Tuesday, April 26, 2011

Dynamic Prevention of Common Passwords

Remember the 370 passwords you were not allowed to use on Twitter? If not, here's the story, as told by @TechCrunch. You have probably experienced - maybe even implemented - the same kind of static blacklisting in other online services, in your corporate network or at your personal workstation. I have. It doesn't really help much in the long run, unless blocking Conficker from gaining access (list by Sophos - @gcluley) is your ultimate goal. Here I suggest another, more dynamic approach to the problem of commonly used (and eventually also bad) passwords.

Friday, April 22, 2011

Consolidate my posterior...

While I was asleep...
As I'm sure many of you are aware of by now, Apple iOS 4.x contains a database file named consolidated.db, in which your every move (or at the very least, the movements of your device) is recorded. This, according to conspiracy buffs and privacy advocates, is done to make life easier for Gil Grissom or whoever your local CSI representative is. As an international black market arms dealer security professional, I've been curious about how useful the collected data really is, especially since a lot of the comments on the subject claim that the coordinates and time stamps are wildly inaccurate. So I decided to figure this out for myself, and proceeded to crank up Google Earth...

Wednesday, April 13, 2011

Security Think Tank

On Monday April 4, I did a presentation at the Scandinavian ISACA conference, held in Oslo, Norway. The title was "Board Member Security" (Link to Slideshare), and it was part of the governance track. I will get back to the contents of the presentation later; first of all I would like to introduce the people behind the presentation.

Saturday, April 09, 2011

Passwords^11 - REGISTER NOW!

Twitter hashtag: #passwords11

We are getting ready. You can now register for participation at Passwords^11, a 2-day conference on passwords & PINs. Free for all, at the University in Bergen (Norway), on June 7-8. Limited seats available. Quite possibly the very first-ever conference *only* about passwords & PIN codes! :-)

Saturday, April 02, 2011


I am a bit surprised that Janne Hagen at FFI, at the latest FFI-FORUM, is reported to have pointed out that we have "...a fragmented state responsibility for IT security" (NSM blog post, 1 April 2011. I doubt it is an April Fools' joke). I assume she is then speaking about the actual level of security compliance in the public sector; as for where the responsibility lies, there should be no doubt about that? The chairman of the board is called Harald, the CEO is called Jens, and the general assembly is called Stortinget. They are responsible for security.

Friday, April 01, 2011

The end of passwords

After more than 9 years of research on passwords, there is no doubt anymore: we should get rid of them. No, not by implementing any so-called alternatives such as biometrics or 2-factor token authentication. Be smart, use a blank password on your account. It's much easier, we can downsize customer support by at least 50%, it's completely free and every CFO will be ecstatic. Who would ever think that you would be so stupid as to not use any password at all? Based on this, I will discontinue my research into passwords, as it is neither fun, interesting nor useful anymore.