Category Archives: Other blogs

Links to posts on blog sites outside of Jurishacker.com

Apple increases encryption of iOS devices

As reported by The Register, Apple released iOS 10.3 today.  Included in the update is a new file system designed specifically for Apple devices.  The Apple File System (APFS) is designed for macOS, iOS, tvOS, and watchOS.

APFS brings strong “full-disk encryption” to protect files and metadata from exposure.  The interesting part is that APFS uses multi-key encryption: one key protects the file data and a separate key protects the metadata.  Separating these keys makes the attacker’s job more difficult, since recovering one key does not expose what the other protects.

Last year there was a very public debate around the role of encryption and backdoors for law enforcement investigations.  Apple fought FBI requests to decrypt an iPhone used by terrorists in California.  The FBI eventually found a way to decrypt the phone without Apple’s aid.

Doubling down on encryption, Apple is now making the process of gaining access to iOS devices even more difficult.  It seems that the relevant XKCD is even more relevant for Apple devices.

Data classification: Attempting to solve for x without knowing a, b, and c.

Computerweekly.com has an interesting post on federal government security classifications and cloud provisioning.  The TLDR is that many federal agencies are paying too much, because they are classifying information incorrectly and vendors are happy to upsell protections.

In my experience in state government, the problem is very different.  To begin with, few agencies have strong data classification policies.  In Texas, the Department of Information Resources published a data classification template that agencies can use to develop a classification scheme.  Personally, I think the template (and associated white paper) is a marvelous piece of work :).  It is unclear how many agencies actually used the template, though.

The problem isn’t limited to Texas.  Based on discussions with the CISOs of other states, data classification is a difficult problem for many.

The issue raised is how to determine the appropriate protections for data when classification programs don’t exist.  The result is that agencies will either over-protect public data or under-protect sensitive data.  Several states have a de facto policy of requiring all data to be hosted in the continental United States (CONUS).  While this is appealing, it also drives up prices for cloud services.

Many of the regulations that affect states (most recently CJIS) have dropped the CONUS requirements.  Requiring CONUS storage for “public” data is probably not the best use of taxpayer money.  Without a strong data classification program, though, it is hard to make informed decisions.

Uber keeps driving forward (see what I did there :)

As Peter Vogel blogged about yesterday (24 Jan 2017), Uber added Amit Singhal to its leadership.  Mr. Singhal, formerly the VP for Search at Google, will run the mapping division.  He will also work with the self-driving cars group.

For the security folks reading this, you may remember that Uber hired Charlie Miller and Chris Valasek into the self-driving cars group back in 2015 (after they demonstrated taking control of a vehicle remotely and presented the vulnerability at DefCon).

The addition of Mr. Singhal’s brain to the team already flush with really, really, really smart people means we are one step closer to the machines rising up and I, for one, welcome our new autonomous driving overlords.

Read Peter’s much more professional and adult blog here:

Uber will likely get smarter since they hired Google’s former head of search!

O.P.B.?

In the immortal words of Naughty by Nature: are you down with O.P.B.?  O.P.B., how can I explain it… It is Other Peoples’ Blogs!

I know that you are transfixed by the Jurishacker.com blog, wearing out your F5 key, reloading over and over, waiting for that next nugget of wisdom… Who am I kidding, according to the site analytics both of you that have read this blog are from China and never came back.

Anyway, if you do stumble upon this site and would like to read more intelligent discussions than you will find here I’ve put together a list of the pages that I enjoy visiting.

I’ll start with http://www.vogelitlawblog.com/.  Peter Vogel, a Partner at Gardere in Dallas, has been involved with IT and Software Law issues for almost 40 years.  In fact, his sole practice area for the past 39 years has been IT, Software, and Internet law.  He has taught e-discovery and Internet law courses at SMU for the past 30 years.  (Bias note: Peter and I are good friends and work together.)

Next up is http://www.gigalaw.com/blog/.  Doug Isenberg provides a good deal of insight into the law of the Internet.

The Center for Internet and Society at Stanford University always has good information on Internet law and policy.

For a couple of non-legal sites (which still provide a good amount of information on policy), I really like Brian Krebs’ Krebs on Security and Bruce Schneier’s Schneier on Security.  Krebs’ site is less blog and more news, but I’m including it anyway.

If you open each of these every morning, you get a pretty good idea of any large news stories, new vulnerabilities, or threats.  Either that or check https://istheinternetonfire.com/.

edit:  I’ve just been informed that the Naughty by Nature song was O.P.P., which has a completely different meaning. And here I thought Treach was a social media pioneer.  Who knew?