How a bad password policy at Bank of America reduces security
When you force people to use hard-to-remember passwords, you’re actually forcing them to use bad passwords.
Category Archives: Computer Security
LastPass still hasn’t learned the first rule of being in a hole
LastPass sent out an email and published a blog posting today to go with the support article they published earlier this week. They keep making things worse.
Newly released details about the recent LastPass security incident are bad
The newly released details about last fall’s LastPass breach and their response to it are bad, and LastPass should feel bad, and you should stop using LastPass.
Why you should not use RegScale
Companies that engage in slimy marketing practices tend to be slimy companies. RegScale fits that description, so you should avoid doing business with them.
How to protect your anonymity online when the services you use could be breached
Twitter is in the news again with another security breach in which 235 million users’ email addresses, phone numbers, and Twitter handles were exposed. These seems like a good opportunity to talk about what you can / should do to protect yourself if you need to maintain anonymity online. The basic rule is this: if… Read More »
Scripts for using Shamir’s Secret Sharing Scheme securely
The open-source package Shamir’s Secret Sharing Scheme, or “ssss” for short, allows a relatively short secret, for example, a password or passphrase, to be split into a specified number of shares in a way that allows the entire secret to be reconstructed from only a subset of the shares. For example, you can split a… Read More »
My one indispensable infosec management tool: a simple recurring task dashboard
There is one problem that every single information security / governance / risk / compliance (GRC) organization at every company has to deal with, and that’s keeping track of all the recurring tasks that you need to do to maintain your security and compliance and ensuring that they are done on time. I’m sure that… Read More »
Reliable 1Password backup written in Python
I’ve done a pretty deep dive comparing the features of various password managers, but one feature I didn’t cover in that analysis was backup for business customers. What commitments does the vendor make in terms of backup/restore? Do they promise to be able to restore data that is accidentally or maliciously modified or deleted by… Read More »
Hack of the day: easily configure Linux hosts to reboot once or always without requiring a decryption key
I have LUKS encryption configured on all of my Linux desktops and laptops, which is a pain when I need to reboot one remotely, since it prompts for the decryption key and won’t finish rebooting until the key is entered. To solve, this, I’ve written keyless-entry, which allows the user to easily configure a LUKS-encrypted… Read More »
Adding malicious IPs in DNSBLs to iptables automatically
[This is an updated version of Adding malicious IPs in DNSBLs to hosts.deny automatically which uses iptables instead of tcpwrappers, since tcpwrappers has been deprecated.] I run my own mail server, which means that there are hackers trying 24×7 to break into the server by connecting to my SMTP or IMAP server and trying to guess… Read More »