Information Sharing

I recently had a meeting with my executive and was requested to put together a presentation comparing the security posture of our organization to that of other organizations, particularly those in the same sector and of similar size.

As a starting point, I used LinkedIn to identify peers in organizations which matched that criteria. I then set about approaching each of them to identify their willingness to share information regarding specific security threats their businesses are facing and how they are responding to them.

For the most part I have found the sharing of information to be fairly impressive and there appears to be a real willingness to work together with a few key individuals going forward.

It is interesting that as security professional we do not do more to share information between us regarding threats vs. corporates, particuarly in light of the growing cyber crime threat that businesses face today.

Delta updates on iOS

I've always maintained that Apple has a slight competitive edge when it comes to the iOS App Store, just one of which is the ability for users to download updates once via iTunes and update all their devices from there, rather than having to download updates to each device individually.

However, there is one area that I've always found an interesting omission around application updates, and that is the lack of delta updates. In fact, apart from the OS itself, I've not found a single app that appears to support the use of deltas to minimize download sizes.

Delta updates within applications are supported, as detailed here, but for some unknown reason this just isn't being used. The issue, I believe is that Apple leaves the option open for developers to make this decision themselves, rather than enforcing it across the board.

It's an odd decision, and one that likely costs Apple a fair amount of money. If an app is, for example, 1GB in size (common with some of the games nowadays), Apple could save a significant amount of bandwidth by ensuring that apps use delta updates rather than forcing users to download the full app over and over each time an update is released.

Lack of control

It's interesting how much things have changed in the past ten years. In ten years I've grown from being a Sysadmin to managing a small team of IT Security individuals in a large corporate environment.

Ten years ago, I ran my own server using Apache for web traffic, Postfix for SMTP traffic, and the awesome mutt mail client. I had a laptop running FreeBSD and pretty much knew the inside outs of everything that I needed to from a technical level.

Fast forward ten years. My data is in the cloud, stored on services run by Google, Dropbox, Apple and various other massive corporates. My laptop has been replaced by an iPad, my front end mail client with apps on my iPad or running in a native browser.

The downside? I've ceded control and privacy of my data to faceless corporates. I've lost technical understanding of the low level infrastructure powering my life.

The upside? I have greater mobility than ever before. I no longer have to worry about securing my services and the adversaries of my hosting providers are typically state sponsored entities who don't give a damn about me or my data.

Was it worth it? The jury is still out but I can't wait to see what the next ten years will bring...

Jekyll

The internet is a scary place. When it comes to security, you're never more than a zero day away from being owned. With sites becoming more and more dynamic and intricate the potential for damage is exponential.

I guess it's been bugging me for a while that my hosted server uses MySQL, Apache, PHP and Wordpress. While I certainly don't keep anything of value on my hosted server I'm also at the point in my life where I don't want to constantly be applying patches and installing new versions of software each week.

So, with a bee in my bonnet I took an hour and migrated my site to Jekyll, which got rid of the requirement for PHP and MySQL.

Since everything is static now, Apache also seemed like slight overkill, and so I went with djb's fantastic little static web server publicfile.

publicfile may not be as feature rich as other web servers, and Jekyll won't provide me with any fancy bells and whistles, but at least I know that my site is more secure than it was when I started this morning and that it will require less effort and time going forward.

Until the next zero day that is.

Heml.is

There's been a lot of discussion lately about the monitoring of internet communications and the Prism program that is being run by the NSA. Debate is great, but it's nice to see that some action is being taken too.

The announcement today of Heml.is is a great step forward for those of us who feel that the prying eyes of government are unwelcome, unwarranted and beyond the scope of what is reasonable.

Provided the security and encryption of the app is everything that it's promised to be, this should be a viable alternative for others who feel the same way I do.