From Living On An Exponential Curve Of Breaches:

The knowledge that a major networking gear manufacturer’s product has been compromised will raise the question: just how does one trust that the products one has purchased are not compromised by a government or a sophisticated hacker? Are vendors prepared to submit their products to third-party testing labs for assurance purposes? At the very least, that assurance should come from complete code reviews and broad-spectrum fuzzing. This is an expensive proposition, one that will have to be incorporated into every vendor’s release schedule. At the end of the day, will that level of assurance be enough?

We’re talking, of course, about the recent Juniper and Fortinet vulnerabilities that allow unauthorized administrative access, which naturally made the news.

I don’t know that you’ll get any security company to submit their source code to an external third-party code review, but third-party validation and assurance testing seems perfectly reasonable. In fact, vendors already do this with NSS Labs and Common Criteria testing.

Meanwhile, some vendors have restrictive EULAs that forbid this kind of activity, which, given that this particular vendor spends more than half of its revenue on marketing, makes you wonder whether they’re in the security business or the marketing business.
