The infosec QOTD: Famous quotes re-imagined (2010-05)
| Date | Re-imagined Quote |
|---|---|
| 2010-05-13 | “Your attackers have not failed. They’ve just found 10,000 ways that won’t work.” -Thomas Edison |
| 2010-05-06 | “All hackers by nature desire knowledge.” -Aristotle |
| 2010-05-05 | “I asked for WPA2, I got WEP. How’s that for being born under a bad sign?” -Ferris Bueller (from Ferris Bueller’s Day Off) |
| 2010-05-04 | “I find your lack of antivirus disturbing.” -Darth Vader (from Star Wars) |
| 2010-05-03 | “To succeed in information security it is necessary to make others see things as you see them.” -John H. Patterson |
The infosec QOTD: Famous quotes re-imagined (2010-04)
| Date | Re-imagined Quote |
|---|---|
| 2010-04-28 | “The best remedy for a short password is a long passphrase.” -Joseph Joubert |
| 2010-04-27 | “Pray that DoS attacks will not come any faster than you are able to endure them.” -Nnamdi Azikiwe |
| 2010-04-26 | “A wise man changes his password, a fool never will.” -Spanish Proverb |
| 2010-04-15 | “The things most people want to know about are usually trivial to find on Facebook.” -George Bernard Shaw |
| 2010-04-14 | “What the world requires of naive users is that they should continue to be naive users.” -Albert Camus |
| 2010-04-13 | “A hacker who is not dangerous is unworthy of being called a hacker at all.” -Oscar Wilde |
| 2010-04-12 | “Fear is pain arising from the anticipation of a data breach.” -Aristotle |
Security Twits NCAA tourney bracket contest – winner!
The Security Twits NCAA tourney bracket contest is over. And the winner is @rogueclown (AKA Nicolle Neulist)! @rogueclown DESTROYED her competitors by correctly picking Duke to win it all. Ugh, Duke. @jfug barely edged out @ramblinpeck for 2nd place. @stevewerby (yours truly) was a measly point behind. And @theharmonyguy and @infosecjerk probably wish I didn’t post this.
So until next year, @rogueclown has bragging rights. And I owe her “a yet-to-be-designed but guaranteed-to-be-awesome t-shirt” (it’s on my to-do list…but it could be several weeks…or more).
Security Twits NCAA tourney bracket contest
I created an NCAA basketball tournament bracket contest on Yahoo for members of the information security community. The winner gets bragging rights until next year, as well as a yet-to-be-designed but guaranteed-to-be-awesome t-shirt.
The scoring format is a traditional 1/2/4/8/16/32 format with a twist – a bonus equal to the difference in seeds for each game in which you pick a lower-seeded winner.
To participate:
- Go to the tournament page.
- After logging in, click “Join Group”.
- Enter Group ID 82792.
- Enter the password.
Since you’re a member of the information security community, I can’t just give you the password, right? You’ll have to guess it. It consists of lower case letters and numbers, with no spaces…and all 4 parts of the passwords are information security related.
- Part 1 – Something that’s in the sky
- Part 2 – The 2010 information security acronym du jour
- Part 3 – The mascot of attrition.org
- Part 4 – The number of security risks found in the 2010 OWASP Top 10
In case you’re still scratching your head…and are willing to admit it, DM me on Twitter…or send me smoke signals and I’ll tell you the password.
Password hints added 2010-03-17:
- Part 1 – It’s fluffy and it’s stealing your org’s data
- Part 2 – It’s an anagram for an androgynous fictional character from the 1990s
- Part 3 – Really? Really?
- Part 4 – Really? Really?
Your final picks must be submitted by the scheduled tip-off time of the first game in the tournament on Thursday, March 18 (the play-in game on March 16 isn’t part of the contest).
The fine print:
And did I mention you have to be a member of the information security community to enter? To be eligible to win, I must be able to verify that you’re a member of the information security community. No more than 1 entry per person. Compromising the commissioner’s computer, compromising the commissioner’s account and exploiting vulnerabilities in Yahoo to do anything to affect the outcome of the contest are strictly prohibited.
The infosec QOTD: Famous quotes re-imagined (2010-03)
| Date | Re-imagined Quote |
|---|---|
| 2010-03-24 | “Nothing is more difficult, and therefore more precious, than to be able to change users’ behavior.” -Napoleon Bonaparte |
| 2010-03-22 | “They’ve done studies, you know. 60% of the time antivirus software works, every time.” -Brian Fantana (from Anchorman) |
| 2010-03-18 | “Data loss happens to everybody sooner or later if there is time enough.” -George Bernard Shaw |
| 2010-03-17 | “A person who never made a mistake never tried writing code.” -Albert Einstein |
| 2010-03-15 | “FUD is the art of convincing people to spend money they don’t have for security solutions they don’t need.” -Will Rogers |
| 2010-03-12 | “We do not quit hacking because we grow old, we grow old because we quit hacking.” -Oliver Wendell Holmes |
| 2010-03-11 | “It’s hard to beat a hacker who never gives up.” -Babe Ruth |
| 2010-03-10 | “It is an unfortunate fact that we can secure critical infrastructure only by preparing for cyberwar.” -John F. Kennedy |
| 2010-03-09 | “What we’ve got here is a failure to remediate.” -Luke (from Cool Hand Luke) |
| 2010-03-08 | “You can avoid security, but you cannot avoid the consequences of avoiding security.” -Ayn Rand |
| 2010-03-05 | “I can’t believe I gave my password to a geek.” -Samantha Baker (from Sixteen Candles) |
| 2010-03-04 | “From there to here, and here to there, vulnerable things are everywhere.” -Dr. Seuss |
| 2010-03-03 | “The elevator to security is out of order. You’ll have to use the stairs…one step at a time.” -Joe Girard |
| 2010-03-02 | “IT security is like war – offensive weapons are developed first and it always takes a while for the defense to catch up.” -Red Auerbach |
| 2010-03-01 | “The pain of the exploit is worse than the pain of the patch.” -Publilius Syrus |
We will, we will RockYou: A list of firsts
Last December, a hacker acquired the password list for RockYou by exploiting a SQL injection vulnerability which revealed the usernames, email addresses and passwords of a whopping 32.6 million users. And worst of all (besides the company’s attempt to first cover up the incident, then downplay it), the passwords were stored in plain text! Not that hashing would have slowed an attacker down much. Most users’ passwords consisted of short, common words or were all-numeric.
I ranked the 14.3 million unique case-sensitive RockYou passwords by frequency and reviewed the top 2,000 uniques (accounting for 4.7 million users’ passwords) to identify the top passwords by category, some of which are shared below.
Eminem is more popular than Jesus as a password for RockYou users? Who knew? 7,241 uniques of “eminem” versus 5,866 for “jesus”. When case-sensitivity is ignored the same holds true. 7,594 uniques for 7 variations of “Eminem” versus 6,449 for 9 variations of “Jesus”.
| Category | Password | Rank |
|---|---|---|
| Numeric sequence | 123456 | 1 |
| Passphrase | iloveyou | 5 |
| Female name | nicole | 11 |
| Male name | daniel | 12 |
| Animal | monkey | 14 |
| Fictional character | tigger | 25 |
| Food | chocolate | 27 |
| Sport | soccer | 29 |
| Color | purple | 33 |
| Profanity | fuckyou | 39 |
| Palindrome | hannah | 50 |
| Magazine | playboy | 59 |
| Slang | hottie | 62 |
| Entertainer | eminem | 75 |
| Religious figure | jesus | 103 |
| Place | america | 121 |
| Non-English word | sakura | 114 |
| Band | blink182 | 165 |
| Website name | myspace | 182 |
| Non-English passphrase | mahalkita | 198 |
| Month | september | 200 |
| Zodiac astrological symbol | gemini | 211 |
| Company name | samsung | 255 |
| City | barcelona | 273 |
| American city | orlando | 275 |
| Country | portugal | 301 |
| Auto manufacturer | mercedes | 353 |
| Repeating letter sequence | aaaaaa | 374 |
| Sports team | steaua | 400 |
| Drink | cocacola | 471 |
| Sports team (American) | lakers | 480 |
| Musical instrument | guitar | 550 |
| Celebrity (female) | shakira | 569 |
| Drugs | maryjane | 597 |
| ALL-CAPS | PASSWORD | 800 |
| Contains special character | iloveyou! | 984 |
| First letter capitalized only | Password | 1856 |
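The ranking described above (case-sensitive frequency count, then folding case variants together as in the “eminem” versus “jesus” comparison) is easy to reproduce for a password audit of your own. The following is an added example, not the author’s script and not RockYou data: the credential list is a small constructed sample, and the category heuristics cover only the mechanically detectable rows of the table (numeric, repeating, palindrome, special character, capitalisation); names, animals, bands and the like still need a wordlist or a human reviewer.

```python
from collections import Counter

# Constructed sample, one entry per user (NOT the RockYou dump).
SAMPLE_PASSWORDS = [
    "123456", "123456", "123456", "123456",
    "iloveyou", "iloveyou", "iloveyou",
    "Eminem", "eminem", "eminem", "EMINEM",
    "jesus", "Jesus", "jesus",
    "monkey", "monkey",
    "hannah",
    "s0m3th!ng-long3r",
]


def rank_case_sensitive(passwords):
    """Return [(password, user_count)] ordered by frequency, ties broken by string."""
    counts = Counter(passwords)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def rank_case_insensitive(passwords):
    """Fold case variants together.

    Returns [(lowercased_password, (total_users, distinct_variants))] ordered by
    total users, so 'Eminem', 'eminem' and 'EMINEM' count as one password with
    three variants.
    """
    variants = {}
    for pw in passwords:
        variants.setdefault(pw.lower(), Counter())[pw] += 1
    folded = {k: (sum(v.values()), len(v)) for k, v in variants.items()}
    return sorted(folded.items(), key=lambda kv: (-kv[1][0], kv[0]))


def coverage_of_top(passwords, n):
    """Fraction of all users whose password is among the n most common uniques.

    This is the 'top 2,000 uniques cover 4.7 million users' style of figure.
    """
    ranked = rank_case_sensitive(passwords)
    return sum(count for _, count in ranked[:n]) / len(passwords)


def classify(password):
    """Coarse, mechanically checkable categories (heuristics, order matters)."""
    if password.isdigit():
        return "numeric sequence"
    if len(set(password)) == 1:
        return "repeating character sequence"      # checked before palindrome
    if len(password) > 1 and password == password[::-1]:
        return "palindrome"
    if not password.isalnum():
        return "contains special character"
    if password.isupper():
        return "ALL-CAPS"
    if password[0].isupper() and password[1:].islower():
        return "first letter capitalized only"
    return "other"


def audit_report(passwords, top_n=3):
    """Summarise a list the way the post does: top uniques, case-folded totals,
    coverage of the top-N, and category labels for the top entries."""
    ranked = rank_case_sensitive(passwords)
    return {
        "total_users": len(passwords),
        "unique_case_sensitive": len(set(passwords)),
        "top": [(pw, n, classify(pw)) for pw, n in ranked[:top_n]],
        "case_folded": rank_case_insensitive(passwords)[:top_n],
        "top_coverage": coverage_of_top(passwords, top_n),
    }


if __name__ == "__main__":
    for key, value in audit_report(SAMPLE_PASSWORDS).items():
        print(f"{key}: {value}")
```

Run against a real export, the same three numbers are the ones worth reporting to management: how many distinct passwords exist, how much of the user base the top few hundred cover, and how many users differ only by capitalisation of the same word, since a case-insensitive guess list catches all of them at once.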
The infosec QOTD: Famous quotes re-imagined (2010-02)
The world is full of famous quotes…and quotes about information security, but famous quotes re-imagined as information security quotes is an unfilled niche. The Quote of the Day consists of well-known quotes modified ever so slightly to convert them into plausible (maybe?) information security quotes. Hover over a quote to reveal the original.
| Date | Re-imagined Quote |
|---|---|
| 2010-02-26 | “Pretexting is the most beautiful fraud in the world.” -Jean-Luc Godard |
| 2010-02-25 | “Brian Krebs always had a way of explaining things so I could understand them.” -Forrest Gump |
| 2010-02-24 | “He best keeps from danger who remembers the Sysadmin is always looking upon him.” -Plato |
| 2010-02-23 | “The young security pro knows the rules, but the old security pro knows the exceptions.” -Oliver Wendell Holmes |
| 2010-02-22 | “Phishing is a canvas furnished by gullibility and embroidered by fear.” -Voltaire |
| 2010-02-19 | “The IT security field is always in need of new cliches.” -Alan Perlis |
| 2010-02-18 | “As far back as I can remember, I always wanted to be a hacker.” -Henry Hill (from Goodfellas) |
| 2010-02-17 | “The more you explain cryptography, the more I don’t understand it.” -Mark Twain |
| 2010-02-16 | “We are going to have cloud security, even if we have to fight for it.” -Dwight Eisenhower |
| 2010-02-15 | “Never try to teach a user information security; it wastes your time and it annoys the user.” -Robert Heinlein |
| 2010-02-14 | “An information security officer cannot always be popular.” -Harry Truman |
| 2010-02-13 | “I love the smell of malware in the morning.” -Lieutenant Colonel Bill Kilgore (from Apocalypse Now) |