rc3.org

Strong opinions, weakly held

Tag: security (page 6 of 7)

Links from February 3rd

A few links from the past few days.

Data breach notification laws

Bruce Schneier argues that data breach notification laws are a good idea. I’d agree. I was working on an application that stored personal information when the ChoicePoint breach was reported, and it changed the way I thought about how much data we should archive. As Schneier points out, most identity theft results from computers belonging to individuals being compromised, but companies that deal in bulk amounts of user data should be particularly responsible when it comes to safeguarding that data. Without such laws, I don’t think they’d be as careful.

A practical perspective on security

Via Bruce Schneier:

Remember, if it’s in the news don’t worry about it. The very definition of news is “something that almost never happens.” When something is so common that it’s no longer news—car crashes, domestic violence—that’s when you should worry about it.

How Twitter was exploited

Now it can be told (apparently). The Twitter abuse that I posted about yesterday resulted from a Twitter employee giving their password to a third party service. Someone then used that password to access Twitter with administrative rights and amuse themselves.

Part of the problem here is that the credentials required to access your account through the API are the same as those required to access the site through the Web interface. But the other lesson here for developers is that you should really split up the administrative features of your application and the end user features into separate accounts. They probably shouldn’t even use the same interface. That may be more painful for users but it eliminates a lot of risks. And of course employees should know better than to hand out their passwords to random Web sites.

Update: Turns out the password in question was guessed, not phished. Either way, it’s an argument for separating the administrative functions from the standard user interface.
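The separation argued for above, sketched as an added example in Ruby (this is not Twitter's code and not code from the original post): two independent credential stores, one for end users and one for staff, so a phished or guessed user password is never even consulted by the admin console; API access through scoped tokens instead of the web password, so a token handed to a third-party service exposes only its scopes and can be revoked without a password change; and a failed-attempt lockout on the staff realm, since the update says the password was guessed. `USER_REALM`, `ADMIN_REALM`, the scope symbols and the usernames are assumptions made for illustration.

```ruby
require "openssl"
require "securerandom"

# Added example, not code from the post or from Twitter. Names and scopes
# are assumptions made for illustration.

# Constant-time string comparison so a password check does not leak
# how many leading bytes matched.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# One credential store. The point is that there are two instances of it:
# end users live in one, staff in the other, and nothing maps between them.
class Realm
  MAX_FAILURES = 5   # a guessing attacker gets five tries, not unlimited

  def initialize(name)
    @name = name
    @records = {}    # username => { salt:, hash:, failures: }
  end

  def register(username, password)
    salt = SecureRandom.random_bytes(16)
    @records[username] = { salt: salt, hash: derive(password, salt), failures: 0 }
    nil
  end

  def authenticate(username, password)
    rec = @records[username]
    return false if rec.nil? || rec[:failures] >= MAX_FAILURES   # unknown or locked
    if secure_equal?(rec[:hash], derive(password, rec[:salt]))
      rec[:failures] = 0
      true
    else
      rec[:failures] += 1
      false
    end
  end

  def locked?(username)
    rec = @records[username]
    !rec.nil? && rec[:failures] >= MAX_FAILURES
  end

  private

  def derive(password, salt)
    OpenSSL::PKCS5.pbkdf2_hmac(password, salt, 100_000, 32, "sha256")
  end
end

USER_REALM  = Realm.new("web")    # the public site
ADMIN_REALM = Realm.new("admin")  # the staff console, ideally on its own host

# The web interface authenticates against the user realm only.
def web_login(username, password)
  USER_REALM.authenticate(username, password) ? :user_session : :denied
end

# The admin console authenticates against the staff realm only. A user
# password, whether phished or guessed, is never checked here.
def admin_login(username, password)
  ADMIN_REALM.authenticate(username, password) ? :admin_session : :denied
end

# API access uses scoped tokens rather than the web password.
API_TOKENS = {}  # token => { user:, scopes: }

def issue_api_token(username, scopes)
  token = SecureRandom.hex(32)
  API_TOKENS[token] = { user: username, scopes: scopes }
  token
end

def revoke_api_token(token)
  !API_TOKENS.delete(token).nil?
end

def api_call(token, scope)
  rec = API_TOKENS[token]
  rec && rec[:scopes].include?(scope) ? :ok : :unauthorized
end

if __FILE__ == $0
  USER_REALM.register("demo-user", "correct horse battery staple")
  ADMIN_REALM.register("demo-staff", SecureRandom.hex(16))
  puts "web login with user password:   #{web_login('demo-user', 'correct horse battery staple')}"
  puts "admin login with user password: #{admin_login('demo-user', 'correct horse battery staple')}"
  token = issue_api_token("demo-user", [:read_timeline])
  puts "api read with token:            #{api_call(token, :read_timeline)}"
  puts "api post with read-only token:  #{api_call(token, :post_update)}"
end
```

The lockout is the blunt version of the fix for guessed passwords, and it has a cost: anyone who knows a staff username can lock that account. For a staff console that is usually an acceptable trade; for end-user accounts, rate limiting per source and per account is the gentler form of the same control.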

Update on Twitter phishing

Looks like the Twitter phishing attacks over the weekend led to some hilarious results.

Phishing on Twitter

There’s a phishing scheme being run against Twitter users right now. It looks like the objective is the collection of more Twitter passwords, but I’d expect that there is some other fraudulent angle as well that is perhaps yet to be revealed. In any case, avoid clicking on links in direct messages and if you’ve given your password to a third party service, you may want to change it.

Putting airport security to the test

Bruce Schneier and Atlantic Monthly writer Jeffrey Goldberg travelled around the country testing the limits of airport security. If you read Schneier’s blog, none of their findings will surprise you, but the article is entertaining nonetheless.

Here’s an example:

On another occasion, at LaGuardia, in New York, the transportation-security officer in charge of my secondary screening emptied my carry-on bag of nearly everything it contained, including a yellow, three-foot-by-four-foot Hezbollah flag, purchased at a Hezbollah gift shop in south Lebanon. The flag features, as its charming main image, an upraised fist clutching an AK-47 automatic rifle. Atop the rifle is a line of Arabic writing that reads THEN SURELY THE PARTY OF GOD ARE THEY WHO WILL BE TRIUMPHANT. The officer took the flag and spread it out on the inspection table. She finished her inspection, gave me back my flag, and told me I could go. I said, “That’s a Hezbollah flag.” She said, “Uh-huh.” Not “Uh-huh, I’ve been trained to recognize the symbols of anti-American terror groups, but after careful inspection of your physical person, your behavior, and your last name, I’ve come to the conclusion that you are not a Bekaa Valley–trained threat to the United States commercial aviation system,” but “Uh-huh, I’m going on break, why are you talking to me?”

Using games for terrorist collaboration

A defense researcher has created a hypothetical scenario that envisions how terrorists might conspire to commit a terrorist attack using World of Warcraft.

Fighting censorship with banner ads

James Fallows writes about uptake of Hot Spot Shield in China. It’s a tool that tunnels your Web traffic through a VPN so that people can’t snoop on your Internet traffic, and is supported by ads that it inserts when you load Web pages. Among other things, it enables users in China to circumvent the Great Firewall and view Web pages that are otherwise blocked. (I wonder how long it will be before the Chinese government blocks access to anchorfree.com from inside the firewall so that people can’t download Hot Spot Shield?)

Ruby Gems as an attack vector

Tim Bray warns of the dangers of Ruby Gems as an attack vector. The risk is that basically anyone can create a Gem and make it available using the gem installer.

I’ll say that this is why real systems administrators detest the various packaging schemes that scripting languages offer. It’s generally a much better practice to manage libraries through the operating system’s centralized packaging system — Red Hat’s RPM, FreeBSD Ports, Debian/Ubuntu’s APT, and so forth. Administrators who want to go beyond the vendor-approved repositories for packages are free to do so, but packages from the vendor list can be installed with relative confidence.

Who knows what to expect from packages from CPAN, PEAR, RubyForge, and the like? (This also ties into my longer argument about why developers are the natural enemy of the systems administrator, but I’ll get into that some other time.)
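A check worth running on a gem that did not come from the vendor repositories, as an added example in Ruby (not Tim Bray's code and not part of the post): open the .gem file through RubyGems' own `Gem::Package` API without installing it, read the spec and file list, report whether it declares native extensions, whose build scripts (`extconf.rb` and the like) RubyGems executes as the installing user, and whether it carries a signature that the `HighSecurity` policy would accept. The two sample gems are constructed by the script itself in a temporary directory so it runs offline; `tidy` and `shady` are made-up names, and the `system('id')` in the constructed extconf.rb stands in for whatever a hostile publisher would put there.

```ruby
require "rubygems"
require "rubygems/package"
require "rubygems/security"
require "tmpdir"
require "fileutils"

# Added example, not code from the post or from RubyGems. It builds throwaway
# gems locally so it runs offline; the gem names are made up.

# Build a .gem in +dir+ from a hash of relative path => file body.
# Paths listed in +extensions+ are the build scripts RubyGems will run
# at install time (extconf.rb and friends).
def build_sample_gem(dir, name, files, extensions = [])
  Dir.chdir(dir) do
    files.each do |rel, body|
      FileUtils.mkdir_p(File.dirname(rel))
      File.write(rel, body)
    end
    spec = Gem::Specification.new do |s|
      s.name       = name
      s.version    = "0.0.1"
      s.summary    = "constructed sample for inspection"
      s.authors    = ["example"]
      s.files      = files.keys
      s.extensions = extensions
    end
    Gem::Package.build(spec, true)   # skip validation: a fixture, not a release
    File.expand_path(spec.file_name)
  end
end

# Does the gem carry a signature that RubyGems' HighSecurity policy accepts?
# HighSecurity rejects unsigned gems outright, which makes it a yes/no check.
def signed_by_trusted_cert?(path)
  Gem::Package.new(path, Gem::Security::HighSecurity).verify
  true
rescue Gem::Security::Exception, Gem::Package::FormatError
  false
end

# Read the package without installing anything: the spec comes from
# metadata.gz and the file list from data.tar.gz.
def inspect_gem(path)
  pkg   = Gem::Package.new(path)
  spec  = pkg.spec
  files = pkg.contents
  {
    name: spec.name,
    version: spec.version.to_s,
    authors: spec.authors,
    files: files,
    # RubyGems only executes build scripts named in the spec's extensions
    # list, so that list, not the file names, is the install-time hook.
    install_hooks: spec.extensions,
    runs_code_at_install: !spec.extensions.empty?,
    signed: signed_by_trusted_cert?(path),
  }
end

def report(info)
  lines = ["#{info[:name]} #{info[:version]} by #{info[:authors].join(', ')}",
           "  files: #{info[:files].join(' ')}",
           "  signed by trusted cert: #{info[:signed]}"]
  if info[:runs_code_at_install]
    lines << "  RUNS CODE AT INSTALL via: #{info[:install_hooks].join(' ')}"
  end
  lines.join("\n")
end

if __FILE__ == $0
  Dir.mktmpdir do |dir|
    shady = build_sample_gem(dir, "shady",
      { "lib/shady.rb" => "module Shady; end\n",
        "ext/shady/extconf.rb" => "system('id')  # constructed: runs at gem install\n" },
      ["ext/shady/extconf.rb"])
    puts report(inspect_gem(shady))
  end
end
```

The inspection only covers what happens at install time. Code in `lib/` runs the moment your application requires it, so a clean report here means "no surprises during `gem install`", not "safe to run"; that is the part the vendor repository's review process is supposed to cover.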


© 2024 rc3.org
