Category Archives: Security

WebApp Security Survey

A small (21 professionals) and informal survey by Jeremiah has some interesting results, including the fact that no one appears to be “utilizing” the OWASP top ten, while a majority say the PCI standards are going “in the right direction”:

6) What do you think about the updated PCI Data Security Standard v1.1?
a) Huh? (0%)
b) It’s stupid and means nothing to me (0%)
c) Step in the right direction (57%)
d) Great for the web application security industry! (0%)
e) Other (43%)

Would be nice to know how the following numbers can be broken down. For example, is the lion’s share of time spent on a review due to size/complexity of the average commerce site (more than a week’s worth of hands-on testing), or a lack of prior reviews or documentation that stretch out the front-end preparations and back-end reporting? Or are the folks who answered just not the types who work with the small-site reviews…

4) Average number of man-hours required to perform a thorough web application vulnerability assessment on the average commerce website?
a) None (0%)
b) 0 – 10 (5%)
c) 10 – 25 (10%)
d) 25 – 40 (0%)
e) 40+ (86%)

The BBC has a related article with some interesting insights:

The hackers lack the skills to do anything with the data they steal and the old-time criminals lack the technical skills to get the data. This is where they meet.

I came across Ess4 hawking login data for the web shops he has hacked, the credit card numbers he has plundered from those sites and a how-to-guide that shows others how to do it.

He said: “i got many shops + tons of daily orders. i hack a shop in 3-4 hours and sell it for 100-500$.”

He thanked “stupid admins” for making basic mistakes that let him break in.

Roze, one experienced hand and a spammer, said he exploited “human stupidity” rather than poor security.

[…]

And, he said, when he was not relying on stupidity, he had a cadre of smart hackers working for him to break into networks. Curiously, most of these people were from Romania – a country that comes up again and again on these channels.

He said: “romanian guys are very smart. All the time they come with something new ;) they are the best hackers on earth i think.”

[…]

The big problem that these criminals face is not the police but each other and they are in constant fear of being ripped off by their brethren. There is little honour among these thieves.

A poem of kinship

Author Unknown

Many, many years ago when I was twenty-three,
I got married to a widow who was pretty as could be.
This widow had a grownup daughter
Who had hair of red.
My father fell in love with her,
And soon the two were wed.

This made my dad my son-in-law
And changed my very life.
My daughter was my mother,
For she was my father’s wife.

To complicate the matters worse,
Although it brought me joy,
I soon became the father
Of a bouncing baby boy.

My little baby then became
A brother-in-law to dad.
And so became my uncle,
Though it made me very sad.

For if he was my uncle,
Then that also made him brother
To the widow’s grownup daughter
Who, of course, was my stepmother.

Father’s wife then had a son,
Who kept them on the run.
And he became my grandson,
For he was my daughter’s son.

My wife is now my mother’s mother
And it makes me blue.
Because, although she is my wife,
She’s my grandmother, too.

If my wife is my grandmother,
Then I am her grandchild.
And every time I think of it,
It simply drives me wild.

For now I have become
The strangest case you ever saw.
As the husband of my grandmother,
I am my own grandpa!

Try to fit that on an identity card…

Armrests, availability, and shifting risks

I remember a time when park benches in London were exactly that, benches. What I mean is that a controversy once brewed in GB over people sleeping on public benches and I read in the papers (long ago) that armrests were to be installed to end the issue. I do not know if this reaction is the source of all armrests on long bench-like seating areas, but armrests certainly do seem to be more common now (airports, movie-theaters) than in older seating areas (e.g. Cathedral pews). Are people more worried today about personal space than in the past?

From where I sit, armrests are an interesting type of behavior regulation. I wonder if it is self-imposed (we need some way to divide spaces evenly for us, especially as weight/size averages grow, and/or want someone to keep us from lying down) or whether it is a result of some kind of offensive use or abuse that we wish to be stopped (homeless taking up residence on the benches and claiming them as permanently theirs). Movable armrests would be a good idea to solve the former problem. I suppose the reason movable armrests are not more common, however, is because the cost justification for the armrests has more to do with the latter problem. Wonder if anyone has researched the history of armrests…

From an opposite perspective, since public benches have off-peak access during the night, perhaps they should be intentionally designed and maintained to be a form of homeless accommodation. Otherwise, as this report points out, the armrests might just end up forcing the homeless to sleep somewhere even less palatable to the regulators:

“Sure it says (the city) is unfriendly to homeless,” said Andy Baines, a formerly homeless 36-year-old who is working hard at the Winston-Salem Rescue Mission to get his life right. “But you know what? There’s always somewhere else to go. We’ll find another place. It might be a couch, an abandoned building or an abandoned car.”

The term “abandoned” gives a hint to the nature of the problem. The armrests raise the stakes of what is to be considered abandoned enough to be suitable for a nap. In airports, apparently the base of the seats with armrests has become the preferred spot. So instead of napping on the bench, people put their bags on the seats and sleep just below them, which seems like an unnecessary and unfortunate consequence of behavior regulation.

Fake priests

The BBC suggests Japan has a “new” problem:

“Being a fake priest is big business in Japan – I’ve done a TV commercial for one company,” [Mark Kelly] added. “In Sapporo, there are five agencies employing about 20 fake priests. In a city like Tokyo, there must be hundreds.”

The fake Western priests are employed at Western-style weddings to give a performance and add to the atmosphere. These are not legal ceremonies – the couples also have to make a trip to the local registrar.

“In the past almost all weddings in Japan were Shinto, but in the last few years Western-style weddings have appeared and become very popular,” said one Japanese priest.

It is important for the bride and groom to have a proper wedding, and they are not getting it from these foreign priests. “People like the dress, the kiss and the image. Japanese Christians make up only 1% of the country, but now about 90% of weddings are in the Christian style.”

Without trying to be too controversial about this, who really gets to decide whether someone is a real priest, and what constitutes a real/proper wedding? The infrastructure and regulations seem to always be under some kind of challenge as denominations fracture and feud. As a famous anthropologist once said, “marriage is as relative as time has zones”. After all, how different is this from the infamous Vegas weddings and (Elvis) priests?