deepsh.it: February 2009

Cigital’s Principals podcast

21st episode of The Silver Bullet Security Podcast.
Interview with Cigital’s Principals

John Steve: helping companies build their own software security capability.
Pravir Chandra: training & helping our customers do strategy all the way down to security assessments.
Sammy Migues: service line management at Cigital and do a lot of monetizing of
intellectual property.

best way for a big company to get started with security: focus on what their strength & what they can do well - giving smart ppl little more security knowledge, playing to their curiosity.

CLASP, M$'s SDL, Cigital's Touchpoints

we need someone to be a practitioner and not just an enabler of bad events

sw security training - tell them how to implement things, give the skill not only make them aware.

the instructor has to have experience & a practitioner

in the past programming language like C, we have to do everything, nowadays building app on the like a J2EE platform, there are so many aspect of the arch that are enforced upon you by the platform itself - it makes a hell of a lot easier to put together a doc of what ur arch does because u r just following the patterns that have been laid out before u.

lenght: 23:35m

Labels: cissp, security

Perfect privacy podcast with Markus Jakobsson

20th episode of The Silver Bullet Security Podcast.

Interview with Markus Jakobsson

In corp research you dont need to worry about funding - compare to academic.

everybody wants to see what's they are doing change the world...
I left academia to see if i can change the world

Thesis: privacy vs authenticity : there is a necessity to balance between privacy & payment.
at that time there was a believe it must be absolute privacy in perfect privacy payment scheme in cryptographic community <- I dont believe this

today the balance is actually on the other side, payment lack of privacy

Scott McNealy: "get over it, You have zero privacy anyway..."

ppl sell their privacy for very low price.

I dont believe fundamental trade off between security vs privacy:
security: you cannot be abused
privacy: your information that you want to be leaked - cannot be abused

it's a naming convention

Hard core cryptography does not change the world - so I'm changing my approach.

if you really want security to happen, you have to realize that it's not enough with algorithm, but you also need to present info to user & make sure they understand.

research, the reaction the user inferface to ppl.. then folded to applied in security...

it's far too common to say: "oh man ppl are dumb, and all dump ppl has to suffer their consequences"

"ppl are remarkably dumb because to them it makes no sense to use SSL cert.... they just need to go on with their life"

that dumb can be your mum or my mum... and I dont want that.

if you can educate ppl, what can u educate?

I care about the effect of security on ppl... the key is the interface...

I have collection of syntactical phishing experiment

synthetical phishing: instead saying this is your last 4 digit, it says this is your first 4 digit - to ppl, this has absolutely no security difference - yes this is the 1st 4 digit of my bank account, then I'm talking to my bank...

actually 1st 4 digit corresponds to the issuer...

this means authentication ppl with the last 4 digits is an insane way to do, because you teach user.. 4 digits it's OK... then when the phisher comes around with 1st 4 phisher, they are hooked.

length: 24:29m
* this is a very good interview

Labels: cissp, security

10+1 things to do before I die

0. basE jump from Parekupa meru
1. Wing suit
2. Wing suit
3. Wing suit
5. Free fly
6. Swimming/diving with Rhincodon typus, Mola mola, Manta birostris, and under the school of Sphyrnidae
7. Inca trail to machu picchu
~~8. See GWAR & Jane's Addiction live concert~~
9. 18000 feet freefall
10. peeing in Everest (dont eat yellow snow!!!)

Labels: evolution

i have no idea what she said..

I'm a huge fan of Danzig...

and of course I'm totally puzzled to see this video...

oooh and it so black and cold deep inside...

if you feel alive
if you got no fear
do you know the name
of the one you save

...
look inside your empty soul there you'll find the noose
...
would you let it go