Security nihilism: Never good enough.

  burnout crypto frustration information_security nihilism physical_security perfection hardware_security_modules catastrophic_failure victory_conditions failure_modes degrees

In the last couple of years, a meme that has come to be known as security nihilism has appeared in the security community. In a nutshell: because there is no such thing as perfect security, there is no security at all, so why bother? Talking about layered security controls that reinforce each other is pointless, because the nihilists always skip right to the end, which is the circumvention of the nth countermeasure and final defeat. In the crypto community, cries of "Quantum computer!" are the equivalent of invoking Godwin's Law, leading to the end of all discourse, never mind trying to separate …


My Postmodern Openings paper went live.

  communication_technology cryptocurrency finance paper publication journal creative_commons threats information_security download

My paper on threats to emerging financial entities went live a couple of weeks ago. It's in volume VII, issue 1 of the journal Postmodern Openings and can be read in its entirety here as a downloadable PDF file. I've taken the liberty of uploading a second copy here for archival purposes.

The paper is published under a Creative Commons Attribution-NonCommercial-NoDerivatives (CC BY-NC-ND) license.

My paper about threats to emerging financial entities passed peer review and will be published.

  communication_technology finance cryptocurrency nigeria_ict_fest paper publication journal creative_commons threats information_security

As you may or may not remember, late last year I presented via telepresence at the Nigeria ICT Fest, where I gave a talk about security threats to emerging financial entities. Following the conference I was invited to turn my presentation into an academic paper for an open-access, peer-reviewed journal called Postmodern Openings which is published on a biannual basis. Postmodern Openings seems to publish a little bit about everything, from the ethics of advertising to children to lessons learned from studying the economic systems of entire countries to the anthropological ins and outs of caring for children with chronic …


Turtles All the Way Down: Bootstrapping an operating system.

  attacks backdoors bsd compiling computers information_security linux mitigation operating_systems risks software trust

Now we need an operating system for the trusted, open source computer. As previously mentioned, Windows and Mac OS X are out because we can't audit the code, and it is known that weaponized 0-days are stockpiled by some agencies for the purpose of exploiting and remotely manipulating systems, and are also sold on the black and grey markets for varying amounts of money (hundreds to many thousands of dollars). Experts have observed many a time that software being open source is not a panacea for security. It does, however, mean that the code can be audited for …


Turtles all the way down: Introduction

  computers hardware information_security news nsa software surveillance

The sum total of the Edward Snowden revelations has pretty conclusively proved one thing: that we can't trust anything. The communications networks wrapped around the globe like a blanket are surveilled so minutely that Russian President Vladimir Putin has openly stated his admiration for the US getting away with it so successfully. Much of the cryptographic infrastructure used to protect our communications and data at rest is known to be vulnerable to one or more practical attacks, to the point that, if one is honest, it can't really be called effective. The company RSA has all but admitted …


Dominant discourse.

  cryptography dialogue exploits information_security nsa

Since the NSA revelations began coming out a couple of times a week over the past month, an all too common set of dialogues has been cropping up again and again and again in practically every forum one would care to visit. While the discussion itself isn't perfectly replicated, the overall pattern is. It goes something like this:

  • Brief description of vulnerability. Mitigating tactic.
  • Mention of a vulnerability elsewhere in the user's system.
  • Description of a slightly more esoteric vulnerability.
  • Use another system.
  • Encrypt everything.
  • Quantum computer.
  • Use Tor.
  • Tor can't protect against country-level surveillance.
  • NSA backdoor.
  • The NSA has …


ISOC-DC: A White Hat Perspective on Cyber Security & Other Internet Issues

  current_events dc hacdc information_security internet presentation

From the Internet Society of Washington, DC's official announcement:

The term "hacker" is often used pejoratively. In reality, a hacker is someone who finds a clever and creative solution to a programming problem. Hacker culture typically advocates free and open source software and community-based thinking. Malevolent hackers, or "crackers" or "black hats," are the ones that we need to worry about. Thus, the distinction between white hat and black hat hackers.

HacDC is a community organization in DC dedicated to the collaborative use of technology. HacDC is part of a global trend in amateur engineering clubs that have come …