I’ve been consistently amazed by human behaviours for many years, and through many employers. One of the behaviours that always astonishes me is when I let someone know that they’re violating security policy, or simply behaving in an insecure manner, and rather than changing their behaviour or defending their own actions per se, they respond with some variation of “sure, but such-and-such team/person is already doing that and far worse”. Maybe it’s my grammar school upbringing, in which it was clear

Immutable Security Law number 1 : If a bad guy can persuade you to run his program on your computer, it's not your computer anymore I love the Immutable Security Laws – they strike a chord deep within me, and they’re a “go to” resource every time I want to decide if I’m making a good security decision. I also like my Windows Sidebar Gadgets. Not a whole lot of them, mind you, just one or two that I’ve written myself. And I can’t say that I’ve gone very deep in developing them. So I’m deeply conflicted

OK, so that’s a horrible stretching of a song to cover a point, but it’s kind of the way I feel right now – torn between a rock and a hard place. Some time ago now, I let you readers know that I’d won an iPad at the Black Hat security conference, and that I’d be trying it out to let you know what I thought. First, let’s consider my usage case, and what I am comparing it against. The iPad is, to my mind, a potential killer device for a few things I like to do: Watching movies and TV shows on the bus

I hate it when the Internet doesn’t know the answer – and doesn’t even have the question – to a problem I’m experiencing. Because it was released during the MVP Summit, I was able to download the Visual Studio 11 Beta and run it on a VS2010 project. There’s no “conversion wizard”, which bodes well, because it suggests that I will be able to use this project in either environment (Visual Studio 2010 or the new VS11 beta) without any problems. And certainly, the project I selected to try worked just

My MVP award expires on March 31 So, I've submitted my information for re-awarding as an MVP - we'll see whether I've done enough this year to warrant being admitted again into the MVP ranks. MVP Summit Next week is the MVP Summit , where I visit Microsoft in Bellevue and Redmond for a week of brainwashing and meet-n-greet. I joke about this being a bit of a junket, but in reality, I get more information out of this than from most of the other conferences I've attended - perhaps mostly

I’d like to thank ISOC (the Internet Society) for making my birthday later this year into World IPv6 Launch Day . This year is a special one for anniversaries – my 45th birthday, 20 years since I arrived in the USA, 10 years since beating cancer – seems like the perfect time for ISOC to honour me by switching everyone to IPv6. Now, if only I could persuade Comcast to deliver IPv6 to my house, where we are still using Hurricane Electric’s Tunnel Broker .

It’s been quite some time since I wrote about changing passwords on a Windows service , and then provided a simple tool written in Visual Basic to propagate a password among several systems sharing the same account. I hinted at the time that this was a relatively naïve approach, and that the requirement to bring all the services down at the same time is perhaps not what you want to do. So now it’s finally time for me to provide a couple of notes about how this operation could be done better. 1. If

Black Hat, and its associated sideshow, DefCon, consists of a number of different components. Training, Briefings, Exhibition and Contests, all make up part of Black Hat, and DefCon is a looser collection of Workshops, Events, Parties, Talks, Villages, Contests and numerous other things besides(*). Perhaps the thing that gave me the most fun this year was the contest that I entered at Black Hat and at DefCon. The contest was run by Core Labs , a part of Core Security Technologies , and featured the

For my last post in the National Cyber Security Awareness Month, I’d like to expound on an important maxim for security. Failure is always an option – and sometimes the best If you can’t handle a customer’s credit card in a secure fashion, you shouldn’t be handling the customer’s credit card. If a process is too slow when you add the necessary security, the process was always too slow, and can not yet be done effectively by modern computers (or the computers you’re using). If you enable a new convenience

It seems like a strange question for me to ask, given that in a number of my National Cyber Security Awareness Month posts to date, I have been advising you to use SSL or TLS to protect your communications. [Remember: TLS is the new name for SSL, but most people refer to it still as SSL, so I will do the same below] But it’s a question I get asked on a fairly regular basis, largely as a result of news articles noting that there has been some new attack or other on SSL that breaks it in some way.