  • Filippo Valsorda: I’m giving up on PGP: “After years of wrestling GnuPG with varying levels of enthusiasm, I came to the conclusion that it’s just not worth it, and I’m giving up.” I’m not sure I know where my private key is any more, mostly because I haven’t used it in at least two years.

  • If you’re looking to understand how email security works, Scott Helme (who you may know from securityheaders.io and report-uri.io) dives deep into the subject in a series of three articles: Email Security - DKIM, Email Security - DMARC, and Email Security - SPF.

  • I think many security practitioners have intuitively felt that U2F was a great idea. Now there’s data to prove it. In Security Keys: Practical Cryptographic Second Factors for the Modern Web [PDF], several Google researchers present the results of a two-year study on FIDO U2F security keys. Unsurprisingly, they find that “Security Keys lead to both an increased level of security and user satisfaction.”

  • Cybersecurity insurance is increasingly becoming part of the infosec landscape. One issue I’ve struggled with is that I’m afraid increasing use of insurance will lead to worse outcomes: why bother protecting your users when your insurance will just pay for the obligatory year of credit monitoring?

    Here’s an interesting proposal that seems like it could tie cybersecurity insurance to better outcomes: have the government underwrite cybersecurity insurance, with requirements that incentivize better practices: Creating a Federally Sponsored Cyber Insurance Program.

    The part that makes me excited is this bit:

    The federally backstopped cyber insurance program should mandate that companies allow full breach investigations, which include on-site gathering of data on why the attack succeeded, to help other companies prevent similar attacks. This function would be similar to that performed by the National Transportation Safety Board (NTSB) for aviation incidents. When an incident occurs, the NTSB establishes the facts of the incident and makes recommendations to prevent similar incidents from occurring. Although regulators typically establish new requirements upon the basis of NTSB recommendations, most air carriers implement recommendations on a voluntary basis. Such a virtuous cycle could happen in cybersecurity if companies covered by a federal cyber insurance program had their incidents investigated by a new NTSB-like entity, which could be run by the private sector and funded by insurance companies.

What’s this?

This is a weekly roundup of interesting infosec-related links, inspired by Geek Feminism’s linkspam tradition.

If you’d like to suggest a link for a future roundup, post it to Pinboard tagged with securitylinkspam and I’ll find it there.