Please Put OpenSSL Out of Its Misery

OpenSSL must die, for it will never get any better.

POUL-HENNING KAMP

The OpenSSL software package is around 300,000 lines of code, which means there are probably around 299 bugs still there, now that the Heartbleed bug — which allowed pretty much anybody to retrieve internal state to which they should normally not have access — has been fixed.

That’s really all you need to know, but you also know that won’t stop me, right?

Please Put OpenSSL Out of Its Misery

 

More Encryption Is Not the Solution

Cryptography as privacy works only if both ends work at it in good faith

POUL-HENNING KAMP

The recent exposure of the dragnet-style surveillance of Internet traffic has provoked a number of responses that are variations of the general formula, “More encryption is the solution.” This is not the case. In fact, more encryption will probably only make the privacy crisis worse than it already is.

More Encryption Is Not the Solution

 

Resolved: the Internet Is No Place for Critical Infrastructure

Risk is a necessary consequence of dependence

DAN GEER

What is critical? To what degree is critical defined as a matter of principle, and to what degree is it defined operationally? I am distinguishing what we say from what we do.

Mainstream media love to turn a spotlight on anything they can label “hypocrisy,” the Merriam-Webster unabridged dictionary meaning of which is:

the act or practice of pretending to be what one is not or to have principles or beliefs that one does not have, especially the false assumption of an appearance of virtue

 

Resolved: the Internet Is No Place for Critical Infrastructure

 

Queue Video Portrait: Ang Cui

Ang Cui is a Ph.D. student at Columbia University in New York City. His research focuses on embedded devices such as routers, printers and VOIP phones. He is the inventor of a novel, host-based defense mechanism known as Symbiotes. Symbiotes are designed specifically to retrofit black-box, vulnerable, legacy embedded systems with sophisticated anti-exploitation mechanisms. In this video portrait, Ang describes how the extent of the embedded threat in real-world environments, discusses novel exploitation techniques for embedded systems–like enterprise networking equipment–and develops practical defenses for embedded systems that constitute our global communication substrate.

 

Ang Cui

 

Queue Portrait: Ang Cui

 

A Decade of OS Access-control Extensibility

Open source security foundations for mobile and embedded devices

ROBERT N. M. WATSON, UNIVERSITY OF CAMBRIDGE COMPUTER LABORATORY

To discuss operating system security is to marvel at the diversity of deployed access-control models: Unix and Windows NT multiuser security; Type Enforcement in SELinux; anti-malware products; app sandboxing in Apple OS X, Apple iOS, and Google Android; and application-facing systems such as Capsicum in FreeBSD. This diversity is the result of a stunning transition from the narrow 1990s Unix and NT status quo to security localization—the adaptation of operating-system security models to site-local or product-specific requirements.

A Decade of OS Access-control Extensibility

Related:

Building Systems to Be Shared, Securely

ACM CTO Roundtable on Mobile Devices in the Enterprise

Extensible Programming for the 21st Century

Rethinking Passwords

Our authentication system is lacking. Is improvement possible?

WILLIAM CHESWICK

There is an authentication plague upon the land. We have to claim and assert our identity repeatedly to a host of authentication trolls, each jealously guarding an Internet service of some sort. Each troll has specific rules for passwords, and the rules vary widely and incomprehensibly.

Password length requirements vary: Dartmouth wants exactly eight characters; my broker, six to eight; Wells Fargo, eight or more. Special characters are often encouraged or required, but some characters are too special: many disallow spaces, single or double quotes, underlines, or hyphens. Some systems disallow certain characters at the beginning of the password; dictionary checks abound, including foreign language dictionaries.

Rethinking Passwords

 

Related:

Security – Problem Solved?

Building Secure Web Applications

LinkedIn Password Leak: Salt Their Hide

 

Splinternet Behind the Great Firewall of China

Once China opened its door to the world, it could not close it again

Daniel Anderson

What if you could not access YouTube, Facebook, Twitter, and Wikipedia? How would you feel if Google informed you that your connection had been reset during a search? What if Gmail was only periodically available, and Google Docs, which was used to compose this article, was completely unreachable? What a mess!

<a href=’http://queue.acm.org/detail.cfm?id=2405036′>http://queue.acm.org/detail.cfm?id=2405036</a>

Browser Security Case Study: Appearances Can Be Deceiving

A discussion with Jeremiah Grossman, Ben Livshits, Rebecca Bace, and George Neville-Neil

It seems every day we learn of some new security breach. It’s all there for the taking on the Internet—more and more sensitive data every second. As for privacy, we Facebook, we Google, we bank online, we shop online, we invest online… we put it all out there. And just how well protected is all that personally identifiable information? Not very.

The browser is our most important connection to the Web, and our first line of defense. But have the browser vendors kept up their end of the bargain in protecting users? They claim to have done so in various ways, but many of those claims are thin. From SSL (Secure Sockets Layer) to the Do Not Track initiative to browser add-ons to HTML5, attempts to beef up security and privacy safeguards have fallen well short.

Browser Security Case Study: Appearances Can Be Deceiving

 

Related:

Java Security Architecture Revisited

CTO Roundtable: Malware Defense Overview

Building Secure Web Applications

The Web Wont Be Safe or Secure until We Break It

Unless you’ve taken very particular precautions, assume every Web site you visit knows exactly who you are.

JEREMIAH GROSSMAN, WHITEHAT SECURITY

The Internet was designed to deliver information, but few people envisioned the vast amounts of information that would be involved or the personal nature of that information. Similarly, few could have foreseen the potential flaws in the design of the Internet—more specifically, Web browsers—that would expose this personal information, compromising the data of individuals and companies.

If people knew just how much of their personal information they unwittingly make available to each and every Web site they visit—even sites they’ve never been to before—they would be disturbed. If they give that Web site just one click of the mouse, out goes even more personally identifiable data, including full name and address, hometown, school, marital status, list of friends, photos, other Web sites they are logged in to, and in some cases, their browser’s auto-complete data and history of other sites they have visited.

http://queue.acm.org/detail.cfm?id=2390758

 

Related:

Browser Security

Security In The Browser

Cybercrime 2.0: When The Cloud Turns Dark

 

Queue Portrait: Video Interview with Robert Watson

Robert Watson

Robert Watson is a security researcher and open source developer at the University of Cambridge looking at the hardware-software interface. He talks to us about spanning industry and academia, the importance of open source in software research, and challenges facing research that spans traditional boundaries in computer science. We also learn a bit about CPU security, and why applications, rather than operating systems, are increasingly the focus of security research. What are the challenges in the evolving hardware-software interface? Could open source hardware provide a platform for hardware-software research? And why is current hardware part of the problem? George Neville-Neil, Queue’s Kode Vicious, interviews Robert to learn about an exciting computer science research project at Cambridge.

http://queue.acm.org/detail_video.cfm?id=2382552