    Regular Columns

    Security Analogies
    “Scott Granneman discusses security analogies and their function in educating the masses on security concepts.”
    29 May 2007

    Nothing to Fear… ?
    “Scott Granneman looks at the use of fear in computer security, from misleading media reports and gross exaggeration by industry leaders to the use of fear in order to sell new computers and software.”
    8 February 2007

    Wishes For 2007
    “Scott Granneman takes a look at the technologies he found useful in 2006 and offers some wishes relating to security, privacy and DRM that he’d like to see fulfilled in 2007.”
    10 January 2007

    Cross-posted at The Register as “Security, privacy and DRM: My wishes for 2007”

    A Hard Lesson in Privacy
    “Scott Granneman looks at a hard lesson in personal privacy and security through the lens of a very public and well-known female television show host in Europe.”
    27 November 2006

    Cross-posted at The Register as “A hard lesson in privacy”
    Picked up by Digg as “European TV Star sold her iMac with naughty pictures and her password” (1505 diggs) & by Reddit as “TV presenter sells her iMac, forgets to erase her hard-core home movies: Unbelievable”

    Surprises Inside Microsoft Vista’s EULA
    “The draconian limitations I’ve discussed could only be enacted by a monopoly unafraid of alienating its users, as it feels they have no other alternative. Microsoft may yet learn, however, that there are limits to what its users will bear.”
    27 October 2006

    Cross-posted at The Register as “Surprises inside Microsoft Vista’s EULA”, with letters in response available at “EULAs, RFID tagging and other Halloween horrors”
    Picked up by Digg as “Surprises Inside Microsoft Vista’s EULA” (904 diggs), Slashdot as “Surprises in Microsoft Vista’s EULA” (382 comments), & Boing Boing as “Vista license improves, but still broken”

    A question of ethics
    “Ethics are of incredible importance in the security field. Scott Granneman looks at recent examples of poor security decisions made at HP, Diebold, Sony, and Microsoft.”
    15 September 2006

    LinuxWorld, virtually speaking
    “With all the free virtual machines out there running security software or acting as virtual security appliances, you’d think VMWare is on everyone’s mind. Scott Granneman offers some thoughts at the close of this year’s LinuxWorld.”
    17 August 2006

    Cross-posted at The Register as “LinuxWorld, virtually speaking”

    A month of browser bugs
    “Scott Granneman looks at the virtues and pitfalls of browser fuzzing and the overwhelmingly positive impact it has on the security community.”
    24 July 2006

    Cross-posted at The Register as “Moore’s the modern Weegee: ‘Credit hole by HD Moore the famous’”

    MySpace, a place without MyParents
    “The company can hire all the security officers it wants, and it could replace every ad with a flashing banner that says DO NOT TRUST RANDOM STRANGERS!!!, and send fliers to every parent in America … and bad things would still happen to kids connected to MySpace.”
    30 June 2006

    Cross-posted at The Register as “Why phishing catches punters”, with letters in response available at “MySpace, kids today and the NHS”

    Browsers, phishing, and user interface design
    “Answer me this truthfully: do you really trust Aunt Sally or Steve in Accounting or your kid sister Brooke to carefully read an anti-phishing warning, ponder the ramifications, and then make a wise choice? If you answer in the affirmative, then you haven’t read Why Phishing Works.”
    5 June 2006

    Cross-posted at The Register as “Why phishing catches punters”

    Innovative ways to fool people
    “Recent security examples where people have been fooled in increasingly innovative ways: from keyloggers used in a massive bank heist and new Trojans that encrypt data and request ransom money, to real financial rip-offs that extend out from online virtual gaming worlds like World of Warcraft.”
    4 May 2006

    Cross-posted at The Register as “Innovative ways to fool people”

    Virtualization for security
    “It appears obvious to me that users of all three of the major operating system families—Windows, Mac, and Linux—are one day going to find virtualization software and support installed as a matter of course.”
    12 April 2006

    Cross-posted at The Register as “Virtualization for security”

    Security Czar
    “In this column Scott Granneman takes the role of dictator of the security world and presents his ideas about mandatory reforms that would improve security for millions of people.”
    23 March 2006

    Cross-posted at The Register as “As Emperor of Security, I hereby decree…”
    Letters to The Register printed at “All hail Grannemanus—Emperor of Security!”

    The big DRM mistake
    “Digital Rights Management hurts paying customers, destroys Fair Use rights, renders customers’ investments worthless, and can always be defeated. Why are consumers and publishers being forced to use DRM?”
    1 March 2006

    Picked up by Digg as “More People Realizing That Copy Protection Is Just Bad” (1341 diggs), Techdirt as “More People Realizing That Copy Protection Is Just Bad”, & Boing Boing as “SecurityFocus on DRM”

    Coffee shop WiFi for dummies
    “The average user has no idea of the risks associated with public WiFi hotspots. Here are some very simple tips for them to keep their network access secure.”
    9 February 2006

    Cross-posted at The Register as “Securing network access while on the run”

    Tech support woes
    “If I was a member of SCOACC, or my stepfather, or any average computer user, I would have given up long before this, or continued to languish on the phone speaking to people I couldn’t understand.”
    20 January 2006

    Users inundated with pop-ups
    “The question comes down to, ‘What is the best way to inform your users without overwhelming them?’”
    12 December 2005

    Cross-posted at The Register as “Users inundated with pop-ups”

    “I’d like to share a few questions that have arisen due to the Sony BMG rootkit.”
    22 November 2005

    Cross-posted at The Register as “Sony fiasco: More questions than answers”

    Balancing surveillance
    “With camera and network surveillance now commonplace, and database abuse continuing to appear, how do we balance the positive side of security along with its potential for abuse?”
    1 November 2005

    ICANN on center stage
    “ICANN and the U.S. government reach center stage next month in Tunisia, as the future of IP address assignments and U.S. control of the root DNS turns into a hotbed of debate.”
    13 October 2005

    Skype security and privacy concerns
    “It’s a questionable act to trust your personal and business phone calls, instant messages, and file transfers to Skype already, but it seems almost the height of foolhardiness to do the same now with a Skype owned by eBay.”
    22 September 2005

    Cross-posted at The Register as “Beware eBay bearing Skype”
    Subject of a Slashdot story

    The great firewall of China
    “What needs to come first: the needs of the web servers my friends run, or the needs of a guy sitting in Shanghai that wants to view the content of that web site?”
    30 August 2005

    Cross-posted at The Register as “On blocking Chinese IP addresses”

    Greasing the wheel with Greasemonkey
    “Which would you rather have? An open process like that practiced by Greasemonkey, or a closed process like that chosen too often by major vendors?”
    8 August 2005

    Cross-posted at The Register as “Greasemonkey wobbles but it doesn’t fall down”
    Referenced by mozillaZine’s “SecurityFocus on Handling of Greasemonkey Security Flaw”

    Microsoft and Claria, together at last?
    “Microsoft is looking to buy Claria, the nefarious spyware company that created Gator, and it’s an absolute slap in the face to all Windows users concerned about security.”
    13 July 2005

    Cross-posted at The Register as “Microsoft and Claria: together at last?”

    Your fingerprints are everywhere
    “How much do you trust your government? That’s a question that all of us have to ask, perhaps the more often the better.”
    15 June 2005

    Cross-posted at The Register as “Your fingerprints are everywhere”

    White Hat or White Whale?
    “Sometimes an obsession over any one security approach, whether it’s policy or a specific technology, can be a very unhealthy thing overall.”
    26 May 2005

    Live CD Paradise
    “Whether you need to sniff for wireless networks or carry Nessus, Nmap and the Metasploit Framework with you in your pocket, there’s a security-based Live CD out there for you.”
    5 May 2005

    Cross-posted at The Register as “Live CD paradise”

    Privacy From the Trenches
    “The recent string of high profile security breaches doesn’t even hit the radar of the average user worried about the privacy of his personal information.”
    14 April 2005

    Cross-posted at The Register as “Privacy from the trenches”

    Owning A New Phone
    “Recent mobile phone and Bluetooth hacks, and the public’s response to them, show us how the average person really looks at security.”
    24 March 2005

    Cross-posted at The Register as “How shall I own your mobile phone today?”

    Where is Google Headed?
    “As the bad guys start using Google more and more, the company wrestles with some new security and privacy issues with AutoLink.”
    2 March 2005

    Cross-posted at The Register as “Google AutoLink: enemy of the people?”

    Unexpected Attack Vectors
    “A new round of attacks and phishing attempts use some unexpected attack vectors that we should have been paying attention to, but weren’t.”
    9 February 2005

    Cross-posted at The Register as “Beware the unexpected attack vector”

    Unintended Consequences
    “The law of unintended consequences shows us how many innocent innovations like email, anti-virus and DRM can become something far worse than the inventors had ever imagined.”
    19 January 2005

    Cross-posted at The Register as “Exploring the law of unintended consequences”
    Referenced by Dave Farber’s Interesting People listserv

    Trojan Horse Christmas
    “Here are some suggestions on how to help your family members safely use that new trojan horse they received under the Christmas tree this year.”
    30 December 2004

    Cross-posted at The Register as “Trojan Horse Christmas”

    Online Extortion Works
    “Online extortion is quietly affecting thousands of businesses, for a very simple reason: it works. The big question then becomes, how will you and your company decide to respond?”
    13 December 2004

    Cross-posted at The Register as “Online extortion works”

    Bill Gates Is Right?
    “Bill Gates is right about one thing: asking people to use a two-factor form of authentication would go a long way toward alleviating a lot of the password problems that plague computer security today.”
    19 November 2004

    Cross-posted at The Register as “Stunned pundit agrees with Gates over passwords”

    Phishing For Savvy Users
    “Recent ‘phishing’ episodes, and two new browser vulnerabilities, show how the bad guys are tricking people into exposing their passwords and bank accounts. Couldn’t happen to tech-savvy users, right? Unless you consider how entire nations have been fooled.”
    1 November 2004

    Cross-posted at The Register as “Phishing for dummies: hook, line and sinker”

    Fueling the Fire
    “The latest Symantec Threat Report can provide us with information, knowledge, and even a little bit of wisdom – about what has truly become an epidemic and an avenue for organized crime.”
    7 October 2004

    Cross-posted at The Register as “Fighting the army of byte-eating zombies”

    Academia Headaches
    “Academic institutions who have to add, manage, and secure thousands of new users within a period of just a few days face political and social issues on top of the immense technical ones.”
    15 September 2004

    Cross-posted at The Register as “Academia battles forces of IT anarchy”

    Infected In Twenty Minutes
    “What normally happens within twenty minutes? That’s how long your average unprotected PC running Windows XP, fresh out of the box, will last once it’s connected to the Internet.”
    19 August 2004

    Cross-posted at The Register as “Infected in 20 minutes”

    Email Privacy is Lost
    “As if the common use of ‘web bugs’ inside spam was not enough, companies are using new techniques to watch and track the private emails you read, forward, print, and more.”
    29 July 2004

    Cross-posted at The Register as “The battle for email privacy”

    Service Pack Deux?
    “Microsoft should make SP2 available to all users and backport the changes to older operating systems, or they risk putting profits ahead of security yet again.”
    8 July 2004

    Time to Dump Internet Explorer
    “It’s time to tell our users, our clients, our associates, our families, and our friends to abandon Internet Explorer.”
    17 June 2004

    Pass the Chocolate
    “For the 70% of the population that will trade their computer password for a bar of chocolate, this one’s for you.”
    26 May 2004

    Cross-posted at The Register as “Would you trade your password for chocolate?”

    Destructive Influence
    “Everyone needs a good data destruction policy, and a lawyer standing by, to dispose of their sensitive media and devices.”
    14 April 2004

    Cross-posted at The Register as “Working up an appetite for destruction”

    Security Patches by Modem? Forget It!
    “Let’s face it—there is no way for dial-up users on any major operating system to keep their computers up-to-date and patched. OK, maybe ‘no way’ is an exaggeration. How about, ‘a difficult, burdensome, time-consuming, very prone to failure way?’”
    24 March 2004

    Cross-posted at The Register as “Security patches via modem? Forget it!”

    Googling Up Passwords
    “Google is in many ways the most useful tool available to the bad guys, and the most dangerous Web site on the Internet for many, many thousands of individuals and organizations.”
    9 March 2004

    Cross-posted at The Register as “The perils of Googling”
    Referenced by Jon Udell’s Weblog (Infoworld) and Dan Gillmore’s eJournal

    A Home User’s Security Checklist for Windows
    “Most people don’t secure their computers or act in a secure manner, and the main reason is that the average user just doesn’t know what to do. Here is a checklist on security for home computer users that you can share with your friends, family, churches and clubs.”
    13 February 2004

    Referenced by the LangaList

    A Visit from the FBI
    “The easiest way to illegally acquire money now is through the use of online tools like Trojans, or through phishing: set up a fake Web site for PayPal or eBay or Amazon …”
    21 January 2004

    Cross-posted at The Register as “A visit from the FBI”
    Subject of a Slashdot story & a MacSlash story
    Referenced by Dave Farber’s Interesting People list

    Debian’s Response
    “The Debian team is to be commended for how they handled this incident: quickly, openly, and honestly.”
    4 December 2003

    Electronic Voting Debacle
    “Grave concerns over the security of electronic voting machines in the United States means the heart of American democracy is at risk.”
    12 November 2003

    Cross-posted at The Register as “Electronic Voting Debacle”
    Referenced by some of the following blogs: Things I’ve Seen,

    Joe Average User Is In Trouble
    “Security is just not a concept that ‘normal’ folks focus on. It’s not even on the radar screen. It’s just not thought about at all.”
    22 October 2003

    Cross-posted at The Register as “Joe Average User Is In Trouble”
    Referenced by some of the following blogs: City of Bits, Dinokarl (in German)

    Linux vs. Windows Viruses
    “To mess up a Linux box, you need to work at it; to mess up your Windows box, you just need to work on it.”
    2 October 2003

    Cross-posted at The Register as “Linux vs. Windows Viruses”
    Subject of a Slashdot story
    Subject of a rebuttal by Virus Bulletin, but then the rebuttal was rebutted by PlasticBoy
    Referenced by Linux Today
    Subject of interesting discussion threads at ActiveWin and Promote-OpenSource
    Linked to by these blogs: Universal Mac, Lockergnome, Universal Rule, Kookaburra
    A quotation from the column is used by some folks as an email signature: Linux Questions, Linux Questions
    That same quotation has been translated into French: Cyril’s Blog

    Rumblings On IT Jobs Moving Overseas
    “When your skillset becomes a commodity, then all of a sudden those offshore workers start looking quite a bit more attractive to your employers.”
    10 September 2003

    Blogs: Another Tool in the Security Pro’s Toolkit (Part Two)
    “The blog, and especially the RSS feed, are some of the newest tools available to the security professional.”
    6 August 2003

    Referenced by the following blog: SilverStr’s Blog

    Blogs: Another Tool in the Security Pro’s Toolkit (Part One)
    “Here’s the problem: security delayed is security denied. There is more information than you can read or absorb. That means you might miss some key points, trends, warnings, or fixes. And the price for missing them can be enormous.”
    16 July 2003

    RFID Chips Are Here
    “RFID chips are being embedded in everything from jeans to paper money, and your privacy is at stake.”
    26 June 2003

    Cross-posted at The Register as “RFID Chips Are Here”
    Subject of a Slashdot story

    Learning to Love Big Brother
    “Microsoft’s digital rights management (DRM) may have implications for security professionals.”
    4 June 2003

    Referenced by some of the following blogs: Dangers of Digital Rights Management, Radio Baily

    A List of Security Essentials: From Mermaids to Suckling Pigs
    “The recent Nmap-hackers survey provides a glimpse of what security professionals are packing in their tool-belts these days.”
    14 May 2003

    Al-Jazeera, the First Amendment, and Security Professionals
    “While attempts to disrupt Web broadcasts of Al-Jazeera may seem like a distant concern, they reflect the problems that should concern security professionals everywhere.”
    23 April 2003
    Virus Hoaxes and the Real Dangers They Pose
    25 March 2003

    Securing Outlook, Part Two: Many Choices to Make
    23 December 2002

    Securing Outlook, Part One: Initial Configuration
    10 December 2002

    Securing Privacy, Part Four: Internet Issues
    29 May 2002

    Securing Privacy, Part Three: E-mail Issues
    14 May 2002

    Securing Privacy, Part Two: Software Issues
    25 April 2002

    Securing Privacy, Part One: Hardware Issues
    11 April 2002