musing at the confluence of data, software and security

by Earl Chen

  • Raising the Bar, NIST Password Updates
    September 2024

    The latest NIST SP800-63B draft has two password behaviors that have finally moved from subway turnstile jumping SHOULD NOT to third rail touching SHALL NOT.

  • NIST SP800-63B and WHY! CapitalOne?
    September 2024

    Here we are on the eve of the publication of the updated NIST Digital Identity Guidelines. This has been in progress since 2020 and will update the guidelines last published in 2017. The most recent draft was released at the end of August and the final comment period comes to a close in October. The new official version is anticipated soon after. This happens to coincide with a disappointing experience trying to reset my credentials for online access with CapitalOne.

  • Timeless Lecture by Grace Hopper
    August 2024

    The NSA has released a famous lecture given by Rear Admiral Grace Hopper to an NSA audience in August of 1982 titled "Future Possibilities Data, Hardware, Software and People."

  • Security by Design Redux 2024
    August 2024

    Lawfare just released a paper discussing the continuing evolution of the concepts and approaches of ensuring digital security. Seeing the “Security by Design” headline turned the clock back 16 years, to when we first used the term to headline our new security program.

  • Delta dis(Continuity)
    August 2024

    Thanks to CrowdStrike, a little help from Microsoft, and maybe even some assistance from the European Union, Delta Airlines recently suffered an embarrassing systems outage, leading to thousands of flight cancellations and an estimated cost of over $500 million.

  • CrowdStrike - Is It Code?
    August 2024

    There has already been considerable discussion about the CrowdStrike incident on 19 July 2024. There is finger pointing by CrowdStrike customers. Finger pointing between Microsoft and CrowdStrike.... On that fateful day in July, was the update that crashed 8.5 million Windows devices content or was the update code?

  • NIST Post-Quantum Encryption Standards
    August 2024

    Quantum computers are often covered in the news with a doomsday message about how their computing power will render encryption obsolete and break the internet. The cryptographic community has been working diligently toward developing new algorithms and standards to provide encryption even as quantum computing capabilities continue to advance.

  • Common (non)Sense - Ticketmaster & Change Healthcare
    August 2024

    Another day, another Notice of Data Breach. Though these notices are arriving with increasing frequency.... These breaches can be prevented by using multi-factor authentication. Yet organizations continue to subject us to this all too common nonsense.