Simon Willison’s Weblog

Never store passwords in a database! The reddit.com developers just learnt this the hard way. It might be time to change some of your passwords.

# 16th December 2006, 12:01 am / reddit, security

Real-World Passwords. Random passwords phished from MySpace are surprisingly decent.

# 14th December 2006, 2:14 pm / bruce-schneier, passwords, myspace, security, phishing

BT acquires Counterpane Internet Security (via) They just bought Bruce Schneier.

# 25th October 2006, 10:57 am / bruce-schneier, security, bt

Better Metrics for Security—Understanding the Symantec Internet Security Threat Report. Mozilla defends against yet more spurious bug count reports.

# 27th September 2006, 9:54 am / security, mozilla, symantec

Parsing XML can open network sockets (via) Yikes. Something to bare in mind.

# 18th August 2006, 2:27 pm / xml, security

Bruce Schneier Facts. “SSL is invulnerable to man-in-the-middle attacks. Unless that man is Bruce Schneier.”

# 17th August 2006, 2:19 pm / bruce-schneier, security, funny

Schneier on Security: New Airline Security Rules. “I’m sure glad I’m not flying anywhere this week” says Bruce. Now I wish I wasn’t!

# 10th August 2006, 4:26 pm / bruce-schneier, security, airlines

On the total nondisclosure of the 8/9/06 [Rails] security vulnerability. The best argument I’ve seen in favour of full disclosure.

# 10th August 2006, 2:53 pm / rails, disclosure, security

Rails 1.1.5: Mandatory security patch. Upgrade now, and spread the word.

# 9th August 2006, 8:55 pm / rails, security

Why is XSS so common? Because dev tools don’t escape things by default.

# 2nd August 2006, 8:57 pm / xss, security

Don’t serve JSON as text/html. Another sneaky XSS trick.

# 5th July 2006, 11:46 pm / security, json, xss, http

Mozilla causing XSS in Livejournal. Their recent worm attack was caused by the -moz-binding CSS property.

# 22nd January 2006, 9:37 pm / mozilla, css, livejournal, security, xss

Xanga Hit By Script Worm (in December) (via) Description of an XSS worm that hit Xanga last month.

# 21st January 2006, 8:47 pm / xanga, worm, xss, security

DHS Funding Open Source Security. Paying for “source code analysis technology” coverage of Linux, Apache, PostgreSQL and more.

# 17th January 2006, 10:18 pm / security, open-source, dhs, linux, apache, postgresql

Chris Shiflett: Google XSS Example (via) UTF-7 is a nasty vector for XSS.

# 24th December 2005, 5:21 pm / xss, security, google, chris-shiflett

Zero-Day Exploit Targets IE (via) Remote code execution. No patch yet; disable Active Scripting instead.

# 22nd November 2005, 6:24 am / security, exploits, zeroday, ie

Cross-site request forgery (CSRF). Somehow this vulnerability is news to me.

# 6th May 2005, 11:07 pm / csrf, security

Usable Security: Look Beyond the “Fundamental Conflict”. Security and usability are not conflicting goals.

# 18th March 2005, 2:27 am / usability, security, ka-ping-yee

Not linking is not security. Ridiculous: Harvard rejects applicants who “hacked” by guessing a URL.

# 8th March 2005, 8:47 pm / security, harvard, outrageous

Schneier on Security: Cryptanalysis of SHA-1. If you want to understand the “breaking” of SHA-1, this is the place to go. Surprisingly accessible.

# 19th February 2005, 3:12 pm / security, cryptanalysis, sha, hashing, bruce-schneier

Schneier on Security: SHA-1 Broken. Whoa.

# 16th February 2005, 4:47 am / sha, security, hashing, bruce-schneier

Internet Explorer 7. It’s been announced, but the stated focus is security and anti-phishing. No news on improved CSS.

# 15th February 2005, 7:04 pm / ie, ie7, css, security, phishing

Secure wireless email on Mac OS X. Doug Bowman’s tutorial on SSH Tunnel Manager and wireless security.

# 8th February 2005, 11:20 am / security, douglas-bowman, osx, ssh, email

User Education Is Not the Answer to Security Problems. Smart thinking on security from Jakob Nielsen.

# 1st November 2004, 1:22 pm / jakob-nielsen, security, usability