Tag: cybersecurity

  • Peeling the Censorship Onion

    Lots of people have been having fun with DeepSeek, a fascinating new AI from China. Whilst many have been probing its censorship – try asking about Tiananmen Square 1989 – some have been managing to bypass its output filters by requesting the output in forms such as leetspeak or similar encodings. Input and output filtering

    Read more
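    As an added illustration of the point in the teaser above (this is example code, not anything from the post or from DeepSeek): a naive substring blocklist is defeated by leetspeak, fullwidth Unicode or dotted spelling, whereas a filter that folds Unicode and compiles each blocked term into a substitution-tolerant pattern catches those encodings. The blocked term and the leetspeak table are constructed here for the demonstration.

```python
"""Added example: why naive output blocklists fail against leetspeak-style
encodings, and one partial mitigation. Not from the original post; the
blocklist and substitution table below are constructed for illustration."""
import re
import unicodedata

# Constructed table: each letter and the glyphs commonly substituted for it.
LEET = {
    "a": "a4@", "b": "b8", "e": "e3", "g": "g9", "i": "i1!|", "l": "l1|",
    "o": "o0", "s": "s5$", "t": "t7+", "z": "z2",
}


def fold(text: str) -> str:
    """Strip Unicode disguises: fullwidth forms, diacritics, letter case."""
    text = unicodedata.normalize("NFKD", text)
    return "".join(c for c in text if not unicodedata.combining(c)).lower()


def term_pattern(term: str) -> re.Pattern:
    """Compile a blocked term into a regex that tolerates leetspeak glyphs
    and arbitrary separators between letters (e.g. 't.i.a.n...')."""
    classes = ["[" + re.escape(LEET.get(ch, ch)) + "]" for ch in term.lower()]
    return re.compile(r"[^a-z0-9]*".join(classes))


def naive_filter(text: str, blocked: list[str]) -> bool:
    """The kind of check that a leetspeak request walks straight past."""
    lowered = text.lower()
    return any(term in lowered for term in blocked)


def leet_aware_filter(text: str, blocked: list[str]) -> bool:
    """Fold the text, then match each term with its substitution pattern."""
    folded = fold(text)
    return any(term_pattern(term).search(folded) for term in blocked)


if __name__ == "__main__":
    blocked = ["tiananmen"]  # constructed single-term blocklist
    for sample in ("T14n4nm3n Squ4r3 1989",      # leetspeak
                   "ｔｉａｎａｎｍｅｎ",            # fullwidth Unicode
                   "t.i.a.n.a.n.m.e.n 1989",       # dotted spelling
                   "Tiananmen 1989"):               # plain text
        print(f"{sample!r}: naive={naive_filter(sample, blocked)} "
              f"leet_aware={leet_aware_filter(sample, blocked)}")
```

    The leet-aware version is still only one layer: base64, ROT13, translation into another language, or acrostics all slip past a pattern like this, which is exactly why output filtering alone is not a sufficient control.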

  • Whatever happened to “Defence in Depth”?

    Today starts with reading about a couple of very old fashioned exploits from earlier in the week. So very old-fashioned that one is left thinking “Really?” Hard coded default credentials. Are we back in the 1990s again suddenly? A short, maybe slightly rant-y item here today. Critical default credential bug in Kubernetes Image Builder allows

    Read more

  • Password Guidance from NIST

    At the end of August 2024, NIST issued new guidance documentation in the SP 800-63 series. Of specific interest are their recommendations around passwords (in SP 800-63B), because they conflict with what many organisations actually do, and address a few bugbears of mine. Even with widespread adoption of Multi-Factor Authentication (MFA), passwords are not dead and buried yet.

    Read more
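    To make the conflict in the teaser above concrete, here is an added example (not from the post, and not NIST's code) that places a typical legacy "complexity" policy beside a verifier check following the SP 800-63B rules: a length floor rather than composition rules, at least 64 characters accepted, spaces and Unicode allowed, no truncation, and a comparison against a blocklist of common or breached values. The blocklist is a constructed stand-in for a real breached-password list.

```python
"""Added example: legacy composition rules versus an SP 800-63B-style
verifier check. Not from the original post; BLOCKLIST is a constructed
stand-in for a real common/breached-password corpus."""
import unicodedata

# Constructed blocklist. A real deployment would use a breached-password
# corpus plus context-specific words (service name, username, etc.).
BLOCKLIST = {"password", "password1", "p@ssw0rd", "qwerty123", "letmein"}


def legacy_policy(pw: str) -> bool:
    """Typical 'complexity' rule: 8+ chars with upper, lower, digit, symbol.
    Passes 'P@ssw0rd', fails a long lower-case passphrase."""
    has = lambda pred: any(pred(c) for c in pw)
    return (len(pw) >= 8 and has(str.isupper) and has(str.islower)
            and has(str.isdigit) and has(lambda c: not c.isalnum()))


def nist_800_63b_check(pw: str, blocklist: set[str] = BLOCKLIST,
                       single_factor: bool = False) -> tuple[bool, str]:
    """Return (accepted, reason) following the SP 800-63B verifier rules:
    - normalise (NFKC) and count length in code points, never bytes
    - minimum 8 characters (15 when the password is the only factor)
    - accept at least 64 characters; never silently truncate
    - no composition rules, no hints, no forced periodic rotation
    - reject anything on a blocklist of common/breached/context-specific values
    """
    pw = unicodedata.normalize("NFKC", pw)
    minimum = 15 if single_factor else 8
    if len(pw) < minimum:
        return False, f"shorter than {minimum} characters"
    if len(pw) > 64:
        # 64 is the spec's floor for the maximum a verifier must accept;
        # raising this limit is fine, truncating to it is not.
        return False, "longer than the 64-character limit configured here"
    if pw.lower() in blocklist:
        return False, "on blocklist of common or breached passwords"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("P@ssw0rd", "correct horse battery staple", "Tr0ub4dor&3"):
        print(f"{candidate!r}: legacy={legacy_policy(candidate)} "
              f"nist={nist_800_63b_check(candidate)}")
```

    The contrast is the point: the legacy rule accepts a blocklisted "P@ssw0rd" and rejects a 28-character passphrase, while the 800-63B check does the opposite. Rate limiting of failed attempts is also mandated by the standard but lives in the authentication flow rather than in this per-password check.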

  • Complexity: enemy of Security

    There is a lot to be said for the old maxim of KISS: “Keep It Simple, Stupid”. The complexity of modern systems often masks flaws that the creators of those systems do not notice, especially when several separate systems interact in complex ways. But someone may find them eventually, and if you’re lucky then it

    Read more

  • Novel Training Techniques: Public Key Exchanges

    I’ve run a few training courses with novel techniques for getting memorable lessons across. Here’s another. Nancy Pierpan: You trust me. Why on earth would you trust me? Johnny Worricker: Because that’s the job. Deciding whom to trust. That’s what the job is. — Page 8 Knowing whom to trust is difficult. If it wasn’t,

    Read more

  • Supply-Chain Subversion

    How well do you know your supply-chains? It was only a couple of days ago that I was commenting online about supply chain assurance. And now, today, we have a real and dramatic demonstration of what a supply-chain attack can achieve. Maybe it will encourage some better consideration of supply-chain risks throughout industry. All sorts

    Read more

  • Novel Training Techniques: The “Remember” Command

    “Experience varies directly with equipment ruined” was a useful mantra for getting through undergraduate physics labs. And it can be applied in other areas too. Back in the 1990s I ran a few classes to teach people about Linux. They needed to rapidly understand that with power came immense destructive capability, so with each student

    Read more

  • PQC Planning: Don’t Put It Off Any Longer…

    …but it might not be as onerous as you imagine. Let’s dive right in; there is no time like the future! Why plan now if we cannot implement yet? This is the crux of the matter. And the answer isn’t necessarily obvious. However, consider data that you hold now for which the C&I requirement may

    Read more

  • Extension of CVSS-B

    The CVSS “Base” Scores (identified as CVSS-B since v4 of the specification) range from 0 to 10, with 10 being the most severe. Until today, that is.

    Read more

  • Quis custodiet ipsos nubem?

    Microsoft is not having a very good time right now. Their not-so-recent breach (2024-01-19 report) turned out to be a mega-breach (2024-03-08 report), and now seems to have been even more serious (2024-03-11), without clear assurance that the intruders really have been evicted completely, uncertainty over what might have been exfiltrated, and uncertainty over what

    Read more