462 items tagged “security”
2006
A Cost Analysis of Windows Vista Content Protection (via) Vista’s content protection is a nightmare for hardware manufacturers and consumers alike. It’s far worse than even BoingBoing readers would expect.
Rogues are very keen in their profession, and know already much more than we can teach them
Never store passwords in a database! The reddit.com developers just learnt this the hard way. It might be time to change some of your passwords.
Real-World Passwords. Random passwords phished from MySpace are surprisingly decent.
BT acquires Counterpane Internet Security (via) They just bought Bruce Schneier.
Better Metrics for Security—Understanding the Symantec Internet Security Threat Report. Mozilla defends against yet more spurious bug count reports.
Parsing XML can open network sockets (via) Yikes. Something to bare in mind.
Bruce Schneier Facts. “SSL is invulnerable to man-in-the-middle attacks. Unless that man is Bruce Schneier.”
Schneier on Security: New Airline Security Rules. “I’m sure glad I’m not flying anywhere this week” says Bruce. Now I wish I wasn’t!
On the total nondisclosure of the 8/9/06 [Rails] security vulnerability. The best argument I’ve seen in favour of full disclosure.
Rails 1.1.5: Mandatory security patch. Upgrade now, and spread the word.
Why is XSS so common? Because dev tools don’t escape things by default.
Don’t serve JSON as text/html. Another sneaky XSS trick.
Mozilla causing XSS in Livejournal. Their recent worm attack was caused by the -moz-binding CSS property.
Xanga Hit By Script Worm (in December) (via) Description of an XSS worm that hit Xanga last month.
DHS Funding Open Source Security. Paying for “source code analysis technology” coverage of Linux, Apache, PostgreSQL and more.
2005
Chris Shiflett: Google XSS Example (via) UTF-7 is a nasty vector for XSS.
Don’t be eval()
JavaScript is an interpreted language, and like so many of its peers it includes the all powerful eval() function. eval() takes a string and executes it as if it were regular JavaScript code. It’s incredibly powerful and incredibly easy to abuse in ways that make your code slower and harder to maintain. As a general rule, if you’re using eval() there’s probably something wrong with your design.
Zero-Day Exploit Targets IE (via) Remote code execution. No patch yet; disable Active Scripting instead.
Social engineering and Orange
I had a call on my mobile earlier today from a lady claiming to be from Orange (my phone service provider) who told me that my contract was about to expire. She asked me for my password.
[... 311 words]Understanding the Greasemonkey vulnerability
If you have any version of Greasemonkey installed prior to 0.3.5, which was released a few hours ago, or if you are running any of the 0.4 alphas, you need to go and upgrade right now. All versions of Greasemonkey aside from 0.3.5 contain a nasty security hole, which could enable malicious web sites to read any file from your hard drive without you knowing.
[... 809 words]Cross-site request forgery (CSRF). Somehow this vulnerability is news to me.
Fighting RFCs with RFCs
Google’s recently released Web Accelerator apparently has some scary side-effects. It’s been spotted pre-loading links in password-protected applications, which can amount to clicking on every “delete this” link — bypassing even the JavaScript prompt you carefully added to give people the chance to think twice.
[... 353 words]Giving away the index
My final year project is due in two weeks, and I’m going to be running on silent for most of them. I have, however, upgraded to Tiger and playing with Spotlight has given me plenty to think about.
[... 414 words]Usable Security: Look Beyond the “Fundamental Conflict”. Security and usability are not conflicting goals.
Not linking is not security. Ridiculous: Harvard rejects applicants who “hacked” by guessing a URL.
Schneier on Security: Cryptanalysis of SHA-1. If you want to understand the “breaking” of SHA-1, this is the place to go. Surprisingly accessible.
Internet Explorer 7. It’s been announced, but the stated focus is security and anti-phishing. No news on improved CSS.
Secure wireless email on Mac OS X. Doug Bowman’s tutorial on SSH Tunnel Manager and wireless security.