Thursday, October 28, 2010

Go Follow the Wh1t3 Rabbit

Hey readers - if you haven't figured it out yet, I'm not updating this blog as often as I'd like to due to the day-job taking up most of my time.  I still post here but it's not every day like it used to be ...

So if you're looking for content ...go and Follow the Wh1t3 Rabbit on my HP Web Application Security blog:

Following the Wh1t3 Rabbit -

Thanks for reading ...keep it here, I'll keep posting!

Saturday, October 23, 2010

"Not Valid Until Signed"

I feel the need to blog this because it has everything to do with the state of security these days...

I went to my local post office the other day, and along with the normally grumpy man at the window in this one-room shanty I got a little extra attitude.  Like many of you reading this, I never sign the backs of my credit cards as a rule.  I know it's really not buying me all that much in terms of security or fraud protection - but I figure if I lose my card I really don't want the jackass who tries to use it to also have my signature to copy later.

That being said, I bought a small book of stamps because there are still companies that require you to mail things in the post and went up to the window to pay with my credit card.  The man at the window takes my card, swipes it, and then looks at the back of the card where instead of a signature it says "Require Photo ID" ... then hands the card back to me and says "Sign this or I can't take it".

I looked back at him curiously for a moment, then said in a polite tone "no".  His answer to me was to hand me back the card and ask for a different form of payment.  When I asked why - he told me it's because the "law requires me to sign my credit card ...see, it says so right there".  Actually, he's wrong: there is no such law that I know of, and I've used that card a million times without ever being told to sign it.

So I took the card back, paid cash and left ... but now I have this burning question in my brain - can a merchant really refuse my card because it's not signed?

The answer, according to my Bank of America rep ... is absolutely NO.  For the record, as far as I can tell, you are NOT required to sign the back of that card, and there is nothing that legally says you must ...

Of course, my local mailperson was just following the rules ...or trying to be the grumpy bastard he normally is ... or just doesn't know better.  I don't know which of those (or all?) are true but the bottom line is I'm not going to sign my card, and you shouldn't either.

Thursday, October 14, 2010

Paranoia: Everything is broken, revert to text

I had to blog this, since I saw a post come across Twitter earlier from a friend of mine commenting on how some PR people are sending around press releases on PDFs to him.


Oh, that's right ... PDFs are now considered tainted or potentially malicious attachments.  So that means that you shouldn't ever open a PDF again?  Or you COULD just run it through one of these online PDF conversion services, such as this one ( ...right?

But my point is a little deeper.  Has the pendulum gone so far to the highly complex technologies side that we're now seeing a backlash against things like PDFs?  Are PDFs now inherently untrusted attachments?  If so ... do we revert back to text-only email?

Where does this end?  What do you consider malicious attachments or technologies ...such that you'll avoid their use altogether?