Writing


Security Blog

  • Nine Years After: From Aurora to Zero Trust

    How the first documented nation-state cyberattack is changing security today.It’s January 12, 2010. In a blog post, Google publicly discloses that it has been the victims of a targeted attack originating in China. The attack resulted in the theft of intellectual property, but the attackers didn’t stop with Google — they targeted at least 20 different…

  • Composing Defences

    In the realm of information security, terms like “defence in depth” and “layered defences” are often used superficially. However, it’s crucial to delve into their evolution and reconsider defensive architectures in a network-centric world. Understanding how defences integrate, stack, or present choices to adversaries is vital for creating effective and cohesive security measures. Approaches such…

  • A Perimeter of One

    In the era of graphite-and-paper enterprises, control over information assets was tangible. With the introduction of computers, the security mindset remained rooted in physical perimeters, failing to adapt to the untrustworthiness of interconnected systems. As smartphones and laptops become extensions of users, the modern enterprise must shift to a model where trust is not implicitly…

  • Zombie Vivification

    The state of cybersecurity is worsening, with breaches becoming commonplace and vulnerabilities increasing in number. However, this trend is a reflection of our pace of innovation and development in networked technologies. Startups, akin to zombies, operate in a high-risk environment and make daring choices for survival. We inherit the cybersecurity risks born out of these…

  • The Future of The Internet — and how to secure it

    In a world where the Internet was once limited to a select few, security concerns were nonexistent. However, today’s reality is far from that. High-profile vulnerabilities like Heartbleed and Shellshock have exposed the flaws in the web’s security infrastructure. HTTPS, while offering some protection, still faces numerous vulnerabilities that adversaries can exploit. Trusting certificate authorities…

  • Dancing Poodles

    The POODLE attack, a chosen-plaintext attack, exposes vulnerabilities in SSLv3 block ciphers, compromising encrypted session data. This highlights the need to transition to TLS. Additionally, the SSL/TLS version selection fallback mechanism poses risks of protocol downgrades, but TLS Signaling Cipher Suite Value (SCSV) provides a solution to prevent such attacks.

  • The Brittleness of the SSL/TLS Certificate System

    The Heartbleed vulnerability highlighted the limitations of the current certificate revocation process. Revocation models like certificate revocation lists (CRLs) and online certificate status protocol (OCSP) face scalability and performance challenges. One alternative is DANE (DNSSEC Assertion of Named Entities), which places trust in DNSSEC instead of the CA hierarchy. The current system does not meet…

  • Closing the Skills Gap

    Recruiters often misunderstand the “skills gap,” confusing it with their own difficulties in writing accurate job descriptions. Security professionals should focus on bridging the gap between security and the business, helping decision-makers understand the risks involved. Thinking systematically, problem-solving, effective communication, and kindness are vital skills in the field. Certification alone does not guarantee mastery;…

  • Whither HSMs (in the cloud)

    Hardware Security Modules (HSMs) are widely used to protect cryptographic material and handle cryptographic functions. However, when it comes to protecting SSL certificates in the cloud, it is essential to consider the specific goals and adversaries. While HSMs can inhibit key copying, they may have limitations in distributed data centers where the API remains exposed…

  • Assessment of the BREACH vulnerability

    The BREACH vulnerability exploits HTTP-level compression to extract secret information from SSL-enabled websites. Applications that echo user-injected data, contain static secrets, and use HTTP compression are vulnerable. Disabling compression and altering response dynamics can help mitigate the risk, but there are performance and feasibility considerations. Evaluating cipher usage, rate-limiting requests, and modifying chunked encoding are…


Leadership Newsletter

  • Merry Christmas!
    Merry Christmas!

    Leadership Moment: Happy Holidays I got a flurry of last-minute holiday greetings last week. Almost universally, they said things like, “Happy Holidays” or “Greetings this holiday season.” The challenge, of course, is that they waited until after Hanukkah was over, and most of the time, the accompanying imagery was quite evocative of Christmas. Receiving those… Read this …

  • Trainwrecks and Universities
    Trainwrecks and Universities

    Leadership Moment: Overlawyering It feels like I’ve been commenting on university leadership a lot lately, and maybe that’s because MIT, Harvard, and Penn have been providing a masterclass in how not to lead large organizations. Those three university presidents were in front of Congress last week (which is always a circus), and were repeatedly asked… Read this …

  • Move Fast and Break Teams
    Move Fast and Break Teams

    Leadership Moment: No Teams Left Behind It’s always interesting news when a company’s board fires its CEO, as OpenAI did with Sam Altman. When a large chunk of the company threatens to resign, and then Microsoft swoops in with a job offer too good to be true – no need to use Teams! – and… Read this …


Fiction