Activity tagged “security”
An overview of some of the techniques that *don't* prevent or mitigate timing attacks.
A very good, simple, overview of how timing attacks work. Also covers the “how realistic is an exploit” question well. (Answer: very.)
Most known OpenID implementations are vulnerable to a timing attack in HMAC validation that will let remote attackers forge valid authentication tokens. Timing attacks are a bit tricky to understand, but very real. They're also quite subtle — a bit like buffer overflows — so knowing what they look like in the wild is important.
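To make the three timing-attack items above concrete, here is an added example (my own code, not taken from any of the linked posts or from an OpenID library). It models the leaky HMAC check a vulnerable server performs, then recovers a valid tag without the key by asking only "how far did the comparison get?", and shows the constant-time replacement. The demo key, the token body, and the use of a compare-count in place of measured latency are assumptions for the illustration.

```python
import hashlib
import hmac
from typing import Callable, Tuple

# Assumption: fixed demo key; a real deployment uses a random per-installation secret.
SECRET_KEY = b"demo-key-not-for-production"
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes


def sign(message: bytes, key: bytes = SECRET_KEY) -> bytes:
    """HMAC-SHA256 tag a server attaches to an authentication token."""
    return hmac.new(key, message, hashlib.sha256).digest()


def naive_equal(a: bytes, b: bytes) -> Tuple[bool, int]:
    """The vulnerable pattern: compare byte by byte and return on the first
    mismatch. The second value counts bytes compared; it stands in for the
    wall-clock time a real attacker measures (over the network, averaging
    many samples to beat the noise). This is the only thing that leaks."""
    if len(a) != len(b):
        return False, 0
    compared = 0
    for x, y in zip(a, b):
        compared += 1
        if x != y:
            return False, compared
    return True, compared


def verify_naive(message: bytes, tag: bytes, key: bytes = SECRET_KEY) -> Tuple[bool, int]:
    """Token check as a vulnerable server does it (result plus the leaked work count)."""
    return naive_equal(sign(message, key), tag)


def verify_constant_time(message: bytes, tag: bytes, key: bytes = SECRET_KEY) -> bool:
    """The fix: hmac.compare_digest takes time independent of where the inputs
    differ, so there is no per-byte signal for the attacker below to maximise."""
    return hmac.compare_digest(sign(message, key), tag)


def recover_tag(message: bytes,
                oracle: Callable[[bytes, bytes], Tuple[bool, int]],
                tag_len: int = TAG_LEN) -> bytes:
    """Forge a valid tag for `message` without the key, using only the server's
    timing. At each position the one candidate byte that makes the comparison
    run a step longer is correct, so the cost is 256 guesses per byte rather
    than 256**32 for the whole tag."""
    guess = bytearray(tag_len)
    for pos in range(tag_len):
        best_byte, best_work = 0, -1
        for candidate in range(256):
            guess[pos] = candidate
            accepted, work = oracle(message, bytes(guess))
            if accepted:  # only happens once the final byte is right
                return bytes(guess)
            if work > best_work:
                best_byte, best_work = candidate, work
        guess[pos] = best_byte
    return bytes(guess)


if __name__ == "__main__":
    token_body = b"openid.identity=https://example.org/alice"  # assumed token content
    forged = recover_tag(token_body, verify_naive)
    print("forged tag matches the real one:", forged == sign(token_body))
    print("constant-time check accepts real tag:", verify_constant_time(token_body, sign(token_body)))
```

The recovered tag is exactly the server's own HMAC, obtained with about 8,000 queries instead of a brute-force search. Against a server that uses `compare_digest` the attacker still gets accept/reject answers, but every rejection costs the same amount of time, so there is no per-position maximum to climb. Note the two things that do not fix this on their own: hashing both sides before comparing only moves the leak, and adding random sleep raises the noise floor without removing the signal (more samples recover it).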
This should be required reading for web developers. Kudos to Google for putting this out.
Very simple, plain-English “getting started with GPG” guide.
Wrappers for OpenSSL and LibSSH2.
The first (that I know of) open source, non-centralized laptop tracker. Gotta give this a shot.
Handling security problems is the *worst* part of being an OSS maintainer. Learn from what the Ruby folks did wrong.
By far the best analysis of the Debian/OpenSSL bug. No pointed fingers, and lots of good lessons for the future.
Sounds relatively smart. However, I'd be suspicious of using chroot — I'm told it wasn't especially designed to be a security feature exactly. Were I to do something of this nature, I'd probably use pypy-sandbox.
Recommended by Bruce Schneier and available online for free.
Required reading this AM.
Who's Stealing Your Passwords? Global Hackers Create a New Online Crime Economy - CIO.com - Business Technology Leadership
The first in a three-part series about the state-of-the-art and the future of malware. Via Bruce Schneier.
“The index currently contains 1427 papers.”
With skill and luck neither you nor I will need these tips. However, shit happens; this is a great guide to cleaning it up.
rsync.net's warrant canary hasn't been updated in ten days.
I think I've found a nearly perfect password manager.
“If the client manages to login, his history is cleared and subsequent new connections are not blocked. Password guessers, however, would not manage to prove their legitimacy… they're all treated as scum unless they can prove to be Good People.”
We should support bcrypt in Django if this module is installed.
Really interesting analysis of a cracked Linux box. We're lucky that these script kiddies always seem to make some stupid mistakes (in this case not cleaning up .bash_history); a good cracker probably wouldn't be detected for months.
Sounds like a great and super-cheap way to roll your own security system.
Revealing the “pseudo” in “pseudorandom” (thanks for the quip, Matt)
Help get the word out: if you're using WordPress 2.1.1, upgrade to 2.1.2 right away. I feel really bad for the WP guys; this is the nightmare scenario for anyone writing software.
Ping's page on his voting research. Some hackers hack code, others hack democracy.
From Brett Cannon's talk on his proposed Python security system.
Wonderful, insightful article about security. A choice quote: “until recently, you or I couldn’t take a bottle of water or a tube of toothpaste on an airplane. Mothers were forced to drink their babies’ milk. Elderly women were subject to humiliating
This is a pretty strong argument that Django should do default template escaping. Guess I'm starting to change my mind.
Another tool to thwart dictionary attacks, this one written in Python.
“This script will attempt to restrict IP addresses that repeatedly fail login attempts via SSH.”
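The two SSH-throttling tools above, and the quoted "treated as scum unless they can prove to be Good People" rule further up, all do the same thing: count failed logins per source address over a window, block on a threshold, and forgive an address once it logs in successfully. Here is an added example of that logic (my own code, not the scripts being bookmarked), run over constructed `auth.log`-style lines. The log lines, the threshold and window defaults, and the generated `iptables` rule are assumptions for the illustration; the function returns the rules as strings rather than executing them.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional, Tuple

# Constructed sample in the shape of OpenSSH auth.log entries; not from a real host.
# 203.0.113.5 hammers two accounts, 198.51.100.7 typos once then logs in,
# 192.0.2.9 fails slowly, an hour apart.
SAMPLE_LOG = """\
Mar  7 10:00:01 host sshd[2311]: Failed password for invalid user admin from 203.0.113.5 port 51022 ssh2
Mar  7 10:00:03 host sshd[2312]: Failed password for invalid user admin from 203.0.113.5 port 51023 ssh2
Mar  7 10:00:04 host sshd[2313]: Failed password for root from 203.0.113.5 port 51024 ssh2
Mar  7 10:00:06 host sshd[2314]: Failed password for root from 203.0.113.5 port 51025 ssh2
Mar  7 10:00:09 host sshd[2315]: Failed password for root from 203.0.113.5 port 51026 ssh2
Mar  7 10:00:10 host sshd[2316]: Failed password for alice from 198.51.100.7 port 40001 ssh2
Mar  7 10:00:15 host sshd[2317]: Accepted publickey for alice from 198.51.100.7 port 40002 ssh2
Mar  7 10:00:20 host cron[2318]: pam_unix(cron:session): session opened for user root
Mar  7 10:30:00 host sshd[2320]: Failed password for bob from 192.0.2.9 port 60000 ssh2
Mar  7 11:30:00 host sshd[2321]: Failed password for bob from 192.0.2.9 port 60001 ssh2
Mar  7 12:30:00 host sshd[2322]: Failed password for bob from 192.0.2.9 port 60002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed password|Accepted \w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)


def parse_line(line: str) -> Optional[Tuple[datetime, str, str, str]]:
    """Return (timestamp, 'failed'|'accepted', user, ip) for an sshd auth line,
    or None for anything else (other daemons, disconnects, key-exchange noise)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Syslog timestamps carry no year; the relative arithmetic below does not need one.
    ts = datetime.strptime(re.sub(r"\s+", " ", m["ts"]), "%b %d %H:%M:%S")
    outcome = "accepted" if m["outcome"].startswith("Accepted") else "failed"
    return ts, outcome, m["user"], m["ip"]


def analyse(log_text: str, threshold: int = 3,
            window: timedelta = timedelta(minutes=10)) -> Dict[str, datetime]:
    """Sliding-window counter: an address is blocked at the moment its
    `threshold`-th failure lands inside `window`; a successful login wipes its
    history, so a legitimate user who mistypes once is never penalised."""
    failures: Dict[str, Deque[datetime]] = defaultdict(deque)
    blocked: Dict[str, datetime] = {}
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None:
            continue
        ts, outcome, _user, ip = event
        if outcome == "accepted":
            failures.pop(ip, None)  # proved legitimacy: clear the record
            continue
        if ip in blocked:
            continue  # already decided; further lines are just noise
        recent = failures[ip]
        recent.append(ts)
        while recent and ts - recent[0] > window:
            recent.popleft()  # drop failures that aged out of the window
        if len(recent) >= threshold:
            blocked[ip] = ts
    return blocked


def block_commands(blocked: Dict[str, datetime]) -> List[str]:
    """Render firewall rules for the caller to review and apply; nothing is executed here."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(blocked)]


if __name__ == "__main__":
    for ip, when in analyse(SAMPLE_LOG).items():
        print(f"{ip} blocked at {when:%H:%M:%S}")
    for cmd in block_commands(analyse(SAMPLE_LOG)):
        print(cmd)
```

Two design points worth carrying into any real deployment of this idea: the window matters as much as the threshold (with the 10-minute default the slow guesser at `192.0.2.9` is never caught, with a three-hour window it is), and rules should expire rather than accumulate, or a spoofable or shared address will eventually lock out people you wanted to let in.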
Great guide to securing OS X.
There’s only one perfectly safe way to allow untrusted users to enter raw HTML. You’re not going to like it.
Prompted by recent reading on cryptography and computer security, I’ve been rethinking my pretty lax personal security plan. Taking to heart the lesson that the best security is open, I’m posting my plans publicly for comment.