TaoSecurity Blog

Do you remember the story of the UK-based logistics company that closed due to ransomware and laid off 730 workers?  Today in an article about a warning to UK businesses about cyber incidents, their “director” said they “were throwing £120,000 a year at [cyber-security] with insurance and systems and third-party managed systems.” That’s the cost of one cyber FTE, and it sounds like they didn’t employ ANY cyber people. This is what I mean by the “security 1%.”  https://taosecurity.blogspot.com/2020/10/security-and-one-percent-thought.html This company was in the 99%, and intruders put them out of business, despite apparently having $100 million in annual revenue?  I never blame victims of intrusions, but the underinvestment in security is appalling. Refs: https://www.bbc.com/news/articles/ced61xv967lo and https://www.northantstelegraph.co.uk/news/people/kettering-haulage-company-knights-of-old-group-goes-into-administration-with-730-redundancies-4349040# ...

When someone cites one of my works, I get a notice from Research Gate. Today I got one, from an article from the "IEEE Open Journal of the Communications Society." It cited my first book, which is 21 years old.     The PDF was available.    I noticed the article referenced Prelude, a project I talked about in my first book.        This project has been dead for YEARS. If you visit the link for Prelude in the paper, supposedly visited for research in Feb 2025, it redirects to a gambling site.    If you go to the original Prelude IDS site, it's a disguised gambling site.     I checked with Archive.org and the site was not serving useful content in the timeframe the researchers claimed.   I don't understand how this happens. Stop shoddy academic "research."

I just created another Windows 10/11 application using AI. This is a follow-up to the SquareCap program I posted about a few weeks ago .   The problem I was trying to solve this time was opening and searching extremely large text files.   I used to use the old Mandiant Highlighter program for this, but it was last updated in 2011 and couldn't handle the 26 GB text file I wanted to open.   If you're wondering what that file is, it's a dump of the contents of the main Starfield.esm file from the Bethesda Game Studios game called Starfield. I use the xdump64 program bundled with xEdit.   You can try this program for yourself if you like. It's a stand-alone Windows C# .NET 9 application that runs on Windows 10 and 11.  Like my last program, all I did was work with the model for about 3 hours to get it to where it is now.   I tried for an hour or so to implement a "highlight all search matches" function but could not get that to work.    The screen cap...

I just created a Windows 10/11 application that takes square screen captures. I did zero coding myself but used Visual Studio Code, Cline, OpenRouter, and Claude.   I got the idea by watching a video on so-called Vibe programming by a YouTuber named Memory . I have zero Windows programming experience although I have recently been playing with simple video game development.   After creating the application I was able to use Cline to help me commit it to GitHub. You can find it at https://github.com/taosecurity/SquareSnap/ . Note that if you download the .exe Windows will complain because it is unsigned. If you worry about back doors just look at the code yourself -- or have your own LLM read it!   This was just an experiment to see how these tools work. I decided to try creating a screen capture program that only takes captures in a square or 1:1 format because it's useful for social media, and especially YouTube posts.   I had not found anything prior to this. This i...

Happy birthday TaoSecurity Blog, born on this day in 2003! The best way to digest the key lessons from this site is to browse my four volume Best of TaoSecurity Blog book series , published in 2020. It's available in print as seen here, or as a properly formatted HTML-based digital book -- none of that PDF-based fixed format nonsense. Each book is a theme-centric collection of posts with new commentary for each entry. Some of what I wrote stood the test of time, and some did not. See what you think. Or, just scroll backwards through this site. Thank you to Blogspot and Google for hosting this blog for the last 22 years! This is post number 3,086 by the way.

Probably once a week, I see posts like this in the r/Ubiquiti subreddit. Ubiquiti makes network gear that includes an "IDS/IPS" feature. I own some older Ubiquiti gear so I am familiar with the product. When you enable this feature, you get alerts like this one, posted by a Redditor: This is everything you get from Ubiquiti.   The Redditor is concerned that their system may be trying to compromise someone on the Internet. This is my answer to how to handle these alerts.   == This is another example of this sort of alert being almost worthless for most users. The key is trying to understand what COULD have caused the alert to trigger. CVEs, whatever, are irrelevant at this point. Here is one way to get SOME idea of what is happening. Go to https://rules.emergingthreats.net/open/suricata-7.0.3/rules/ Download the file that is named as the first part of the alert. Here that is EXPLOIT. https://rules.emergingthreats.net/open/suricata-7.0.3/rules/emerging-exploit.rules Find the r...

On this day in 2004, Addison-Wesley/Pearson published my first book, The Tao of Network Security Monitoring: Beyond Intrusion Detection . This post from 2017 explains the differences between my first four books and why I wrote Tao .  Today, I'm always thrilled when I hear that someone found my books useful.  I am done writing books on security, but I believe the core tactics and strategies in all my books are still relevant. I'm not sure that's a good thing, though. I would have liked to not need the tactics and strategies in my book anymore. "The Cloud," along with so many other developments and approaches, was supposed to have saved us by now. Consider this statement from a report describing CISA’s red team against a fed agency:  “[A]ttempts to capture forensic data via packet captures occurred directly on the compromised Solaris and Windows hosts, where the red team observed the data being collected and therefore had the opportunity to disrupt collection, tam...