General

Wave Hello

Google Wave! It's been eagerly anticipated by many, and finally the beta is open to the lucky few who managed to bribe, beg or steal an invite. With thanks to a very good friend who has immediately rocketed their way up my Christmas list, I logged into my Wave account for the first time this week. I'm fairly impressed, with one caveat.

I'm not going to recap all the various clever bits of functionality Wave provides. Many other sites have done this to death, and there's that incredibly long Google IO video that shows you everything you could possibly want to know. What I will do is offer a couple of words of advice and caution. I have to do that, otherwise you'd realise I'm just posting screenshots of Wave to make you jealous.... (Read More)

Doctor Watson, I presume?

Presumed security is an interesting thing. Although not something that's commonly discussed, it's actually the other side of "security through obscurity". Security through obscurity refers to a system that's made so deliberately complex that it (in theory) deters attacks simply due to that complexity. In other words, it's so difficult to understand that an attacker doesn't have a chance of finding a security flaw in it. Hopefully. However any decent security professional will immediately pop up and tell you that security through obscurity is actually no security at all, because you're relying on smoke and mirrors to keep you safe. And that's fair enough. Because it's true.

Presumed security, on the other hand, is almost never talked about in IT security circles. It's very simple to understand and is best demonstrated by this recent BBC News article: Illegal immigrant stows away on Sandhurst coach. Sandhurst, for those of you not aware, is the premier military officer training academy, renowned worldwide for the calibre of officers it produces. As the BBC article explains, an Afghan illegal immigrant was able to simply jump on a coach in Germany, enjoy a trip to the UK, and get off the other end actually inside Sandhurst before being discovered. Straight through security, no questions asked. This was possible because of one simple fact: the presumed security of Sandhurst is so great it actually doesn't need much security at all.... (Read More)

This is not the answer you weren't looking for...

Over recent years it seems that employers and organisations are increasingly looking towards standardised testing to dig into people's capabilities and personalities. Companies often ask prospective interviewees to take a verbal reasoning test before even getting an interview, and at the other end of the scale MENSA is beloved of the IQ test to control membership (although one might wonder why people with high IQs need to pay a £45 membership fee to access a social network).

What does all this have to do with security? That's a very good question.... (Read More)

Standard Bearer

Standards are a wonderful thing. They keep everything.... well.... standard. And as we security specialists flit from job to glamorous job, living the rock and roll consultant lifestyle, we can take comfort from knowing that any half decent IT department will stick to using industry standards to solve problems and build IT infrastructures. Corporate IT is a complex beast and, by laying down a generally accepted way of robustly designing systems, standards make it more manageable and secure. Pity the poor techie who has to create every single solution from scratch every time, for he maketh the IT security consultant rich.

Last week an odd thing happened. I decided I hated standards.... (Read More)

Very Phishy

Phishing is a very real, very annoying pain for security professionals. It's exceptionally easy for a would-be scammer to set up a fake website and send out a few million spam emails, catching a few unlucky victims in the process. Fortunately these days most Internet users know what a phishing scam is, even if they can't always spot one every time. 100% accuracy is always a difficult thing to aim for, but when you sit back and consider the problem it's quite an interesting issue. From a security point of view it should be absolutely possible for every Internet user to spot 100% of the phishing scams 100% of the time.

A contentious claim? Perhaps, but it's clear what's preventing us from even getting close. It's the fault of legitimate companies, who are making it far too easy for the phishers to scam us all. ... (Read More)

Reduced security, increased safety

Do you own a wireless router? Yes? Good. I'd like you to do something for me. Go into your wireless network configuration and check your security settings. The encryption option is probably set to WPA or WPA2 depending on the model of router you own. Can you set it to WEP for me please?

Careful - don't choke on your cappuccino. Yes, I am asking you to switch your encryption from the strong WPA setting to the, well, not strong at all WEP setting. And yes, I know WEP encryption is easy to crack. With some freely available software and a spare 15 minutes someone can easily break into your WEP-secured wireless network. Still, we should all live dangerously from time to time so go ahead and do it. There's no magic trick coming. You're not about to discover a revelation in wireless network security. I really am asking you to decrease the security posture of your wireless network. There's a very good reason for it, too. It will keep you safe.... (Read More)