Friday, February 26, 2010

Sikkerhet i spørreundersøkelser

25. Oktober 2007 hadde jeg et innlegg i Aftenposten med tittelen "Er anonyme undersøkelser anonyme?". Dagen etter ga de meg støtte til mine synspunkter på lederplass. Takk til dem for det. Trygve Hegnar kom også på banen med en kommentar, men jeg er fortsatt usikker på om han forstår konsekvensene av det han uttalte der.

Nå er det kanskje på tide å avsløre at mitt innlegg i stor grad var basert på en kundeundersøkelse jeg mottok fra Bergens Tidende, men som også ble benyttet av Aftenposten i sin tid. Interessant da med en leder fra Aftenposten som "slaktet" det opplegget deres eget morselskap benyttet mot sine kunder. Jaja. Om ikke annet så bekrefter det et prinsipielt viktig skille mellom den redaksjonelle og den salgs/markedsmessige siden hos Aftenposten, og det er vel positivt? :-)

Det er på høy tid å gi en liten oppfølger til det innlegget.

Monday, February 22, 2010

Never trust password meters

On February 20th, Mikko Hypponen of F-Secure tweeted this message (click for full size):

He linked directly to this jpg file, while the graphic belongs to this article at CXO Europe. I usually find his tweets to be very interesting, as well as blog posts from the F-Secure team as well, so don't get me wrong here. Being a little obsessed with passwords after researching them for approximately 9 years, I had to take a look at this article. (Most articles on password strength and passwords in general are full of assumptions, a blend of information from various resources, and a bit of personal opinion from the author at the time of writing. At least that is what I think of them.)

The CXO article had tested a bunch of passwords against the password strength meter of Google Mail, which you can find when creating a new account (or changing your existing one). The graphic from CXO summarizes the strength of the passwords. Looking at that for <5 seconds was enough for me, i had to release this blog post which I've been thinking about for quite some time.

Friday, February 19, 2010

Contributing to the official Elcomsoft blog

Just a quick note to inform you that i am now a contributor to the official blog from Elcomsoft:

My very first posting there is entitled "Why you should crack your passwords". Questions and comments are always welcome!

Thursday, February 18, 2010

The one-frame explanation on how to defeat biometrics

Well, seems like at least one person thought my "cartoons" were kind of funny... hm. Well, here's one more, in order to simplify some seemingly advanced technologies. Click the image for full size.

Questions on board liability insurance

Board members in Norway, including the chairman, has the opportunity to purchase board liability insurance (also referred to as Directors & Officers Liability Insurance). This link provides simple background information (in English) on the purpose of such an insurance from a Norwegian insurance provider.

According to the Norwegian Companies Act §17-1,  board members (members of the corporate assembly, CEO, shareholders) will be held liable for the losses they intentionally or negligently cause during the execution of their duties. Every individual board member who is made responsible - eventually in solidarity with one or several others, and not the board as a collective organ. Board members can get insurance against the liability they expose themselves to in their function as members of the board. 

This is a topic I find interesting in relation to maintaining adequate security for any business. What risk does such an insurance represent to the business itself and its employees?

Wednesday, February 17, 2010

Spørsmål om styreansvarsforsikring

(for English readers: this post is about board liability assurance, and will also be available in English)

Styremedlemmer i Norge, inkludert styreformann, har mulighet til å inngå styreansvarsforsikring, noen steder bare referert som styreforsikring. Bakgrunn og formål er enkelt oppsummert hos HSH StyreNorge:

"Etter aksjelovens § 17-1 blir styremedlemmer (medlemmer av bedriftsforsamlingen, daglig leder, aksjeeiere) erstatningsansvarlige for tap de forsettlig eller uaktsomt volder under utførelsen av sin oppgave. Det er det enkelte styremedlem som blir ansvarlig – eventuelt solidarisk med en aller flere andre, og ikke styret som kollektivt organ.Styremedlemmer kan langt på vei forsikre seg mot det ansvaret de eksponerer seg for i sin funksjon som medlemmer i styret."

Dette er et tema jeg finner interessant i forhold til å ivareta tilstrekkelig sikkerhet for enhver virksomhet. Hva innebærer egentlig en slik forsikring av risiko for virksomheten og dens ansatte?

Tuesday, February 16, 2010

Risks when using social networking services

This article is partially based on some text I've written earlier about the risks of using social networking services such as Facebook, Linkedin, Twitter etc. Before you continue to read, remember that this is written from a business perspective where secrets exists, both from competitive as well as from regulatory requirements. In other words, this is your employer speaking.

I decided to put this out as a blog entry here, as I've gotten into several discussions lately on security, or the lack of it, in such services. I'm registered on a wide range of such social networking services myself, using some of them more frequently than others. My mission here is not to scare away anyone from using them, but to encourage a safe introduction and usage of such services to any organization or enterprise. You have to do it correct the first time around, second chances are very rare in this world.

Monday, February 15, 2010

Kudos (and complaint) to Wacom!

I received my Bamboo Fun small pen & touch today. I like it, but enough with the marketing talk.

As I always try to do, i wanted to register my new device, download the newest drivers etc. Visiting, i followed directions and was asked to create an account for myself. Struggling hard with the absence of https and other issues, i decided to register the product anyway. Probably not the very worst information to loose control of anyway.

Friday, February 12, 2010

Svar fra Henriette! :-)

Nedenstående er mottatt pr mail og postet av meg som nytt innlegg (det fortjener det). Litt krøll med Google Accounts i dag + litt tidspress gjorde at det ble gjort slik som dette.  mvh. Per
 Hei Per

Takk for konstruktive innspill. 

Aller først: Jeg ville ikke ha kalt deg det ”security guy” med mindre du selv hadde omtalt deg som det i bioen din på Twitter – og det var ikke vondt ment, ei heller ment for å provosere.  
Du har mange gode poeng. 

Til Henriette, fra Per

Hei Henriette!

Her er blogginnlegg fra meg, ref vår dialog på Twitter. Jeg antar at dialogen fra din side er på vegne av din arbeidsgiver. Mitt svar er mine meninger, punktum.

Uansett, jeg skulle skrive litt i forhold til mine erfaringer, ref din tidligere artikkel "Hvordan selge inn sosiale medier internt". Jeg svarte deg på Twitter med "Nå om dagen er det ikke mye behov for å selge det inn, men å holde det tilbake i kontrollerte former". Jeg følte meg vel litt stemplet da du svarte "the security guy", riktignok med smiley vedlagt. Derfor dette innlegget fra meg. :-)

Thursday, February 11, 2010

What's a wordlist?

"You should not...". An opening phrase commonly used by security people while talking to others, while "Thou shalt not..." is used somewhere else. I've said it myself countless times, still trying to change that.

Maybe we should do a competition; the first security person who can stay away from answering "no" or saying "you should not..." for a month gets an award? I guess it would be a tough challenge to many security administrators out there!

Tuesday, February 09, 2010

"Karsten experiences reality"

I just had to make this cartoon as well. Again to illustrate an important point to all the paranoid people out there. Please note that i made this with an enormous respect for the work conducted by Karsten Nohl , Chris Paget
(and probably many others as well). The work they've done on A5/1 is incredible (to me at least), and I'm still reading the even newer stuff on KASUMI (A5/3). I'll get back on both in later blog posts.
(Click the picture to see it full size).

Monday, February 08, 2010

Handmade graphics!

Enjoying a rather quiet evening, and - boom - a few ideas for a simple comic (?) strip enters my head. Well, not really a comic.. I don't know. Heavily inspired by xkcd I guess. I haven't made a drawing of any kind for ages, as far as i can remember. Can't draw anything really :-) For some reason this one came to mind, I just had to make it. Maybe another will appear as well very soon. Be nice, I'm trying to illustrate a point here (click for full size).

Saturday, February 06, 2010

Question: What about RFID security?

A good colleague of mine asked me if i could write something about RFID security. Sure! :-)

First of all; I'm not an expert on RFID, so if any readers of this blogpost should disagree, please tell me asap at per - at - thorsheim DOT net. Thanks! :-)

Wednesday, February 03, 2010

Criticism of PCI password requirements

In my daily job I work with standards such as PCI and ISO27001, as well as numerous other standards and regulatory requirements. Before proceeding, I'll repeat that the opinions expressed here are my own, period.

I saw Ben Rothke being quoted today (Feb 2nd) in this article at along with Marcus Ranum of Tenable Security. In the same article there's also Bob Russo, general manager of the  PCI Security Standard Council. Bob Russo is quoted as saying "The standard is solid; there is nothing in the standard which needs change or requires to be addressed immediately". I'm not going to challenge any of them on their opinions in the article, since i fully agree with what they are saying, except the quote from Bob Russo here.

The Password Meta Policy

Light CaressPatterns. They're everywhere. The way you get dressed in the morning. The way you brush your teeth. The way you fold your underwear (or in men's case, the way you just toss them in a drawer, unfolded). The way you tie your shoes or neck tie. The way you start your car. The way you drive to work. The way prepare and eat food. The way you make love...

Whenever we do anything more than once, we tend to create patterns that dictate how we perform even the most minuscule task. Patterns are good. In fact, patterns are great! They help us predict how much time and effort each task will take, and they reduce the amount of processing our brains need to do to get a task done. They also makes it easier for others to predict how we will behave in a given situation, which in turn makes cooperation easier.
But sometimes, patterns just suck. Bear with me while I explain...

Tuesday, February 02, 2010

The Password Policy Fallacy

As I am shutting down my mostly inactive blog, I'll start my guest blogging career by reposting the few blog posts I made there. Here goes...

Well, that was funny! At least I thought so back in 1998, when I first saw that Dilbert strip. Like many others, I thought that there was no way we would ever subject ourselves to such a complex and draconian password policy. Little did we know then, that 11 years later, the brutal reality is that we wish our password policies were that simple.

New contributor to this blog

Quick announcement: my friend and colleague Jan Fredrik Leversund (KluZz) is joining my blog as a contributor. He is already helping me out with some really nice coding for password analysis, and we have some other projects as well for future blog posts.