
Security

December 19, 2007

Wednesday, December 19, 2007 7:22 PM/EST

12 Ways to Be a Security Idiot: The Calendar!

There are plenty of shortages of things in the world today. Right now parents are out there desperately trying to get their hands on the hot gifts like the Nintendo Wii.

But there is one thing that we (unfortunately) aren't running out of. And that's people who don't put any thought into how they use their computers and the Internet, and who through their actions expose themselves and others to potentially dangerous security threats.

These people have been the subject of multiple columns by myself and other security writers. I owe two of my most popular articles to these security dunces: my 2003 column "Idiocy Imperils the Web" and my slide show from early 2007 entitled "12 Ways to Be a Security Idiot".

In some ways, security idiots are the gift that keeps on giving. So in the spirit of the holidays, with the good work of illustrator extraordinaire Brian Moore, we've taken that "12 Ways to Be a Security Idiot" slide show and converted it into a 2008 calendar. It's our gift to you, our readers. Feel free to download the calendar and print it out for personal use in your office or home. And don't be afraid to send it to some of the "security idiots" in your life.

Click here to download eWEEK's 2008 Calendar of 12 Ways to Be a Security Idiot

December 18, 2007

Tuesday, December 18, 2007 10:02 AM/EST

Where's the Security Idiot Calendar?

If you're looking for the download of the calendar of 12 Ways to Be A Security Idiot, I'm still waiting on the final approved copy from our production department. I've been told it should be ready no later than Wednesday morning.

Sorry for the delay.

September 21, 2007

Friday, September 21, 2007 12:33 PM/EST

Delist This Security Idea

Everybody loves lists. Magazines love lists, TV shows love lists, websites really like lists. But possibly no one loves lists more than security vendors.

When you break down a lot of the core elements of security products, it often comes down to big lists. Lists of known viruses and spyware, lists of vulnerabilities, lists of access controls, and lists of programs that we want to run and programs that we don't want to run.

This obsession with lists most recently came up in reports from one of the largest security vendors out there, namely Symantec. In interviews related to the most recent release of the Symantec Internet Security Threat report, Symantec executives have said that because of the growing security threats and the increased sophistication of the bad guys, it may be time to move from the classic black list approach to security and go to a white list approach.

This means that instead of determining which programs running on someone's computer might be bad guys, future security tools would instead only let known, "good" programs run and block out all other programs.

Now the idea of white lists isn't a new one; most good security implementations involve some combination of white listing and black listing. And I do think that white listing is a good idea, when done on an individual or company basis (meaning that I as a person or a company choose which applications I want to let run).

But this isn't the kind of white listing that is being talked about. Instead it sure seems that Symantec is talking about managing a centralized white list of good applications and if an application isn't on it, it won't run.

And if this is Symantec's idea, then in my opinion it is a really bad one.

First of all, how would one get an application onto this list? Would it be free and easy for any developer or would there be regular fees and hurdles that would leave many open source and small developers out in the cold?

And what about programs I myself or my company writes? Would I be able to circumvent the Symantec white list controls and easily get these to run or would I have to jump through a series of complex hoops just to run my own applications?

One other thing. Doesn't this whole idea sound an awful lot like Trusted Computing, you know, that great thing where Microsoft would protect us from running bad programs and using our own computers in the way we wanted to? I don't know about you but if I don't trust Microsoft to tell me what I can and can't do with my own computers I really don't trust Symantec to do the same.

Finally, the really big weakness behind the whole white listing idea is that it doesn't really work from a security standpoint. Just because some central authority says that a certain application is safe or trusted doesn't mean that that application itself can't be used as an attack point by the bad guys. A large number of security problems don't result from some rogue application getting on a system; they come about because an application already on the system has a hole in it that can be abused.
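The two models the post contrasts come down to a single default decision: a black list runs anything it has not seen before, an allow list runs nothing it has not been told about. The following is an added example, not code from the post or from Symantec, of a locally managed allow list of the kind the author says he would accept, keyed by file hash so that a renamed or replaced binary is not trusted. All program names, bytes and hashes are constructed samples. It also shows the "my own applications" problem: a freshly built in-house tool is blocked until its owner adds it, which is the friction the post worries a central list would turn into a fee or a hurdle. What the list cannot see is the post's final point: an allowed program with a hole in it is still allowed, because the decision is about identity, not behaviour.

```python
import hashlib
from typing import Dict

# Constructed sample "executables". In a real deployment these would be the
# bytes of the files on disk; names and contents here are hypothetical.
PROGRAMS: Dict[str, bytes] = {
    "editor.exe": b"editor build 4.2 (constructed sample)",
    "report.exe": b"in-house reporting tool v1 (constructed sample)",
    "freebie.exe": b"unknown download (constructed sample)",
    "bad.exe": b"known malware sample (constructed)",
}


def sha256_hex(data: bytes) -> str:
    """Content hash used as the identity of a program."""
    return hashlib.sha256(data).hexdigest()


# Locally managed allow list: the machine's owner (or the company) decides
# what goes on it. Keyed by content hash, not by path or file name.
LOCAL_ALLOW_LIST: Dict[str, str] = {
    sha256_hex(PROGRAMS["editor.exe"]): "editor 4.2",
}

# Classic deny list (the anti-virus model): known-bad hashes only.
DENY_LIST: Dict[str, str] = {
    sha256_hex(PROGRAMS["bad.exe"]): "Trojan.Constructed",
}


def allow_list_decision(program: bytes) -> bool:
    """Default deny: a program runs only if its hash is known-good."""
    return sha256_hex(program) in LOCAL_ALLOW_LIST


def deny_list_decision(program: bytes) -> bool:
    """Default allow: a program runs unless its hash is known-bad."""
    return sha256_hex(program) not in DENY_LIST


def add_to_local_allow_list(program: bytes, label: str) -> str:
    """The owner vouches for a program (e.g. a tool they wrote themselves).

    Returns the hash that was recorded so the caller can audit the list.
    """
    digest = sha256_hex(program)
    LOCAL_ALLOW_LIST[digest] = label
    return digest


def decisions(program: bytes) -> Dict[str, bool]:
    """Both verdicts side by side; they differ exactly for unknown programs."""
    return {
        "allow_list": allow_list_decision(program),
        "deny_list": deny_list_decision(program),
    }


if __name__ == "__main__":
    for name, data in PROGRAMS.items():
        print(name, decisions(data))
    # The in-house tool is blocked by the allow list until its owner adds it.
    add_to_local_allow_list(PROGRAMS["report.exe"], "in-house report tool v1")
    print("report.exe after owner adds it:", decisions(PROGRAMS["report.exe"]))
    # Rebuilding the tool changes its hash, so it is blocked again: the list
    # must be maintained by whoever controls the machine.
    rebuilt = PROGRAMS["report.exe"].replace(b"v1", b"v2")
    print("report.exe v2:", decisions(rebuilt))
```

Run it as a script to see the verdicts for each constructed program. Note that the allow-list verdict for editor.exe is True regardless of whether that build has an exploitable bug; nothing in either list models that.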

So thanks but no thanks. When it comes to making lists of what can and can't run on my system, I'm going to make the call on what goes on that list, not some third party security firm.

Hey, here's a new list idea for you! How about bad security ideas? Sounds like we have a candidate for the list.

June 7, 2007

Thursday, June 07, 2007 2:42 PM/EST

More Web 2.0 fun?

Finished editing really long podcast file, need to take a break. About 17 hours ago.

Drove to band practice, listened to Minutemen CD in the car. "Tour spiel!" About 14 hours ago.

Gotta write my column. But what to write about? Wait, I know! Less than 20 seconds ago.

Well that's enough Twittering for now. Oh, you don't know what Twittering is? It's the latest in utterly self-indulgent Web 2.0 fun.

At Twitter.com, millions of people are constantly answering one question: What are you doing right now? It's sort of like a blog but without all of that, you know, actual content.

As I look at Twitter.com right now, some of the fascinating content includes a person going to get Indian food, someone waiting to get into a breakfast joint and a guy who has just signed up for DirecTV. Wow! What will happen next?

I have to admit that Twitter is one of those things that makes me feel like an old fogy. Even though I'm a cutting-edge, tech kinda guy, the whole constant-connection thing is one that just doesn't connect with me.

But I can definitely understand why this is a hit with the younger crowd. Every sub-25-year-old that I know is constantly on his or her cell phone, and the subject of 99 percent of the calls is similar to Twitter's content: "Hey, whatcha doin?" "Nothing, what are you doing?" "Watching Futurama." "Cool, talk to you later."

Heck, if Twitter cuts down on even half of the calls like that, it's doing society a great service.

Click here to read the full article

April 20, 2007

Friday, April 20, 2007 3:02 PM/EST

What Makes a Security Idiot?

I recently posted a list of my 12 Ways to Be A Security Idiot. This list was inspired by an older column (OK, rant) of mine where I bemoaned the stupid things that people do that cause most of the security problems that companies have to deal with. When I wrote that old column I got some great suggestions and comments, both on stupid things that people had seen users do and also on some creative methods that IT departments used to expose the worst offenders at their company. So now I'm asking you, my readers: How do you deal with the security idiots at your company? And are there stupid things that I should add to my list? Comment here and let me know....


