I rather like this. I guess it could feel like an invasion of privacy – but the truth is: all web companies have been tracking you like this since the late 1990s. Until now … they used the data, but never shared it with you, the user. This is […]
security
I’ve posted a few times over the years the … disappointing … state of LinkedIn’s engineering. But this takes the biscuit: it appears they were storing deliberately insecure passwords, and someone leaked the list: http://news.ycombinator.com/item?id=4073309 (that page has links + info on how to check if your own password is […]
Two things here: if you run any Rails site, check out the security hole ASAP if you haven’t already. You might be safe – but given that even GitHub wasn’t, I’d double check if I were you. (The Rails community seemingly isn’t patching it – and there’s nothing recent on […]
The mashup (My new “preferred explanation of piracy + DRM”) The original (From Cyanide&Happiness webcomic, if you don’t know it already..)
UPDATE: I’ve had a follow-up email from them that suggests it’s legit, and we were just mis-targeted (I’d guess they’re using a call-list they got from somewhere that’s not great on its filtering). Strange email exchange this morning: Subject: contact [sic – no capitalization, no sentence] Could you kindly supply […]
After a little tweaking, my rule is growing, and proving extremely effective:

# bad websites: domains which regularly or overwhelmingly feature spam
SecRule REQUEST_HEADERS:REFERER "http://[^/]*(yijiezi|yourhcg|lukejaten|squidoo|answerbag|jvlai|chaohuis|cledit|bait|lukejaten)" "t:lowercase,deny,nolog,status:500"
# porn and gambling: they make much cash out of random visitors
SecRule REQUEST_HEADERS:REFERER "http://[^/]*(holdem|poker|casino|porn|girlz|pussy|penis|babe|exposed|sex)" "t:lowercase,deny,nolog,status:500"
# fake / illegal designer clothing and luxury […]
I like computer security to be EASY and SECURE. I hate passwords, and I use them rarely if at all. Instead, I use digital keys as much as possible (i.e. something based on a physical key stored on a removable USB drive that I take with me wherever I go). […]
There’s a growing problem right now with Facebook Connect: it can silently log you in to websites that you *don’t want* to share your private data with. I saw a funny example last month where a porn website had integrated Facebook Connect … so when you visit the site, one […]
UPDATE: there were several bugs in my original version – by Debian standards, ModSecurity is damn hard to configure correctly, mainly because the Debian packager has left out so much that’s essential! This version is fully tested and working… Mod Security is an awesome, open-source product for Apache that will […]
IMHO, Flickr/Yahoo has one of the best user-authentication systems I’ve ever seen. I’m sure it’s no accident that Twitter (eventually) moved to a system that is extremely similar. (NB: I don’t know if Flickr copied it from someone else, but they were the first I remember seeing like this, many […]
Removing words isn’t always the best route to UX design. Here’s an example (that just bit me) of Apple’s obsession with “remove words, look pretty” making their systems/applications unusable: “Copying 3,000 files…” “STOP! One or more of these files you don’t have permission to read. Stop, Retry, Continue?” Which one, […]
Today, I *almost* bought Civilization 5. The temptation was strong… …but they still won’t allow me to buy it. You go into a shop, and spend money, and they tell you you’re a pirate, that you’re a thief, and that unless you create a Steam account and connect the internet […]
On many sites, I can’t pay for things online any more, as Halifax/VISA has decided to make it even harder than ever. It used to be I could generate a new one-time password every time I bought something – now they require me to phone an expensive pay-by-the-second 0800 phone […]
(this assumes you are running Debian on your server; if not, I suggest you switch) Mediawiki. One of the world’s less secure wikis? Probably. I use and install it a lot, and it’s usually “the compromise wiki”: it’s weak at a lot of things, but it’s the “least worst overall” […]
Every now and then I scan through my auto-spam folder and see what’s in there. Sometimes the subject lines are hilarious. Other times they teach you about new kinds of phishing attack that are being attempted. Mostly, they just say depressing things about what it is to be a human […]
I’m just finishing up a quick PHP project at the moment, which allows anyone to register an account – so as the final step before launching it, I needed to add some form of CAPTCHA system. I tried a couple of 3rd party ones and source code ones and none […]
Please stop spamming the blog, not for me, but for yourself. There are multiple layers of spam filter (you may have noticed that none of your fake posts has got through so far), so I have the luxury of having the few “uncertain” hits emailed to me, because there’s so […]
(in case you hadn’t been following, this year EA has been putting some particularly nasty DRM on their most-hyped games such as Spore and the Crysis expansion; but unlike previous years, there’s been public outrage) A couple of things of note here: EA thinks it can get away with what […]
I’m there now, drop me a line (see About page for email) if you’re around. I’ve just given a quick presentation introducing the ENISA’s (European Network and Information Security Agency) whitepaper on “Security and Privacy in MMO’s and VW’s”. It’s free, and it’s fairly simple (aimed at everyone from consumers […]
This week, I was at the Virtual Goods Summit in San Francisco (my session writeups should appear on http://freetoplay.biz over the coming days). A couple of things struck me during the conference, including the large number of “payment providers” (companies that specialized in extracting cash out of your users via […]