Simon Willison’s Weblog

Subscribe
Atom feed for security

490 items tagged “security”

2003

High security is low security

Via Crypto-Gram, a great piece from Bruce Tognazzini about how tough security measures can actively reduce the security of a system:

[... 225 words]

Signing comments on blogs

Adrian Holovaty has implemented reserved comment names in his blog, a feature that prevents anyone apart from him from using the names “Adrian”, “Adrian H.” or “Adrian Holovaty” when posting a comment. François Nonnenmacher suggests extending the idea to allow people to “confirm” their authorship of comments on any blog using a TrackBack sent to their site that in turn causes them to be sent an alert email, which they can then use to confirm their comment. I like his idea of authentication based on URLs (email addresses are no good; they should not be publically displayed for fear of spam harvesters) but I think I’ve come up with an alternative authentication scheme that removes the need for the user to manually confirm authorship. This is pretty complicated, so bare with me.

[... 762 words]

Hashing client-side data

Via Scott, a clever PHP technique for ensuring data sent to the browser as a cookie or hidden form variable isn’t tampered with by the user:

[... 248 words]

2002

Security and coding style

A couple of good web development security resources:

[... 127 words]

Remembering passwords

Via Scott, an article with some great tips on remembering your passwords. It includes the following vitally important tip:

[... 273 words]

XML security on SitePoint

Getting Started with XML Security is a SitePoint article of epic proportions. I had never really looked at any of the XML security applications but this article appears to cover the lot.

OWASP Security guide

The Open Web Application Security Project (OWASP) have a free guide to building secure web applications, which covers a large range of common problems such as cross site scripting and SQL injection vulnerabilities. The report is a 60 page PDF and although I haven’t had time to go through it yet it looks like an excellent read.

How the RIAA was hacked

The Register: Want to know how RIAA.org was hacked? They had an un-password-protected admin panel listed in their robots.txt file. Muppets.

Magic quotes solution

Pink Goblin (otherwise known as HarryF) explains why magic quotes are evil. This is an issue that every PHP developer should be aware of, as it can cause all kinds of problems in your scripts if you ignore it. He suggests using a custom myAddSlashes() function which only calls addslashes() if magic quotes are turned off. I have an alternative solution—chose your preferred setting (quotes on or off) and apply it at run time to all incoming data in one go. My code for doing this is available here. By a bizzare coincidence I wrote the script this morning, then spotted a link to the Pink Goblin article on tidak ada literally five minutes after finishing it.

Palladium

Via Boing Boing: Seth Schoen’s notes on Palladium after a meeting with Microsoft. Cory Doctorow points out that Seth is probably the most knowledgeable tech person to have been briefed on Palladium by MSFT without signing an NDA and his post certainly makes interesting reading. Palladium has had a lot of coverage since the Newsweek article announcing it first broke, with Robert Cringely providing some of the best analysis (in my opinion at least). The Register also has a story about Palladium which introduces some more information and guestimates on a shipping schedule.