Security


Quality Software Costs Money - Heartbleed Was Free

How to generate funding for FOSS

by Poul-Henning Kamp | June 19, 2014

1 comment

Who Must You Trust?

You must have some trust if you want to get anything done.

by Thomas Wadlow | May 30, 2014

This article appears in print in Communications of the ACM, Volume 57 Issue 7

5 comments

Finding More Than One Worm in the Apple

If you see something, say something.

by Mike Bland | May 12, 2014

This article appears in print in Communications of the ACM, Volume 57 Issue 7

13 comments

The NSA and Snowden: Securing the All-Seeing Eye

How good security at the NSA could have stopped him

by Bob Toxen | April 28, 2014

4 comments

Please Put OpenSSL Out of Its Misery

OpenSSL must die, for it will never get any better.

by Poul-Henning Kamp | April 12, 2014

45 comments

Rate-limiting State

The edge of the Internet is an unruly place

by Paul Vixie | February 4, 2014

This article appears in print in Communications of the ACM, Volume 57 Issue 4

7 comments

Resolved: the Internet Is No Place for Critical Infrastructure

Risk is a necessary consequence of dependence

by Dan Geer | April 26, 2013

0 comments

A Decade of OS Access-control Extensibility

Open source security foundations for mobile and embedded devices

by Robert N. M. Watson | January 18, 2013

This article appears in print in Communications of the ACM, Volume 56 Issue 2

2 comments

Rethinking Passwords

Our authentication system is lacking. Is improvement possible?

by William Cheswick | December 31, 2012

This article appears in print in Communications of the ACM, Volume 56 Issue 2

6 comments

LinkedIn Password Leak: Salt Their Hide

If it does not take a full second to calculate the password hash, it is too weak.

by Poul-Henning Kamp | June 7, 2012

36 comments

SAGE: Whitebox Fuzzing for Security Testing

SAGE has had a remarkable impact at Microsoft.

by Patrice Godefroid, Michael Y. Levin, David Molnar | January 11, 2012

0 comments

How to Improve Security?

It takes more than flossing once a year.

by George Neville-Neil | August 12, 2011

1 comment

Weapons of Mass Assignment

A Ruby on Rails app highlights some serious, yet easily avoided, security vulnerabilities.

by Patrick McKenzie | March 30, 2011

This article appears in print in Communications of the ACM, Volume 54 Issue 5

3 comments

National Internet Defense - Small States on the Skirmish Line

Attacks in Estonia and Georgia highlight key vulnerabilities in national Internet infrastructure.

by Ross Stapleton-Gray, Bill Woodcock | January 19, 2011

0 comments

The Theft of Business Innovation: Overview

An overview of key points discussed in the joint ACM-BCS Roundtable on Threats to Global Competitiveness.

November 5, 2010

0 comments

The Theft of Business Innovation: An ACM-BCS Roundtable on Threats to Global Competitiveness

These days, cybercriminals are looking to steal more than just banking information.

by Mache Creeger | November 1, 2010

This article appears in print in Communications of the ACM, Volume 53 Issue 12

1 comment

Lessons from the Letter

Security flaws in a large organization

by George V. Neville-Neil | July 22, 2010

1 comment

The Virtue of Paranoia

Dear KV, I just joined a company that massages large amounts of data into an internal format for its own applications to work on. Although the data is backed up regularly, I have noticed that access to this data, which has accumulated to be several petabytes in size, is not particularly well secured. There is no encryption, and although the data is not easily reachable from the Internet, everyone at the company has direct access to the volumes, both physically and electronically, all the time.

by George Neville-Neil | July 28, 2008

0 comments

Intellectual Property and Software Piracy: The Power of IP Protection and Software Licensing, an interview with Aladdin vice president Gregg Gronowski

Intellectual Property (IP), which ranges from ideas, inventions, and technologies to patented, trademarked, or copyrighted work and products, can account for as much as 80% of a software company's total market value. Since IP is considered a financial asset in today's business climate, threats to IP are a real concern. In an interview with ACM Queuecast host Michael Vizard, Aladdin vice president Gregg Gronowski explains how Software Digital Rights Management solutions are the de facto standard today for protecting software IP, preventing software piracy, and enabling software licensing and compliance.

July 14, 2008

1 comment

Document & Media Exploitation

A computer used by Al Qaeda ends up in the hands of a Wall Street Journal reporter. A laptop from Iran is discovered that contains details of that country's nuclear weapons program. Photographs and videos are downloaded from terrorist Web sites.

by Simson L. Garfinkel | January 17, 2008

0 comments

The Seven Deadly Sins of Linux Security

Avoid these common security risks like the devil.

by Bob Toxen | June 7, 2007

0 comments

The Evolution of Security

Security people are never in charge unless an acute embarrassment has occurred. Otherwise, their advice is tempered by "economic reality," which is to say that security is a means, not an end. This is as it should be. Since means are about trade-offs, security is about trade-offs, but you knew all that.

by Daniel E. Geer | May 4, 2007

0 comments

Open vs. Closed: Which Source is More Secure?

There is no better way to start an argument among a group of developers than proclaiming Operating System A to be "more secure" than Operating System B. I know this from first-hand experience, as previous papers I have published on this topic have led to reams of heated e-mails directed at me including some that were, quite literally, physically threatening. Despite the heat (not light!) generated from attempting to investigate the relative security of different software projects, investigate we must.

by Richard Ford | February 2, 2007

0 comments

One Step Ahead

Every day IT departments are involved in an ongoing struggle against hackers trying to break into corporate networks. A break-in can carry a hefty price: loss of valuable information, tarnishing of the corporate image and brand, service interruption, and hundreds of resource hours of recovery time. Unlike other aspects of information technology, security is adversarial; it pits IT departments against hackers.

by Vlad Gorelik | February 2, 2007

0 comments

Pointless PKI

We've had problems in the past with internal compromises, and management has decided that the only way to protect the information is to encrypt it during transmission.

by George Neville-Neil | July 27, 2006

0 comments

Attack Trends: 2004 and 2005

Counterpane Internet Security Inc. monitors more than 450 networks in 35 countries, in every time zone. In 2004 we saw 523 billion network events, and our analysts investigated 648,000 security “tickets.” What follows is an overview of what’s happening on the Internet right now, and what we expect to happen in the coming months.

by Bruce Schneier | July 6, 2005

0 comments

Security - Problem Solved?

There are plenty of security problems that have solutions. Yet our security problems don't seem to be going away. What's wrong here? Are consumers being offered snake oil and rejecting it? Are they not adopting solutions they should be adopting? Or is there something else at work entirely? We'll look at a few places where the world could easily be a better place but isn't, and build some insight as to why.

by John Viega | July 6, 2005

1 comment

The Answer is 42 of Course

Why is security so hard? As a security consultant, I’m glad that people feel that way, because that perception pays my mortgage. But is it really so difficult to build systems that are impenetrable to the bad guys?

by Thomas Wadlow | July 6, 2005

0 comments

Security is Harder than You Think

Many developers see buffer overflows as the biggest security threat to software and believe that there is a simple two-step process to secure software: switch from C or C++ to Java, then start using SSL (Secure Sockets Layer) to protect data communications. It turns out that this naïve tactic isn't sufficient. In this article, we explore why software security is harder than people expect, focusing on the example of SSL.

by John Viega, Matt Messier | August 31, 2004

0 comments

Perfect Storm: The Insider, Naivety, and Hostility

Every year corporations and government installations spend millions of dollars fortifying their network infrastructures. Firewalls, intrusion detection systems, and antivirus products stand guard at network boundaries, and individuals monitor countless logs and sensors for even the subtlest hints of network penetration. Vendors and IT managers have focused on keeping the wily hacker outside the network perimeter, but very few technological measures exist to guard against insiders - those entities that operate inside the fortified network boundary. The 2002 CSI/FBI survey estimates that 70 percent of successful attacks come from the inside. Several other estimates place those numbers even higher.

by Herbert H Thompson, Richard Ford | August 31, 2004

0 comments

Security: The Root of the Problem

Security bug? My programming language made me do it! It doesn't seem that a day goes by without someone announcing a critical flaw in some crucial piece of software or other. Is software that bad? Are programmers so inept? What the heck is going on, and why is the problem getting worse instead of better? One distressing aspect of software security is that we fundamentally don't seem to "get it."

by Marcus J Ranum | August 31, 2004

0 comments

Sensible Authentication

The problem with securing assets and their functionality is that, by definition, you don't want to protect them from everybody. It makes no sense to protect assets from their owners, or from other authorized individuals (including the trusted personnel who maintain the security system). In effect, then, all security systems need to allow people in, even as they keep people out. Designing a security system that accurately identifies, authenticates, and authorizes trusted individuals is highly complex and filled with nuance, but critical to security.

by Bruce Schneier | February 24, 2004

0 comments