Leonard Nelson http://www.leonelson.com
Personal blog of Leonard Nelson talking about technology, education, customer relationship management, customer service and Africa. Last updated Tue, 09 Feb 2016 18:45:29 +0000.

Privacy Definition http://www.leonelson.com/2016/01/25/privacy-definition/ Tue, 26 Jan 2016 03:17:01 +0000

An excellent definition of privacy in the context of autonomy and security:

  • Autonomy Privacy is an individual’s ability to conduct activities without concern of or actual observation (i.e., surveillance).
  • Information Security is the protection of information resources from unauthorized access, which could compromise their confidentiality, integrity, and availability. This includes, but is not limited to, networks, hardware, software and information (some of which is confidential).
  • Information Privacy is the intersection of autonomy privacy and information security — it is the appropriate protection, use, and dissemination of information about individuals.

Source: Autonomy Privacy, Information Privacy and Information Security

Shodan Search Shortcuts http://www.leonelson.com/2016/01/25/shodan-shortcuts/ Tue, 26 Jan 2016 03:08:48 +0000

Use Shodan to discover which of your devices are connected to the Internet, where they are located and who is using them.

Listed below are some popular search filters (keywords) to help narrow your search results. Two things to keep in mind: Shodan returns what its own crawlers last saw, so a result is a snapshot rather than a live scan, and an org: match is not proof of ownership, so scope queries to your own address ranges (for example with net:) and confirm a host is really yours before acting on a hit.

Keyword          Values                 Description                            Example
port             any numeric value      specific port                          port:554
has_screenshot   true/false             result has a screenshot                has_screenshot:true
org              organization name      organization                           org:"Microsoft"
ssl              organization/name      SSL certificates for an organization   ssl:edellroot, ssl:"Some University"
ssl.version      SSL/TLS version        SSL version offered                    ssl.version:sslv2 -ssl.version:sslv3,tlsv1,tlsv1.1,tlsv1.2

Values containing spaces must be quoted, and a leading minus negates a filter, so the last example matches hosts that offer SSLv2 and none of the newer versions.

Search Examples

Example Search Query              Used For
port:9100 product:"LaserJet"      Finding HP LaserJet printers (raw printing/JetDirect port 9100) on the network
ssl:edellroot                     Finding devices with SSL certificates issued by eDellRoot
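The following is an added example, not code from the post or from Shodan: it composes filter strings of the kind listed in the two tables above (quoting multi-word values, comma-joining lists, negating with a leading minus) and then applies the ownership check mentioned earlier, keeping only hits inside your own address ranges. The result records are constructed to mimic the `matches` entries the Shodan search API returns (`ip_str`, `port`, `org`, `product`, `ssl`); the API is not called, and the nested `ssl.cert.issuer.CN` layout used by `issued_by` is an assumption about Shodan's SSL banner format.

```python
"""Build Shodan filter strings and keep only hits in your own address space.
Added example, not from the post or from Shodan; sample matches are constructed."""
import ipaddress


def _fmt(key, value):
    """Render one filter as key:value.  Lists become comma-separated values,
    booleans become true/false, and values containing whitespace are quoted
    (ssl:"Some University"), which Shodan requires for multi-word values."""
    if isinstance(value, (list, tuple)):
        value = ",".join(str(v) for v in value)
    elif isinstance(value, bool):
        value = "true" if value else "false"
    value = str(value)
    if any(ch.isspace() for ch in value):
        value = '"%s"' % value
    return "%s:%s" % (key, value)


def shodan_query(filters, negate=None, text=None):
    """Compose a query: free text first, then include filters, then
    negated filters (a leading '-' excludes matches of that filter)."""
    parts = [text] if text else []
    parts += [_fmt(k, v) for k, v in filters.items()]
    parts += ["-" + _fmt(k, v) for k, v in (negate or {}).items()]
    return " ".join(parts)


def in_scope(matches, cidrs):
    """Keep only matches whose ip_str lies in one of your CIDR ranges.  Use
    this (or a net: filter in the query) before acting on an org: hit, since
    the org name alone does not prove the host is yours."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return [m for m in matches
            if any(ipaddress.ip_address(m["ip_str"]) in n for n in nets)]


def issued_by(match, issuer_cn):
    """True if the match's certificate issuer CN equals issuer_cn.  The
    nested ssl.cert.issuer.CN layout is an assumption about Shodan's SSL banner."""
    cert = match.get("ssl", {}).get("cert", {})
    return cert.get("issuer", {}).get("CN") == issuer_cn


# Constructed sample results (documentation address ranges, not real hosts).
SAMPLE_MATCHES = [
    {"ip_str": "192.0.2.10", "port": 9100, "org": "Example University",
     "product": "HP LaserJet"},
    {"ip_str": "203.0.113.7", "port": 9100, "org": "Example University",
     "product": "HP LaserJet"},
    {"ip_str": "192.0.2.44", "port": 443, "org": "Example University",
     "ssl": {"cert": {"issuer": {"CN": "eDellRoot"}}}},
]

if __name__ == "__main__":
    print(shodan_query({"port": 9100, "product": "LaserJet"}))
    print(shodan_query({"ssl.version": "sslv2"},
                       negate={"ssl.version": ["sslv3", "tlsv1", "tlsv1.1", "tlsv1.2"]}))
    mine = in_scope(SAMPLE_MATCHES, ["192.0.2.0/24"])
    print([m["ip_str"] for m in mine])
    print([m["ip_str"] for m in mine if issued_by(m, "eDellRoot")])
```

Feed the query string to the Shodan web UI or search API as-is; the post-filter is what turns a broad org: or ssl: hit list into something you can act on for your own estate.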


Top 10 IT Issues in 2016 http://www.leonelson.com/2016/01/12/top-10-issues-2016/ Tue, 12 Jan 2016 18:25:25 +0000

Educause has released its Top 10 IT Issues for 2016. What’s really impressive is the visual difference in IT priorities over the last 16 years. For this year, the top 10 issues are:

  1. Information Security
  2. Optimizing Educational Technology
  3. Student Success Technologies
  4. IT Workforce Hiring and Retention
  5. Institutional Data Management
  6. IT Funding Models
  7. BI and Analytics
  8. Enterprise Application Integrations
  9. IT Organizational Development
  10. E-Learning and Online Education

Source: Top 10 IT Issues, 2016: Divest, Reinvest, and Differentiate

Explicit vs. Transparent Proxy http://www.leonelson.com/2016/01/07/explicit-vs-transparent-proxy/ Thu, 07 Jan 2016 15:34:03 +0000

A proxy server is a server (a computer system or an application) that acts as an intermediary for requests from clients seeking resources from other servers. A client connects to the proxy server, requesting some service, such as a file, connection, web page, or other resource available from a different server, and the proxy server evaluates the request as a way to simplify and control its complexity. Proxies were invented to add structure and encapsulation to distributed systems. Today, most proxies are web proxies, facilitating access to content on the World Wide Web and providing anonymity. [1]

In an explicit proxy configuration, the client (e.g. browser, desktop application) is explicitly configured to use a proxy server, so the client knows that its requests go through a proxy. The client is given the hostname or IP address and port number of the proxy service; when a user makes a request, the client connects to the proxy and sends the request to it (on the wire, an HTTP request to a proxy names the full URL rather than just the path, and HTTPS is carried inside a CONNECT tunnel). The disadvantage of an explicit proxy is that every client must be correctly configured, and a client that is not configured, or whose setting a user removes, bypasses the proxy entirely unless direct outbound access is also blocked at the firewall.

In a transparent proxy configuration, the proxy is typically deployed at the Internet gateway and configured to intercept traffic for specified ports. The client (e.g. browser, desktop application) is unaware that its traffic is being processed by a proxy. For example, a transparent HTTP proxy intercepts all traffic to port 80 and, often, 443. For port 80 the proxy reads the destination from the Host header; for port 443 it sees a TLS handshake rather than an HTTP request, so it can only route on the destination IP or SNI name unless it terminates TLS with a certificate issued by a CA the clients have been made to trust, which also breaks applications that pin certificates. The typical benefits of a transparent proxy are a standard enterprise configuration in which every client routed to the Internet is always filtered and protected no matter what end users do or change on their machines, and fewer client-side proxy configuration problems to troubleshoot.
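The difference between the two modes is visible in the request itself. RFC 7230 §5.3.2 has a client send the absolute URL (`GET http://host/path`) only when it knows it is talking to a proxy, and carry HTTPS through a `CONNECT host:443` tunnel; a client with no proxy setting sends the origin form (`GET /path` plus a Host header), which is all a transparent proxy ever sees. The following is an added example, not code from the post: a small classifier that tells the three forms apart and recovers the origin host and port for each. The three sample requests are constructed.

```python
"""Classify an HTTP/1.x request by the form of its target, which is what
separates an explicit-proxy client from one a transparent proxy intercepted,
and recover the origin host and port.  Added example, not from the post."""
from urllib.parse import urlsplit


def parse_request(raw: bytes):
    """Split one request into (method, target, version, headers).
    Header names are lower-cased; only the block up to the blank line is read."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, version, headers


def classify(raw: bytes):
    """Return (mode, host, port).

    explicit         absolute-form target (GET http://host/path), which RFC 7230
                     s5.3.2 says a client sends only to a configured proxy
    explicit-tunnel  CONNECT host:port, how a proxy-aware client carries TLS
    transparent      origin-form target (GET /path); the client thought it was
                     talking to the origin, so the proxy must have intercepted
                     the connection and learns the destination only from Host
    """
    method, target, _version, headers = parse_request(raw)
    if method == "CONNECT":
        host, _, port = target.rpartition(":")
        return "explicit-tunnel", host, int(port)
    if target.startswith(("http://", "https://")):
        url = urlsplit(target)
        return "explicit", url.hostname, url.port or (443 if url.scheme == "https" else 80)
    # Origin form.  An intercepted port-443 connection would not start with an
    # HTTP request at all but with a TLS ClientHello, so a transparent proxy
    # for HTTPS must fall back to the original destination IP or the SNI name,
    # and can read the request only if it terminates TLS with a certificate
    # the client trusts.
    host = headers.get("host")
    if host is None:
        raise ValueError("origin-form request without Host: destination unknown")
    hostname, _, port = host.partition(":")
    return "transparent", hostname, int(port) if port else 80


# Constructed samples: a proxy-configured client fetching a page, the same
# client tunnelling TLS, and a client with no proxy setting at all.
EXPLICIT = b"GET http://www.example.com/index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
TUNNEL = b"CONNECT www.example.com:443 HTTP/1.1\r\nHost: www.example.com:443\r\n\r\n"
DIRECT = b"GET /index.html HTTP/1.1\r\nHost: www.example.com:8080\r\n\r\n"

if __name__ == "__main__":
    for raw in (EXPLICIT, TUNNEL, DIRECT):
        print(classify(raw))
```

A practical use of the distinction: a transparent proxy that receives an absolute-form request, or an explicit proxy that receives an origin-form one, is seeing a client that is not configured the way the gateway assumes, and that is worth logging.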

A better way to ask the “What do I want?” question http://www.leonelson.com/2016/01/05/a-better-way-to-ask-the-what-do-i-want-question/ Tue, 05 Jan 2016 12:21:50 +0000

At the core of all human behavior, our needs are more or less similar. Positive experience is easy to handle. It’s negative experience that we all, by definition, struggle with. Therefore, what we get out of life is not determined by the good feelings we desire but by what bad feelings we’re willing and able to sustain to get us to those good feelings.

Source: You probably know to ask yourself, “What do I want?” Here’s a way better question

Top 25 Software Errors http://www.leonelson.com/2015/12/28/top-25-software-errors/ Mon, 28 Dec 2015 13:46:47 +0000

The CWE/SANS Top 25 Most Dangerous Software Errors (a joint MITRE and SANS list), grouped into its three categories:

Insecure Interaction Between Components

CWE ID    Name
CWE-89    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CWE-78    Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CWE-79    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE-434   Unrestricted Upload of File with Dangerous Type
CWE-352   Cross-Site Request Forgery (CSRF)
CWE-601   URL Redirection to Untrusted Site ('Open Redirect')

Risky Resource Management

CWE ID    Name
CWE-120   Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
CWE-22    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE-494   Download of Code Without Integrity Check
CWE-829   Inclusion of Functionality from Untrusted Control Sphere
CWE-676   Use of Potentially Dangerous Function
CWE-131   Incorrect Calculation of Buffer Size
CWE-134   Uncontrolled Format String
CWE-190   Integer Overflow or Wraparound

Porous Defenses

CWE ID    Name
CWE-306   Missing Authentication for Critical Function
CWE-862   Missing Authorization
CWE-798   Use of Hard-coded Credentials
CWE-311   Missing Encryption of Sensitive Data
CWE-807   Reliance on Untrusted Inputs in a Security Decision
CWE-250   Execution with Unnecessary Privileges
CWE-863   Incorrect Authorization
CWE-732   Incorrect Permission Assignment for Critical Resource
CWE-327   Use of a Broken or Risky Cryptographic Algorithm
CWE-307   Improper Restriction of Excessive Authentication Attempts
CWE-759   Use of a One-Way Hash without a Salt
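One entry from each of the three categories, shown as the vulnerable pattern beside its fix, is an added example (not code from the post or from CWE/SANS): CWE-89 with a string-built query against a parameterised one, CWE-22 with a naive path join against a resolved-and-contained one, and CWE-759 with a bare SHA-256 against a salted PBKDF2. The in-memory database and the temporary directory tree it builds are constructed for the demonstration.

```python
"""CWE-89, CWE-22 and CWE-759: vulnerable pattern beside its fix.
Added example, not from the post or from CWE/SANS; sample data is constructed."""
import hashlib
import hmac
import os
import sqlite3
import tempfile
from pathlib import Path


def make_db():
    """Constructed in-memory table with two users."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, role TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "admin"), ("bob", "user")])
    return db


# CWE-89: the input is spliced into the SQL text, so it can rewrite the query.
def find_user_vulnerable(db, name):
    return db.execute("SELECT name FROM users WHERE name = '%s'" % name).fetchall()


# Fix: a bound parameter is passed as data and never parsed as SQL.
def find_user_fixed(db, name):
    return db.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchall()


def make_tree() -> Path:
    """Constructed demo tree: base/public/hello.txt is meant to be served,
    base/secret.txt is not."""
    base = Path(tempfile.mkdtemp())
    (base / "public").mkdir()
    (base / "public" / "hello.txt").write_bytes(b"hello")
    (base / "secret.txt").write_bytes(b"s3cret")
    return base


# CWE-22: joining an untrusted name onto the base directory lets '..' escape it.
def read_file_vulnerable(base: Path, name: str) -> bytes:
    return (base / name).read_bytes()


# Fix: resolve '..' and symlinks, then require the result to sit under base.
def read_file_fixed(base: Path, name: str) -> bytes:
    base = base.resolve()
    target = (base / name).resolve()
    if target != base and base not in target.parents:
        raise PermissionError("path escapes base directory: %r" % name)
    return target.read_bytes()


# CWE-759: one unsalted fast hash means one precomputed table cracks every user.
def hash_password_vulnerable(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()


# Fix: per-user random salt plus a slow KDF (PBKDF2 here; scrypt or Argon2 are
# preferable where available), verified with a constant-time comparison.
def hash_password_fixed(password: str, salt: bytes = b"", rounds: int = 200_000) -> str:
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return "pbkdf2_sha256$%d$%s$%s" % (rounds, salt.hex(), digest.hex())


def verify_password_fixed(password: str, stored: str) -> bool:
    _alg, rounds, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    db = make_db()
    payload = "x' OR '1'='1"
    print("vulnerable:", find_user_vulnerable(db, payload))   # every row
    print("fixed:     ", find_user_fixed(db, payload))        # nothing
    base = make_tree() / "public"
    print(read_file_vulnerable(base, "../secret.txt"))        # b's3cret'
    try:
        read_file_fixed(base, "../secret.txt")
    except PermissionError as exc:
        print("blocked:", exc)
    print(verify_password_fixed("pw", hash_password_fixed("pw")))
```

The vulnerable halves are deliberately minimal so the difference stays visible: in each case the fix is not extra validation bolted on but a different API or data flow that makes the attacker's input incapable of changing the operation.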
How Bad Would Things Have to Get? http://www.leonelson.com/2015/10/09/how-bad-would-things-have-to-get/ Sat, 10 Oct 2015 00:54:47 +0000

How bad would things have to get, for you to spend all of your money so your family could cram into a small, flimsy, rubber boat with 40 other people? Imagine you can’t swim, and nor can anyone else in your family. It’s night, you have no lights, and you must travel six miles across choppy seas. There is no captain. A man who has never even been on a boat will navigate. They tell you to sit on the dinghy’s inflated edge with your son on your lap. Your husband must stand, and you cannot see your brother near the back, because it’s so dark. How bad would things have to be, before you put your family in that boat? How bad would things have to get, before you actually felt lucky to get a spot on that boat?


Source: How Bad Would Things Have to Get?

Symbols Matter http://www.leonelson.com/2015/09/30/how-we-changed-the-facebook-friends-icon-facebook-design-medium/ Thu, 01 Oct 2015 03:07:28 +0000

Semiotics, the study of symbols, sign processes and meaningful communication, has recently been on my radar because of a class I’m teaching.

Earlier this morning I stumbled on a post by Caitlin Winner on how she pushed forward a small but meaningful change to the Facebook icon set used to display the now universally recognized Facebook Friends icon:

I shared my complaint with a designer friend and she helpfully pointed me to the poster next to mine which proclaimed, “Nothing at Facebook is someone else’s problem.” The lady icon needed a shoulder, so I drew it in — and so began my many month descent into the rabbit hole of icon design.

It turns out that others at Facebook have pursued similar changes, for example with the globe icon:

It turns out this kind of self initiated project is not unique at Facebook. Last year, designer Julyanne Liang worked with engineer Brian Jew to give the non-American half of the globe an accurate world view from the notification icon. Since then they’ve added an Asia-centric globe, too.

Symbols are important. The context in which they are used, the global recognition of certain symbols and the misuse of symbols shape our daily interactions. More importantly, this write-up is a great example of taking personal responsibility and ownership for changing things that seem small to some but, once implemented, make a world of difference to others.

Source: How We Changed the Facebook Friends Icon

Using DNA for Access Control http://www.leonelson.com/2015/09/27/using-dna-for-access-control/ Sun, 27 Sep 2015 15:58:26 +0000

You’ve probably heard of the genetic testing site, 23andMe. The site allows users to send in a swab covered in their saliva for genetic decoding. When that code is translated, it’s viewable online as a pie chart of ancestry. 23andMe even offers an API that allows you to share your genetic information with the REST of the world. Genetic information is some powerful stuff: It can countermand information that’s been passed down through a family, provide a clue to lost relatives, and even offer unexpected insights into one’s origins. But did you ever think that genetic information could be used as an access control? Stumbling around GitHub, I came across this bit of code: Genetic Access Control. Now, budding young racist coders can check out your 23andMe page before they allow you into their website! Seriously, this code uses the 23andMe API to pull genetic info, then runs access control on the user based on the results. Just why you decide not to let someone into your site is up to you, but it can be based on any aspect of the 23andMe API. This is literally the code to automate racism. The author offers up a number of possible uses, many of which sound fairly legitimate, however. Imagine a women’s support group online that restricts access to women only. What if JDate didn’t just take your word for it that you were Jewish, and actually checked your DNA to make sure?

Source: Using DNA for Access Control

Web Security Fundamentals http://www.leonelson.com/2015/09/24/web-security-fundamentals/ Thu, 24 Sep 2015 17:44:56 +0000

Varonis has published a list of introductory web security videos at Web Security Fundamentals.
