Simon Willison’s Weblog

Quotations tagged security in 2007

Filters: Type: quotation × Year: 2007 × security ×

I don’t understand why the NSA was so insistent about including Dual_EC_DRBG in the standard. It makes no sense as a trap door: It’s public, and rather obvious. It makes no sense from an engineering perspective: It’s too slow for anyone to willingly use it. And it makes no sense from a backwards-compatibility perspective: Swapping one random-number generator for another is easy.

Bruce Schneier # 16th November 2007, 10:25 am

In the long term, I want to replace JavaScript and the DOM with a smarter, safer design. In the medium term, I want to use something like Google Gears to give us vats with which we can have safe mashups. But in the short term, I recommend that you be using Firefox with No Script. Until we get things right, it seems to be the best we can do.

Douglas Crockford # 7th November 2007, 3:36 pm

A school in the UK is using RFID chips in school uniforms to track attendance. So now it’s easy to cut class; just ask someone to carry your shirt around the building while you’re elsewhere.

Bruce Schneier # 24th October 2007, 8:36 pm

Historically, Internet companies have rarely encrypted passwords to aid customer service.

Fasthosts # 18th October 2007, 5:27 pm

Currently WebRunner applications share cookies with other WebRunner applications, but not with Firefox. WebRunner uses its own profile, not Firefox’s profile. There is a plan to allow WebRunner applications to create their own, private profiles as well.

Mark Finkle # 30th September 2007, 4:08 pm

A typical phishing email will have a generic greeting, such as ’Dear User’. Note: All PayPal emails will greet you by your first and last name.

PayPal's Phishing Guide # 22nd September 2007, 2:33 pm

E-Trade financial tried using a RSA fob as a second factor of authentication, but as of their 11/07/06 financial report their fraud losses continue to increase. That said, they considered this program a success because users indicated they feel safer and are more likely to provide assets.

Usable Security # 20th July 2007, 10:31 am

If you found a hole in software that millions of people use, and is very high profile, you can sell that to the highest bidder for perhaps one or two million dollars.

Jacques Erasmus # 4th February 2007, 7:06 pm

The JavaScript alert(), confirm() and prompt() functions in Firefox, Opera and MSIE (but not Safari) will truncate the message after any null character. So an unsuspecting programmer who inserts user-provided text into one of these dialog boxes opens up an opportunity for the user to rewrite the bottom of the dialog box.

Neil Fraser # 13th January 2007, 12:28 pm

If you are subject to an XSS, the same domain policy already ensures that you’re f’d. An XSS attack is the “root” or “ring 0” attack of the web.

Alex Russell # 8th January 2007, 10:48 pm

Why don’t we have a .bank or .bank.country_code TLD that’s regulated by the same people that regulate the banks themselves?

Dean Wilson # 7th January 2007, 10:22 pm