Sunday, February 12, 2012

Activesync and FIPS 140-2 part 1

Perhaps the best Dilbert/Mordac ever...?
I am not Mordac. I can admit to having been a bit similar to Mordac once upon a time, but that is a looong time ago. I'll bet I can get somebody to confirm it, at least if I get to "talk" to them a little bit before you do. ;-)

Seriously, I've been doing some testing with Microsoft ActiveSync in order to find some common ground across iOS & Android for setting a "good practice" password policy level. After spending some time on this, I think Mordacs work at Apple & Google. I also think that Mordac was involved in the creation of FIPS 140-2, at least when somebody thought it would be a good idea for mobile devices.

I'll explain that later on, but first, two simple things to remember here:
1. A default policy, no matter which product, should never be considered "secure" or "good enough".
2. I say Good Practice. "Best practice" cannot be proven legally, period. There is a legal difference here.

Monday, February 06, 2012

STARTTLS & the Police

[Kids say the darndest things...]
The FBI got "hacked" by Anonymous (NYTimes), who eavesdropped on an international telephone conference regarding criminal activities by Anonymous. The hack wasn't all that sophisticated (...), since they probably got access to the meeting invitation sent by e-mail (pastebin), which contained all the necessary info. Just a few tips here for those interested:

Simple Security Usability part 1

[Grabbed from Microsoft. Too lazy to make my own. Sorry.]

Try searching Google for pictures related to "security usability". You will find quite a few pictures similar to the above.

Is that really the simple - and stupid - truth? Does it always have to be like that? I'd like to fight against some misconceptions in the area of security vs usability. Here's a very simple example: improving security by simplifying usability.

Friday, February 03, 2012

Minimum Password Length POO

[Picture showing U+1F4A9]
Looking at the wonderful new character named "Pile of Poo" in Unicode 6.0 (not 6.1, as re-tweeted by many...), I think my spontaneous competition on Twitter on Jan 31 became even more fun to write about now. While I still owe you a write-up of loads of opinions for/against periodic password changes, I'll drop this one as an input to the "minimum length" discussions as well.
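The post does not say what U+1F4A9 contributes to the minimum-length discussion, so the following is an added example of my own, not code or an argument from the blog: it shows that the "length" of a password containing a character outside the Basic Multilingual Plane depends on what the implementation counts. The minimum of 8 and the three counting units (Unicode code points, UTF-16 code units, UTF-8 bytes) are assumptions chosen for the demonstration; the sample password is constructed here.

```python
# Added example, not from the original post. Demonstrates that a single
# minimum-length policy ("at least 8") gives different verdicts for the same
# password depending on the unit the checker counts. The unit names and the
# default minimum of 8 are assumptions made for this example.

POO = "\U0001F4A9"  # U+1F4A9 PILE OF POO, added in Unicode 6.0


def length_code_points(pw: str) -> int:
    """Unicode scalar values; this is what Python's len() counts."""
    return len(pw)


def length_utf16_units(pw: str) -> int:
    """UTF-16 code units; characters above U+FFFF take a surrogate pair (2 units).
    This matches how String.length behaves in Java and JavaScript."""
    return len(pw.encode("utf-16-le")) // 2


def length_utf8_bytes(pw: str) -> int:
    """UTF-8 bytes; U+1F4A9 takes 4 bytes. A C-style strlen() on a UTF-8 buffer
    would count this."""
    return len(pw.encode("utf-8"))


COUNTERS = {
    "code_points": length_code_points,
    "utf16_units": length_utf16_units,
    "utf8_bytes": length_utf8_bytes,
}


def meets_minimum(pw: str, minimum: int = 8, unit: str = "code_points") -> bool:
    """Apply a 'minimum length' policy using the named counting unit."""
    return COUNTERS[unit](pw) >= minimum


def verdicts(pw: str, minimum: int = 8) -> dict:
    """Return each unit's count and pass/fail for the same password, so the
    disagreement between implementations is visible side by side."""
    return {
        unit: (counter(pw), counter(pw) >= minimum)
        for unit, counter in COUNTERS.items()
    }


if __name__ == "__main__":
    # Constructed sample: four Pile of Poo characters and nothing else.
    sample = POO * 4
    for unit, (count, ok) in verdicts(sample).items():
        print(f"{unit:12s} count={count:2d} meets_min_8={ok}")
```

A checker that counts bytes or UTF-16 units will accept the four-character sample as "8 or longer", while one that counts code points rejects it. When a password policy is enforced in more than one place (server, mobile client, directory), the unit needs to be stated explicitly, or the same password will pass in one component and fail in another. Note that none of these three counters handles grapheme clusters (for example a base character plus combining marks), which is yet another possible unit.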