Continuations

I wrote a blog post last week about the current Privacy Theater in the US, where the government is simultaneously pushing stricter privacy regulations and huge backdoors that would completely undermine privacy. The backdoors come in the form of the Cyber Intelligence Sharing and Protection Act or CISPA. The folks at Lumin Consulting have put together a good infographic that illustrates how CISPA undermines privacy: I am actually sympathetic to the basic idea behind CISPA, which is to make it ...

For the longest time I would have said that the right way to design a cloud application or service is as multi-tenant. But yesterday I was having a conversation with Peter Soderling from NY-based Stratus Security, which provides a secure managed API proxy (in closed beta). Peter said they had chosen to architect their service from day one as a multi-instance solution for added security and performance. If you are unfamiliar with the terms, a multi-tenant architecture commingles the data and p...

Caring about the security of your site or service is a bit akin to going to the dentist on a regular basis: It’s not pleasant, doesn’t really get you any visible results and costs time and money. Hence the people who care/go regularly are the ones who have had a bad experience by not doing so. In my own case that is now (sadly) true for both my teeth and security. My exposure to computer security issues started in the fall of 1987 when I was a freshman at Harvard. We had a bunch of VAX machin...

I have seen various headlines about Javascript security issues but never paid any close attention (my bad). But today I was talking to a friend about keeping javascript based widgets small by using a two stage process of loading a small script first, which would then pull down the rest of the script and any associated data. I assumed that this could simply be done as follows. A site located at say “acme.com” would add the following to their pageWhere loader.js then does axmlhttp=new XMLHttpRe...

I have long operated an open and unsecured wifi access point at home. Why? For anything that really requires security, such as online banking, I am relying on end-to-end encryption via SSL. That requires being somewhat diligent to make sure your browser actually shows it has a secure connection because otherwise you are potentially subject to a MITM attack where the attacker rewrites secure to unsecure connections. But end-to-end based on certificates provides much higher security than any of...

First there was the Path address book tempest. Now there is a concern about apps being able to access photos without permission. It would be a shame if this resulted in more centralized control over apps and longer review processes. What we need instead is some kind of peer produced approach to app security. What I have in mind is something along the lines of what Chris Dixon did with SiteAdvisor for web sites. Some people will (voluntarily?) run software on their mobile handsets that monitor...

In case you missed it, email services provider Epsilon had a massive security breach and a large number of email lists were exposed, including those of several large banks such as JP Morgan Chase and Citi. This is likely to result in more targeted phishing campaigns as it is now in the open who is an actual customer. As a quick aside, it is somewhat shocking how many sites leak this kind of information in due course of operation – most password resets work on the basis of entering an email ad...

The Internet has experienced an epic set of attacks over the last few months. This has ranged from massive compromises such as Sony’s Playstation Network to the smaller but potentially equally impactful breach of Mt. Gox (a bitcoin exchange that is still trying to recover). The affected entities have included both companies and governments, as in the recent hack of the CIA’s web site. It would be naive to believe that groups such as Anonymous or LulzSec will go away easily or even if they did...