Bruce Schneier: Every time you use encryption, you’re protecting someone who needs to use it to stay alive. This is the clearest statement I’ve seen of the case for ubiquitous, on-by-default encryption.
Ars Technica: The UK government has quietly passed new legislation that exempts GCHQ, police, and other intelligence officers from prosecution for hacking into computers and mobile phones.
I’m experimenting with a new kind of post, where I simply make a connection between two or more ideas, usually with little or no commentary. Here’s the first one: Ed Felten, yesterday: “CALEA II: Risks of wiretap modifications to endpoints” – Today I joined a group of twenty computer scientists in issuing a report criticizing an FBI plan to… Continue reading “Connection: Wiretap Laws”
When Steve Gibson talked on Security Now 398 about how few users’ Java plugins are actually up-to-date, this question hit me: Should browser plug-ins have built-in expiration dates? The problem with having all of these old Java versions running around is that attacks always get better. How much more sophisticated are the attacks of today… Continue reading “Time Limits on Browser Plugins?”
If you have a LinkedIn account, stop what you’re doing and change your LinkedIn password immediately. I’m not kidding–just do it. Once you’re logged in, click on your name near the upper-right corner, click Settings from the menu, click the Account tab near the lower-left corner, and click Change password. Now that you’ve changed your… Continue reading “Heads-Up for LinkedIn Users”
Charlie Savage reported Monday in the New York Times that the Obama administration is seeking legislation that would require “back-doors” in all encryption products and services in the US. Of course, they cite terrorism as a primary motivation. How best to balance the needs of law enforcement (and of government in general) with the privacy… Continue reading “Internet Wiretap Bill Misses the Mark”
We’ve been thinking about developing a quick application to replace a paper HR process—should be a simple state machine with four possible states: Submitted, Accepted, Rejected, and Completed. But then we realized we would need email notifications and a coherent security model. These requirements—workflow, notification, and security—happen reasonably well in the old paper model. Not… Continue reading “When Low Tech Is the Best Tech”
It used to be that network infrastructure was one of an organization’s most valuable assets and security was geared toward protecting the infrastructure; but costs are falling, and the network has become a commodity. Meanwhile, the volume and value of information stored electronically are growing rapidly. For this reason, Dan Geer advocates a paradigm shift… Continue reading “The Enterprise Information Protection Paradigm”
All of my company’s inbound and outbound email goes through a security service that scans for spam and viruses. From time to time I get an email from someone saying that they got a message that they consider spam. I see that as a good sign. Here’s why: Spam filters are machines, with some human… Continue reading “The Spam That Got Through”