We’ve all heard of “back door” access. This refers to some way into the system that does not go through the normal procedures; it is sometimes present during the early stages of development to provide a convenient and efficient way to interact with a partially complete system.
Obviously, it is essential that the final version of the solution is built without these back doors present; otherwise you have a major hole in your security.
Then there is the front door, and that will be present in the final version you put into the hands of your customers.
During development it is tempting to make the front door as “convenient” as the back door, just […]
It’s the first weekend after the announcement of CVE-2014-0160, aka “Heartbleed”, and if you were to believe even a small fraction of what’s been written about it you’d think the world had come to an end. There’s a lot of nonsense. A lot of dumbed-down explanations seem to add more confusion (Randall Munroe’s angle is a notable exception). The detailed investigations will be read by many, but only understood properly by those who already understand.
As a consequence of this bug I’ve been particularly busy with many of the systems around the world in which I have a role (always behind the scenes). All is a bit quieter now, so I’ve had a chance to peruse what has been written, […]
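For readers between the dumbed-down and the detailed explanations, here is an added example (mine, not the post’s and not OpenSSL’s code) that models the one thing CVE-2014-0160 comes down to: the heartbeat handler copied as many bytes back to the peer as the request’s own length field claimed, without checking that the request actually contained that many bytes. The “process memory”, the record layout, the leftover data and the handler names are all assumptions made for the demonstration; the bounds check in `heartbeat_fixed` mirrors the shape of the published fix (header + declared payload + padding must fit inside the received record).

```python
"""Added example (not OpenSSL's code): a minimal model of CVE-2014-0160.

The bug: the TLS heartbeat handler read a 16-bit payload length out of the
request and copied that many bytes back to the peer, without checking that
the request actually contained that many bytes.  Here "process memory" is a
bytearray holding the received record followed by leftover data from earlier
work (a constructed stand-in for the keys and cookies that real servers leaked).
"""
from typing import Optional

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
PADDING = 16            # a heartbeat message carries at least 16 bytes of padding
HEADER = 1 + 2          # type byte + 16-bit payload_length


def build_heartbeat(payload: bytes, claimed_len: Optional[int] = None) -> bytes:
    """Encode type(1) | payload_length(2) | payload | padding(16).
    An honest client leaves claimed_len=None; an attacker sets it to any
    value up to 65535 while sending only a few real payload bytes."""
    length = len(payload) if claimed_len is None else claimed_len
    return bytes([HEARTBEAT_REQUEST]) + length.to_bytes(2, "big") + payload + b"\x00" * PADDING


def load_into_memory(record: bytes, leftover: bytes) -> bytearray:
    """Constructed process memory: the record just received, immediately
    followed by data from earlier requests that was never cleared."""
    return bytearray(record) + bytearray(leftover)


def heartbeat_vulnerable(memory: bytearray, record_len: int) -> bytes:
    """Pre-fix logic.  `record_len` (how much really arrived) is ignored;
    the copy length comes straight from the attacker-controlled field."""
    claimed = int.from_bytes(memory[1:3], "big")
    echoed = bytes(memory[HEADER:HEADER + claimed])   # may run past the record
    return bytes([HEARTBEAT_RESPONSE]) + claimed.to_bytes(2, "big") + echoed + b"\x00" * PADDING


def heartbeat_fixed(memory: bytearray, record_len: int) -> Optional[bytes]:
    """Post-fix logic: the declared payload plus header and padding must fit
    inside the record that actually arrived, otherwise the request is dropped."""
    if HEADER + PADDING > record_len:                 # not even a header + padding
        return None
    claimed = int.from_bytes(memory[1:3], "big")
    if HEADER + claimed + PADDING > record_len:       # the Heartbleed check
        return None
    echoed = bytes(memory[HEADER:HEADER + claimed])
    return bytes([HEARTBEAT_RESPONSE]) + claimed.to_bytes(2, "big") + echoed + b"\x00" * PADDING


def exchange(payload: bytes, claimed_len: Optional[int], leftover: bytes):
    """Run one request through both handlers; returns (vulnerable, fixed) responses."""
    record = build_heartbeat(payload, claimed_len)
    memory = load_into_memory(record, leftover)
    return heartbeat_vulnerable(memory, len(record)), heartbeat_fixed(memory, len(record))


if __name__ == "__main__":
    leftover = b"cookie=SESSION-0badf00d; privkey=..."   # constructed, not real data
    vuln, fixed = exchange(b"ping", None, leftover)      # honest: both echo b"ping"
    print("honest :", vuln[3:7], fixed[3:7])
    vuln, fixed = exchange(b"ping", 60, leftover)        # attacker: 4 bytes sent, 60 claimed
    print("attack : vulnerable leaks ->", leftover in vuln, "| fixed drops ->", fixed is None)
```

The point worth taking from the model is that the vulnerable path never consults `record_len` at all; the fix is a single comparison between a length the peer asserts and a length the server knows. Python slices cannot read outside their own buffer, which is why the leftover data is placed inside the same bytearray; in the real process the over-read walked into whatever the allocator had left next to the record.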
Password-creation tips you should not use (because the attackers already know about them):
Replace letters with similar-looking digits, e.g. E becomes 3.
Use “CamelCase”.
Add 123 to the end.
Use your name twice: FredFred…
… or backwards: Dref
Start with a digit.
Put a space at the end.
Use a random password generator.
Don’t agree with the last one? In my experience, the more random and/or long the password becomes, the greater the chance that the user will write it down somewhere. Perhaps even in a file on a related computer, which makes it vulnerable.
A good password will be a little random and not too long, and preferably will have nothing to do […]
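To see why the tips in the list above don’t buy anything, look at them from the attacker’s side. Password crackers take a wordlist and apply “mangling rules” to every entry, and each of the listed tricks is one such rule. The following is an added example (mine, not the post’s): a rule set covering the first seven tips, applied to a constructed base word. The substitution table, the digit/suffix choices and the name `is_predictable` are my assumptions; real cracking rule sets are considerably larger.

```python
"""Added example (not code from the original post): what the listed tips
look like from the attacker's side.  Password crackers take a wordlist and
apply "mangling rules" to it, so each trick only multiplies their work by a
small constant.  The rules below mirror the post's list (digit-for-letter
substitution, CamelCase, trailing 123, name doubled or reversed, leading
digit, trailing space); "fred" is a constructed stand-in for the dictionary
and personal data an attacker would start from.
"""
from typing import Iterable, Set

# "Replace letters with numbers that have a similar shape" (assumed table;
# real rule sets cover more substitutions and both letter cases).
LEET = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "5", "t": "7"}
PREFIXES = [""] + list("0123456789")          # "Start with a digit"
SUFFIXES = ["", "1", "12", "123", "!", "1!"]  # "Add 123 to the end" and kin
TRAILERS = ["", " "]                          # "Put a space at the end"


def leet(word: str) -> str:
    """Apply the digit-for-letter substitution to either letter case."""
    return "".join(LEET.get(c.lower(), c) for c in word)


def camel(word: str) -> str:
    """'Use CamelCase': capitalise the first letter only."""
    return word[:1].upper() + word[1:].lower()


def mangle(base: str) -> Set[str]:
    """All variants of `base` the listed tips can produce, combinations
    included.  For a 4-letter name this is a few thousand strings, which a
    cracker gets through in well under a millisecond."""
    base = base.lower()
    stems = {base, base[::-1]}                                   # "... or backwards"
    stems = {f(s) for s in stems for f in (str.lower, camel, str.upper)}
    stems |= {leet(s) for s in stems}                            # E becomes 3
    stems |= {s + s for s in stems}                              # "Use your name twice"
    return {p + s + x + t
            for s in stems for p in PREFIXES for x in SUFFIXES for t in TRAILERS}


def is_predictable(password: str, base_words: Iterable[str]) -> bool:
    """True if `password` is a mangled form of any base word, i.e. it would
    fall to a rule-based dictionary attack in the first pass."""
    return any(password in mangle(w) for w in base_words)


if __name__ == "__main__":
    variants = mangle("fred")
    print(len(variants), "candidates derived from 'fred', e.g.",
          sorted(v for v in variants if v.startswith("Fr3d"))[:5])
    for pw in ("Fr3dFr3d123", "Derf", "1fred ", "correct horse battery staple"):
        verdict = "predictable" if is_predictable(pw, ["fred"]) else "not in rule set"
        print(f"{pw!r}: {verdict}")
```

Every combination of the seven tricks applied to one four-letter name yields 3,168 candidates; the attacker’s cost grows by that constant, not by the exponential factor a genuinely unpredictable choice would add. Note that a trailing space survives in the candidate set just like any other suffix, so it is not a hidden trick either.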
There’s been a lot of talk recently about privacy and the right to access personal information for “new” purposes, mainly in connection with new taxes that will require a census of home ownership, which some are proposing be based on data from utility bills. The information held by the utility companies was given to them to facilitate the payment of utility bills, not the gathering of unrelated taxes. People are a little concerned. The Data Protection Commissioner is echoing that concern.
So in what way can we consider certain facts to belong to us? It’s easy enough to understand that one’s thoughts and opinions are “owned”, and perhaps the derivatives of these (e.g. artistic works) could also be owned. But […]
There was a bit of a hubbub today when CNET published an article on Google’s apparent collection of MAC addresses as part of its Street View service. The problem, according to the article, is that these unique numbers were from more than just Wi-Fi access points, they were from laptops, phones and other Wi-Fi devices, and this data was cross-referenced with their locations. Furthermore, all this information could be accessed by any Joe Public through a simple API made available (until recently) by Google. To add to the problem, Google don’t provide you with a way to remove any of the data associated with yourself.
With a bit of mash-up experience one could […]