Of hackers and musicians

What qualities do you look for when you're hiring information security professionals, and in particular ‘hackers'? I won't pretend to be an expert at this, and certainly would prefer you read material from both Cory Scott and Thomas Ptacek on hiring talent if you haven't already. But I think I have a fairly good radar for identifying people that have the knack for being great hackers. Similar to Parisa's post, I don't think this has anything to do with certifications, and in fact, in many circumstances I don't think university degrees matter much either. I find that two of the most important indicators are creativity and scrappiness: two different attributes that aren't the easiest to measure. While creativity is not all that surprising (you think people breaking software aren't leveraging tremendous amounts of creativity?), scrappiness is a little bit more obscure. Don't worry though, I'm not talking about scrappy or inconsistent work, I'm talking about getting shit done with limited resources. The idea of scrappiness is not all that unique to security, and has been referred to in a number of different contexts, for instance it's often seen as a critical attribute for successful entrepreneurs as

Reflections on 2015 and LinkedIn

If I were to capture 2015 with a single word it would be: transform. The family and I had started the year celebrating our daughter’s 1st birthday, always amazed and in awe watching her continue to grow. Tenille was still re-integrating into her work-life pattern as a working mum, and we were surrounded by our best friends who were also undertaking incredible life changes, such as marriages, having kids and so on. Outside of family, things were getting very exciting at Asterisk as we were drawing more highly skilled talent to the team in our continued vision to bring pragmatic, passionate security results to our clients. All in all, life was humming along perfectly. When the opportunity arose to join the application security team of LinkedIn my initial reaction was: this is a spam message. When I realised it was legitimate, my next immediate thought was that there was no way we, as a family unit, would want to go through this sort of upheaval. But the opportunity was too exciting to not discuss with the family. To my surprise, Tenille was more excited about moving to California than I was! Even to this day I’m blown away with...

Facebook iOS App Scrapes Your Clipboard?

I noticed yesterday that the Facebook iOS app appears to scrape your clipboard for URLs, offering to paste the URL into your next Facebook status update. You can see an example of this at the bottom of this post. I wasn't alone in thinking that this felt a little creepy; similar sentiment appears to have popped up on reddit. So what does this mean, and what can we do? Well, firstly, there isn't a permission to control access to the clipboard. The NSPasteboard class is used to access the pasteboard server in AppKit on OS X apps, while iOS uses the UIPasteboard class. In iOS, this class can be used to access the General pasteboard used for copy-cut-paste operations (and has existed since iOS 3.0). What this means is that any app has a means to access items in your clipboard. This in itself is not so much a surprise as the fact that I've never seen this functionality used in such a creepy way before. Apparently Pocket and Chrome have similar behaviors, just not that I've seen. Why is it creepy? Well, for the app to know what is in the clipboard...