For the last little while, Christopher Soghoian has attempted to highlight the dangers of the zero-day exploit market. The basics are that some vulnerability researchers are selling exploits to make money, without vetting who the end user will be, and in some cases knowingly selling them to militaries (he phrases it as governments, but the implication is that they aren't using them for defence). Soghoian, as I read it, is trying to highlight this trade, and get some sort of legislation passed to regulate it. (A darker reading would make it seem that he has a more, aggressive agenda, but let's leave that aside for a moment.)
The worrying thing here is neatly summed up by Haroon:
The scariest thing about you, is how certain you are that you are right. Regulation is a scary instrument
Continue reading "0-Day Exploit Sales and Pushing for Legislation"
Today marks the 8th anniversary of my blog, and my official entry into infosec.
Continue reading "Happy Birthday Dear Blog"
When managing teams of "information workers", I believe the use of time sheets is indicative of a management failure. Here's why:
- If you have to rely on a timesheet to know what your staff are doing - you're doing it wrong
- If you can't trust your staff to work hard - you have problems a timesheet won't fix
- If you believe you have too many staff to manage - get more managers
- If you think anyone completes them accurately - you drank the kool aid
- If you think the time it takes to actually complete them accurately is worth it - you hate your staff
- If you manage your business from these inaccurate stats - you're making bad decisions
- If your senior people have PAs complete their timesheets for them - you're a hypocrite
- If you spent millions on a new timesheet system, but didn't make it any easier for the staff using the system - you just suck
Continue reading "Security Vendor Bingo"
Last night we lost power to all electrical outlets in our house. On checking the board, I saw that it was the earth leakage, which I was unable to turn back on. This is a story about AAA Electrical (also know as AAA Plumbing, or AAA Electrical or AAA Plumbing & Electrical), and how they tried to defraud me, and appeared to have done it to many others. Don't use them. If you need a reliable & honest electrician use:
Andrew: +27 82 443 7762
Continue reading "Fraudsters: AAA Plumbing & Electrical"
Continue reading "Orwell vs Huxley, Amusing Ourselves to Death"
It seems my work on privacy has garnered some attention of late. Whether earned or not, I will be presenting at the Computer Security Institute's Virtual Conference CSIVX on the 28th of September. I will be on hand to answer questions, even though it will be some silly hour ZA time. This is technically the first "international" event I've ever "presented (see pre-recorded video for)" at, and it includes the likes of Ira Winkler, Amit Klein and Jeff Williams.
I'll also be presenting on privacy at IS' Internetix2010 conference in both Jozi & Cape Town. Internetix is a rocking conference organised by IS, and I'm chuffed to have been invited. It will be a nice chance to test the privacy stuff with a large non-sec crowd.
Next up, I'll also be presenting a workshop on Threat Modelling off the back of quite a lot of work we (my employer SensePost, and I) have done on it recently. If you want to get an idea of the content, have a look at the last set of slides. It's hosted by the ISF and will be held in Jozi on the 28th.
Finally, I'll most likely be giving the SensePost training at BlackHat Abu Dhabi in Nov. If we get over around 15 people I can justify someone smarter than me from SensePost joining us, so if you're keen for some training, please sign-up :)
Continue reading "Planet Fitness & Temporarily Legal Near-Extortion"
For the week of 7-14 April
2010, we undertake to talk about this country, its challenges, its
promise, its news, and to ignore Julius while doing so. Join us in this
initiative. If you blog, join the roll. If you Tweet, add the hashtag
#ignoreJulius to your daily output.
However you communicate, take a week off from Julius.
Continue reading "The Ignore Julius Initative"
Today my blog turned six, and I tweeted that fact with the following:
My blog http://singe.za.net/ turned 6 today. The fact that I'm tweeting this rather than blogging it is probably significant.
While blogging remains more a more satisfying and useful means of exploring a thought, twitter let's you skip the work and move onto the conversation (sometimes) a bit sooner, but without any decent record of that conversation occurring (twitter's searchable memory is too short). I'm certainly going to continue blogging, but I don't see my throughput increasing much. Luckily, subscribing to an RSS feed is only a cost if there are too many updates ;).
That being said, I think there's been some fun stuff on the blog in the last year, my favourite posts have been:
- Using Maltego to Data Mine Twitter
- Conficker Claims it's first Human Life
- My first guest post - Efficient extraction of data using binary search and ordering information
- Deloitte -> SensePost for a personal milestone (there was another personal milestone, my marriage, but that wasn't much of a blog entry).
Continue reading "First Week at SensePost"
Five years ago I started this blog to keep my then supervisor up to date on my academic progress. It's interesting that at the same time five years ago Facebook was launched, and I think the last five years have been particularly interesting for computer security, and it's been fun. I've also grown a lot over the years, and it's funny to read my early entries with hindsight.
I've never had a massive readership except for the odd case of big blogs linking to me (SANS, F-Secure and Washington Post were my most memorable). Although, the feedback I've received over the years has really helped to refine some of my stances and ideas, and hopefully a few of yours dear reader. For example Ben Nagy once scared me into a whole new tack leading from this to this. Last year was particularly fun with Roberto Preatoni and Dan Kaminsky both getting involved in some discussion. It also marked a return to more active blogging for me, after a drop off in the move from academia to consulting. I hope to keep it up.
To my regular readers, thanks for reading, to any new readers welcome. My goal has always been to encourage debate and discussion, so if you've never argued with me before but always wanted to, know that I welcome the chance.