Blog Posts

Introducing Consli, easy scheduling and feedback for conference organisers and attendees

The number of security conferences shows no signs of slowing down, feeding an ever-growing appetite for talks, presentations and content. If you’re anything like us, both attending and speaking at conferences is part and parcel of your job, even if it’s one event per year. In the absence of publication channels available in other disciplines such as good quality journals, security researchers have the option of blog posts, ezines such as Phrack, mailing lists or conferences. Many choose to go

ThinkstScapes 2013-AH1: On the China report

The Mandiant APT1 report that was released a week ago has been causing some consternation, which makes it a ripe topic for our ThinkstScapes service. This morning, we issued an ad-hoc update to our customers containing our views of the APT1 report. In short, the data is interesting, but does not conclusively point to Unit 61938. There are too many open questions to justify the finger pointing. Take, for example, the markers released for the APT1 group. The report does

Your company's security posture is probably horrible (but it might be OK).

The past few years have provided us with a number of high-profile hacks and data breaches. In 2010 Google famously announced that they were hacked and put out details on the compromise (later dubbed the Aurora incident). In the months that followed, it became clear that Google were not the only Aurora victims. Companies in almost every sector from DuPont to Disney were also breached (but were less forthcoming on the details). If these companies, widely lauded as having

Introducing.. Signalnoi.se

This post is about 6 months overdue, but we have been busy with a whole bunch of interesting projects (which always manages to dent blogging time). One of these projects is http://signalnoi.se. We formed Thinkst to work on difficult, interesting problems, and while working on security problems for a well-known media organisation, we bumped into (a surprisingly common) problem organisations have: failing to benefit from the available insights afforded by the real-time social media networks. Signalnoi.se managed to win the Knight Foundation’s News Challenge

Etsy shows established companies the way..

Fred Wilson over at AVC.com wrote a piece on the Etsy offices (in 2010) titled: “The office matters”. In it he explained how “They are getting the best talent in NYC to come to their company” and commented on the importance of paying “attention to the office and the culture” of a company. Around the same time I had written a piece titled “Cargo Cult Startups” in which I posited that too many companies were faking startup culture, keeping draconian

The lamest hacks

A little while back, a colleague of a colleague approached me with a favour request that was hard to refuse (no, not that kind…). They had one of these external hard drives that supports on-drive encryption and, as you will have guessed, had forgotten the password. No more saved business docs, but also no more saved baby pics. “Could we have a look?”, they asked. A brief search online revealed companies who claim to be able to recover passwords for these

marco@thinkst.com

In 2009 I wrote a post on recruiting and mentioned “the T-shirt Test”. It read: The T-Shirt test is simply to ask yourself: “how will I feel standing at a conference, with this guy next to me wearing my company T-Shirt”. If you don’t like the thought, you shouldn’t make the hire. I still feel strongly about the T-Shirt test, and feel really strongly about the importance of company culture, which makes it crazily cool to officially welcome Marco Slaviero

Penetration Testing considered harmful today

Early last year we presented at 44con with a talk titled: “Penetration Testing considered harmful today”. 44con have just released the video so we figured it was worth a quick recap (for anyone not willing to tolerate the whiny voice!). The original slides (in PDF) are available (here). The central thesis of the talk is that penetration testing has established itself as a necessary activity for securing a network and is now pushed forward by a multi-million dollar industry despite

Penetration Testing considered Harmful Today

(This talk was given at 44Con in London (2010).) Brief details on it can be found here. The point of the next four slides is merely to establish some sort of credibility. Essentially it’s to try and establish that when I talk about pen testing, I do actually have some background in it. This is the central thesis of the talk, and I’ll try to explain why I believe this is true.. In 2010 we wrote a blog post titled

Chrome Extension for gpg in Gmail

Last month we released an alpha version of cr-gpg. This is a simple Chrome extension to enable gpg functionality in Gmail (or Apps for Domains). (If you don’t know what gpg is, you should first read this and this.) Installation: You can grab the extension from [here] and a double click should install it, after the install is completed you should see the image above if you navigate to chrome://extensions. Options: Once you have installed the

Authored with 💚 by Thinkst