Recently by John Viega

Today was a shameful day for the Internet security industry, as researchers disclosed information about numerous vulnerabilities in critical US infrastructure systems produced by five different vendors, demonstrating that they are happy to make the world a riskier place in order to market themselves.
On Valentine's Day, I found myself 500 miles away from my two daughters (10 and 7). I'd already decided to get them a gift certificate from Amazon, with an e-greeting. Amazon has so much stuff, both kids could easily get...
I was pretty amused recently when two people I respect went at each other over vulnerability disclosure, quickly devolving into name-calling. It's always fun to watch a flame war (nobody got compared to Hitler, but one person did get compared...
Bruce Schneier has earned his reputation as IT Security's top pundit -- but I'd like to make a plea for Schneierists to not accept every word he has written as utterly factual (even though he does totally rock).
The Internet is still broken, but no more broken than normal. The risk level is acceptable for the average user, even though if a single user were being targeted, there's a good chance an attack would be successful. This is how it's always been. Let's go back to our lives.
In my last post I talked about how anybody with enough money (a small 6-figure sum) could create a rogue certification authority (CA). This would allow them to generate certificates for any web site that seem to be genuine. That...
Any major changes to the way we establish trust are probably too big to actually happen. That leaves the Internet fundamentally broken.
The biggest problem with host-based security has always been what happens when your protection fails. And yes, all traditional host-based protections will have the potential for failure, especially when you consider that it's generally easy to trick users into installing...
Traditionally when security experts talk about snake oil products, they are usually only brave enough to call out products from dubious companies that make claims that are obviously false... almost always around cryptography. Few people call out venture-backed companies with well-known people on the management team.
One of the most pervasive security technologies that doesn't work very well is the intrusion detection/prevention system. To get value out of an intrusion detection system, you need to be able to at least separate out some of the good alerts from the many irrelevant ones.