There were a couple of posts on entropy: the first, NIST, Passwords and Entropy, a review of NIST’s approach to specifying password policies based on entropy, and the second, On the Entropy of Fingerprints, which found some research indicating that password entropy is much lower than fingerprint entropy.
I also had a bit to say about a “rant” in Marcus Ranum and the Points of No Return, where Ranum stated that the cumulative effect of many business-driven IT decisions taken over the last three decades has rendered a grand IT failure all but inevitable. I followed that post up with The Relegation of Security to NFR Status, which examined the weakened position of security, and IT in general, in decision-making processes.
There was a wonderful post by Julian Sanchez on his Climate Change and Argumentative Fallacies blog where he coins the term “one way hash” arguments, by which he means the asymmetric amount of effort required to pose a plausible argument as opposed to the effort required to debunk it. I think we face the same problem in IT risk and security as I said in “One Way Hash” Arguments.
I also reposted The Data Centric Security Model (DCSM) with a link to the full document on Scribd, as the old link stopped working. The document remains very well read with about 3,000 views in total today. Some security documents on Scribd gave links to other documents I uploaded, and you can see all the categories here (called collections by Scribd).
I announced in ENISA and Security Awareness that I would be speaking at an upcoming ENISA conference, which turned out to be a very successful get-together. My slides can be found here, and let me point you to a great awareness presentation from Robert Hadfield of British Airways, which has just over 1700 views on Scribd.
Zero Knowledge Proofs was a longish non-technical introduction to this complex topic, and it has remained one of my posts with a steady number of readers. I also started Password Roundup #1, with the intention of creating a series of posts on password issues, which figure regularly in security news. I got around to a second round-up about a month later but have stalled since then – not due to lack of material. Instead of waiting for me, please take a look at the Reusable Security blog by Matt Weir, which is devoted to password issues and analysis.