Blog

17 - How do normal users make good security decisions?

Most security products exist in what economists call a Market for Lemons (https://en.wikipedia.org/wiki/The_Market_for_Lemons), which means that purchasers lack the ability to tell a good product from a bad product.

16 - Blockchain has a history

NOTE: This email was sent out without this introduction; it is preserved here as I wrote it, rather than as I sent it out. Sorry to everyone who missed this.

15 - Who holds data on you, and what do they do with it?

This newsletter comes to you from a chilly field in the wilds of the UK, where hackers and makers of all forms have gathered to share news, tips and techniques. The amount of future tech on show that is bodged together with tape, glue and exposed wires is quite fun and always eye opening.

14 - How many breaches will it take?

It sometimes feels like the news in cybersecurity is an endless slew of breaches, with security professionals standing to one side saying "I told you so". This attitude of enjoying disaster porn, or Schadenfreude, doesn't make us look very good as a profession, but it is understandable. We should be trying to learn from breaches: working out what happened, what was involved, and what steps we could take that would prevent it next time.

13 - Making sense of a complex world

It's a quiet week this week as I prepare for a family holiday and try to get all my work done before I leave, but here's a selection of the best reading I've seen in the busyness of the week.

12 - Should we trust cyber security stats?

Several articles this week about various statistics in cybersecurity, which makes me question the mechanism by which we gather these statistics and how they are presented.

11 - Two factor or not two factor, that is the question

This week has all been about two-factor authentication. For me, I read the Motherboard article first, but then the Reddit incident and the claim last week from Google made me perk up my ears, and then the internet exploded with comment about two-factor authentication. In my original comments on these articles I kept asking the question "It might not be brilliant, but isn't it worse if we don't use it?"

10 - That’s edition 8 in octal

So this week we reach two milestones at more or less the same time. This is the 10th newsletter, that's 10 weeks in a row compiling and sending this out, and we also reached 100 subscribers this week, so huge thanks to everyone who subscribes, who is passing it on to friends, and for the several hints this week about things to add.

9 - Better late than never

NOTE: This letter was mistakenly sent with the subject #8 - Better late than never

8 - Where are you spending your security budget?

What is the time and money that companies set aside for security actually spent on? Lots of CISOs and security managers I talk to exclaim that they need significantly bigger budgets, that they can't do all of the stuff that is asked of them.

7 - Security has to be usable to be any good

This week there has been a swathe of articles covering usable security in various forms. I'm loving seeing more and more organisations come up with ways to balance usability and security. We're never going to get this perfect, but we have to try.

6 - Whose fault is a breach anyway?

This week saw an interesting breach of the Ticketmaster payment processing system. A third party, Monzo, noticed the breach months before Ticketmaster were able to confirm it. Ticketmaster claim it wasn't their breach but one of their suppliers'; the supplier admits being hacked but claims it wasn't their responsibility, as they didn't recommend putting the JavaScript onto the payment processing pages.