Routing security incidents can still slip past deployed security defenses.
SHARON GOLDBERG, BOSTON UNIVERSITY
BGP (Border Gateway Protocol) is the glue that sticks the Internet together, enabling data communications between large networks operated by different organizations. BGP makes Internet communications global by setting up routes for traffic between organizations—for example, from Boston University’s network, through larger ISPs (Internet service providers) such as Level3, Pakistan Telecom, and China Telecom, then on to residential networks such as Comcast or enterprise networks such as Bank of America.
> Why Is It Taking So Long to Secure Internet Routing?
What DNS Is Not
The Network is Reliable
DNS Complexity by Paul Vixie
Public, verifiable, append-only logs
BEN LAURIE, GOOGLE
On August 28, 2011, a mis-issued wildcard HTTPS certificate for google.com was used to conduct a man-in-the-middle attack against multiple users in Iran. The certificate had been issued by a Dutch CA (certificate authority) known as DigiNotar, a subsidiary of VASCO Data Security International. Later analysis showed that DigiNotar had been aware of the breach in its systems for more than a month—since at least July 19. It also showed that at least 531 fraudulent certificates had been issued. The final count may never be known, since DigiNotar did not have records of all the mis-issued certificates. On September 20, 2011, DigiNotar was declared bankrupt.
> Certificate Transparency
The Case Against Data Lock-in
A Decade of OS Access-control Extensibility
Preventing script injection vulnerabilities through software design
CHRISTOPH KERN, GOOGLE
Script injection vulnerabilities are a bane of Web application development: deceptively simple in cause and remedy, they are nevertheless surprisingly difficult to prevent in large-scale Web development.
> Securing the Tangled Web
Fault Injection in Production
High Performance Web Sites
You must have some trust if you want to get anything done.
In his novel The Diamond Age,7 author Neal Stephenson describes a constructed society (called a phyle) based on extreme trust in one’s fellow members. Part of the membership requirements is that, from time to time, each member is called upon to undertake certain tasks to reinforce that trust. For example, a phyle member might be told to go to a particular location at the top of a cliff at a specific time, where he will find bungee cords with ankle harnesses attached. The other ends of the cords trail off into the bushes. At the appointed time he is to fasten the harnesses to his ankles and jump off the cliff. He has to trust that the unseen fellow phyle member who was assigned the job of securing the other end of the bungee to a stout tree actually did his job; otherwise, he will plummet to his death. A third member secretly watches to make sure the first two don’t communicate in any way, relying only on trust to keep tragedy at bay.
> Who Must You Trust?
The Answer is 42 of Course
Weapons of Mass Assignment
LinkedIn Password Leak: Salt Their Hide
If you see something, say something.
In February Apple revealed and fixed an SSL (Secure Sockets Layer) vulnerability that had gone undiscovered since the release of iOS 6.0 in September 2012. It left users vulnerable to man-in-the-middle attacks thanks to a short circuit in the SSL/TLS (Transport Layer Security) handshake algorithm introduced by the duplication of agoto statement. Since the discovery of this very serious bug, many people have written about potential causes. A close inspection of the code, however, reveals not only how a unit test could have been written to catch the bug, but also how to refactor the existing code to make the algorithm testable—as well as more clues to the nature of the error and the environment that produced it.
> Finding More Than One Worm in the Apple
Security is Harder than You Think
Nine IM Accounts and Counting
Browser Security Case Study
How good security at the NSA could have stopped him
Edward Snowden, while an NSA (National Security Agency) contractor at Booz Allen Hamilton in Hawaii, copied up to 1.7 million top-secret and above documents, smuggling copies on a thumb drive out of the secure facility in which he worked, and later released many to the press. This has altered the relationship of the U.S. government with the American people, as well as with other countries. This article examines the computer security aspects of how the NSA could have prevented this, perhaps the most damaging breach of secrets in U.S. history. The accompanying sidebar looks at the Constitutional, legal, and moral issues.
OpenSSL must die, for it will never get any better.
The OpenSSL software package is around 300,000 lines of code, which means there are probably around 299 bugs still there, now that the Heartbleed bug — which allowed pretty much anybody to retrieve internal state to which they should normally not have access — has been fixed.
That’s really all you need to know, but you also know that won’t stop me, right?
> Please Put OpenSSL Out of Its Misery
Cryptography as privacy works only if both ends work at it in good faith
The recent exposure of the dragnet-style surveillance of Internet traffic has provoked a number of responses that are variations of the general formula, “More encryption is the solution.” This is not the case. In fact, more encryption will probably only make the privacy crisis worse than it already is.
> More Encryption Is Not the Solution
Risk is a necessary consequence of dependence
What is critical? To what degree is critical defined as a matter of principle, and to what degree is it defined operationally? I am distinguishing what we say from what we do.
Mainstream media love to turn a spotlight on anything they can label “hypocrisy,” the Merriam-Webster unabridged dictionary meaning of which is:
the act or practice of pretending to be what one is not or to have principles or beliefs that one does not have, especially the false assumption of an appearance of virtue
> Resolved: the Internet Is No Place for Critical Infrastructure
Ang Cui is a Ph.D. student at Columbia University in New York City. His research focuses on embedded devices such as routers, printers and VOIP phones. He is the inventor of a novel, host-based defense mechanism known as Symbiotes. Symbiotes are designed specifically to retrofit black-box, vulnerable, legacy embedded systems with sophisticated anti-exploitation mechanisms. In this video portrait, Ang describes how the extent of the embedded threat in real-world environments, discusses novel exploitation techniques for embedded systems–like enterprise networking equipment–and develops practical defenses for embedded systems that constitute our global communication substrate.
Queue Portrait: Ang Cui