Social location privacy - what is the fuss?


The legendary "what is the fuss" series continues, adding to Cloud Computing and Virtualization. Social media location services are all the rage right now, with Foursquare and Gowalla both established players and the big boys like Facebook trying the me-too strategy with Facebook Places.
There has been discussion, and to be fair a lot of FUD, about the privacy and security concerns around these services, mainly from ill-informed people on CNN, USA Today and the BBC. About time to have a considered discussion on the real risks...

Implementing email encryption: lessons learned

I was involved in an email encryption implementation project towards the end of last year. Here are some of the lessons that I learned, as well as some discussion around whether there is any point to email encryption in its current form today. Apologies in advance to my friends at PGP (now Symantec), but I have got to call it as I see it.

This is a companion lessons-learned article to my ones on Removable media control and Data loss prevention. I have written this with quite a few technical PGP terms; I will explain some, but get your background at

How real is the insider threat?

I am constantly amazed at how many norms or axioms there are in the information security field that are simply accepted and passed on to new recruits without real challenge, or without attempts at falsification with data and/or logical argument. Examples include: internal IT is safer than outsourcing, physical servers are more secure than virtual, clear-text transfers should be avoided at all costs, and the threat from insiders is greater than the external one.

While there are nuggets of truth in each of these, and the answer is usually "it depends", they are very rarely backed up by solid, statistically significant, non-survey-based evidence, and the thinking has not been updated to keep up with industry trends and innovations in information security. They also seem to be passed on from one CISSP (talk about a relic that belongs in the 1970s) to another without really being challenged. I have discussed some of them, such as cloud computing, virtualization and transport security, in previous posts; in this one let's examine the last: how real is the insider threat?

A smarter, more social bank

From a customer perspective I find banks extremely frustrating, difficult to deal with and behind the times. With the launch of Metro Bank, the first UK high street bank to be launched in something like 100 years, surely this was the time to do something different...

Journey of a thousand miles. Trials and tribulations of a tech startup

I thought I would write about what I have been really busy with lately: changing my company to more of a product-based business with my software / security-as-a-service application, Simple Security Risk Assessment.

I have had some interesting experiences thus far, mainly dealing with hiring an overseas developer. Hopefully you can learn some lessons from my experiences, or at least get a laugh.

I will keep adding to this as I go through the development and, hopefully, launch experience.

Virtualization security - what is the fuss?

This is a bit of a companion piece to my Cloud computing security article. Just the other day I was amazed at the fear and trepidation with which colleagues viewed putting everything on "one" machine, i.e. virtualization, and the doom and gloom it supposedly meant for security. I mean, seriously? Are we still here? Virtualization should now be viewed as a mature technology that can save you a lot of money and increase your scalability and speed to market. Again, don't believe the FUD; just do the basics well and you will be fine. Here is how...

Making DRM practical

I was reading an article today that said to keep your best ideas for your products. This is probably one of those, but since I don't have the resources to do it I'm hoping that Adobe, Microsoft, Oracle or Google read this, or that someone at their companies suggests something similar.

Digital Rights Management (DRM) is broken. As a concept it is brilliant: it allows you to move security away from the infrastructure and onto the information, so security travels with the information no matter where it goes. In practice it is currently badly broken; it is too hard to implement and use. I have some suggestions for fixing it...

Why don't Facebook, Twitter and Google support strong authentication?

Social media services such as Twitter, Facebook and Google are quickly becoming the de facto identity providers for the Internet. I signed up to Aardvark yesterday and I could use either my Google and/or Facebook account (I used both). My new web and mobile apps are going to support all of these. I mean, why not? It is easier for the user (not another password and identity) and easier for the provider (no hassle of maintaining accounts, authentication security problems, password resets etc.).

Can Chrome learn from iPhone jailbreak flaws?

The recent script-kiddie jailbreak (browser-based attacks on iPhone iOS 4.0 and 4.1) led me to think: can Google Chrome learn their lessons? This joins my other posts on iPhone and Android security and on using Chromium OS.

How important is transport security really?

There seems to be a preoccupation in the security industry with encrypting everything in transit (https/sftp/ssh etc.), when the reality is there is a good argument that it is just not that important...
