Posts tagged security in 2003
Blaster and the great blackout (via) Bruce Schneier writes for Salon.com
Microsoft Security FAQ (via) Point your less technical friends here
Nasty new IE vulnerability
Most people reading are probably aware of the common trick whereby spammers and other assorted ne’er-do-wells publish URLs with usernames that look like hostnames to fool people into trusting a malicious site—for example, http://www.microsoft.com&session%123123123@simon.incutio.com. This trick is frequently used by spammers to steal people’s PayPal accounts, by tricking them into “resetting” their password at a site owned by the spammer but disguised as PayPal.com.
[... 164 words]
Debian’s Response. Praise for Debian’s handling of their recent security incident
Silly JavaScript Security. “Sorry, you do not have permission to press this key,”
High security is low security
Via Crypto-Gram, a great piece from Bruce Tognazzini about how tough security measures can actively reduce the security of a system:
[... 225 words]
Signing comments on blogs
Adrian Holovaty has implemented reserved comment names in his blog, a feature that prevents anyone apart from him from using the names “Adrian”, “Adrian H.” or “Adrian Holovaty” when posting a comment. François Nonnenmacher suggests extending the idea to allow people to “confirm” their authorship of comments on any blog using a TrackBack sent to their site that in turn causes them to be sent an alert email, which they can then use to confirm their comment. I like his idea of authentication based on URLs (email addresses are no good; they should not be publicly displayed for fear of spam harvesters) but I think I’ve come up with an alternative authentication scheme that removes the need for the user to manually confirm authorship. This is pretty complicated, so bear with me.
[... 762 words]
Safe HTML checker
I’ve finally enabled a subset of HTML in my comments. In doing so, I had several requirements that needed to be fulfilled:
[... 227 words]
Hashing client-side data
Via Scott, a clever PHP technique for ensuring data sent to the browser as a cookie or hidden form variable isn’t tampered with by the user:
[... 248 words]