David L. Farquhar, computer security professional, train hobbyist, and landlord
While the legality of Bittorrent, or at least what people typically use Bittorrent for, is questionable, there’s another question. Is Bittorrent safe? Let’s dig into that question, with something more than unsubstantiated claims.
The CIA triad of security has become controversial. I think this is due to a lack of understanding of what it means. The CIA triad remains a good fundamental model of why security exists and what it protects. Here’s what the CIA triad is all about, and what’s wrong with the trendy model some say should replace it.
The CIA triad refers to three things: the confidentiality, integrity, and availability of computer systems and data. Although it is an old model, it is also enduring.
No matter what I say in response to this question, someone’s going to say I’m wrong. But I’ll bite. Are password managers a good idea? I’ll hedge and say they solve more problems than they cause. We need a better idea, but no one has found it yet.
The problem with password managers is there’s always the danger they’ll get breached. But the alternatives are people using weak passwords, reusing passwords, or both–and that’s worse.
There are people who want you to think VPNs are illegal. As a security professional, this is a point of frustration for me. If anyone ever asks, “are VPNs illegal?” the answer most certainly is no. VPNs are a necessity, and protected by various constitutional amendments. Yes, more than one.
I do a lot of statistical analysis in my day job. Though my job title is no longer security analyst, I literally analyze computer security issues and make recommendations for a living. You couldn’t study information security when I was in college, because the field barely existed then. My formal training is in journalism. But my journalism degree means I have more formal training in statistics than most people I know. So let’s look at median vs mean vs mode, and when to use each of them.
Median, mean, and mode are three different approaches to trying to answer the same question. Out of all the numbers you collected, what is typical?
You probably only have to ask the question twice to get two opposite answers. Are password generators safe? As a security professional, I’ll explain the problems with password generators. Then I’ll tell you why I use them anyway. Most importantly, I’ll tell you how I use them safely.
I had a busy day at work today, writing for my current employer about something my previous employer discovered. Qualys discovered a buffer overflow condition in sudo that, well, basically makes all your users root. I joked with one of my coworkers that Qualys could have used this to solve all its permissions problems when scanning Linux and Unix instead of disclosing this, but they did the right thing.
Most any Linux distro released between 2011 and 2020 has this flaw. So, run yum update or apt-get update to clean up those old sudos. Because we all know giving all your users root isn’t a good idea.
Where they rank any given year may vary, but there’s no doubt Qualys and Rapid7 are two of the big three in vulnerability scanning tools. Both tools have their pros and cons. Let’s look at Qualys vs Rapid7 so you can figure out which one is right for you.
For nearly 20 years, I was the guy people asked if an e-mail message they got was real. And if they were interested, I’d show them how I figured out if it was real. To do that, you have to look at the headers. Here’s how to view headers in Gmail.
Gmail doesn’t have an option called view headers–it’s called Show Original. Choosing this obscure option lets you view the headers and investigate a message.
I’ve spent a little more time than I would like studying severity models in vulnerability scanners. One question that comes up occasionally is Qualys severity vs CVSS, or any of its competitors, for that matter. Let’s take a look at how Qualys severity compares against the industry standard.
Qualys’ severity score predates CVSS, which is now the industry standard. The two have similarities but there are various reasons for choosing one over the other.