A better WannaCry advisory for schools

The Ministry of Education sent out a very poor advisory to schools about “WannaCry” today, based primarily (from what it seems) on the poor information coming from CERT-NZ. The advisory contains several factual errors, which the Ministry should not be spreading to schools.

I’ve written an improved advisory (I’ll update it as required).

Continue reading →

Why “3 tries and you’re locked” *weakens* security

Some organisations have a security policy that after three failed authentication attempts an account is locked (requiring manual unlocking by an IT support person) – the goal is to strengthen security, but this actually decreases the security of the organisation. Continue reading →