Adama's Rule

Adama's Rule is a design principle for computer systems that, given the increasing prevalence of computers in traditionally non-computerized products, needs significant attention.

It can be stated thus:

Do not network anything that can kill you.

The name derives from the 'Battlestar Galactica' reboot, where the Cylons (malicious robotic ...

Brown Hat Security - Business practices in the age of the wire fraud scam

The CEO/CFO wire fraud scam has grown increasingly common as of late, and has very successfully bilked businesses out of great quantities of money. This is, fundamentally, an information security problem and should be treated as such.

The scam goes like this: a CEO is traveling to a foreign ...

Brown Hat Security - Password Recovery Procedures

Password recovery procedures - for when users forget their passwords - are often an excellent way for an attacker to compromise security at an organization. The ability to bypass the normal authentication procedures enables the attacker by allowing them to ignore the usual security measures - sometimes in a way that allows access ...

Brown Hat Security - Things Published Elsewhere

I wrote a guest-post for AlienVault earlier in the week; it can be found here

Brown Hat Security - A NetAdmin's Manifesto

This is my network. Anything inside this gateway is mine. Any traffic within this network only exists because I allow it. Any systems connected to this network are only there on my sufferance. Every frame on the LAN, whether wireless or wired, is there only because I have explicitly decided ...

Brown Hat Security - Phishing the Government

The CISO of the Department of Homeland Security made a statement which the information security world has found to be somewhat controversial.

He is quoted in the above-linked article as saying:

"Someone who fails every single phishing campaign in the world should not be holding a TS SCI [top secret ...

Dangerous Technologies and the Propagation of Information

A recent article on the tracking of cellphones led to a discussion in my twitter feed about the use of private industry innovation by government, and the potential for its "misuse" by governments and those who are perhaps less ethical than those who are using these tools and techniques for ...

Brown Hat Security - In Defense of Hard Deadlines

Security researchers inevitably have a conundrum when it comes to disclosure of vulnerabilities. On the one hand, if they try to do the right thing, they may suffer any number of legal penalties as uncooperative vendors or operators, resentful of the researcher's activities, seek to prosecute rather than patch ...

Brown Hat Security - Moving Targets

Security is a constantly moving target. There is no case where a given system can be presumed to be "secure" - information security is a process, not a goal. Even the best secured system will be vulnerable to new research over time: those who want to attack systems to extract information ...

Brown Hat Security - Attack Surfaces

To secure a building, you need to lock and alarm windows and doors, and restrict the capability of people to enter and exit to a known, monitored entrance. Information systems require the same kind of care and attention, though they frequently do not receive it.

Many home and business systems ...