It's time to give the blog a little push. It's been 7 years of on-again, off-again contributions across the whole spectrum of security, from information security and privacy to physical security, with smatterings of things like writing code and picking locks ... and maybe even an occasional theme of how politics can affect security policy decisions.

Here are some of the top computer/information/application/software security highlights, many of which are top Google search hits as well:
- Tried to explain the difference between Trust and Trustworthiness, for which the article is still a top Google hit.
- That article wasn't as good as Ken Thompson's classic speech in 1984, though.
- There was the time PGP Corp didn't document a little feature that allowed a complete bypass of the whole disk encryption. That got slashdotted. Then there was some dialog with their CTO, Jon Callas about it. Back and forth.
- Shortly after that, Ed Felten's PhD students smashed many whole disk encryption products and Jon Callas got involved again.
- All that disk encryption talk got everyone thinking about the realities of evil maids!
- RSA's SecurID soft tokens got picked apart, since they're not really tokens after all.
- Years later, came the "told you so" about the RSA SecurID tokens.
- Remember that nifty way to trick Active Directory into snoozing the password expiration for an account?
- Waxed eloquent (or tried to) on the principle of separating code from data, and why exactly that is such a pivotal problem in software security.
- Wondered what happened to Phil Zimmermann, then found him at Silent Circle.
- There was the time a PCI QSA did not understand how to manage encryption keys (DEK/KEK), with the sleight-of-hand tricks that hinder ecommerce's operational efficiencies.
- In an effort to "give back a little", gave some code to interact with Active Directory in C#, like adding MS Exchange objects, programmatically managing attributes on AD users and groups, and even doing some unique and complicated things like programmatically proxying Active Directory users into AD LDS.
- One time, Little Bobby Tables went to the moon.
- Discussed brute forcing credit card numbers when PCI allows you to keep a large percentage of the digits.
- Against Web Application Firewalls before it was cool.
- And maybe some people chose not to get computer security jobs. (Probably not ...)
It's been fun. Here's to 7 more years!