
Simon Willison’s Weblog

281 items tagged “security”

Facebook Adds Code for Clickjacking Prevention. Clever technique: Facebook pages check to see if they are being framed (using window.top) and, if they are, add a div covering the whole page which causes a top level reload should anything be clicked on. They also log framing attempts using an image bug. 0 13th March 2010, 10:42 am

Some People Can’t Read URLs. Commentary on the recent “facebook login” incident from Jono at Mozilla Labs. I’d guess that most people can’t read URLs, and it worries me more than any other aspect of today’s web. If you want to stay safe from phishing and other forms of online fraud you need at least a basic understanding of a bewildering array of technologies—URLs, paths, domains, subdomains, ports, DNS, SSL as well as fundamental concepts like browsers, web sites and web servers. Misunderstand any of those concepts and you’ll be an easy target for even the most basic phishing attempts. It almost makes me uncomfortable encouraging regular people to use the web because I know they’ll be at massive risk of online fraud. 14 2nd March 2010, 10:16 am

Don’t Hash Secrets. A well written explanation from 2008 of why you must use hmac instead of raw SHA-1 when hashing against a secret. 0 24th January 2010, 1:30 pm

Timing attack in Google Keyczar library. An issue I also need to fix in the proposed Django signing code. If you’re comparing two strings in crypto (e.g. seeing if the provided signature matches the expected signature) you need to use a timing independent string comparison function or you risk leaking information. This kind of thing is exactly why I want an audited signing module in Django rather than leaving developers to figure it out on their own. 6 4th January 2010, 3:23 pm

Design and code review requested for Django string signing / signed cookies. Do you know your way around web app security and cryptography (in particular signing things using hmac and sha1)? We’d appreciate your help reviewing the usage of these concepts in Django’s proposed string signing and signed cookie implementations. 0 4th January 2010, 1:24 pm
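An added example, not Django’s proposed signing module or the Keyczar fix, tying together the three items above: HMAC-SHA1 signing with the secret used as the key (rather than hashed alongside the data), verified with a comparison whose work does not depend on where two strings first differ, next to the ordinary early-exit comparison that leaks that position. The `SECRET_KEY` value and the `value:hexmac` token layout are assumptions for the demo.

```python
import hashlib
import hmac
from typing import Tuple

# Constructed key for the demo; a real deployment loads this from settings.
SECRET_KEY = b"constructed-demo-key"


def sign(value: str, key: bytes = SECRET_KEY) -> str:
    """Append an HMAC-SHA1 of value, keyed with the secret, as "value:hexmac".

    HMAC rather than sha1(key + value): the keyed construction is what makes
    the tag depend on the secret in a way that cannot be reproduced or
    extended from a single valid tag, which is the point of "Don't Hash
    Secrets".
    """
    mac = hmac.new(key, value.encode("utf-8"), hashlib.sha1).hexdigest()
    return f"{value}:{mac}"


def early_exit_compare(a: str, b: str) -> Tuple[bool, int]:
    """Ordinary comparison: stops at the first differing character.

    Returns (equal, characters_examined). The second value is what timing
    reveals: it grows by one each time the next hex digit of a guessed
    signature happens to be right, so the signature can be recovered a
    digit at a time. This is the defect the Keyczar advisory describes.
    """
    examined = 0
    for x, y in zip(a, b):
        examined += 1
        if x != y:
            return False, examined
    return len(a) == len(b), examined


def constant_time_compare(a: str, b: str) -> Tuple[bool, int]:
    """Examine every character regardless of where the strings differ.

    The OR-accumulated XOR never short-circuits, so the work (and so the
    time) depends only on the length, not on the content. Hex digests have
    a fixed length, so the early length check leaks nothing useful. The
    stdlib's hmac.compare_digest does the same job and is what production
    code should use.
    """
    if len(a) != len(b):
        return False, 0
    diff = 0
    examined = 0
    for x, y in zip(a.encode("utf-8"), b.encode("utf-8")):
        diff |= x ^ y
        examined += 1
    return diff == 0, examined


def unsign(signed: str, key: bytes = SECRET_KEY) -> str:
    """Return the value if its signature verifies, else raise ValueError."""
    value, sep, mac = signed.rpartition(":")
    if not sep:
        raise ValueError("no signature present")
    expected = hmac.new(key, value.encode("utf-8"), hashlib.sha1).hexdigest()
    ok, _ = constant_time_compare(mac, expected)
    if not ok:
        raise ValueError("signature does not match")
    return value


if __name__ == "__main__":
    token = sign("user=42")
    print(token)
    print(unsign(token))
```

Both comparison functions report how many characters they examined so the leak is visible without measuring wall-clock time.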

Intercepting Predator Video. Bruce Schneier’s take on the unencrypted Predator UAV story. A fascinating discussion of key management and the non-technical side of cryptography. 0 24th December 2009, 9:26 pm

The Dangers of Clickjacking with Facebook. theharmonyguy compiled a list of actions that can be triggered on Facebook by a single click, and hence are vulnerable to clickjacking attacks. The list includes authorising malicious applications, posting links to profiles, sending friend requests and sending messages to other users. Why don’t Facebook include frame busting JavaScript on every page? 1 23rd December 2009, 10:20 am

New Facebook clickjacking attack in the wild. I’m not sure why Facebook don’t use frame-busting JavaScript to avoid this kind of thing. The attack is pretty crafty—a Facebook page is positioned with everything obscured bar part of the blue “share this” button, and a fake “Human Test” asks the user to find and click the blue button to continue. 3 22nd December 2009, 6:52 pm

Another leak, the worst so far (via) “Arweena, a spokes-elf for Santa Claus, admitted a few hours ago that the database posted at WikiLeaks yesterday is indeed the comprehensive 2009 list of which kids have been naughty, and which were nice.” The first comment is great too. 0 22nd December 2009, 10:42 am

Insurgents Hack U.S. Drones. The video feed rather than the control protocol, but still.... “Fixing the security gap would have caused delays, according to current and former military officials. It would have added to the Predator’s price. Some officials worried that adding encryption would make it harder to quickly share time-sensitive data within the U.S. military, and with allies.” 2 17th December 2009, 7:36 am

Notes from the No Lone Zone. A computer scientist with a background in cryptography visits a Titan II ICBM launch complex. 0 16th December 2009, 10:02 am

IE 6 and 7 hit by hack attack code. IE6 and 7 have what looks like a buffer overflow vulnerability caused by a strange intersection of CSS, innerHTML and large JavaScript arrays. No exploits in the wild yet but it’s only a matter of time. 0 22nd November 2009, 3:38 pm

Major IE8 flaw makes ’safe’ sites unsafe. IE8 has an XSS protection feature which rewrites potentially harmful code in HTML pages—I think it looks for suspicious input in query strings which appears to have been output directly on the page. Unfortunately it turns out there’s a flaw in the feature that can allow attackers to rewrite safe pages to introduce XSS flaws. Google are serving all of their pages with the X-XSS-Protection: 0 header. Until the fix is released, that’s probably a good idea. 1 22nd November 2009, 3:34 pm

Verified by Visa is training people to get phished. Searching for “Verified by Visa” on Twitter produces an endless stream of complaints. I don’t think I’ve ever heard anyone say anything good about it—and it certainly doesn’t make anything more secure. Presumably there’s some kind of legal liability benefit to it, though I imagine it benefits the card issuers rather than the consumer. 8 11th November 2009, 10:47 am

Cross-domain policy file usage recommendations for Flash Player. One of the best explanations of the security implications of crossdomain.xml files I’ve seen. If you host a crossdomain.xml file with allow-access-from domain="*" and don’t understand all of the points described here, you probably have a nasty security vulnerability. 2 5th November 2009, 4:24 pm

Facebook and MySpace security: backdoor wide open, millions of accounts exploitable (via) Amazingly, both services had wide open holes in their crossdomain.xml files. Facebook were serving allow-access-from domain="*" in the crossdomain.xml file on one of their subdomains (a subdomain that still had access to the user’s profile information) while MySpace were opting in farm.sproutbuilder.com, a service which allowed anyone to upload arbitrary SWF files. 2 5th November 2009, 9:47 am

Whenever you build a security system that relies on detection and identification, you invite the bad guys to subvert the system so it detects and identifies someone else. [...] Build a detection system, and the bad guys try to frame someone else. Build a detection system to detect framing, and the bad guys try to frame someone else framing someone else. Build a detection system to detect framing of framing, and well, there’s no end, really.

Bruce Schneier 0 17th October 2009, 4:55 pm

Django security updates released. A potential denial of service vulnerability has been discovered in the regular expressions used by Django form library’s EmailField and URLField—a malicious input could trigger pathological performance. Patches (and patched releases) for Django 1.1 and Django 1.0 have been published. 4 10th October 2009, 12:24 am

XSS Protection by Default in Rails 3.0. Fantastic news—congratulations, Rails core team. 0 8th October 2009, 4:35 pm

Django ponies: Proposals for Django 1.2

I’ve decided to step up my involvement in Django development in the run-up to Django 1.2, so I’m currently going through several years worth of accumulated pony requests figuring out which ones are worth advocating for. I’m also ensuring I have the code to back them up—my innocent AutoEscaping proposal a few years ago resulted in an enormous amount of work by Malcolm and I don’t think he’d appreciate a repeat performance. [... 1674 words]

Adding signing (and signed cookies) to Django core. I’ve been increasing my participation in Django recently—here’s my proposal for adding signing and signed cookies to Django, which I’d personally like to see ship as part of Django 1.2. 0 24th September 2009, 7:31 pm

Given the security issues with plugins in general and Google Chrome in particular, Google Chrome Frame running as a plugin has doubled the attack area for malware and malicious scripts. This is not a risk we would recommend our friends and families take.

Microsoft spokesperson 7 24th September 2009, 4:49 pm

Why Python Pickle is Insecure. Because pickle is essentially a stack-based interpreter, so you can put os.system on the stack and use it to execute arbitrary commands. 3 9th September 2009, 11:04 pm

apache.org incident report for 8/28/2009. Various apache.org sites were down for a while last week—here the Apache Infrastructure Team provide a detailed description of what happened (a security breach on a minor server, which provided non-privileged SSH access to mirror servers via an SSH key used for backups) and how they are responding. Useful for neophyte sysadmins like myself. 0 3rd September 2009, 8:56 am

For those who haven’t heard the story the details were pulled from a Christian dating site db.singles.org which had a query parameter injection vulnerability. The vulnerability allowed you to navigate to a person’s profile by entering the user id and skipping authentication. Once you got there the change password form had the passwords in plain text. Someone wrote a scraper and now the entire database is on Mediafire and contains thousands of email/password combinations.

rossriley on Hacker News 0 23rd August 2009, 10:10 am

Facebook Hacked By 4chan, Accounts Compromised. It wasn’t Facebook that got hacked: 4chan members got hold of a list of usernames and passwords from an insecure Christian dating site and started using them to raise complete hell. Yet another demonstration that storing your users’ passwords in the clear is extremely irresponsible, and also a handy reminder that regular users who “don’t have anything worth securing” actually have a great deal to lose if their password gets out. 5 23rd August 2009, 10:02 am

You Deleted Your Cookies? Think Again (via) Flash cookies last longer than browser cookies and are harder to delete. Some services are sneakily “respawning” their cookies—if you clear the regular tracking cookie it will be reinstated from the Flash data next time you visit a page. 2 17th August 2009, 3:23 pm

Django: Security updates released. A fix for a directory traversal attack in the Django development server (the one with the big “never run this in production” warnings in the documentation). Also reminds that the release of 1.1 means that 0.96, released over two years ago, has reached end of life and will not receive any further bug fixes after the just-released 0.96.4. 0 29th July 2009, 1:45 pm

The Anatomy Of The Twitter Attack. Long-winded explanation of the recent Twitter break-in, but you can scroll to the bottom for a numbered list summary. The attacker first broke in to a Twitter employee’s personal Gmail account by “recovering” it against an expired Hotmail account (which the attacker could hence register themselves). They gained access to more passwords by searching for e-mails from badly implemented sites that send you your password in the clear. 2 20th July 2009, 12:55 am

Why an OAuth iframe is a Great Idea. Because users should a) learn to be phished and b) not even be given the option to avoid being phished if they know what they’re doing? No, no and thrice no. If you want to improve the experience, use a popup window so the user can still see the site they are signing in to in the background. 1 16th July 2009, 8:29 pm

NaCl: Networking and Cryptography library. A new high level cryptography library. “NaCl advances the state of the art by improving security, by improving usability and by improving speed.” Ambitious claims, but DJB is one of the core maintainers. 0 16th July 2009, 8:24 pm

Teaching users to be secure is a shared responsibility

Ryan Janssen: Why an OAuth iframe is a Great Idea. [... 570 words]

Nmap 5.00 Release Notes. Released today, “the most important Nmap release since 1997”. New features include Ncat, a powerful netcat alternative, Ndiff, a utility for comparing scan results so you can spot changes to your network, and a new Nmap Scripting Engine using Lua. 0 16th July 2009, 7:40 pm

Google asked people in Times Square: “What is a browser?”. Stuff like this makes me despair for creating a secure web—what chance do people have of surfing safely if they don’t understand browsers, web sites, operating systems, DNS, URLs, SSL, certificates... 11 20th June 2009, 1:25 am

Cryptographic Right Answers. Best practise recommendations for cryptography: “While some people argue that you should never use cryptographic primitives directly and that trying to teach people cryptography just makes them more likely to shoot themselves in their proverbial feet, I come from a proud academic background and am sufficiently optimistic about humankind that I think it’s a good idea to spread some knowledge around.” 0 11th June 2009, 10:16 pm

Critical Mac OS X Java Vulnerabilities. There’s a five month old Java arbitrary code execution vulnerability which hasn’t yet been patched by Apple. Disable Java applets in your browser until it’s fixed, or random web pages could execute commands on your machine as your user account. 3 19th May 2009, 7:07 pm

moot wins, Time Inc. loses. The Time.com poll hack was more sophisticated than I first thought... Time implemented reCAPTCHA half way through the voting period, but the 4chan community fought back with a custom interface that crowdsourced the job of voting and let individuals submit up to 30 votes a minute. 0 29th April 2009, 11:13 am

OAuth Security Advisory 2009.1. It’s a show-stopper: an attacker can start an OAuth permission request flow from a consumer site, then trick another user from the same site in to completing that flow and hence authorising the attacker to act on their behalf. A fix to the spec is forthcoming; in the meantime, don’t start an OAuth flow from an untrusted location. 2 23rd April 2009, 3:06 pm

Inside the precision hack. How 4chan members subverted a Time.com online poll to reorder the options and spell out their own message. Partly poor application design from Time (the first version used a GET request without input validation), but I challenge anyone to design an anonymous online poll that can’t be fixed using the more sophisticated techniques 4chan eventually deployed based on HTTP proxies. 1 20th April 2009, 8:36 pm

Reducing XSS by way of Automatic Context-Aware Escaping in Template Systems (via) The Google Online Security Blog reminds us that simply HTML-escaping everything isn’t enough—the type of escaping needed depends on the current markup context, for example variables inside JavaScript blocks should be escaped differently. Google’s open source Ctemplate library uses an HTML parser to keep track of the current context and apply the correct escaping function automatically. 0 14th April 2009, 9:26 am

Amazon Says Listing Problem Was an Error, Not a Hack (via) “A friend within the company told him that someone working on Amazon’s French site mistagged a number of keyword categories, including the ’Gay and Lesbian’ category, as pornographic, using what’s known internally as the Browse Nodes tool. Soon the mistake affected Amazon sites worldwide.” 0 14th April 2009, 8:32 am

How to cause moral outrage from the entire Internet in ten lines of code. Looks legit—the author claims to have sparked this weekend’s #amazonfail moral outrage (where Amazon where accused of removing Gay and Lesbian books from their best seller rankings) by exploiting a CSRF hole in Amazon’s “report as inappropriate” feature to trigger automatic takedowns. EDIT: His claim is disputed elsewhere (see comments) 10 13th April 2009, 7:48 pm

17-year-old claims responsibility for Twitter worm. It was a text book XSS attack—the URL on the user profile wasn’t properly escaped, allowing an attacker to insert a script element linking out to externally hosted JavaScript which then used Ajax to steal any logged-in user’s anti-CSRF token and use it to self-replicate in to their profile. 0 12th April 2009, 7:22 pm

Pwn2Own trifecta: Hacker exploits IE8, Firefox, Safari. You just can’t trust browser security: Current versions of Safari, IE8 and Firefox all fell to zero-day flaws at an exploit competition. None of the vulnerabilities have been disclosed yet. 1 19th March 2009, 3:30 pm

Understanding Bidirectional (BIDI) Text in Unicode. It turns out you need to sanitise user input to ensure there are no Unicode characters that switch your site’s regular text to RTL. 0 15th March 2009, 4:37 am

Twitter Don’t Click Exploit. Someone ran a successful ClickJacking exploit against Twitter users, using a transparent iframe holding the Twitter homepage with a status message fed in by a query string parameter. This will definitely help raise awareness of ClickJacking! Twitter has now added framebusting JavaScript to prevent the exploit. 6 12th February 2009, 7:56 pm

Ehy IE8, I Can Has Some Clickjacking Protection? (via) IE8 has built-in protection against clickjacking, but it’s opt-in (with a custom HTTP header) and IE only. It turns out the usual defence against clickjacking (using framebusting JavaScript) doesn’t work in IE as it can be worked around with a security="restricted" attribute on an iframe. 0 29th January 2009, 1:39 pm

OWASP: XSS Prevention Cheat Sheet. Comprehensive set of rules for avoiding XSS—there’s a bit more to it than just escaping all output variables, since you have to take markup context in to account. 0 24th January 2009, 11:58 pm

CSRF is not a security issue for the Web. A well-designed Web service should be capable of receiving requests directed by any host, by design, with appropriate authentication where needed. If browsers create a security issue because they allow scripts to automatically direct requests with stored security credentials onto third-party sites, without any user intervention/configuration, then the obvious fix is within the browser.

Roy Fielding 5 23rd January 2009, 8:14 am

Rate limiting with memcached

On Monday, several high profile “celebrity” Twitter accounts started spouting nonsense, the victims of stolen passwords. Wired has the full story—someone ran a dictionary attack against a Twitter staff member, discovered their password and used Twitter’s admin tools to reset the passwords on the accounts they wanted to steal. [... 910 words]

Weak Password Brings “Happiness” to Twitter Hacker. The full story on the Twitter admin account hack. I bet there are a LOT of web applications out there that don’t track and rate-limit failed password attempts. 5 7th January 2009, 12:04 pm

The Twitter administrator hack was a dictionary attack. I quoted Blaine earlier suggesting that the recent Twitter mass-hack was due to a Twitter admin password being scooped up by a rogue third party application—this was not the case, as Alex Payne explains in a comment. 2 6th January 2009, 11:56 pm

As more details become available, it seems what happened is that a Twitter administrator (i.e., employee) gave their password to a 3rd party site because their API requires it, which was then used to compromise Twitter’s admin interface.

Blaine Cook 0 6th January 2009, 9:37 am

The username/password key’s major disadvantage is that it opens all the doors to the house. The OAuth key only opens a couple doors; the scope of the credentials is limited. That’s a benefit, to be sure, but in Twitter’s case, a malicious application that registered for OAuth with both read and write privileges can do most evil things a user might be worried about.

Alex Payne 3 5th January 2009, 10:47 am

Antipatterns for sale. Twply collected over 800 Twitter usernames and passwords (OAuth can’t arrive soon enough) and was promptly auctioned off on SitePoint to the highest bidder. 32 2nd January 2009, 10:48 am

Researchers Show How to Forge Site Certificates. Use an MD5 collision to create two certificates with the same hash, one for a domain you own and another for amazon.com. Get Equifax CA to sign your domain’s certificate using the outdated “MD5 with RSA” signing method. Copy that signature on to your home-made amazon.com certificate to create a fake certificate for Amazon that will be accepted by any browser. 1 30th December 2008, 3:27 pm

Microsoft: Big Security Hole in All IE Versions. Looks like a 0-day that’s being actively exploited. 0 16th December 2008, 8:26 pm

Yahoo! yesterday launched their new development platform for My Yahoo! and Yahoo! Mail, which uses Caja to protect users from malicious gadgets. This means Caja suddenly got 275,000,000 users. Wow! I guess this makes Caja the most widely used capability language ever.

Ben Laurie 1 16th December 2008, 4:33 pm

Now You Can Sign Into Friend Connect Sites With Your Twitter ID. Great. Now even Google is asking me for my Twitter password. Slow clap. How’s that Twitter OAuth beta coming along? 0 15th December 2008, 5:20 pm

Warcraft account security. Apparently Blizzard have been selling two factor authentication key fobs for World of Warcraft for about six months. 0 6th December 2008, 9:52 am

Secret Geek A-Team Hacks Back, Defends Worldwide Web. Wired’s take on the story of Dan Kaminsky’s breaking-the-internet DNS vulnerability. Horrible headline. 0 3rd December 2008, 11:10 am

The March of Access Control. The W3C Access Control specification is set to become a key technology in enabling secure cross-domain APIs within browsers, and since it addresses a legitimate security issue on the web I hope and expect it will be rolled out a lot faster than most other specs. 0 19th November 2008, 8:40 am

Worst. Bug. Ever. Android phones were executing every keystroke typed in to the phone in an invisible root shell! Text “reboot” to a friend and your phone rebooted. Wow. 3 10th November 2008, 10:51 pm

When visiting any Web page, the site owner is easily able to ascertain what websites you’ve visited (CSS color hacks) or places you’re logged-in (JavaScript errors / IMG loading behavior). They can also automatically exploit your online bank, social network, and webmail accounts (XSS). Additionally, the browser could be instructed to hack devices on the intranet, including DSL routers and printers. And, if that’s not enough, they could turn you into a felon by forcing requests to illegal content or hack other sites (CSRF).

Jeremiah Grossman 0 3rd November 2008, 12:43 pm

.. yet another ridiculous data breach: this time, people’s passwords to the Government Gateway on a memory stick dropped in the road. Perhaps it is uncouth to point this out, but... if the system had been designed by people with any security clue whatsoever there would have been no passwords to put on a memory stick in the first place.

Ben Laurie 0 2nd November 2008, 1:04 pm

Yahoo, Caja, OpenSocial. Yahoo!’s new application platform uses OpenSocial, and protects itself from malicious JavaScript using Google’s Caja secure JavaScript engine. I hadn’t realised that Caja was ready for production use—this is excellent news. 0 30th October 2008, 5:14 pm

Web Security Horror Stories: The Director’s Cut. Slides from the talk on web application security I gave this morning at <head>, the worldwide online conference. I just about managed to resist the temptation to present in my boxers. Topics include XSS, CSRF, Login CSRF and Clickjacking. 1 26th October 2008, 12:15 pm

From Scandinavia with Love. Finnish security company F-Secure conduct testing of wireless cell phone viruses in a walk-in Faraday cage. 0 20th October 2008, 11:47 pm

Response Splitting Risk. Important reminder that you should always ensure strings used in HTTP headers don’t contain newlines. 0 19th October 2008, 11:58 pm

Clickjacking and NoScript (via) NoScript CAN protect against clickjacking, but only if you enable the “Plugins|Forbid IFRAME” option. 1 7th October 2008, 11:05 am

Dealing with UI redress vulnerabilities inherent to the current web (via) The best explanation of clickjacking I’ve seen yet, complete with discussion of a number of non-ideal potential solutions. It looks like frame busting JavaScript will defeat it, but only for users who have JavaScript enabled—which means that in this case extensions like NoScript actually make you less safe. UPDATE: NoScript is smarter than I thought; see the comments. 6 7th October 2008, 9:59 am

FB App Canvas Pages: I Think I’d Use IFrames. Facebook’s Charlie Cheever explains the difference between FBML canvas pages, iframe pages and XFBML when building Facebook apps. I’m always surprised at APIs that load untrusted content in an iframe, as it seems like an invitation for frame-busting phishing attacks. 0 2nd October 2008, 2:39 pm

This Week in HTML 5—Episode 7: Clickjacking. Clickjacking is when a third party site is embedded in an iframe with opacity 0 and positioned such that a click on the page actually hits a button on the now invisible third party site. Mark Pilgrim explains how the NoScript site uses this in a non malicious way for the “install now!” button. 0 1st October 2008, 1:48 am

We’ve found CSRF vulnerabilities in sites that have a huge incentive to do security correctly. If you’re in charge of a website and haven’t specifically protected against CSRF, chances are you’re vulnerable.

Bill Zeller 0 29th September 2008, 1:11 pm

Popular Websites Vulnerable to Cross-Site Request Forgery Attacks. Ed Felten and Bill Zeller announce four CSRF holes, in ING Direct, YouTube, MetaFilter and the New York Times. The ING Direct hole allowed transfer of funds out of a user’s bank accounts! The first three were fixed before publication; the New York Times hole still exists (despite being reported a year ago), and allows you to silently steal e-mail addresses by CSRFing the “E-mail this” feature. 0 29th September 2008, 1:08 pm

html-whitelist (via) DeWitt Clinton’s web service wrapper around the html5lib HTML sanitiser, hosted on AppEngine. 0 24th September 2008, 11:54 pm

Logout/Login CSRF. Alf Eaton built an example page (this link goes to his description, not the page itself) that uses a login CSRF attack to log you in to Google using an account he has created. Scary. 3 24th September 2008, 10:18 pm

Secure mashups with dojox.secure (via) dojox.secure is brilliant and terrifying at the same time. It provides a full featured API for running untrusted JavaScript in a sandbox, by parsing and validating that code against a variant of Douglas Crockford’s ADsafe JavaScript subset. It could be fantastically useful, but it’s difficult to judge how secure this approach really is. 1 24th September 2008, 4:08 pm

csrf_protect.php. A PHP class for applying CSRF protection to existing PHP applications, using output buffering to rewrite any POST forms on a page. Heavily inspired by Django’s CSRF middleware. Tell me if you spot any bugs! 9 24th September 2008, 2:52 pm

Robust Defenses for Cross-Site Request Forgery [PDF]. Fascinating report which introduces the “login CSRF” attack, where an attacker uses CSRF to log a user in to a site (e.g. PayPal) using the attacker’s credentials, then waits for them to submit sensitive information or bind the account to their credit card. The paper also includes an in-depth study of potential protection measures, including research that shows that 3-11% of HTTP requests to a popular ad network have had their referer header stripped. Around 0.05%-0.10% of requests have custom HTTP headers such as X-Requested-By stripped. 0 24th September 2008, 9:40 am

Is your Rails application safe? (via) update_attributes(params[:foo]) in ActiveRecord is an anti-pattern. 9 22nd September 2008, 8:28 pm

Yahoo could also have followed Gmail’s lead, and disabled the security-question mechanism unless no logged-in user had accessed the account for five days. This clever trick prevents password “recovery” when there is evidence that somebody who knows the password is actively using the account.

Ed Felten 4 22nd September 2008, 4:21 pm

When Ajax Attacks! Web application security fundamentals. Slides and notes from my talk on web application security at @media Ajax last Tuesday. 0 20th September 2008, 4:16 pm

The Palin hack didn’t require any real skill. Instead, the hacker simply reset Palin’s password using her birthdate, ZIP code and information about where she met her spouse—the security question on her Yahoo account, which was answered (Wasilla High) by a simple Google search.

Kim Zetter, Wired 1 18th September 2008, 10:23 pm

Frame-Busting Gadgets. I’ve always been slightly suspicious of the Google Gadgets / OpenSocial idea of sandboxing untrusted third party content in an iframe. Sure enough, it turns out iframe busting scripts work in Gadgets, meaning a seemingly harmless gadget could potentially launch a phishing attack. 0 17th September 2008, 11:23 pm

Google wants your Hotmail, Yahoo and AOL contacts. And they’re using the password anti-pattern to get them! Despite both Yahoo! and Hotmail (and Google themselves; not sure about AOL) offering a safe, OAuth-style API for retrieving contacts without asking for a password. This HAS to be a communications failure somewhere within Google. Big internet companies stand to lose the most from widespread abuse of the anti-pattern, because they’re the ones most likely to be targeted by phishers. Shameful. 1 15th September 2008, 10:39 am

OAuth on the iPhone. Mike from Pownce explains their superbly implemented OAuth flow for the Pownce iPhone app, and how much push-back they got on it from regular users. One interesting point is that an iPhone application could “fake” a transition to mobile safari using core animation as part of a sophisticated phishing attack. This is a flaw in the iPhone OS itself—it does not offer a phishing-proof chrome as part of the OS. 0 12th September 2008, 9:47 pm

Django: Security fix released. The Django admin used to save partially-submitted forms if your session expired, and continue the submission when you logged in. It turns out that’s actually an unblockable CSRF exploit and is hence broken as designed, so it’s now been removed. Thanks Ed Eliot and other GCap colleagues for helping me flesh out the potential attack. 8 3rd September 2008, 12:14 am

New authentication schemes such as OpenID, or Microsoft’s CardSpace, may help as adoption increases. These systems make it possible to register for one site using credentials verified by another. Instead of having many sites with poor verification procedures, the internet could have a few sites with strong verification procedures, that are then used by others. The advantage for the user is that they no longer have to jump through multiple hoops for each new site they encounter.

Tim Anderson (in the Guardian) 0 29th August 2008, 10:01 am

Coding Horror: Protecting Your Cookies: HttpOnly. Jeff Atwood discovers the hard way that writing an HTML sanitizer is significantly harder than you would think. HttpOnly cookies aren’t the solution though: they’re potentially useful as part of a defense in depth strategy, but fundamentally if you have an XSS hole you’re going to get 0wned, HttpOnly cookies or not. Auto-escape everything on output and be extremely cautious with things like HTML sanitizers. 0 29th August 2008, 2:01 am

Django snippets: Sign a string using SHA1, then shrink it using url-safe base65. I needed a way to create tamper-proof URLs and cookies by signing them, but didn’t want the overhead of a full 40 character SHA1 hash. After some experimentation, it turns out you can knock a 40 char hash down to 27 characters by encoding it using a custom base65 encoding which only uses URL-safe characters. 6 27th August 2008, 10:18 pm

Tip: Configure SAX parsers for secure processing. Explains the billion laughs attack, among others. 0 23rd August 2008, 11:12 am

DoS vulnerability in REXML. Ruby’s REXML library is susceptible to the “billion laughs” denial of service attack where recursively nested entities expand a single entity reference to a billion characters (kind of like the exploding zip file attack). Rails applications that process user-supplied XML should apply the monkey-patch ASAP; a proper gem update is forthcoming. 2 23rd August 2008, 11:11 am

OAuth came out of my worry that if the Twitter API became popular, we’d be spreading passwords all around the web. OAuth took longer to finish than it took for the Twitter API to become popular, and as a result many Twitter users’ passwords are scattered pretty carelessly around the web. This is a terrible situation, and one we as responsible web developers should work to prevent.

Blaine Cook 3 14th August 2008, 10:01 am

The statement that the password anti-pattern “teaches users to be phished” should be rephrased “has taught users to be phished”

Me, on Twitter 1 13th August 2008, 12:52 pm

Reviews of the Pownce app on the iPhone app store on Flickr. I had to stitch together a screenshot because you can’t actually link to content in the App Store (unless you don’t care that people without iTunes won’t be able to follow your link). Three out of the four reviews complain about the OAuth browser authentication step, which is frustrating because Pownce have implemented it so well. 5 12th August 2008, 11:05 am

Exposure (iPhone app) behaves suspiciously. Exposure on the iPhone does OAuth-style authentication incorrectly—it asks the user to authenticate in an embedded, chromeless browser which provides no way of confirming that the site being interacted with is not a phishing attack. Ben Ward explains how the Pownce iPhone app gets it right in the comments. Exposure author Fraser Speirs also responds. 0 12th August 2008, 7:47 am

Facebook Security Advice: Never Ever Enter Your Passwords On Another Site, Unless We Ask You To. Nice to see TechCrunch highlighting the hypocrisy of Facebook advising their users to never enter their Facebook credentials on another site, then asking them for their webmail provider password so they can scrape their address book. 0 9th August 2008, 10:18 am

Changeset 8162. “Implemented a secure password reset form that uses a token and prompts user for new password”—also sneaks base36 encoding and decoding into Django. 3 31st July 2008, 10:54 pm

(It’s probably just me, but every time I stumble upon some thread involving people from the so-called “security community”, it’s like watching a Jerry Springer episode.)

Fredrik Lundh 2 23rd July 2008, 9:28 am

The Truth about Web Navigation. Jeremy Zawodny on regular users understanding the browser address bar: “They don’t. And they never will.” Then they’re going to get phished, and there’s absolutely nothing we can do to help them. 5 19th July 2008, 11:42 pm

Apple just gave out my Apple ID password because someone asked. “am forget my password of mac,did you give me password on new email marko.[redacted] @yahoo.com”. Classy. 2 8th July 2008, 10:10 am

quipt (via) Extremely clever idea: Cache JavaScript in window.name (which persists between page views and can hold several MB of data), but use document.referrer to check that an external domain hasn’t loaded the cache with malicious code for an XSS attack. UPDATE: Jesse Ruderman points out a fatal flaw in the comments. 3 4th July 2008, 3:49 pm

ratproxy. “A semi-automated, largely passive web application security audit tool”—watches you browse and highlights potential XSS, CSRF and other vulnerabilities in your application. Created by Michal Zalewski at Google. 0 3rd July 2008, 2:35 pm

IE8 Security Part IV: The XSS Filter (via) IE8 will include an XSS filter to identify and neutralise “reflected” XSS attacks (where malicious code in a query string is rendered to the page), turned on by default. Sounds like a good idea to me, and site authors can disable it using Yet Another Custom HTTP header (X-XSS-Protection: 0). 0 3rd July 2008, 9:37 am

eval() Kerfuffle. The ability to read supposedly private variables in Firefox using a second argument to eval() will be removed in Firefox 3.1. 0 2nd July 2008, 9:24 pm

Ruby’s Vulnerability Handling Debacle. The critical Ruby vulnerabilities are over a week old now but there’s still no good official patch (the security patches cause segfaults in Rails, leaving the community reliant on unofficial patches from third parties). Max Caceres has three takeaway lessons, the most important of which is to always keep a “last-known-good” branch to apply critical patches to. 0 2nd July 2008, 10:39 am

Poking new holes with Flash Crossdomain Policy File. This is an old article from 2006 which describes the crossdomain.xml hidden in a GIF exploit I referred to in an earlier post (scroll down to the appendix for an example). As far as I know the Flash Player’s crossdomain.xml parser has been tightened up since. 0 1st July 2008, 4:12 pm

“Digital Manners Policies” is a marketing term. Let’s call this what it really is: Selective Device Jamming. It’s not polite, it’s dangerous. It won’t make anyone more secure—or more polite.

Bruce Schneier 0 1st July 2008, 2:51 pm

Evil GIFs: Partial Same Origin Bypass with Hybrid Files. First there were PNGs that had crossdomain.xml files embedded in them, now there are GIFs that contain Java applets (as JAR files). At this point I’d say don’t even bother trying to validate uploaded files, just make sure they’re served off an entirely different domain instead where XSS doesn’t matter. 12 1st July 2008, 8:58 am

Javascript protocol fuzz results. If your HTML sanitizer uses blacklisting rather than whitelisting, here are a few more weird ways of injecting javascript: into a link that you need to worry about—but you should really switch to whitelisting http:// and https:// instead. 2 30th June 2008, 3:57 pm

BUG: XSS Security flaw in BaseCamp Messages (via) BaseCamp lets users include HTML and JavaScript in messages, on the basis that anyone with a BaseCamp account is a trusted party. I’m not convinced: you could use this to circumvent BaseCamp’s access control stuff and read messages you’re not meant to. On the flip side, you could also use this to add brand new features to BaseCamp by using JavaScript in a message as a server-side equivalent to Greasemonkey. 1 26th June 2008, 9:39 am

OpenID is a new and maturing technology, and HealthVault is frankly the most sensitive relying party in the OpenID ecosystem. It just makes sense for us to take our first steps carefully.

Sean Nolan 0 24th June 2008, 6:29 pm

mod_rpaf for Apache. A more secure alternative to Django’s equivalent middleware: sets the REMOTE_ADDR of incoming requests from whitelisted load balancers to the X-Forwarded-For header, so, unlike the Django middleware, there is no risk that attackers could spoof their IP addresses by setting the header themselves if the load balancers are missing. 0 24th June 2008, 5:02 pm
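The behaviour the item credits to mod_rpaf, as an added example in Python (this is not mod_rpaf’s code, nor the Django middleware the item refers to): X-Forwarded-For is honoured only when the TCP peer is a whitelisted proxy, and the chain is walked from the right past our own hops. The middleware class and the 10.0.0.0/8 proxy range are constructed for the example.

```python
import ipaddress
from typing import Iterable, Optional


def _parse_ip(text: str):
    """Return an ipaddress object, or None if the text is not a valid IP address."""
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None


def client_ip(remote_addr: str, x_forwarded_for: Optional[str],
              trusted_proxies: Iterable[str]) -> str:
    """Resolve the real client address from REMOTE_ADDR and X-Forwarded-For.

    The header is used only when the TCP peer is one of trusted_proxies.
    A direct connection (for example when the load balancer is missing)
    gets REMOTE_ADDR back unchanged, so a forged header cannot spoof it.
    """
    trusted = [ipaddress.ip_network(p, strict=False) for p in trusted_proxies]

    def is_trusted(ip) -> bool:
        return any(ip.version == net.version and ip in net for net in trusted)

    peer = _parse_ip(remote_addr)
    if peer is None or not is_trusted(peer) or not x_forwarded_for:
        return remote_addr
    # The rightmost entry was appended by the nearest proxy; walk leftwards
    # past our own proxies and stop at the first address we did not add.
    for hop in reversed(x_forwarded_for.split(",")):
        ip = _parse_ip(hop)
        if ip is None:
            return remote_addr  # malformed header: trust none of it
        if not is_trusted(ip):
            return str(ip)
    return remote_addr  # every hop was one of our proxies


class TrustedProxyRemoteAddrMiddleware:
    """Hypothetical Django-style middleware that applies client_ip() to request.META.

    Only the peer address decides whether HTTP_X_FORWARDED_FOR is consulted at all.
    """
    TRUSTED_PROXIES = ("10.0.0.0/8",)  # constructed: the load balancer subnet

    def __init__(self, get_response):
        self.get_response = get_response

    def __call__(self, request):
        meta = request.META
        meta["REMOTE_ADDR"] = client_ip(meta.get("REMOTE_ADDR", ""),
                                        meta.get("HTTP_X_FORWARDED_FOR"),
                                        self.TRUSTED_PROXIES)
        return self.get_response(request)
```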

The point of “Open” in OpenID

TechCrunch report that Microsoft are accepting OpenID for their new HealthVault site, but with a catch: you can only use OpenIDs from two providers: Trustbearer (who offer two-factor authentication using a hardware token) and Verisign. "Whatever happened to the Open in OpenID?", asks TechCrunch’s Jason Kincaid. [... 451 words]

Arbitrary code execution vulnerabilities in Ruby (via) Sounds nasty—integer overflows and unsafe allocs leading to memory corruption. Definite DoS and possible code injection as well. Upgrade to Ruby “1.8.5-p231, or 1.8.6-p230, or 1.8.7-p22” ASAP. 0 21st June 2008, 8:44 am

the tls report (via) Clever service that analyses a web server’s SSL implementation and grades it based on things like the protocols, certificates, ciphers and key lengths it supports. Includes public reports on the top and bottom 20 sites. 0 10th June 2008, 11:49 pm

Yahoo! Address Book API Delivered. At last, now there’s no excuse to ask your users for their Yahoo! username and password just so you can scrape their address book. 0 4th June 2008, 6:03 pm

Scaring people with fullScreen. Unsurprisingly, you can work around the “Press Esc to exit full screen mode” message in Flash by distracting the user with lots of similar looking visual noise. This opens up opportunities for cunning phishing attacks that simulate the chrome of the entire operating system. EDIT: Comments point out that text entry via the keyboard is still disabled, limiting the damage somewhat. 3 2nd June 2008, 10:18 pm

OpenID phishing demo (via) A demonstration of the OpenID man-in-the-middle phishing attack. idproxy.net OpenIDs are immune to this particular variant due to the landing page not asking for your password (the phishing site could still provide their own redesigned landing page and hope users don’t notice though). 3 28th May 2008, 8:09 am

A McAfee spokeswoman said the company rates XSS vulnerabilities less severe than SQL injections and other types of security bugs. “Currently, the presence of an XSS vulnerability does not cause a web site to fail HackerSafe certification,” she said. “When McAfee identifies XSS, it notifies its customers and educates them about XSS vulnerabilities.”

Dan Goodin 1 17th May 2008, 11:31 pm

Crossdomain.xml Invites Cross-site Mayhem. A useful reminder that crossdomain.xml files should be treated with extreme caution. Allowing access from * makes it impossible to protect your site against CSRF attacks, and even allowing from a “circle of trust” of domains can be fatal if just one of those domains has an XSS hole. 0 15th May 2008, 8:06 am

Django: security fix released. XSS hole in the Admin application’s login page—updates and patches are available for trunk, 0.96, 0.95 and 0.91. 0 14th May 2008, 7:49 am

Session variables without cookies. Brilliant but terrifying hack—you can store up to 2 MB of data in window.name and it persists between multiple pages, even across domains. Doesn’t work with new tabs though, and storing JSON in it and eval()ing it is a bad idea—a malicious site could populate it before sending the user to you. 1 13th May 2008, 9:59 pm

Something you had, Something you forgot, Something you were

Nick Mathewson 0 13th May 2008, 8:06 am

How one site dealt with SQL injection attack (via) Horrifying story of developer incompetence from Autoweb: “The contractor had no idea how to find and fix the Web page vulnerability that allowed the SQL injection attack code to execute successfully.” 2 2nd May 2008, 9:01 pm

Mass Attack FAQ. Thousands of IIS Web servers have been infected with an automated mass XSS attack, not through a specific IIS vulnerability but using a universal XSS SQL query that targets SQL Server and modifies every text field to add the attack JavaScript. If an app has even a single SQL injection hole (and many do) it is likely to be compromised. 0 26th April 2008, 9:12 am

ISPs’ Error Page Ads Let Hackers Hijack Entire Web (via) Earthlink in the US served “helpful” links and ads on subdomains that failed to resolve, but the ad serving pages had XSS holes which could be used to launch phishing attacks against the principal domain (and I imagine could be used to steal cookies, although the story doesn’t mention that). Seems like a good reason to start using wildcard DNS to protect your subdomains from ISP interference. 4 21st April 2008, 6:51 am

PayPal Plans to Ban Unsafe Browsers. At first I thought they were going to encourage real anti-phishing features in browsers, which would be a big win for OpenID... but it turns out they’re just requiring EV SSL certificates which have been proven not to actually work. 4 19th April 2008, 10:45 am

Flirting with mime types [PDF] (via) Different browsers have different rules for which content types will be treated as active content (and hence could be vectors for XSS attacks). IE uses a blacklist rather than a whitelist and hence rendered active content for 696 of the tested content types. 0 14th April 2008, 8:18 am

CSRF presentation at RSA 2008. It terrifies me how few people understand CSRF, years after it was discovered. I’ll say it again: if you’re a web developer and you don’t know what that acronym means, go spend an hour reading about it—because the chances are your applications are vulnerable. 0 12th April 2008, 10:52 am

Hash Collisions (The Poisoned Message Attack). Demonstrates the MD5 weakness by providing two deliberately engineered PostScript documents with the same MD5 hash but radically different rendered output. 1 4th April 2008, 7:24 pm

Since 9/11, approximately three things have potentially improved airline security: reinforcing the cockpit doors, passengers realizing they have to fight back and—possibly—sky marshals. Everything else—all the security measures that affect privacy—is just security theater and a waste of effort.

Bruce Schneier 0 29th January 2008, 12:14 pm

Dangers of remote Javascript. Perl.com got hit by a JavaScript porn redirect when the domain of one of their advertisers expired and was bought by a porn company. Nat Torkington suggests keeping track of the expiration dates on any third party domains that are serving JavaScript on your site. 4 20th January 2008, 9:49 am

8 More Design Mistakes with Account Sign-in (via) Second of a two part series by Jared Spool. I agree with all of them with the possible exception of #15 which advocates providing a non-email password recovery solution. Security “questions” are usually dreadfully insecure, and introduce the need to lock users out of their accounts after just a few tries. 1 17th January 2008, 4:35 pm

openid.yahoo.com. Yahoo!’s human readable guide to OpenID, complete with tour. It looks like they’re relying on the “sign-in seal” to protect against phishing. 1 17th January 2008, 2:35 pm

In my opinion it is better to compare OpenIDs to credit cards. [...] Just as a credit card company may place limit on the level of guarantee, web sites are at liberty to restrict the OpenIDs it will recognize and accept. Just as many of us carry more than one credit card, we may have multiple OpenIDs and use them for different occasions. Just as some department store credit card is not accepted outside of that store, it is possible that IDs issued by some OpenID providers may not be accepted by some sites.

Rao Aswath 0 10th January 2008, 6:50 pm

Is your Rails app XSS safe? SafeErb is an interesting take on auto-escaping for Rails: it throws an exception if you try to render a string that hasn’t been untainted yet. 4 10th January 2008, 6:46 pm

XSS Vulnerabilities in Common Shockwave Flash Files. Is the word “shockwave” still relevant to Flash? Regardless, it turns out Flash can be a serious vector for XSS attacks, and many commonly used components have recently fixed holes (and hence should be updated ASAP). 0 6th January 2008, 9:35 am

The backdooring of SquirrelMail. A SquirrelMail developer’s account was compromised and used to insert a backdoor: the other developers initially missed the hole because it used $_SERVER['HTTP_BASE_PATH'], which can be set with a Base-Path: HTTP header. 0 28th December 2007, 11:40 pm

David Airey: Google’s Gmail security failure leaves my business sabotaged (via) Gmail had a CSRF hole a while ago that allowed attackers to add forwarding filter rules to your account. David Airey’s domain name was hijacked by an extortionist who forwarded the transfer confirmation e-mail on to themselves. 1 26th December 2007, 12:16 pm

IPy. Handy Python module for manipulating IP addresses—use IP(ip_addr).iptype() == 'PUBLIC' to check that an address isn’t in a private address range. 0 24th December 2007, 1:19 pm

Why the h can’t Rails escape HTML automatically? It would be a pretty huge change, but auto-escaping in Rails 2.0 could close up a lot of accidental XSS holes. 8 1st December 2007, 8:34 pm

Why Virtual Theft Should Matter to Real Life Tech Companies. Interesting trend: sites that profit from sales of virtual goods (such as Habbo Hotel) are seeing users use phishing attacks to steal those goods from each other. 0 18th November 2007, 11:21 am

I don’t understand why the NSA was so insistent about including Dual_EC_DRBG in the standard. It makes no sense as a trap door: It’s public, and rather obvious. It makes no sense from an engineering perspective: It’s too slow for anyone to willingly use it. And it makes no sense from a backwards-compatibility perspective: Swapping one random-number generator for another is easy.

Bruce Schneier 0 16th November 2007, 10:25 am

Django Changeset 6671. Malcolm Tredinnick: “Implemented auto-escaping of variable output in templates”. Fantastic—Django now has protection against accidental XSS holes, turned on by default. 6 14th November 2007, 5:05 pm

In the long term, I want to replace JavaScript and the DOM with a smarter, safer design. In the medium term, I want to use something like Google Gears to give us vats with which we can have safe mashups. But in the short term, I recommend that you be using Firefox with No Script. Until we get things right, it seems to be the best we can do.

Douglas Crockford 5 7th November 2007, 3:36 pm

A Roundup Of Leopard Security Features (via) Thomas Ptacek’s overview of the new security features in Leopard. Guest Accounts are worthless from a security P.O.V., but I still plan to use one for our PowerBook that’s now just a media player. 0 31st October 2007, 5:30 pm

Django security fix released. Django’s internationalisation system has a denial of service hole in it; you’re vulnerable if you are using the i18n middleware. Fixes have been made available for trunk, 0.96, 0.95 and 0.91. 0 26th October 2007, 9:47 pm

Site-specific browsers and GreaseKit. New site-specific browser tool which lets you include a bunch of Greasemonkey scripts. For me, the killer feature of site-specific browsers is still cookie isolation (to minimise the impact of XSS and CSRF holes) but none of the current batch of tools advertise this as a feature, and most seem to want to share the system-wide cookie jar. 0 25th October 2007, 7:56 am

A school in the UK is using RFID chips in school uniforms to track attendance. So now it’s easy to cut class; just ask someone to carry your shirt around the building while you’re elsewhere.

Bruce Schneier 0 24th October 2007, 8:36 pm

MyOpenID adds Information Card Support. First client SSL certificates, now Information Cards. MyOpenID is certainly taking browser-based phishing solutions seriously. 2 18th October 2007, 9:10 pm

Historically, Internet companies have rarely encrypted passwords to aid customer service.

Fasthosts 2 18th October 2007, 5:27 pm

Gozi Trojan. The full security paper on the Gozi trojan: how it was discovered, how it was traced and details of the “customer interface for on-line purchases of stolen data” at the other end (which, incidentally, was ridden with security holes). 0 17th October 2007, 10:03 pm

Global Hackers Create a New Online Crime Economy (via) Fascinating, detailed look at the evolution of the hacker service economy. Of particular interest: a web application that sells access to hacked machines to identity thieves on a timeshare basis. 0 17th October 2007, 9:46 pm

Two months with Ruby on Rails. Good rant—covers both the good and the bad. The first complaint is the lack of XSS protection by default in the template language. Django has the same problem, but the solution was 90% there when I saw Malcolm at OSCON. 5 9th October 2007, 12:23 pm

The Storm Worm. Bruce Schneier describes the Storm Worm, a fantastically advanced piece of malware that’s been spreading for nearly a year and is proving almost impossible to combat. Its effects are virtually invisible but infected machines are added to a multi-million machine botnet apparently controlled by anonymous Russian hackers. 0 6th October 2007, 12:25 am

Rails 1.2.4: Maintenance release. “Session fixation attacks are mitigated by removing support for URL-based sessions”—I’ve always hated URL-based sessions; I’d be interested to hear if their removal from Rails causes legitimate problems for anyone. 3 5th October 2007, 11:42 pm

Amazon makes you lie to log off (via) Amazingly, the only way to sign out of Amazon these days is to use the “If you’re not XXX, click here” link—the traditional “sign out” link has quietly vanished. 5 2nd October 2007, 1:19 pm

Cronto. I saw a demo of this the other day—it’s a neat anti-phishing scheme that also protects against man in the middle attacks. It works using challenge/response: an image is shown which embeds a signed transaction code; the user then uses an application on their laptop or mobile phone to decode the image and enters the resulting code back into the online application. 2 2nd October 2007, 1:14 am

Designing for a security breach

User account breaches are inevitable. We should take that into account when designing our applications. [... 545 words]

Currently WebRunner applications share cookies with other WebRunner applications, but not with Firefox. WebRunner uses its own profile, not Firefox’s profile. There is a plan to allow WebRunner applications to create their own, private profiles as well.

Mark Finkle 0 30th September 2007, 4:08 pm

WebRunner 0.7—New and Improved. A simple application for running a site-specific browser for a service (e.g. Twitter, Gmail etc). This is a great idea: it isolates your other browser windows from crashes and also isolates your cookies, helping guard against CSRF attacks. 1 27th September 2007, 1:55 pm

Google GMail E-mail Hijack Technique. Apparently Gmail has a CSRF vulnerability that lets malicious sites add new filters to your filter list—meaning an attacker could add a rule that forwards all messages to them without your knowledge. 2 27th September 2007, 10:29 am

A typical phishing email will have a generic greeting, such as ’Dear User’. Note: All PayPal emails will greet you by your first and last name.

PayPal's Phishing Guide 3 22nd September 2007, 2:33 pm

HTTPOnly cookie support in Firefox. Five years after the bug was filed, HTTPOnly cookie support has gone into the Mozilla 1.8 branch. This is a defence in depth feature that has been in IE for years—it lets you set cookies that aren’t available to JavaScript, and hence can’t be hijacked in the event of an XSS flaw. 2 6th September 2007, 6:27 am

E-Voting Ballots Not Secret; Vendors Don’t See Problem. “You know things are bad when questions about a technical matter like security are answered by a public-relations firm.” 0 20th August 2007, 3:19 pm

VeriSign’s SeatBelt OpenID plugin for Firefox. The first good example of browser integration for OpenID. It catches phishing attempts by watching out for rogue OpenID consumers that don’t redirect to the right place. 6 17th August 2007, 5:37 pm

Bruce Schneier interviews Kip Hawley. The head of the Transportation Security Administration in conversation with one of his most eloquent critics. 0 7th August 2007, 3:23 pm

DNS Pinning Explained. With diagrams. 0 7th August 2007, 11:01 am

(somewhat) breaking the same-origin policy by undermining dns-pinning. This is the best technical explanation of the DNS rebinding attack I’ve seen. The linked demo worked for me in Safari but not in Camino. 0 2nd August 2007, 12:53 pm

Your browser is a tcp/ip relay. Thoroughly nasty new(ish) attack that breaks the same-domain policy and allows intranet content to be stolen by a malicious site. Using virtual hosts (hence requiring the Host: header) is the best known protection. 0 2nd August 2007, 12:53 pm

Side-Channel Attacks and Security Theatre. “In order to mount most of these attacks the attacker must be local [...] every good security person knows that if your attacker has the ability to run stuff on your machine, it is game over, so why are we even caring about these attacks?” 0 2nd August 2007, 12:30 pm

E-Trade financial tried using a RSA fob as a second factor of authentication, but as of their 11/07/06 financial report their fraud losses continue to increase. That said, they considered this program a success because users indicated they feel safer and are more likely to provide assets.

Usable Security 1 20th July 2007, 10:31 am

CSRF Redirector. Smart tool for testing CSRF vulnerabilities, by Chris Shiflett. 2 18th July 2007, 7:45 am

Anyone who recently downloaded GreaseMonkey scripts from userscripts.org should check their scripts. I haven’t confirmed this, but this Jyte claim suggests that userscripts.org was hacked and cookie stealing code inserted into some of the scripts. UPDATE: Not hacked; just bad scripts submitted through the regular process. 0 7th July 2007, 10:43 pm

Safari Beta 3.0.1 for Windows. A nice fast turnaround on fixes for security flaws in the beta. 0 14th June 2007, 9:56 am

Safari for Windows, 0day exploit in 2 hours (via) Once again, down to handling of alternative URL protocol schemes. 0 12th June 2007, 1:30 pm

Security Breach. A statement from Dreamhost. 0 8th June 2007, 8:16 am

Firefox promiscuous IFRAME access bug. Lets malicious sites “display disruptive or misleading contents in the context of an attacked site” and intercept keystrokes! The demo worked in Camino 1.5 as well. Avoid using Gecko-based browsers until this is patched? 3 6th June 2007, 10 am

Gaping holes exposed in fully-patched IE 7, Firefox (via) Michal Zalewski released a new Firefox 2.0 vulnerability in addition to the IE cookie stealing one. 0 6th June 2007, 9:57 am

IE vulnerability allows cookie stealing. Full exploit against the same-domain cookie origin policy, so malicious sites can steal cookies from elsewhere. Avoid using IE until this is patched. 1 6th June 2007, 9:53 am

Massive Dreamhost hack, WordPress not to blame

On mezzoblue, Dave Shea reports that someone had modified every index.php and index.html file on his site to include spam links at the bottom of the page, hidden inside a <u style="display: none;">. Dozens of other people in his comments reported the same thing happening to their sites. [... 279 words]

Unsettling. Sounds like there might be a massive scripted hack going on against out of date WordPress installs on Dreamhost. Check your site. See also discussion in the comments attached to this post. 9 5th June 2007, 9:16 pm

Top XSS exploits by PageRank. Yahoo!, MSN, Google, YouTube, MySpace, FaceBook all feature. 0 29th May 2007, 10:07 pm

XSSed. Cross-site scripting resource and vulnerabilities archive, including reported (unpatched) holes ordered by PageRank. 1 29th May 2007, 10:03 pm

The Twitter API Respects Your Privacy. Not Twitter’s fault: The users who exposed their data through Twittervision had given that site their username and password; Twittervision was failing to hide protected updates. 0 24th May 2007, 11:37 pm

There’s a hole in your Twitter. If you’ve been using friends-only messages on Twitter they may currently be exposed via the API. 2 24th May 2007, 5:03 pm

Introducing http:BL (via) Project Honey Pot announce a new blacklist service for blocking comment spammers and e-mail spiders using information from their network of honey pots. 0 25th April 2007, 11:39 pm

Most HTML templating languages are written incorrectly. “If you ever find yourself in the position of designing an html template language, please make the default behavior when including variables be to HTML-escape them.” I couldn’t agree more. 5 15th April 2007, 8:28 pm

JSON and Browser Security. Douglas Crockford suggests using secret tokens to protect JSON content, and avoiding wrapper hacks to protect unauthorised JSON delivery as they may fall foul of undiscovered browser bugs in the future. 2 11th April 2007, 12:52 am

Fortify JavaScript Hijacking FUD. Bob Ippolito points out the flaws in the recent widely disseminated JavaScript Hijacking paper. While the paper does miss some important details, it’s good that more people are now aware of the security implications involved in serving JSON up wrapped in an array. 0 5th April 2007, 10:51 pm

Chris Shiflett: My Amazon Anniversary. Chris Shiflett discloses an unfixed CSRF vulnerability in Amazon’s 1-Click feature that lets an attacker add items to your shopping basket—after reporting the vulnerability to Amazon a year ago! 0 16th March 2007, 10:16 am

XSS. Sanitising HTML is an extremely hard problem. The sanitize helper that ships with Rails is completely broken; Jacques Distler provides a better alternative. 7 12th March 2007, 12:34 am

Security; AJAX; JSON; Satisfaction. The JSON attack I linked to earlier only works against raw arrays, which technically aren’t valid JSON anyway. 4 6th March 2007, 8:06 am

JSON is not as safe as people think it is. Joe Walker reminds us that even authenticated JSON served without a callback or variable assignment is vulnerable to CSRF in Firefox, thanks to that browser letting you redefine the Array constructor. 0 5th March 2007, 10:51 pm

PHP 4 phpinfo() XSS Vulnerability. Another reason not to run an open phpinfo() page on your server. 3 4th March 2007, 9:24 pm

WordPress 2.1.1 dangerous, Upgrade to 2.1.2. Helping to spread the word. You’re affected if you’ve downloaded WordPress 2.1.1 in the last three or four days. 0 3rd March 2007, 8:06 am

Safe JSON (via) Subtle but important point about JSON APIs: you shouldn’t use a callback or variable assignment for JSON incorporating private user data, especially if it’s at a predictable URL. 2 2nd March 2007, 1:11 pm

The Psychology of Security. I haven’t even started on this yet, but I bet it’s worth reading. 0 9th February 2007, 1:27 am

If you found a hole in software that millions of people use, and is very high profile, you can sell that to the highest bidder for perhaps one or two million dollars.

Jacques Erasmus 0 4th February 2007, 7:06 pm

Microsoft confirms Vista Speech Recognition remote execution flaw. “I have verified that I can create a sound file that can wake Vista speech recognition, open Windows Explorer, delete the documents folder, and then empty the trash.” 0 1st February 2007, 5:19 pm

MySpace Allegedly Kills Computer Security Website. No need for the allegedly; it’s been confirmed. MySpace got GoDaddy.com to redirect DNS for seclists.org after a list of phished user accounts posted to the full disclosure mailing list was archived there. 0 26th January 2007, 9:57 am

Solving the OpenID phishing problem

Most of the arguments I hear against OpenID are based on misunderstandings of the specification, but there is one that can’t be ignored: OpenID is extremely vulnerable to phishing. [... 531 words]

The NHL’s All-Star voting disaster. The NHL ran an online poll to decide which players are picked for their All-Star Game. The only authentication was a poorly implemented CAPTCHA. Unsurprisingly, it got gamed. 1 19th January 2007, 9:50 am

MySpace: Too Much of a Good Thing? CSS customization really was just the result of forgetting to strip HTML. They “eventually” decided to filter out JavaScript(!) 0 17th January 2007, 9:09 am

Details of Google’s Latest Security Hole. For a brief while you could use Blogger Custom Domains to point a Google subdomain at your own content, letting you hijack Google cookies and steal accounts for any Google services. 0 14th January 2007, 1:36 pm

The JavaScript alert(), confirm() and prompt() functions in Firefox, Opera and MSIE (but not Safari) will truncate the message after any null character. So an unsuspecting programmer who inserts user-provided text into one of these dialog boxes opens up an opportunity for the user to rewrite the bottom of the dialog box.

Neil Fraser 0 13th January 2007, 12:28 pm

The Adobe PDF XSS Vulnerability. If you host a PDF file anywhere on your site, you’re vulnerable to an XSS attack due to a bug in Acrobat Reader versions below 8. The fix is to serve PDFs as application/octet-stream to avoid them being displayed inline. 0 11th January 2007, 4:23 pm

Choosing Secure Passwords. Bruce Schneier describes the state of the art in password cracking software. 0 11th January 2007, 2:55 pm

If you are subject to an XSS, the same domain policy already ensures that you’re f’d. An XSS attack is the “root” or “ring 0” attack of the web.

Alex Russell 0 8th January 2007, 10:48 pm

Why don’t we have a .bank or .bank.country_code TLD that’s regulated by the same people that regulate the banks themselves?

Dean Wilson 0 7th January 2007, 10:22 pm

A Cost Analysis of Windows Vista Content Protection (via) Vista’s content protection is a nightmare for hardware manufacturers and consumers alike. It’s far worse than even BoingBoing readers would expect. 1 24th December 2006, 10:34 am

Rogues are very keen in their profession, and know already much more than we can teach them

The Construction of Locks 0 19th December 2006, 8:55 am

Never store passwords in a database! The reddit.com developers just learnt this the hard way. It might be time to change some of your passwords. 0 16th December 2006, 12:01 am

Real-World Passwords. Random passwords phished from MySpace are surprisingly decent. 0 14th December 2006, 2:14 pm

BT acquires Counterpane Internet Security (via) They just bought Bruce Schneier. 0 25th October 2006, 10:57 am

Better Metrics for Security—Understanding the Symantec Internet Security Threat Report. Mozilla defends against yet more spurious bug count reports. 0 27th September 2006, 9:54 am

Parsing XML can open network sockets (via) Yikes. Something to bear in mind. 0 18th August 2006, 2:27 pm

Bruce Schneier Facts. “SSL is invulnerable to man-in-the-middle attacks. Unless that man is Bruce Schneier.” 0 17th August 2006, 2:19 pm

Schneier on Security: New Airline Security Rules. “I’m sure glad I’m not flying anywhere this week” says Bruce. Now I wish I wasn’t! 0 10th August 2006, 4:26 pm

On the total nondisclosure of the 8/9/06 [Rails] security vulnerability. The best argument I’ve seen in favour of full disclosure. 0 10th August 2006, 2:53 pm

Rails 1.1.5: Mandatory security patch. Upgrade now, and spread the word. 0 9th August 2006, 8:55 pm

Why is XSS so common? Because dev tools don’t escape things by default. 0 2nd August 2006, 8:57 pm

Don’t serve JSON as text/html. Another sneaky XSS trick. 0 5th July 2006, 11:46 pm

Mozilla causing XSS in Livejournal. Their recent worm attack was caused by the -moz-binding CSS property. 0 22nd January 2006, 9:37 pm

Xanga Hit By Script Worm (in December) (via) Description of an XSS worm that hit Xanga last month. 0 21st January 2006, 8:47 pm

DHS Funding Open Source Security. Paying for “source code analysis technology” coverage of Linux, Apache, PostgreSQL and more. 0 17th January 2006, 10:18 pm

Chris Shiflett: Google XSS Example (via) UTF-7 is a nasty vector for XSS. 0 24th December 2005, 5:21 pm

Zero-Day Exploit Targets IE (via) Remote code execution. No patch yet; disable Active Scripting instead. 0 22nd November 2005, 6:24 am

Social engineering and Orange

I had a call on my mobile earlier today from a lady claiming to be from Orange (my phone service provider) who told me that my contract was about to expire. She asked me for my password. [... 311 words]

Understanding the Greasemonkey vulnerability

If you have any version of Greasemonkey installed prior to 0.3.5, which was released a few hours ago, or if you are running any of the 0.4 alphas, you need to go and upgrade right now. All versions of Greasemonkey aside from 0.3.5 contain a nasty security hole, which could enable malicious web sites to read any file from your hard drive without you knowing. [... 809 words]

Cross-site request forgery (CSRF). Somehow this vulnerability is news to me. 0 6th May 2005, 11:07 pm

Fighting RFCs with RFCs

Google’s recently released Web Accelerator apparently has some scary side-effects. It’s been spotted pre-loading links in password-protected applications, which can amount to clicking on every “delete this” link — bypassing even the JavaScript prompt you carefully added to give people the chance to think twice. [... 353 words]
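An added example, not code from the post above: the fix for the Web Accelerator problem is the same as the fix for cross-site request forgery, namely that a GET never changes state and the state-changing POST carries a token bound to the session. `Session`, `handle_request` and the item names are hypothetical.

```python
import hmac
import html
import secrets

# Added example, not code from the original post: a handler in which GET never
# changes state (so a prefetcher that follows every link, as Web Accelerator
# did, cannot "click" a delete link) and the state-changing POST must carry a
# CSRF token bound to the session. Session, handle_request and the item names
# are hypothetical.

class Session:
    """Minimal server-side session holding the user's data and a CSRF token."""
    def __init__(self):
        self.csrf_token = secrets.token_hex(16)
        self.items = {"post-1", "post-2", "post-3"}

def handle_request(session, method, path, form=None):
    """Return (status, body) for /delete/<item>. Only a POST carrying the
    session's token actually deletes anything."""
    form = form or {}
    if not path.startswith("/delete/"):
        return 404, "not found"
    item = path[len("/delete/"):]
    if method == "GET":
        # Show a confirmation form instead of acting; following this link has
        # no side effect, so automated prefetching is harmless.
        return 200, (
            f'<form method="post" action="{html.escape(path)}">'
            f'<input type="hidden" name="csrf" value="{session.csrf_token}">'
            f'<button>Delete {html.escape(item)}</button></form>'
        )
    if method == "POST":
        supplied = form.get("csrf", "")
        # Constant-time comparison, on bytes so non-ASCII input cannot raise.
        if not hmac.compare_digest(supplied.encode(), session.csrf_token.encode()):
            return 403, "bad CSRF token"
        if item not in session.items:
            return 404, "no such item"
        session.items.discard(item)
        return 200, f"deleted {item}"
    return 405, "method not allowed"

def prefetch_all_links(session, links):
    """What a link prefetcher does: fetch every link it sees with GET.
    Returns the statuses; the session's items are unchanged afterwards."""
    return [handle_request(session, "GET", link)[0] for link in links]
```

The JavaScript confirm() dialog the post mentions protects against nothing here: a prefetcher never runs it, and neither does a forged request from another site. Only the server-side method check and the token do.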

Giving away the index

My final year project is due in two weeks, and I’m going to be running on silent for most of them. I have, however, upgraded to Tiger and playing with Spotlight has given me plenty to think about. [... 414 words]

Usable Security: Look Beyond the “Fundamental Conflict”. Security and usability are not conflicting goals. 0 18th March 2005, 2:27 am

Not linking is not security. Ridiculous: Harvard rejects applicants who “hacked” by guessing a URL. 0 8th March 2005, 8:47 pm

Schneier on Security: Cryptanalysis of SHA-1. If you want to understand the “breaking” of SHA-1, this is the place to go. Surprisingly accessible. 0 19th February 2005, 3:12 pm

Internet Explorer 7. It’s been announced, but the stated focus is security and anti-phishing. No news on improved CSS. 0 15th February 2005, 7:04 pm

Secure wireless email on Mac OS X. Doug Bowman’s tutorial on SSH Tunnel Manager and wireless security. 0 8th February 2005, 11:20 am

The Register hit by XSS

Here’s a nasty one: popular tech news site The Register was hit on Saturday by the Bofra exploit, a nasty worm which uses an iframe vulnerability in (you guessed it) Internet Explorer to install nasty things on the victim’s PC. Where it gets interesting is that the attack wasn’t against the Register themselves; it came through their third party ad serving company, Falk AG. [... 262 words]

User Education Is Not the Answer to Security Problems. Smart thinking on security from Jakob Nielsen. 0 1st November 2004, 1:22 pm

Net security threats growing fast. 30,000+ PCs a day are being compromised for botnets. 0 20th September 2004, 6:44 pm

OS X Security Update 2004-09-07 (via) Plenty of important fixes; a must-have. 0 8th September 2004, 3:45 pm

The bookmarklet solution to the password problem

Anyone who makes heavy use of the internet has run into the password problem: dozens of user accounts on sites with varying degrees of trustability, leading to an unmanageable proliferation of username and password combinations. The temptation is to use the same combination on multiple sites, but doing so opens you up to the horrifying prospect of a security flaw in one site compromising all of your other accounts. [... 366 words]

IE in Windows XP SP2. An overview of the new security changes. 0 10th August 2004, 7:39 pm

Race conditions in security UI. A vulnerability that is even more effective against advanced users (i.e. fast typists). 0 2nd July 2004, 4:14 pm

Bruce vs. Bruce (via) Schneier and Sterling discuss security and technology. 0 15th June 2004, 10:04 pm

Daring Fireball: Security Cannot Be Spun. Apple’s communication handling of the recent security problem was atrocious. 0 31st May 2004, 4 am

Background Images Security Flaw? Styling :visited links can reveal a user’s browser history. 0 24th May 2004, 8:24 pm

Mac OS X helpviewer security flaw fixed. Hit Software Update. Not sure if this fixes the telnet: variety though. 0 22nd May 2004, 5:08 am

Defending against the OS X help: vulnerability

There’s a nasty OS X vulnerability under discussion at the moment which lets a web page execute code on your machine by taking advantage of a flaw in the “help:” protocol. There’s a non-malicious demonstration of the exploit on this page, and Jay Allen is hosting a discussion on the exploit and ways to avoid it. [... 253 words]

Mac OS X URI Handler Arbitrary Code Execution (via) Very nasty: affects all web browsers, allows compromise by malicious web sites. 0 18th May 2004, 3:39 pm

Why Windows is a Security Nightmare. The pain of Windows Update over a 56K modem. 0 18th May 2004, 5:50 am

Bruce Schneier: We are all security customers. How can the US get the best return on investment for homeland security? 0 4th May 2004, 6:34 pm

M.I.T Card Information (via) Whose bright idea was it to introduce a poorly secured swipe card system in a school full of hard-core techies? 0 25th April 2004, 8:58 pm

Will Trade Passwords For Chocolate (via) I’m not at all surprised. Most people see passwords as more of an annoyance than a security measure. 0 20th April 2004, 4:27 am

It’s only going to get worse

This analysis of the spread of the witty worm is fascinating for a whole bunch of different reasons. [... 395 words]

XP Service Pack 2 Review. Several welcome security improvements for those still suffering on Windows ;) 0 21st March 2004, 9:14 pm

Bizex

I’m going to try not to turn this into a blog about Windows security exploits but this one is genuinely interesting in that it actively tries to steal financial information and important passwords. Bizex spreads itself by spamming messages over ICQ advising the recipient to visit a specific URL. When they visit it, Internet Explorer exploits are used to download and execute the main payload which then infects their ICQ program and uses it to message their contacts. The worm also scans their hard drive for information relating to a number of well known financial services which it then uploads to a server via FTP, and it apparently snoops on their browser for any passwords travelling over HTTPS connections as well. [... 216 words]

Novel security measures

An article on SecurityFocus led me to this site about Port Knocking. Port Knocking is an interesting security technique in which a box sits online with no ports open to connections and awaits a specific sequence of connection attempts. A user wishing to connect to the box must first attempt to initiate connections to ports in a specific, secret order. Once they do, the box starts up the required service (such as an SSH daemon) on a designated port and allows the user to connect properly. [... 145 words]
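An added example, not code from the Port Knocking site or the SecurityFocus article: the state machine a knocking daemon keeps on the server side. It watches connection attempts per source address and, once the secret sequence has been hit in order within a time window, authorises that source to reach the real service port for a while. The sequence, the window, the service port and the class name are all illustrative assumptions.

```python
import time

# Added example (not from the original post or the Port Knocking site): the
# server side of port knocking. The knock sequence, time window, service port
# and open duration are assumptions for the example.

KNOCK_SEQUENCE = (7000, 8000, 9000)   # secret order of ports to hit
KNOCK_WINDOW = 10.0                   # seconds allowed for the whole sequence
SERVICE_PORT = 22                     # the port that opens after a good knock
OPEN_FOR = 30.0                       # seconds the source may connect for

class KnockTracker:
    def __init__(self, sequence=KNOCK_SEQUENCE, window=KNOCK_WINDOW,
                 service_port=SERVICE_PORT, open_for=OPEN_FOR):
        self.sequence = tuple(sequence)
        self.window = window
        self.service_port = service_port
        self.open_for = open_for
        self.progress = {}     # src_ip -> (index of next expected knock, time of first knock)
        self.authorised = {}   # src_ip -> time until which the service port is open

    def record(self, src_ip, port, now=None):
        """Feed one connection attempt (as the firewall log would report it).
        Returns True when this attempt completes the secret sequence."""
        now = time.time() if now is None else now
        idx, started = self.progress.get(src_ip, (0, now))
        if idx > 0 and now - started > self.window:
            # Too slow: the partial sequence expires and this knock starts afresh.
            idx, started = 0, now
        if port != self.sequence[idx]:
            # A wrong port resets the sequence (a linear port scan therefore
            # never completes it); if the wrong port happens to be the first
            # knock it counts as a fresh start.
            self.progress[src_ip] = (1, now) if port == self.sequence[0] else (0, now)
            return False
        idx += 1
        if idx == len(self.sequence):
            del self.progress[src_ip]
            self.authorised[src_ip] = now + self.open_for
            return True
        self.progress[src_ip] = (idx, started)
        return False

    def allow(self, src_ip, port, now=None):
        """Firewall decision for a real connection: only the service port, and
        only for a source that completed the knock recently."""
        now = time.time() if now is None else now
        return port == self.service_port and self.authorised.get(src_ip, 0.0) > now
```

The sequence is the whole secret, so anyone who can sniff the knocker's traffic learns it; in practice knocking is a way of hiding a service from scanners, not a replacement for the service's own authentication.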

“I’m Brian and so’s my wife”

I’m subscribed to a whole bunch of mailing lists, mostly as a lurker as I have a hard enough time just keeping up with some of them. One of those lists is Bugtraq, which is pretty much required reading for anyone with sysadmin responsibilities for a server connected to the public internet. Bugtraq is the central hub of the “public disclosure” security community and is actually surprisingly low traffic with only twenty or so messages a day. It’s fascinating to watch the latest exploits for all manner of popular software packages tick by on an hourly basis. [... 285 words]

Slouching toward Big Brother (via) Security is a trade-off 0 30th January 2004, 7:18 pm

Election boxes easy to mess with (via) More on Diebold’s ludicrous security 0 30th January 2004, 7:11 pm

Defending web applications against dictionary attacks

Over at Reflective Surface, Ronaldo M. Ferraz discusses the usability of an authentication system that locks down an account for a certain period of time after three failed login attempts. Ronaldo sees this as a trade off between usability and security, but I see it more as an added security issue in that it allows malicious third parties to lock other users’ accounts armed only with their username. [... 398 words]
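An added example, not code from Ronaldo’s post or this one, showing the two policies side by side. `LockoutPolicy` locks the account itself after three failures, so anyone who knows a username can lock its owner out. `ThrottlePolicy` keeps the failure count per (source, username) and doubles a delay instead of locking, so a dictionary attack from one source slows to a crawl while the account owner, logging in from somewhere else, is untouched. The users, passwords and thresholds are constructed for the example.

```python
import secrets

# Added example, not from Ronaldo's post or this one: an account-lockout policy
# beside a per-source throttling policy. Users, passwords and thresholds are
# constructed for the example.

USERS = {"alice": "correct horse", "bob": "battery staple"}

def password_ok(username, password):
    expected = USERS.get(username, "")
    # constant-time comparison; an unknown username never matches
    return bool(expected) and secrets.compare_digest(expected.encode(), password.encode())

class LockoutPolicy:
    """Lock the *account* after max_failures bad passwords, from anyone."""
    def __init__(self, max_failures=3, lock_seconds=900):
        self.max_failures = max_failures
        self.lock_seconds = lock_seconds
        self.failures = {}      # username -> consecutive failures
        self.locked_until = {}  # username -> time the lock expires

    def login(self, username, password, now):
        if self.locked_until.get(username, 0.0) > now:
            return "locked"          # even the right password is refused
        if password_ok(username, password):
            self.failures.pop(username, None)
            return "ok"
        n = self.failures.get(username, 0) + 1
        self.failures[username] = n
        if n >= self.max_failures:
            self.locked_until[username] = now + self.lock_seconds
            self.failures.pop(username, None)
            return "locked"
        return "bad password"

class ThrottlePolicy:
    """Slow down the *source* that keeps failing against a username; the delay
    doubles on every failure and is cleared by a successful login."""
    def __init__(self, base_delay=1.0, max_delay=3600.0):
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.next_allowed = {}  # (src, username) -> (earliest next attempt, current delay)

    def login(self, src, username, password, now):
        key = (src, username)
        earliest, delay = self.next_allowed.get(key, (0.0, 0.0))
        if now < earliest:
            return "retry later"     # the password is not even checked
        if password_ok(username, password):
            self.next_allowed.pop(key, None)
            return "ok"
        delay = min(max(delay * 2, self.base_delay), self.max_delay)
        self.next_allowed[key] = (now + delay, delay)
        return "bad password"
```

A per-source throttle is no silver bullet either: an attacker with many addresses can spread attempts across them, which is why the usual next step is a CAPTCHA or an alert to the account owner after repeated failures rather than a lock that the attacker controls.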

non-consensual http user tracking using caches. Interesting security issue involving HTTP caching headers 0 20th January 2004, 10:37 pm

Blaster and the great blackout (via) Bruce Schneier writes for Salon.com 0 17th December 2003, 3:10 am

Microsoft Security FAQ (via) Point your less technical friends here 0 17th December 2003, 2:50 am

Nasty new IE vulnerability

Most people reading are probably aware of the common trick whereby spammers and other assorted ne’er-do-wells publish URLs with usernames that look like hostnames to fool people into trusting a malicious site—for example, http://www.microsoft.com&session%123123123@simon.incutio.com. This trick is frequently used by spammers to steal people’s PayPal accounts, by tricking them into “resetting” their password at a site owned by the spammer but disguised as PayPal.com. [... 164 words]
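An added example, not code from the post above: what a correct URL parser makes of the disguised address. Everything before the “@” in the authority is userinfo, so the host the browser actually connects to is whatever follows it. The helper names and the second sample URL (with a documentation address as the real host) are constructed for the example.

```python
from urllib.parse import urlsplit

# Added example (not part of the original post): the real host of a URL whose
# userinfo is dressed up to look like a hostname. Helper names and the
# 198.51.100.7 sample are assumptions for the example.

def real_host(url):
    """The host a browser connects to: the authority after the last '@',
    lower-cased, without any port."""
    return urlsplit(url).hostname

def has_userinfo(url):
    """True if the authority carries a user (and maybe password) part. Ordinary
    web links almost never do, so its presence alone is a warning sign."""
    return "@" in urlsplit(url).netloc

def is_expected_site(url, domain):
    """True only if the real host is `domain` or a subdomain of it."""
    host = real_host(url) or ""
    return host == domain or host.endswith("." + domain)

def explain(url):
    """One line describing what the URL will really do."""
    parts = urlsplit(url)
    if "@" not in parts.netloc:
        return f"connects to {parts.hostname}, no userinfo"
    userinfo, _, _ = parts.netloc.rpartition("@")
    return f"connects to {parts.hostname}; {userinfo!r} is userinfo, not the host"
```

The check to make before trusting a link is `is_expected_site`, never a substring search for the brand name: “paypal.com” appears in both sample URLs, and in neither is it the host.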

Debian’s Response. Praise for Debian’s handling of their recent security incident 0 9th December 2003, 3:16 am

Hacked for Spam

From the New York Times: [... 636 words]

Silly JavaScript Security. “Sorry, you do not have permission to press this key,” 0 5th December 2003, 10:42 pm

High security is low security

Via Crypto-Gram, a great piece from Bruce Tognazzini about how tough security measures can actively reduce the security of a system: [... 225 words]

Signing comments on blogs

Adrian Holovaty has implemented reserved comment names in his blog, a feature that prevents anyone apart from him from using the names “Adrian”, “Adrian H.” or “Adrian Holovaty” when posting a comment. François Nonnenmacher suggests extending the idea to allow people to “confirm” their authorship of comments on any blog using a TrackBack sent to their site that in turn causes them to be sent an alert email, which they can then use to confirm their comment. I like his idea of authentication based on URLs (email addresses are no good; they should not be publicly displayed for fear of spam harvesters) but I think I’ve come up with an alternative authentication scheme that removes the need for the user to manually confirm authorship. This is pretty complicated, so bear with me. [... 762 words]

Hashing client-side data

Via Scott, a clever PHP technique for ensuring data sent to the browser as a cookie or hidden form variable isn’t tampered with by the user: [... 248 words]
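An added example, not the PHP code from the linked article: the same idea in Python. The value goes to the client alongside a MAC computed over it with a server-side secret; when it comes back the MAC is recomputed and compared in constant time, and any edit to the value (or a token minted with a different secret) is rejected. The secret below is a placeholder.

```python
import base64
import hashlib
import hmac

# Added example, not the PHP code from the linked article: sign a value before
# putting it in a cookie or hidden field, verify it on the way back. The secret
# is a constructed placeholder.

SECRET = b"replace-with-a-long-random-server-side-secret"

def _mac(value: bytes, secret: bytes) -> bytes:
    # HMAC rather than sha(secret + value): a plain hash of secret-plus-data is
    # open to length-extension, HMAC is not.
    return hmac.new(secret, value, hashlib.sha256).digest()

def _b64(data: bytes) -> str:
    # URL-safe alphabet contains no ':', so the separator below is unambiguous
    return base64.urlsafe_b64encode(data).decode("ascii")

def sign(value: str, secret: bytes = SECRET) -> str:
    """Return '<base64 value>:<base64 mac>' suitable for a cookie or hidden field."""
    raw = value.encode("utf-8")
    return _b64(raw) + ":" + _b64(_mac(raw, secret))

def unsign(token: str, secret: bytes = SECRET):
    """Return the original value, or None if the token is malformed or was
    tampered with. Never use the value before this check passes."""
    try:
        b64value, b64mac = token.split(":", 1)
        raw = base64.urlsafe_b64decode(b64value)
        mac = base64.urlsafe_b64decode(b64mac)
    except ValueError:          # bad split or bad base64 (binascii.Error is a ValueError)
        return None
    # constant-time comparison so a forger learns nothing from response timing
    if not hmac.compare_digest(mac, _mac(raw, secret)):
        return None
    return raw.decode("utf-8")
```

Signing stops tampering but not reading: the value travels in the clear, so anything the user must not see needs encryption as well, and anything that must not be replayed (a one-off form token, a session that should expire) needs a timestamp or nonce inside the signed value.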

Security and coding style

A couple of good web development security resources: [... 127 words]

Remembering passwords

Via Scott, an article with some great tips on remembering your passwords. It includes the following vitally important tip: [... 273 words]

XML security on SitePoint

Getting Started with XML Security is a SitePoint article of epic proportions. I had never really looked at any of the XML security applications but this article appears to cover the lot. [... 33 words]

OWASP Security guide

The Open Web Application Security Project (OWASP) have a free guide to building secure web applications, which covers a large range of common problems such as cross site scripting and SQL injection vulnerabilities. The report is a 60 page PDF and although I haven’t had time to go through it yet it looks like an excellent read. [... 74 words]

Palladium

Via Boing Boing: Seth Schoen’s notes on Palladium after a meeting with Microsoft. Cory Doctorow points out that Seth is probably the most knowledgeable tech person to have been briefed on Palladium by MSFT without signing an NDA and his post certainly makes interesting reading. Palladium has had a lot of coverage since the Newsweek article announcing it first broke, with Robert Cringely providing some of the best analysis (in my opinion at least). The Register also has a story about Palladium which introduces some more information and guestimates on a shipping schedule. [... 115 words]
