Viewing posts for the category Security

Thanks for visiting!  Opinions are my own, and don't reflect the opinions of my present or past employers.

Mozilla Security @ BSidesVancouver and CanSecWest

This year Mozilla will be sponsoring BSidesVancouver, a free, community-oriented event on March 10th & 11th in Vancouver, BC. This event is very much in the spirit of the Mozilla community and mission, and several of our security team members will be attending both BSidesVancouver and CanSecWest.

In addition to our team members attending the event, Jeff Bryner and Curtis Koenig will be speaking at the event about some aspects of the security processes and technologies that Mozilla uses and has built. If you are going to be at these events and would like to connect with us at ...

Heartbleed Cheatsheet

Heartbleed Cheatsheet:

  • Upgrade OpenSSL on all of your existing software
  • Propose projects to remove infrastructure that can't be upgraded (if your vendors haven't shipped a patch, get new gear)
  • Force users to update credentials (YMMV depending on what you do, either force a re-auth, or password resets)
  • Apologize to your users for not dealing with this weeks ago.

If your employer won't let you do these four things, the next thing to do is find a new job.

Anything less would be unprofessional.
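Added here as a worked example, not part of the original cheatsheet: a POSIX shell helper for triaging the first item, which classifies an OpenSSL version string against the Heartbleed (CVE-2014-0160) affected range. The function names and the banner parsing are my own; the affected range (1.0.1 through 1.0.1f and 1.0.2-beta1, fixed in 1.0.1g and 1.0.2-beta2) is the one published in the OpenSSL advisory.

```shell
#!/bin/sh
# Added example, not from the original cheatsheet: classify an OpenSSL
# version string against the Heartbleed (CVE-2014-0160) affected range.
# Affected: 1.0.1 through 1.0.1f inclusive, plus 1.0.2-beta1. Fixed in
# 1.0.1g and 1.0.2-beta2. 0.9.8 and 1.0.0 never implemented TLS heartbeats.
#
# Caveat: distributions often backport the fix without bumping the upstream
# version (the string still reads 1.0.1e), so "affected" here means
# "verify via the package changelog or a heartbeat probe", not "confirmed".

# heartbleed_affected VERSION
# Prints affected, not-affected or unknown for a bare version like 1.0.1e.
heartbleed_affected() {
  case "$1" in
    1.0.1)            echo affected ;;       # the initial 1.0.1 release
    1.0.1[a-f]*)      echo affected ;;       # 1.0.1a .. 1.0.1f (suffixes such as -fips tolerated)
    1.0.1[g-z]*)      echo not-affected ;;   # 1.0.1g onward
    1.0.2-beta1)      echo affected ;;
    1.0.2*)           echo not-affected ;;   # 1.0.2-beta2 and every 1.0.2 release
    0.9.*|1.0.0*)     echo not-affected ;;   # no heartbeat extension at all
    1.1.*|3.*)        echo not-affected ;;   # released after the fix
    *)                echo unknown ;;
  esac
}

# version_from_banner "OpenSSL 1.0.1e 11 Feb 2013"
# Extracts the bare version field from the `openssl version` banner
# (constructed sample banner shown above; real output has the same shape).
version_from_banner() {
  set -- $1
  echo "$2"
}

# check_local_openssl: classify whatever `openssl` binary is on PATH.
check_local_openssl() {
  banner=$(openssl version 2>/dev/null) || { echo unknown; return; }
  heartbleed_affected "$(version_from_banner "$banner")"
}

# Usage: sh heartbleed-check.sh --local
if [ "${1:-}" = "--local" ]; then
  echo "local openssl: $(check_local_openssl)"
fi
```

Run it on every host and against the version each vendor appliance reports, but treat the verdict as a starting point: a backported fix leaves the version string unchanged, and a clean verdict says nothing about what was read out of process memory before the patch landed, which is why the credential-reset item is on the list at all.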

Since Jim asked, this cheat sheet is licensed under the Mozilla Public License, and ...

Criminalizing Curiosity

First a little background, I work in information security, and have since 2003. I currently manage a web security team at Mozilla, and work on a range of sites and services, and in the past I have worked in global finance (HSBC Canada, and HSBC Software Delivery), and for the Government of Manitoba. I have built a career on helping protect and defend exactly the sort of systems that were affected by the Heartbleed software bug.

As a bug, Heartbleed was pretty bad (not exactly the 11/10 that Schneier described), but serious. There have been a ton of write-ups ...

Introducing MARS

This was written as part of a series of blog posts after the founding of MARS that never materialized.  I do wish MARS the best, and decided to post this to capture some of the positivity that was behind the founding of the organization - and the potential that wasn't realized - Yvan Boily, 2016

* a personal perspective from each of you on why you became a board member and what you hope to achieve (I would love for each of us to author one of these)

That’s a quote from an email I sent to the MARS board as ...

With Politicians Like These... Part II

Today CBC reported that the Canadian Government declined to provide information on which software is banned for use on Canadian Government systems, and on open source alternatives.

Peter Van Loan (Government House Leader, MP - York-Simcoe) responded that it was not feasible because it would require a manual inventory.

"In order to produce such information to the level of detail requested, organizations would need to manually verify each and every hardware item maintained by the organization," Government House Leader Peter Van Loan said in his response.  "The collection and compilation of such data would take several months. Therefore, it is not possible ...