http://disqus.com/by/phoneboy/enFri, 09 Aug 2019 19:37:26 -0000http://phoneboy.org/2015/07/29/lies-damn-lies-and-inspecting-ssh-traffic-securely/#comment-4572708093<p>Thanks for sharing that.</p><p>At least the way I read this, it helps when you're connecting to the same trusted server over and over.<br>For random servers, you're still getting temporary keys.<br>For users who know what to look for, it does provide some assurance that it's being man-in-the-middled by the right device.<br>For the average user, I fail to see how this is an improvement.</p><p>But maybe I'm missing something.</p>phoneboyFri, 09 Aug 2019 19:37:26 -0000http://phoneboy.org/2015/07/29/lies-damn-lies-and-inspecting-ssh-traffic-securely/#comment-4551017934<p>My reading of the PANOS 9.x documentation suggests this hasn't changed at all.</p>phoneboyTue, 23 Jul 2019 19:07:58 -0000http://phoneboy.org/2014/09/02/fun-with-check-point-dynamic-ip-gateways-in-r77-dot-20-with-gaia/#comment-3679842216<p>I've changed things a bit since this article... using dnsmasq on my wireless router instead of on Gaia.</p><p>As for why Threat Prevention doesn't work with a DAIP, I'm not sure.</p>phoneboyWed, 27 Dec 2017 02:09:12 -0000http://2ketodudes.com/show.aspx?episode=84#comment-3564117116<p>Have you guys made the new podcast with Dr. Fung available yet? Can't find it in the reputable podcast directories. The pilot episode was a little overproduced for my tastes but good information.</p>phoneboyThu, 12 Oct 2017 12:07:41 -0000http://phoneboy.org/2015/07/29/lies-damn-lies-and-inspecting-ssh-traffic-securely/#comment-3423800956<p>By the way, I actually acknowledged the capability shown in the video. But you'll also notice the issue I pointed out in this post: the host key was different both times he connected with putty. Which, if you care about the security of your SSH sessions, is kind of a big deal. And if you're using SSH non-interactively, you've just broken SSH.</p>phoneboyTue, 18 Jul 2017 23:21:47 -0000http://adam.curry.com/html/NoAgendaEpisode912Bu-1489693776.html#comment-3212525085<p><a href="https://blugs.com/na/index.html" rel="nofollow noopener" target="_blank" title="https://blugs.com/na/index.html">https://blugs.com/na/index....</a></p>phoneboySun, 19 Mar 2017 19:57:03 -0000http://thepointsguy.com/guide/best-and-worst-airlines-2017/#comment-3186336368<p>Best airline for any given person is going to vary based on: where you're flying from and where you're flying to.</p><p>While United's inflight service has thankfully improved over the last several years, their lack of available flights to/from Seattle makes them not a choice a majority of the time. Same with American, who didn't improve in this department with their merger with US Airways.</p><p>The fact I regularly fly International takes Alaska and Virgin America out of the running, even if they are otherwise good airlines and have plenty of flights in/out of SeaTac. Southwest, JetBlue, Frontier, and Hawaiian don't have a ton of flights out of Seattle and are fairly regional in nature.</p><p>That leaves Delta, which has significantly invested in expanding their presence in SeaTac over the last few years, meaning more flights to more places. Their inflight service has also gotten better. Yes, they are sometimes a little more expensive, but convenience is also a factor here.</p>phoneboySat, 04 Mar 2017 12:50:12 -0000https://paul.reviews/dont-let-them-paste-passwords/#comment-3168654992<p>Security measures in general are already intrusive enough. If you're impacting UX in a negative way for additional security, you've failed. "Disabling paste" classifies as impacting UX negatively and will impact people beyond those who use actual password managers, e.g. those who put all their passwords in some sort of document (not the best idea unless that document is encrypted, but people do it).</p><p>If you're gathering information about how people type as an authentication factor, it might be better to use something other than the password field for this purpose and let copy/paste work on the password field.</p>phoneboyWed, 22 Feb 2017 00:53:12 -0000http://phoneboy.org/2015/08/10/theres-a-nintendo-wii-u-sized-hole-in-my-firewall/#comment-3011003905<p>Other than basically turning the firewall off, none that I can really think of.</p>phoneboySun, 20 Nov 2016 01:22:11 -0000http://phoneboy.org/2016/09/01/a-word-about-competition-in-the-information-security-industry/#comment-2900201585<p>I'm an avid reader of the quarterly reports and very aware that stock-based compensation is the primary item widening the gap in GAAP profitability for PANW.</p><p>It's unlikely any company will stick around for 10+ years without having a product with at least some merit to it. PANW clearly has enough for CHKP and others to improve their offerings. This is exactly what should happen with healthy competition.</p><p>All of that said, it doesn't take a ton of analysis to find numerous inconsistencies between PANW's marketing, the product offerings, and the actions taken by the company in matters of security. If these things were more aligned, I would be far less inclined to refer to their marketing as "hype."</p>phoneboyFri, 16 Sep 2016 15:18:02 -0000http://phoneboy.org/2016/09/01/a-word-about-competition-in-the-information-security-industry/#comment-2894054868<p>I don't see how PANW's growth is sustainable. They continue to lose money per GAAP standards year over year at increasing rates. Investors are going to want a return on their investment at some point. Spending will have to be drastically reduced in R&amp;D, sales, and/or marketing to achieve that. Which is going to suffer and how will that impact PANW's future prospects?</p><p>With Gartner in particular, PANW is higher on the "ability to execute" axis, which is somewhat subjective. It is not highest on the "completeness of vision" axis, where Check Point is. Given what Check Point has delivered this past year, I suspect that will result in a better score on "ability to execute" in the next Gartner MQ.</p><p>I wasn't going to bring up NSS Labs, but since you did: PANW had to submit two different configurations to get a single "recommended" rating on the recent BDS report, which it barely got.</p><p>Bottom line: while PANW has superior marketing (which influences both Gartner and Forrester results to an extent), they do not have a technically superior product or platform to back it up.</p>phoneboyWed, 14 Sep 2016 13:07:51 -0000http://phoneboy.org/2016/09/01/a-word-about-competition-in-the-information-security-industry/#comment-2892821553<p>Registering domains in the different, relevant TLDs is all part of protecting your brand and trademarks. I find it odd, given the amount of money they are spending in marketing, that they overlooked this. Regardless, that is not the primary reason I think they are not in the security business. It is only a symptom of the larger issues, IMO.</p><p>I have no doubt that Nir and Company talk about other competitors, too. The vast majority of the conversations mention only one competitor: Check Point. Also, none of the Palo Alto executives (to my knowledge) drive around with license plates mentioning other competitors the same way Nir Zuk has done for more than a decade now.</p><p>In terms of PANW wins resulting in incumbent loses, it's not so cut and dry as you imply. Plenty of organizations run products from multiple competing vendors.</p>phoneboyTue, 13 Sep 2016 19:14:49 -0000http://phoneboy.org/2016/07/15/do-you-really-need-threat-intelligence/#comment-2888719627<p>Whatever source of threat intelligence you use, if you don't have the controls deployed pervasively enough to act on the information in real-time, you've got far bigger issues.</p>phoneboyMon, 12 Sep 2016 01:17:06 -0000http://phoneboy.org/2016/08/15/is-past-security-performance-indicative-of-future-results/#comment-2888709326<p>Show me where in my piece where I implied there was no protection at all. In fact, I even allowed for the possibility that it wasn't a bad enough issue to fix right away, a thought process which could have included the presence of an IPS signature (though I didn't explicitly call it out).</p><p>Even if the logic in that analysis is sound, 6 months to issue a formal OS patch just looks bad.</p>phoneboyMon, 12 Sep 2016 01:03:20 -0000http://phoneboy.org/2016/08/15/is-past-security-performance-indicative-of-future-results/#comment-2885535845<p>An IPS signature prevents remote exploits of the bug.<br>An OS patch prevents local exploits of the bug.<br>One is not a substitute for the other.</p>phoneboySat, 10 Sep 2016 01:33:55 -0000http://phoneboy.org/2016/02/15/why-cant-i-choose-what-to-ssl-inspect-based-on-application/#comment-2533217656<p>Who is to say that SNI request is legitimate and not injected along the way? That's my guess as to why SNI is not used for this purpose.</p>phoneboyWed, 24 Feb 2016 14:40:06 -0000http://phoneboy.org/2016/02/15/why-cant-i-choose-what-to-ssl-inspect-based-on-application/#comment-2531386525<p>The client has to explicitly state which "virtual domain" it is connecting to as part of the TLS negotiation. Likewise, the server has to offer up the correct certificate that supports that virtual domain. Both ends have to support it.</p>phoneboyTue, 23 Feb 2016 15:52:47 -0000http://phoneboy.org/2016/02/18/can-apple-actually-comply-with-the-fbi-request-to-allow-bruteforceing-pin-codes/#comment-2531377191<p>As noted SE isn't even an issue with this iPhone. It's also irrelevant since the chain of custody has already been broken already.</p><p>Also it remains to be seen if Apple can actually produce a result that would stand up to forensic rigor.</p>phoneboyTue, 23 Feb 2016 15:47:36 -0000http://phoneboy.org/2016/02/18/can-apple-actually-comply-with-the-fbi-request-to-allow-bruteforceing-pin-codes/#comment-2528477871<p>I'm still not entirely sure how the Secure Enclave would prevent this anyway.</p><p>As far as I'm concerned the chain of custody is already potentially broken the minute they powered the phone on near a network again.</p>phoneboyMon, 22 Feb 2016 11:06:06 -0000http://phoneboy.org/2016/02/15/why-cant-i-choose-what-to-ssl-inspect-based-on-application/#comment-2528473805<p>As far as I know, SNI isn't used by the HTTPS Inspection part (only in App Control). It's probably just as well since SNI is optional and even Google doesn't use it consistently.</p>phoneboyMon, 22 Feb 2016 11:03:39 -0000https://www.petri.com/apple-comes-out-firing-against-encryption-backlash#comment-2421708058<p>As discussed on No Agenda (if you don't know what it is, Google it), the push for government mandated backdoors has nothing to do with catching criminals, which can still be caught with proper police work. The smart criminals will use clandestine systems to communicate--ones free of government backdoors--or stick to face-to-face communication.</p>phoneboyTue, 22 Dec 2015 11:59:43 -0000http://phoneboy.org/2015/12/10/shouldnt-a-security-gateway-be-secure-by-default/#comment-2411601745<p>It was pulled down shortly after I posted this, sadly.</p>phoneboyTue, 15 Dec 2015 17:25:30 -0000http://phoneboy.org/fun-with-check-point-dynamic-ip-gateways-in-r77-dot-20-with-gaia#comment-2355676051<p>I generally suck at it too, but when I write things to share with others, I tend to do moderately better. :P</p>phoneboyThu, 12 Nov 2015 11:18:26 -0000http://phoneboy.org/2015/08/10/theres-a-nintendo-wii-u-sized-hole-in-my-firewall/#comment-2196613294<p>I'm not sure even Check Point could make uPNP a good idea :)</p>phoneboySun, 16 Aug 2015 03:56:36 -0000http://www.petri.com/lenovo-accused-installing-adware-new-pcs.htm#comment-1864256467<p>Actually using Firefox is no defense against this as Superfish patches that certificate store too.</p><p><a href="http://blog.erratasec.com/2015/02/some-notes-on-superfish.html" rel="nofollow noopener" target="_blank" title="http://blog.erratasec.com/2015/02/some-notes-on-superfish.html">http://blog.erratasec.com/2...</a></p>phoneboyThu, 19 Feb 2015 13:49:50 -0000