I was getting a little fed up with the craziness I kept seeing on the web when it comes to security, so I created this:
That’s right, a great big freakin’ padlock in a straitjacket, or more to the point, I created the Twitter account @InfoSecInsanity.
So what exactly is InfoSec Insanity? Well, let’s take this example from the weekend, on restricting passwords, which was the catalyst for creating the account:
Oh, so when O2 decided to stop you from putting in a nice strong, random password it was for your own good! Well I’m glad we cleared that up.
Here’s another favourite, this time from British Gas earlier this year. Unable to paste credentials in from a password manager, a concerned Twitterer raised it and got an, uh, “awesome” response:
Now I don’t know what Steveo was smoking here, but I’m guessing it wasn’t legal.
Nutty tweets are one thing and by all means, they’re exactly the sort of thing I’m going to be sharing from this account, but let’s not stop there. One of my recent favourites was this post I wrote about Stack Overflow answers to the question of password encryption. The first earnest respondent to the (now deleted) question shared many lines of code that carefully demonstrated how to use Base64 – no, not to encode the resulting cipher text, but as the only means of credential obfuscation. Two others chimed in with basic character rotation schemes – take “a” and replace it with “f”, then take “b” and replace it with “g” and so on and so forth. Neither scheme involves a secret of any kind, so anyone who can see the stored value can reverse it in their head, let alone with a script.
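To make the point concrete, here is an added example (my own code, not from the post above and not from the deleted Stack Overflow answers, whose exact code is unknown). It reconstructs the two schemes in their simplest form, which is an assumption about what the answers did: Base64 encoding and a fixed shift of five letters. It then shows that both are recovered without any key, and contrasts them with salted PBKDF2-HMAC-SHA256 from the Python standard library, which cannot be reversed and is only ever verified. The sample password is constructed for the demo.

```python
import base64
import hashlib
import hmac
import os

# Constructed sample credential for the demo; not a real password.
SAMPLE_PASSWORD = "correct horse battery staple"


def base64_obfuscate(password: str) -> str:
    """'Encryption' as Base64 only: an encoding, not a cipher, with no key."""
    return base64.b64encode(password.encode("utf-8")).decode("ascii")


def base64_recover(obfuscated: str) -> str:
    """Anyone holding the stored value reverses it with zero secrets."""
    return base64.b64decode(obfuscated).decode("utf-8")


def rotate_obfuscate(password: str, shift: int = 5) -> str:
    """Character rotation ('a' -> 'f', 'b' -> 'g', ...): a Caesar shift.
    Non-letters pass through unchanged; Python's modulo keeps negative
    shifts in range so the same function also undoes a rotation."""
    out = []
    for ch in password:
        if "a" <= ch <= "z":
            out.append(chr((ord(ch) - ord("a") + shift) % 26 + ord("a")))
        elif "A" <= ch <= "Z":
            out.append(chr((ord(ch) - ord("A") + shift) % 26 + ord("A")))
        else:
            out.append(ch)
    return "".join(out)


def rotate_brute_force(obfuscated: str) -> list:
    """There are only 26 possible shifts; the original is always among
    these 26 candidates, so an attacker needs no key to recover it."""
    return [rotate_obfuscate(obfuscated, -s) for s in range(26)]


# What the answers should have recommended: a salted, slow password hash.
# 600,000 iterations is the order of magnitude in current OWASP guidance
# for PBKDF2-HMAC-SHA256; tune it to your hardware.
def hash_password(password: str, iterations: int = 600_000) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest."""
    salt = os.urandom(16)  # fresh random salt per password
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations
    )
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iterations; compare in constant
    time. The password itself is never recoverable from `stored`."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash record")
    candidate = hashlib.pbkdf2_hmac(
        "sha256",
        password.encode("utf-8"),
        bytes.fromhex(salt_hex),
        int(iterations),
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    b64 = base64_obfuscate(SAMPLE_PASSWORD)
    print("base64 stored value:", b64)
    print("recovered with no key:", base64_recover(b64))

    rot = rotate_obfuscate(SAMPLE_PASSWORD)
    print("rotated stored value:", rot)
    print("original among 26 guesses:", SAMPLE_PASSWORD in rotate_brute_force(rot))

    record = hash_password(SAMPLE_PASSWORD)
    print("pbkdf2 record:", record)
    print("correct password verifies:", verify_password(SAMPLE_PASSWORD, record))
    print("wrong password verifies:", verify_password("hunter2", record))
```

Note that hashing the same password twice yields two different records because of the per-password salt, which is exactly what stops an attacker from precomputing a table of outputs the way they trivially can for Base64 or a fixed rotation.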
So here’s the “call to arms” as it were:
Tweet links to crazy security approaches or nut job responses by social media accounts and I’ll get @InfoSecInsanity to give them a shout-out. Mention @troyhunt or @InfoSecInsanity with a link to the page or tweet and it’ll earn a spot on the timeline.
Let’s avoid the “These guys just emailed my password” or “Those guys won’t let me use quotes in my password” kind of stuff because, as dumb as it is, we’d be here all day and flood the timeline with them. I’m really interested in the stuff that genuinely makes us go “WTF, are you serious?!?!” That’ll keep it more interesting for followers.
Last thing is a quick “hat tip” to Plain Text Offenders and the recently launched HTTP Shaming. Both of these sites do a great job of calling out infosec insanity in their respective areas (sites emailing credentials, and sites not implementing a secure transport layer where it’s required). The “naming and shaming” they encourage goes some way to holding sites with dodgy practices to account, and they’ve provided inspiration for InfoSec Insanity.