Benlog

security, privacy, transparency.

Archive for the 'security' Category

an unwarranted bashing of Twitter’s oAuth

Posted: Thursday, September 2nd, 2010 @ 2:31 pm in security, web

Ryan Paul over at ArsTechnica claims a compromise of Twitter’s oAuth system, but fails to demonstrate such a compromise. It’s unfortunate, because some of his comments are indeed worthwhile, and there are a few interesting recommendations that Twitter should follow (hah, no pun intended). But what we have here is not a “compromise”, and the [...]

Usenix Security, voting and health security

Posted: Monday, August 9th, 2010 @ 11:24 am in security, voting

I’m at Usenix Security 2010 in DC, starting with the EVT/WOTE Workshop on voting where I’ll be presenting an update on Helios, then the HealthSec workshop where I’ll be on a panel discussing my paper with Zak Kohane and Ken Mandl on using a Personally Controlled Health Record for health-information exchange [PDF]. The voting crowd [...]

if you’re outraged by accidental breaches, you’d better sit down

Posted: Friday, May 14th, 2010 @ 8:41 pm in policy, security

A few days ago, a security bug was discovered on Facebook, whereby users could see the chat transcripts of their friends talking to other friends. Then, another security hole was discovered where a problem at Yelp revealed email addresses of Facebook users. And today, Google realized that they accidentally collected network traffic from open wi-fi [...]

Myth: the app store will protect you and prevent user confusion

Posted: Monday, April 5th, 2010 @ 5:23 pm in autonomy, security

An interesting thing happened with the Apple AppStore this weekend: This weekend, as hundreds of thousands of people explored their iPads [...] they found [...] an application called Facebook Ultimate, featuring a sleek version of the familiar ‘f’ logo. The application quickly rose through the ranks to become one of the App Store’s top selling [...]

Protecting against web history sniffing attacks: an alternative

Posted: Wednesday, March 31st, 2010 @ 11:18 am in security, web

When a web site links to another web site, the link appears in a different color, usually a lighter shade of blue, if you’ve already visited the site. Unfortunately, this means that a malicious web site can learn what sites you visit by putting up a few links and checking to see how your browser [...]

I was wrong about the iPad

Posted: Sunday, January 31st, 2010 @ 4:00 pm in policy, security

So I made a couple of predictions about the iPad, Apple’s tablet, and I realize in retrospect that, while I got some of the details right, I got the gist completely wrong. I thought it was going to be a special-purpose device. And most commentators are saying just that. But I was wrong and they [...]

Sometimes it’s not counter-intuitive

Posted: Sunday, December 27th, 2009 @ 5:36 pm in crypto, security

Bruce Schneier writes that it’s reasonable for unmanned drones to broadcast unencrypted video streams, because the video stream is not that useful to enemies, and given that many people need access to the video feed, the key distribution problem would be very difficult to manage, and some allies could be severely handicapped if they happened [...]

It’s a WRAP followup: maybe the goal was client-side certs?

Posted: Wednesday, December 23rd, 2009 @ 2:48 pm in security, web

I’m having some interesting offline followup discussions with folks about oAuth WRAP and my relatively negative reaction to it. One of the comments seems to be that SSL will recreate exactly the security that HMAC signatures were trying to achieve, and it was really hard for developers to do oAuth right in the first place. [...]

It’s a WRAP

Posted: Tuesday, December 22nd, 2009 @ 1:58 pm in security, web

I’m just finding out about oAuth WRAP, a new, simplified version of oAuth which some are calling the “valet key” approach to web data sharing: don’t give your Facebook password to a random web app, instead use oAuth to mint them a valet key that lets the app access only some specific portions of your [...]

Facebook account hacked

Posted: Wednesday, November 11th, 2009 @ 1:17 am in security, web

So this evening my Facebook account was hacked and spam messages were posted to a few dozen friends on my behalf. Thankfully, since I’m friends with a number of security-savvy folks, I was notified almost instantly. Now I’ve never cared too much about my Facebook account, so I used one of my weak passwords. I’m [...]