You must have some trust if you want to get anything done.
In his novel The Diamond Age,7 author Neal Stephenson describes a constructed society (called a phyle) based on extreme trust in one’s fellow members. Part of the membership requirements is that, from time to time, each member is called upon to undertake certain tasks to reinforce that trust. For example, a phyle member might be told to go to a particular location at the top of a cliff at a specific time, where he will find bungee cords with ankle harnesses attached. The other ends of the cords trail off into the bushes. At the appointed time he is to fasten the harnesses to his ankles and jump off the cliff. He has to trust that the unseen fellow phyle member who was assigned the job of securing the other end of the bungee to a stout tree actually did his job; otherwise, he will plummet to his death. A third member secretly watches to make sure the first two don’t communicate in any way, relying only on trust to keep tragedy at bay.
> Who Must You Trust?
The Answer is 42 of Course
Weapons of Mass Assignment
LinkedIn Password Leak: Salt Their Hide
If you see something, say something.
In February Apple revealed and fixed an SSL (Secure Sockets Layer) vulnerability that had gone undiscovered since the release of iOS 6.0 in September 2012. It left users vulnerable to man-in-the-middle attacks thanks to a short circuit in the SSL/TLS (Transport Layer Security) handshake algorithm introduced by the duplication of agoto statement. Since the discovery of this very serious bug, many people have written about potential causes. A close inspection of the code, however, reveals not only how a unit test could have been written to catch the bug, but also how to refactor the existing code to make the algorithm testable—as well as more clues to the nature of the error and the environment that produced it.
> Finding More Than One Worm in the Apple
Security is Harder than You Think
Nine IM Accounts and Counting
Browser Security Case Study
How good security at the NSA could have stopped him
Edward Snowden, while an NSA (National Security Agency) contractor at Booz Allen Hamilton in Hawaii, copied up to 1.7 million top-secret and above documents, smuggling copies on a thumb drive out of the secure facility in which he worked, and later released many to the press. This has altered the relationship of the U.S. government with the American people, as well as with other countries. This article examines the computer security aspects of how the NSA could have prevented this, perhaps the most damaging breach of secrets in U.S. history. The accompanying sidebar looks at the Constitutional, legal, and moral issues.
OpenSSL must die, for it will never get any better.
The OpenSSL software package is around 300,000 lines of code, which means there are probably around 299 bugs still there, now that the Heartbleed bug — which allowed pretty much anybody to retrieve internal state to which they should normally not have access — has been fixed.
That’s really all you need to know, but you also know that won’t stop me, right?
> Please Put OpenSSL Out of Its Misery
Cryptography as privacy works only if both ends work at it in good faith
The recent exposure of the dragnet-style surveillance of Internet traffic has provoked a number of responses that are variations of the general formula, “More encryption is the solution.” This is not the case. In fact, more encryption will probably only make the privacy crisis worse than it already is.
> More Encryption Is Not the Solution
Risk is a necessary consequence of dependence
What is critical? To what degree is critical defined as a matter of principle, and to what degree is it defined operationally? I am distinguishing what we say from what we do.
Mainstream media love to turn a spotlight on anything they can label “hypocrisy,” the Merriam-Webster unabridged dictionary meaning of which is:
the act or practice of pretending to be what one is not or to have principles or beliefs that one does not have, especially the false assumption of an appearance of virtue
> Resolved: the Internet Is No Place for Critical Infrastructure
Ang Cui is a Ph.D. student at Columbia University in New York City. His research focuses on embedded devices such as routers, printers and VOIP phones. He is the inventor of a novel, host-based defense mechanism known as Symbiotes. Symbiotes are designed specifically to retrofit black-box, vulnerable, legacy embedded systems with sophisticated anti-exploitation mechanisms. In this video portrait, Ang describes how the extent of the embedded threat in real-world environments, discusses novel exploitation techniques for embedded systems–like enterprise networking equipment–and develops practical defenses for embedded systems that constitute our global communication substrate.
Queue Portrait: Ang Cui
Open source security foundations for mobile and embedded devices
ROBERT N. M. WATSON, UNIVERSITY OF CAMBRIDGE COMPUTER LABORATORY
To discuss operating system security is to marvel at the diversity of deployed access-control models: Unix and Windows NT multiuser security; Type Enforcement in SELinux; anti-malware products; app sandboxing in Apple OS X, Apple iOS, and Google Android; and application-facing systems such as Capsicum in FreeBSD. This diversity is the result of a stunning transition from the narrow 1990s Unix and NT status quo to security localization—the adaptation of operating-system security models to site-local or product-specific requirements.
A Decade of OS Access-control Extensibility
Building Systems to Be Shared, Securely
ACM CTO Roundtable on Mobile Devices in the Enterprise
Extensible Programming for the 21st Century
Our authentication system is lacking. Is improvement possible?
There is an authentication plague upon the land. We have to claim and assert our identity repeatedly to a host of authentication trolls, each jealously guarding an Internet service of some sort. Each troll has specific rules for passwords, and the rules vary widely and incomprehensibly.
Password length requirements vary: Dartmouth wants exactly eight characters; my broker, six to eight; Wells Fargo, eight or more. Special characters are often encouraged or required, but some characters are too special: many disallow spaces, single or double quotes, underlines, or hyphens. Some systems disallow certain characters at the beginning of the password; dictionary checks abound, including foreign language dictionaries.
Security – Problem Solved?
Building Secure Web Applications
LinkedIn Password Leak: Salt Their Hide
Once China opened its door to the world, it could not close it again
What if you could not access YouTube, Facebook, Twitter, and Wikipedia? How would you feel if Google informed you that your connection had been reset during a search? What if Gmail was only periodically available, and Google Docs, which was used to compose this article, was completely unreachable? What a mess!