Category Archives: security

encryption is (mostly) not magic

A few months ago, Sony’s Playstation Network got hacked. Millions of accounts were breached, leaking physical addresses and passwords. Sony admitted that their data was “not encrypted.” Around the same time, researchers discovered that Dropbox stores user files “unencrypted.” Dozens … Continue reading

Posted in crypto, mozilla, privacy, security, web | 14 Comments

Online Voting is Terrifying and Inevitable

Voting online for public office is a terrifying proposition to most security experts. The paths to subversion or failure are many: the server could get overwhelmed by attackers, preventing voting altogether the server could get hacked and the votes changed … Continue reading

Posted in security, voting, web | 4 Comments

(your) information wants to be free

A couple of weeks ago, Epsilon, an email marketing firm, was breached. If you are a customer of Tivo, Best Buy, Target, The College Board, Walgreens, etc., that means your name and email address were accessed by some attacker. You … Continue reading

Posted in data, privacy, security | 9 Comments

intelligently designing trust

For the past week, every security expert’s been talking about Comodo-Gate. I find it fascinating: Comodo-Gate goes to the core of how we handle trust and how web architecture evolves. And in the end, this crisis provides a rare opportunity. … Continue reading

Posted in crypto, policy, security, web | 3 Comments

the difference between privacy and security

Facebook today rolled out new security features, both of which are awesome: SSL everywhere, and social re-authentication. True, SSL everywhere should probably be a default, even though I continue to believe that the cost is significantly underestimated by many privacy … Continue reading

Posted in privacy, security, web | 5 Comments

Crisis in the Java Community… could they have used a secret-ballot election?

There is a bit of a crisis in the Java community: the Apache Foundation just resigned its seat on the Java Executive Committee, as did two individual members, Doug Lea and Tim Peierls. From what I understand, the central issue … Continue reading

Posted in crypto, privacy, security, voting | Leave a comment

OK, let’s work to make SSL easier for everyone

So in the wake of the FireSheep situation, which I described yesterday, the tech world is filled with people talking past each other on one important topic: should we just switch everything over to SSL? As I stated yesterday, I … Continue reading

Posted in security, web | 5 Comments

keep your hands off my session cookies

For years, security folks — myself included — have warned about the risk of personalized web sites such as Google, Facebook, Twitter, etc. being served over plain HTTP, as opposed to the more secure HTTPS, especially given the proliferation of … Continue reading

Posted in crypto, security, web | 18 Comments

faulty logic, even for good, is still faulty

So Alex Halderman and team hacked the DC Internet Voting pilot. The voting system they attacked was not particularly well secured, and the type of attack used is a fairly simple web input corruption attack with little novelty. This hack, … Continue reading

Posted in security, voting | 4 Comments

Fort Knox vs. the Barking Dog

Over the last few days, Alex Halderman and his team at the University of Michigan hacked an Internet Voting System being field-tested by the DC Board of Elections. First, we need to commend both Alex’s team for their dutiful analysis … Continue reading

Posted in security, voting | 2 Comments