My name is Ben Adida. I write about the intersection of the Web, Crypto, and Policy.
Category Archives: security
defending against your own stupidity
When thinking about security, it is tempting to determine the worst-case attacker and focus defenses against it. (Of course, by worst-case, I mean within the bounds of a reasonable threat model: the NSA is not a reasonable worst-case attacker for … Continue reading
Posted in security
7 Comments
an unwarranted bashing of Twitter’s oAuth
Ryan Paul over at ArsTechnica claims a compromise of Twitter’s oAuth system, but fails to demonstrate such a compromise. It’s unfortunate, because some of his comments are indeed worthwhile, and there are a few interesting recommendations that Twitter should follow … Continue reading
Posted in security, web
31 Comments
Usenix Security, voting and health security
I’m at Usenix Security 2010 in DC, starting with the EVT/WOTE Workshop on voting where I’ll be presenting an update on Helios, then the HealthSec workshop where I’ll be on a panel discussing my paper with Zak Kohane and Ken … Continue reading
Posted in security, voting
Leave a comment
if you’re outraged by accidental breaches, you’d better sit down
A few days ago, a security bug was discovered on Facebook, whereby users could see the chat transcripts of their friends talking to other friends. Then, another security hole was discovered where a problem at Yelp revealed email addresses of … Continue reading
Posted in policy, security
2 Comments
Myth: the app store will protect you and prevent user confusion
An interesting thing happened with the Apple AppStore this weekend: This weekend, as hundreds of thousands of people explored their iPads [...] they found [...] an application called Facebook Ultimate, featuring a sleek version of the familiar “f” logo. The … Continue reading
Posted in autonomy, security
Leave a comment
Protecting against web history sniffing attacks: an alternative
When a web site links to another web site, the link appears in a different color, usually a lighter shade of blue, if you’ve already visited the site. Unfortunately, this means that a malicious web site can learn what sites … Continue reading
Posted in security, web
6 Comments
I was wrong about the iPad
So I made a couple of predictions about the iPad, Apple’s tablet, and I realize in retrospect that, while I got some of the details right, I got the gist completely wrong. I thought it was going to be a … Continue reading
Sometimes it’s not counter-intuitive
Bruce Schneier writes that it’s reasonable for unmanned drones to broadcast unencrypted video streams, because the video stream is not that useful to enemies, and given that many people need access to the video feed, the key distribution problem would … Continue reading
Posted in crypto, security
Leave a comment
It’s a WRAP followup: maybe the goal was client-side certs?
I’m having some interesting offline followup discussions with folks about oAuth WRAP and my relatively negative reaction to it. One of the comments seems to be that SSL will recreate exactly the security that HMAC signatures were trying to achieve, … Continue reading
Posted in security, web
Leave a comment
It’s a WRAP
I’m just finding out about oAuth WRAP, a new, simplified version of oAuth which some are calling the “valet key” approach to web data sharing: don’t give your Facebook password to a random web app, instead use oAuth to mint … Continue reading
Posted in security, web
6 Comments