Simon Willison’s Weblog

Items tagged security in 2003

Filters: Year: 2003 × security ×


Blaster and the great blackout (via) Bruce Schneier writes for Salon.com # 17th December 2003, 3:10 am

Microsoft Security FAQ (via) Point your less technical friends here # 17th December 2003, 2:50 am

Nasty new IE vulnerability

Most people reading are probably aware of the common trick whereby spammers and other assorted ne’er-do-wells publish URLs with usernames that look like hostnames to fool people in to trusting a malicious site—for example, http://www.microsoft.com&session%123123123@simon.incutio.com. This trick is frequently used by spammers to steal people’s PayPal accounts, by tricking them in to “resetting” their password at a site owned by the spammer but disguised as PayPal.com.

[... 164 words]

Debian’s Response. Praise for Debian’s handling of their recent security incident # 9th December 2003, 3:16 am

Hacked for Spam

From the New York Times:

[... 636 words]

Silly JavaScript Security. “Sorry, you do not have permission to press this key,” # 5th December 2003, 10:42 pm

High security is low security

Via Crypto-Gram, a great piece from Bruce Tognazzini about how tough security measures can actively reduce the security of a system:

[... 225 words]

Signing comments on blogs

Adrian Holovaty has implemented reserved comment names in his blog, a feature that prevents anyone apart from him from using the names “Adrian”, “Adrian H.” or “Adrian Holovaty” when posting a comment. François Nonnenmacher suggests extending the idea to allow people to “confirm” their authorship of comments on any blog using a TrackBack sent to their site that in turn causes them to be sent an alert email, which they can then use to confirm their comment. I like his idea of authentication based on URLs (email addresses are no good; they should not be publically displayed for fear of spam harvesters) but I think I’ve come up with an alternative authentication scheme that removes the need for the user to manually confirm authorship. This is pretty complicated, so bare with me.

[... 762 words]

Hashing client-side data

Via Scott, a clever PHP technique for ensuring data sent to the browser as a cookie or hidden form variable isn’t tampered with by the user:

[... 248 words]