Friday 4 October 2013

What US-CERT should have said about the Adobe hack

This is what US-CERT said in a rather pointless advisory: "US-CERT advises that Adobe customers be aware of possible fraudulent account activity."
What US-CERT should have said instead: Advice for Adobe customers: if you have an account at Adobe, change your password.

But that's not all: if your Adobe account uses a username/password combination and/or email address that you also use for other websites or services, change your password on all of those sites too. A leaked email/password pair will be tried against other sites.

And perhaps, if US-CERT could spare some time and effort (thank you #shutdown), they could have added this:
Advice for all service providers: get rid of password management by moving to federation protocols like OAuth or OpenID Connect (OAuth handles the authorization, OpenID Connect the authentication on top of it). If you don't store passwords, you can't lose them.
And one more piece of advice for Adobe and all other providers: please don't ignore secure programming guidelines.
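The relying-party side of the federation recommended above, as an added example that is not code from the original post: the site receives an OpenID Connect ID Token from the identity provider and validates it before trusting the subject, so it never handles or stores a password at all. The issuer URL, client_id and client secret are constructed values. HS256 keyed with the client secret is used so the example runs offline (most providers sign with RS256 and publish their keys at a jwks_uri, but the iss, aud, exp and nonce checks are the same).

```python
import base64
import hashlib
import hmac
import json
import time

# Assumed values for this constructed example (not from the original post).
ISSUER = "https://idp.example"          # the identity provider's issuer URL
CLIENT_ID = "example-relying-party"     # our client_id at that provider
CLIENT_SECRET = b"constructed-client-secret-for-demo-only"


def b64url_encode(data: bytes) -> str:
    """Base64url without padding, as JOSE requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode; restores the padding JOSE strips."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_id_token(claims: dict, secret: bytes) -> str:
    """What the identity provider does: emit an HS256-signed ID Token (a JWT).
    OIDC Core 10.1 allows HS256 keyed with the client_secret; production
    providers usually use RS256 with keys published at jwks_uri instead."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def validate_id_token(token: str, secret: bytes, client_id: str, issuer: str,
                      expected_nonce: str, now=None) -> dict:
    """What the relying party does: verify the token before trusting 'sub'.
    Raises ValueError on any failed check, returns the claims on success."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts

    # Pin the algorithm we configured; never let the token's header choose it
    # (accepting "none" or a key-type confusion is a classic JWT bug).
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")

    expected_sig = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(sig_b64)):
        raise ValueError("bad signature")

    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if aud != client_id and not (isinstance(aud, list) and client_id in aud):
        raise ValueError("wrong audience")
    exp = claims.get("exp")
    if not isinstance(exp, int) or exp <= now:
        raise ValueError("expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")
    if not claims.get("sub"):
        raise ValueError("no subject")
    return claims


def demo(now: int = 1_700_000_000) -> dict:
    """Run the validator over one good token and three bad ones; returns outcomes."""
    claims = {"iss": ISSUER, "sub": "user-42", "aud": CLIENT_ID,
              "iat": now, "exp": now + 300, "nonce": "n-1"}
    good = sign_id_token(claims, CLIENT_SECRET)
    forged = sign_id_token(dict(claims, sub="admin"), b"wrong-secret")
    expired = sign_id_token(dict(claims, exp=now - 1), CLIENT_SECRET)
    other_rp = sign_id_token(dict(claims, aud="some-other-client"), CLIENT_SECRET)

    def outcome(tok: str) -> str:
        try:
            return "ok:" + validate_id_token(tok, CLIENT_SECRET, CLIENT_ID,
                                             ISSUER, "n-1", now)["sub"]
        except ValueError as err:
            return "rejected:" + str(err)

    return {"good": outcome(good), "forged": outcome(forged),
            "expired": outcome(expired), "other_rp": outcome(other_rp)}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:9} {result}")
```

The point for the argument above: the relying party stores no password and acts only on a signed assertion from the identity provider. The checks on alg, signature, iss, aud, exp and nonce are what make that assertion safe to act on; skipping any of them just swaps one kind of careless credential handling for another.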

Tuesday 1 October 2013

Get your #ditchcyber #wegmetcyber certification

You may have read my rant about the misuse of the word cyber, but I am not the first nor the only person to condemn it. Chris Baraniuk posted an interesting article about the history of the misuse of "cyber". Recommended! And of course, as mentioned in Chris' article, not every use of cyber is bad. Cyberspace, cybercafé, cybersex, cyberpunk: I don't mind you using those combinations. Trouble starts when politicians use the term without any knowledge of, or vision on, security. In those cases the purpose of using cyber is to create FUD: fear, uncertainty and doubt. It's also a great recipe for saying nothing at all: "Cyber is such a perfect prefix. Because nobody has any idea what it means, it can be grafted onto any old word to make it seem new, cool -- and therefore strange, spooky. ["New York" magazine, Dec. 23, 1996]" (source).
I call on the responsible politicians, military and police officials to stop using the word cyber. Address the risks that you can identify. If you can't identify a risk or a threat, it's just not there. And if you live by fearing the unknown, you will be a threat to others, as we witness every day.
If you feel the same, join the #ditchcyber or #wegmetcyber campaign. It looks like the blog entry that I posted earlier last week had an interesting spin-off. The post is now being used as a manifesto for the @cyberxpert community. This new Twitter account is the official voice of cyber experts who support the #ditchcyber (or #wegmetcyber in Dutch) campaign. In a few days the @cyberxpert Twitter account attracted several dozen followers. Nothing special perhaps, that happens a lot these days. But these followers are allowed to add one of the @cyberxpert titles to their Twitter handle to show that they are the real cyber experts. We use two different titles: people can add RCX and/or CCX to their name. RCX is the abbreviation of Registered CyberXpert, CCX means Certified CyberXpert. One can use the title only by following the @cyberxpert Twitter account and by supporting the #ditchcyber or #wegmetcyber campaign. So join the #ditchcyber campaign, follow @cyberxpert and show your support!