Securology

(noun) securology. Latin: se cura logia
Literally translated: the study of being without care or worry

Wednesday, November 21, 2007

Rootkitting Your Customers

I am a big fan of Dan Geer (image at left); he always has an interesting perspective on security issues, but that's not to say I agree...
Tuesday, November 20, 2007

Soft tokens aren't tokens at all

The three categories of authentication: Something you know; Something you have; Something you are. Physical hardware tokens, like RSA's Se...
4 comments:

Still More TOR

F-Secure's blog is discussing how there are more bad TOR nodes out there. I discussed awhile back how TOR's goal of anonymity is ...
Monday, November 19, 2007

Possible Criminal Charges for Lost Laptops in the UK

Of course, the media are spinning this as "don't encrypt your laptop and you could go to jail" when the goal of the legislat...
Sunday, November 18, 2007

Analyzing Trust in Hushmail

Recently, law enforcement acquired confidential email messages from the so-called secure email service, Hushmail. Law enforcement explo...
Wednesday, November 14, 2007

Pay Extra for their Mistakes: EV Certificates

Extended Validation (EV) SSL Certificates are one of the information security industry's worst cover-ups. And to make matters worse, it...
Wednesday, October 31, 2007

Retail, Protected Consumer Information, and Whole Disk Encryption

There has been a lot of discussion around retailers pushing back on the PCI (Payment Card Industry) Data Security Standards group. The...
2 comments:
Thursday, October 25, 2007

Opt-in Security

So many computer security implementations today depend on what I call "opt-in" security. It could be called "trusted cli...
2 comments:
Wednesday, October 24, 2007

DNS Re-Binding

One of the biggest problems with security threats in the Web 2.0 world is the erosion of trust boundaries. Dynamic web applications pull ...
Monday, October 22, 2007

Open Source Trustworthy Computing

There is a pretty good article over at LWN.net about the state of Trustworthy Computing in Linux, detailing the current and planned support...
Thursday, October 18, 2007

Cornell's Nexus Operating System

I hold out hope for this project: Cornell University's Nexus Operating System. There are only a few publications thus far, but the ide...

Download Links and Hash Outputs

I never have quite figured out why people will put a download link with a SHA-1 or MD5 hash output side-by-side on the same web page. Someb...
2 comments:

Zealots and Good Samaritans in the Case of Wikipedia

Dartmouth College researchers Denise Anthony and Sean W. Smith recently released a technical report of some very interesting research aro...
Tuesday, October 16, 2007

Identity Management in Security Products

For years, one of my biggest frustrations with vendors claiming to have "enterprise" software applications (I'm talking genera...

Browser Rootkits

Rootkits, in general, are of extreme interest to me -- not because of what can be done with them (I can assume anything can be done with th...
Wednesday, October 10, 2007

Analyzing Trust in the Microsoft URI Handler Issues

There's a buzz around the Microsoft URI Handlers. Basically, applications that rely on that Windows service can be handed data that is...

Trusted vs Trustworthy

From a recent Secunia advisory post: "Solution: Do not browse untrusted websites, follow untrusted links, or open untrusted .PD...

On Open Source and Security

Recently, I noted that it's not important whether source code is open or not for security, it's important to have well-qualified an...
Saturday, October 6, 2007

Sorry for the delay, Jon

I just came across this on Jon Callas' CTO Corner just now (11 PM GMT, when I started this draft). I had a busy day Friday (obviously...
Friday, October 5, 2007

About "Backdoors" ...

Again, inspired by the PGP WDE Bypass Issue ... I am not the only one in the world that uses the term "backdoor" in a generic...