
For and against security checklists, frameworks, and guidelines

We have seen many of these by now, starting with old ones like FIPS 140 and continuing with more recent additions such as the NIST CSF (Cyber Security Framework). The question is: are they worth my time? What are they good for? Do we need to adhere to them? In a nutshell, I think they have their value and need to be consulted, but not worshiped.


Bruce Schneier on Israeli export control

I usually agree with the opinions expressed by Bruce Schneier. Seldom do I think that he is dead wrong, and even less often do I think that an essay of his is plainly unsubstantiated. About a month ago, he published such a post, titled "How Israel Regulates Encryption". He quoted research that sounds sensible, but ended up interpreting it entirely wrongly, in my opinion.


The status of Truecrypt (2nd edition)

It has been a while since Truecrypt was discontinued. It still works on most platforms, including new Windows machines (except for full-disk encryption on some of them), and there is still no evidence to indicate that it is insecure; nevertheless, users of Truecrypt find the situation bothersome, and for good reason. By now it seems obvious that an alternative has to be found.


GSA Executive Forum

I will be speaking at the GSA Israel Executive Forum on October 14, 2015.

The keynote I will deliver is titled: “Security: the Key Challenge to IoT Adoption”.

For more information visit the event website.

Added on 2015-10-15: You can find the keynote slide-deck attached to this post.

Unsafe IoT safes

I have been saying that one of the challenges with securing IoT is that IoT device makers don't have the necessary security background, and that the security industry does not do enough to make cyber-security more accessible to manufacturers. We should therefore not be surprised that 150 years of experience in making robust safes and transferring money securely did not help Brinks once they introduced a USB port into one of their new models.


Discretix Technologies is now part of ARM

Discretix Technologies, a.k.a. Sansa Security, has been acquired by ARM, as has now been announced. I have been working with Discretix since its establishment, 15 years ago, and have been serving as its CTO and as the head of its CTO Office since January 2012.

Discretix is a pure-play security provider in the embedded domain. Over the years it has migrated from producing hardware-only crypto solutions to producing hardware and software solutions for content protection, to providing a client-server solution for provisioning, and finally to launching a provisioning service and operation. Sticking with this company throughout those changes easily counts as one of the most special experiences in my career.

Why secure e-voting is so hard to get

A few days ago I gave a lecture about innovation, and one topic that came up was the security of e-voting. It is widely accepted in the security community that e-voting cannot be made secure enough, and yet the existing literature on the topic seems to lack a high-level discussion of the basis for this assumption.

Following is my opinion on why reliable fully digital e-voting cannot be accomplished given its threat and security models.


Book review: "Creativity, Inc." by Ed Catmull

This is an atypical management book. Aside from the fact that it is very well written, it is full of insights that you can actually relate to and use. It makes sense, and unlike other management books that "make sense" because they preach obvious trivialities, this one brings up points that are truly insightful.


Running an effective security research team

I have been running a security research group at Sansa Security since 2006, and while I think about it often, I have never published a post about how to run an effective security research team. So here is a first post on this topic, with the intention of writing additional installments in the future.

I will address a few topics that come to mind at the moment: staffing, external interaction, being in the know, and logging. Feel free to bring up other topics of interest as comments to this post.
