We have seen many of those by now, starting with old ones like FIPS 140 and ending with more recent additions such as the NIST CSF (Cyber Security Framework). The question is: are those worth my time? What are they good for? Do we need to adhere to them? In a nutshell, I think they have their value, and need to be consulted, but not worshiped.
I usually agree with the opinions expressed by Bruce Schneier. Seldom do I think that he is dead wrong, and even less often do I think that an essay of his is bluntly unsubstantiated. About a month ago, he published such a post, titled: How Israel Regulates Encryption. He quoted research that sounds sensible, but ended up interpreting it entirely wrongly, in my opinion.
It has been a while since Truecrypt was discontinued. While it still works on most platforms, including new Windows machines (except for full-disk encryption on some of them), and while there still is no evidence to indicate that it is insecure, users of Truecrypt find the situation bothersome, and for a good reason. By now it seems obvious that an alternative has to be found.
I have been saying that one of the challenges with securing IoT is that IoT device makers don’t have the necessary security background, and the security industry does not do enough to make cyber-security more accessible to manufacturers. We should therefore not be surprised that 150 years of experience in making robust safes and transferring money securely did not help Brinks once they introduced a USB slot into one of their new models.
Discretix Technologies, a.k.a. Sansa Security, was acquired by ARM, as has now been announced. I have been working with Discretix since the day of its establishment, 15 years ago. I have been serving as its CTO and as the head of its CTO Office since January 2012.
Discretix is a pure-play security provider in the embedded domain. Over the years it has migrated from producing hardware-only crypto solutions to producing hardware and software solutions for content protection, to providing a client-server solution for provisioning, and finally to launching a provisioning service and operation. Sticking with this company throughout those changes easily counts as one of the most special experiences in my career.
A few days ago I gave a lecture about innovation, and one topic that came up was the security of e-voting. It is widely accepted by the security community that e-voting cannot be made secure enough, and yet the existing literature on the topic seems to lack a high-level discussion of the basis for this assumption.
The following is my opinion on why reliable fully digital e-voting cannot be accomplished given its threat and security models.
This is an untypical management book. Aside from the fact that it is very well written, it is full of insights that you can actually relate to and use. It makes sense, and unlike other management books that “make sense” because they preach obvious trivialities, this one brings up points that are truly insightful.
I have been running a security research group at Sansa Security since 2006, and while I think about it often, I never bothered to publish any post about how to run an effective security research team. So here is a first post on this topic, with the anticipation of writing additional installments in the future.
I will address a few random topics that come to my mind at this moment, about staffing, external interaction, being in the know, and logging. Feel free to bring up other topics of interest as comments on this post.