I just noticed an interesting article over at Forbes about the “Owners of Portugal” documentary. The article pointed to a couple of extremely interesting charts. And, although it asks not to jump to conclusions I find that, not jumping to conclusions, extremely hard to do.
The charts in question are: the big family and 30 years, 115 members of the government.
Check for yourself, I bet you’ll start jumping to conclusions!… -->
continue reading →Well, that’s a good thing I do not go to McDonald’s to eat, it seems you are opening yourself to physical abuse by stepping over their threshold. Dr. Steve Mann, inventor and engineer of the Glass Eye technology that helps partially blind people to see gets thrown out of McDonald’s for wearing his own invention. I do hope you will heed the warning and stay away from that evil, evil place!… -->
continue reading →A very interesting paper was published at Microsoft Research by Cormac Herley. It looks at the question “Why Do Nigerian Scammers Say They are From Nigeria?” and comes out with an unavoidable conclusion that that is by design.
Far-fetched tales ofWest African riches
strike most as comical. Our analysis suggests that is an
advantage to the attacker, not a disadvantage. Since
his attack has a low density of victims the Nigerian
scammer has an over-riding need to reduce false positives.
By sending an email that repels all but the most
gullible the scammer gets the most promising marks to
self-select, and tilts the true to false positive ratio in his
favor.
An interesting consequence of which is that even if only few people take the trouble to answer those scam letters but never actually go through with the money transfer, the Nigerian Scam would become prohibitively expensive to run.… -->
continue reading →… --> continue reading →But always remember, life is not the amount of breaths you take. It’s the moments that take your breath away.
— Alex “Hitch“.
Washington Post reports on the Yahoo password database leak, the auditors say that Yahoo stores passwords in clear text. I am shocked.
I mean, how more silly can you get? We have been talking about not storing passwords in clear for, oh, I don’t know, ages now. Definitely long enough to expect that nobody in the right mind would do such nonsense any longer.
We do expect an occasional idiocy like the recent discovery that LinkedIn stores passwords hashed with a weak algorithm and not following the security recommendations. Fine, but just storing the passwords in clear is beyond such simple fallacy, this is almost like intentionally evil.
We know that sites get broken into. If a site has not been broken into, it is just a matter of time. And the more prominent sites are, of course, prime targets and should expect the break-ins like everyday business.
When the break-in occurs, the first thing attackers would go after are credit card numbers and other monetary assets. Next on the list are the password databases. And that’s why the passwords are never stored in plain, they are never encrypted, they are hashed. One-way hash, properly done, is a good way to keep passwords safe even when they get stolen.… -->
continue reading →I have been toying with the idea of starting a security blog for some time now. Today, again, was talking to my colleagues and at least one of them thinks it is a great idea.
I always look with horror at what passes as security “features” proposed to the people who just start writing websites. The frameworks are no better, they usually have a long outdated set of functions. Or some of them are defective by design. And there seems to be no place on the whole Internet to turn for help. You would not e-mail Bruce Schneier every time you need to make a password hash, would you?
So I think there must be a place where people can turn to for some information on how the proper security is built. How the user authentication should be set up, how the passwords are stored, what is a good and a bad implementation of “remember me” function and so on. Something has to be done to improve the security of all those start-up website coming online by the thousand every day. Even old companies, like LinkedIn and Citibank, get hacked because they do not do it right. The help on security must be provided somehow, somewhere.
Isn’t there such a place already?… -->
continue reading →Here is the matrix presented by Jacob West and Alexander Hoole from HP Fortify at RSA 2012. They look at security bugs along 2 different dimensions:
Explicit in Code Implied in Code Generic 50% – Can be found by static analysis tools Can be found in pen testing or expert reviews Application-Specific Need to understand application patterns and requirements – custom rules and manual reviews Probably can’t be foundThese guys are in the business of finding bugs with tools. So we forgive them their optimistic estimates. But even they have to admit we can not find everything with tools. And even with expert reviews, there still remains something that is not easily discoverable…
These problems are not easy and they require actual understanding of both software design and security of software. So if you use unskilled development force in your software house, be prepared that half of the security problems will not be possible to discover, whatever tools you use.… -->
continue reading →I spent two days trying to trace why the plugin I am writing did not work. Eventually I realized that the files defining the models were not loaded at all. After several hours trying to figure this out I came across this explanation provided by zuha-3:
My bet is that you don’t have a plugin defined somewhere. I had the same problem in a couple of places after the upgrade because I had forgotten to name which plugin the model could be found in.
belongsTo = array(
className = [PLUGIN].[MODEL]instead of...
belongsTo = array(
className = [MODEL]
And this goes for all relationships, and you might have just missed one.
And so finally it worked. This should be like written in really large letters on the page that talks about plugins in CakePHP documentation. Two days for this simple stupid thing…… -->
continue reading →The best news of the day so far: Mozilla is launching mobile phones based on the Firefox OS (using the Boot to Gecko project). Unfortunately, they do not give any deadlines or any dates at all. But I am already in line waiting to get my Open Source mobile phone! Come on, guys! Do it! Hell, yeah!… -->
continue reading →I just watched again for the umpteenth time Interstate 60: Episodes of the Road. It’s an absolute marvel that wraps deep insights into a very entertaining story and wakes the longing. An absolute recommendation for all and everyone either as an entertainment and relaxation or as a not-so-subtle guidance in the moment of doubt.… -->
continue reading →
