Monday, September 23, 2013

Touch ID and Blackberry

Apart from the never ending transit debate in Toronto, the news dominating my twitter feed today are related to the Apple’s Touch ID hack and the Fairfax bid for Blackberry. My quick comments on those two:

-          Touch ID hack: of course it was only a matter of time, but let’s face the facts. There are far more expensive and complex fingerprint sensors that are also vulnerable to similar attacks (Gummy bear fingers, anyone?); just keep in mind that the threats Apple is considering for this technology (very good Threat Modeling blog post from Daniel Miessler – just keep in mind he is an Apple fanboy :-)) are opportunistic attackers, not determined ones (such as NSA…). Not only that, the main business goal for the technology might be more on making the life of the user easier than to make things more secure. And to introduce shiny “futuristic” gimmicks too, of course :-)

-          Blackberry: and here it finally goes private…it’s a sad thing to see a company with that lead blowing things up so miserably. The interesting perspective of this situation is that it increases the speed organizations will have to move towards (or at least consider) the BYOD model. But don’t completely write off Blackberry yet; it can very well rebrand itself as the go to options for the technology required for a good BYOD strategy – BES10 has a huge potential to be the killer MDM tool.

-          Blackberry (2): Until now BES and the Blackberry network were like those undersea cables: a very nice point to massive eavesdropping. Now it’s gone. I believe we can expect a heavy shift of research resources moving to find more effective ways for massive monitoring of mobile devices, now that those convenient choke points will no longer be used.

Friday, September 20, 2013


Hi. I’m still here.

This is another attempt to revive this blog. If you’re still with me (i.e., you still have this blog on your RSS feed, you still use RSS feeds or you follow me on twitter and clicks on links from my twitter feed) you’ve probably noticed the I dramatically reduced my posting frequency here. I realized it happened for a multitude of reasons:

- Other channels – just like other security folks, I was also dragged to other communication channels, specially Twitter.

- Personal life – Yeah, I’ve got a kid now. That sucks all possible free time that eventually appears on my schedule. That’s not a bad thing, by the way; I rather play with him that writing about security on my free time :-)

- Security burn out – Never thought it would happen to me, but it did. Our field is a huge echo chamber and eventually our cynicism level is so high that we just can’t see any value on anything and nothing sparks interest enough to make us write about it. Ok, a few things are interesting, but there’s a point when the inertia is so big that the only thing we manage to do about it is to send a tweet.

- Work confidentiality – I cannot say that I don’t see anything exciting about security. If that was the case I would probably move to something else; unfortunately, a lot of those nice things are related to my current employer and I wouldn’t be able to write about it without putting to much information that is not supposed to be public. The effort to spin in a way to sanitize it is just too much and contributes to my current inertial state.

I’ve been thinking about all this and what I could do to come back. A had a few notes on my “ideas to pursue” list, but nothing exciting enough to make me write about. So I decided to try a different approach: I’ll try to write constantly, but with less structure and with no clear objectives. It would be almost like tweeting without working on the 140 chars limit. So, there will be a lot of incomplete thoughts, half baked ideas and ramblings. But I expect that the effort might be able to revive the habit of writing, putting me out of the inertial state. So, even if things look a bit odd, please, stay with me - I promise I’ll try to at least make it a little more than meaningless stuff :-)