broke in to its company servers sometime in mid-May 2017 and stole copies of information like Social Security Numbers, driver’s license numbers, birth dates, and home addresses for as many as 143 million residents of the US. The total population is about 329 million, counting children, so there’s a… Read more →