Sensible Authentication

The problem with securing assets and their functionality is that, by definition, you don't want to protect them from everybody. It makes no sense to protect assets from their owners, or from other authorized individuals (including the trusted personnel who maintain the security system). In effect, then, all security systems need to allow people in, even as they keep people out. Designing a security system that accurately identifies, authenticates, and authorizes trusted individuals is highly complex and filled with nuance, but critical to security.

by Bruce Schneier | February 24, 2004


Security: The Root of the Problem

Security bug? My programming language made me do it! It doesn't seem that a day goes by without someone announcing a critical flaw in some crucial piece of software or other. Is software that bad? Are programmers so inept? What the heck is going on, and why is the problem getting worse instead of better? One distressing aspect of software security is that we fundamentally don't seem to "get it."

by Marcus J Ranum | August 31, 2004


Perfect Storm:
The Insider, Naivety, and Hostility

Every year corporations and government installations spend millions of dollars fortifying their network infrastructures. Firewalls, intrusion detection systems, and antivirus products stand guard at network boundaries, and individuals monitor countless logs and sensors for even the subtlest hints of network penetration. Vendors and IT managers have focused on keeping the wily hacker outside the network perimeter, but very few technological measures exist to guard against insiders - those entities that operate inside the fortified network boundary. The 2002 CSI/FBI survey estimates that 70 percent of successful attacks come from the inside. Several other estimates place those numbers even higher.

by Herbert H Thompson, Richard Ford | August 31, 2004


Security is Harder than You Think

Many developers see buffer overflows as the biggest security threat to software and believe that there is a simple two-step process to secure software: switch from C or C++ to Java, then start using SSL (Secure Sockets Layer) to protect data communications. It turns out that this naïve tactic isn't sufficient. In this article, we explore why software security is harder than people expect, focusing on the example of SSL.

by John Viega, Matt Messier | August 31, 2004


The Answer is 42 of Course

Why is security so hard? As a security consultant, I’m glad that people feel that way, because that perception pays my mortgage. But is it really so difficult to build systems that are impenetrable to the bad guys?

by Thomas Wadlow | July 6, 2005


Security - Problem Solved?

There are plenty of security problems that have solutions. Yet, our security problems don’t seem to be going away. What’s wrong here? Are consumers being offered snake oil and rejecting it? Are they not adopting solutions they should be adopting? Or, is there something else at work, entirely? We’ll look at a few places where the world could easily be a better place, but isn’t, and build some insight as to why.

by John Viega | July 6, 2005


Attack Trends:
2004 and 2005

Counterpane Internet Security Inc. monitors more than 450 networks in 35 countries, in every time zone. In 2004 we saw 523 billion network events, and our analysts investigated 648,000 security “tickets.” What follows is an overview of what’s happening on the Internet right now, and what we expect to happen in the coming months.

by Bruce Schneier | July 6, 2005


Pointless PKI

We've had problems in the past with internal compromises, and management has decided that the only way to protect the information is to encrypt it during transmission.

by George Neville-Neil | July 27, 2006


One Step Ahead

Every day IT departments are involved in an ongoing struggle against hackers trying to break into corporate networks. A break-in can carry a hefty price: loss of valuable information, tarnishing of the corporate image and brand, service interruption, and hundreds of resource hours of recovery time. Unlike other aspects of information technology, security is adversarial; it pits IT departments against hackers.

by Vlad Gorelik | February 2, 2007


Open vs. Closed:
Which Source is More Secure?

There is no better way to start an argument among a group of developers than proclaiming Operating System A to be "more secure" than Operating System B. I know this from first-hand experience, as previous papers I have published on this topic have led to reams of heated e-mails directed at me including some that were, quite literally, physically threatening. Despite the heat (not light!) generated from attempting to investigate the relative security of different software projects, investigate we must.

by Richard Ford | February 2, 2007


The Evolution of Security

Security people are never in charge unless an acute embarrassment has occurred. Otherwise, their advice is tempered by “economic reality,” which is to say that security is a means, not an end. This is as it should be. Since means are about tradeoffs, security is about trade-offs, but you knew all that.

by Daniel E. Geer | May 4, 2007


The Seven Deadly Sins of Linux Security

Avoid these common security risks like the devil.

by Bob Toxen | June 7, 2007


Document & Media Exploitation

A computer used by Al Qaeda ends up in the hands of a Wall Street Journal reporter. A laptop from Iran is discovered that contains details of that country's nuclear weapons program. Photographs and videos are downloaded from terrorist Web sites.

by Simson L. Garfinkel | January 17, 2008


Intellectual Property and Software Piracy:
The Power of IP Protection and Software Licensing, an interview with Aladdin vice president Gregg Gronowski

Intellectual Property (IP) - which ranges from ideas, inventions, technologies, and patented, trademarked or copyrighted work and products - can account for as much as 80% of a software company's total market value. Since IP is considered a financial asset in today's business climate, the threats to IP create a real concern. In an interview with ACM Queuecast host Michael Vizard, Aladdin vice president Gregg Gronowski explains how Software Digital Rights Management solutions are the de-facto standard today for protecting software IP, preventing software piracy, and enabling software licensing and compliance.

July 14, 2008


The Virtue of Paranoia

A koder with attitude, KV answers your questions. Miss Manners he ain't.

by George Neville-Neil | July 28, 2008


Lessons from the Letter

Security flaws in a large organization

by George V. Neville-Neil | July 22, 2010


The Theft of Business Innovation:
An ACM-BCS Roundtable on Threats to Global Competitiveness

These days, cybercriminals are looking to steal more than just banking information.

by Mache Creeger | November 1, 2010

This article appears in print in Communications of the ACM, Volume 53 Issue 12


The Theft of Business Innovation: Overview

An overview of key points discussed in the joint ACM-BCS Roundtable on Threats to Global Competitiveness.

November 5, 2010


National Internet Defense - Small States on the Skirmish Line

Attacks in Estonia and Georgia highlight key vulnerabilities in national Internet infrastructure.

by Ross Stapleton-Gray, Bill Woodcock | January 19, 2011


Weapons of Mass Assignment

A Ruby on Rails app highlights some serious, yet easily avoided, security vulnerabilities.

by Patrick McKenzie | March 30, 2011

This article appears in print in Communications of the ACM, Volume 54 Issue 5


How to Improve Security?

It takes more than flossing once a year.

by George Neville-Neil | August 12, 2011


SAGE: Whitebox Fuzzing for Security Testing

SAGE has had a remarkable impact at Microsoft.

by Patrice Godefroid, Michael Y. Levin, David Molnar | January 11, 2012


LinkedIn Password Leak: Salt Their Hide

If it does not take a full second to calculate the password hash, it is too weak.

by Poul-Henning Kamp | June 7, 2012


Rethinking Passwords

Our authentication system is lacking. Is improvement possible?

by William Cheswick | December 31, 2012

This article appears in print in Communications of the ACM, Volume 56 Issue 2


A Decade of OS Access-control Extensibility

Open source security foundations for mobile and embedded devices

by Robert N. M. Watson | January 18, 2013

This article appears in print in Communications of the ACM, Volume 56 Issue 2


Resolved: the Internet Is No Place for Critical Infrastructure

Risk is a necessary consequence of dependence

by Dan Geer | April 26, 2013

This article appears in print in Communications of the ACM, Volume 11 Issue 4


Rate-limiting State

The edge of the Internet is an unruly place

by Paul Vixie | February 4, 2014

This article appears in print in Communications of the ACM, Volume 57 Issue 4


Please Put OpenSSL Out of Its Misery

OpenSSL must die, for it will never get any better.

by Poul-Henning Kamp | April 12, 2014


The NSA and Snowden: Securing the All-Seeing Eye

How good security at the NSA could have stopped him

by Bob Toxen | April 28, 2014


Finding More Than One Worm in the Apple

If you see something, say something.

by Mike Bland | May 12, 2014

This article appears in print in Communications of the ACM, Volume 57 Issue 7


Who Must You Trust?

You must have some trust if you want to get anything done.

by Thomas Wadlow | May 30, 2014

This article appears in print in Communications of the ACM, Volume 57 Issue 7


Quality Software Costs Money - Heartbleed Was Free

How to generate funding for FOSS

by Poul-Henning Kamp | June 19, 2014


Internal Access Controls

Trust, but Verify

by Geetanjali Sampemane | December 10, 2014

This article appears in print in Communications of the ACM, Volume 58 Issue 1