In the past, you have come here for truth. I now give you law. Science fiction author Arthur C. Clarke succinctly described the wondrous nature of technology in what has come to be known as Clarke’s Third Law (from a letter published in Science in January 1968): Any sufficiently advanced technology is indistinguishable from magic. The sentiment of that …
Author Archives: Mike Shema
Battling Geologic Time
65 million years ago, dinosaurs ruled the earth. (Which also seems about the last time I wrote something new here.) In 45 million lines of code, Windows XP dominated the desktop. Yes, it had far too many security holes and people held onto it for far too long — even after Microsoft tried to pull …
Bad Code Entitles Good Exploits
I have yet to create a full taxonomy of the mistakes developers make that lead to insecure code. As a brief note towards that effort, here’s an HTML injection (aka cross-site scripting) example that’s due to a series of tragic assumptions that conspire to not only leave the site vulnerable, but waste lines of code …
RSA APJ 2014, CDS-W07 Slides
Here are the slides for my presentation, Building and Breaking Privacy Barriers, at this year’s RSA Asia Pacific and Japan conference in Singapore. The slides convey more theory than practical examples, but the ideas should come across without too much confusion. I expect to revisit the idea of a Rot network (a play on Tor) …
A Monstrous Confluence
You taught me language, and my profit on’t / Is, I know how to curse: the red plague rid you, / For learning me your language! (Caliban, The Tempest, I.ii.363-365) The announcement of the Heartbleed vulnerability revealed a flaw in OpenSSL that could be exploited by a simple mechanism against a large population of targets to extract …
RSA USA 2014, DSP-R04A Slides
Here are the slides for my presentation, DSP-R04A Is Your Browser a User Agent or a Double Agent?, at this year’s RSA USA conference in San Francisco. This departed from a security focus into the realm of privacy, noting how browsers struggle (or not) against tracking mechanisms and how various organizations build views of web site visitors.
Fonts of Dis-Knowledge
The oracles of ancient Greece claimed to have the power of precognition, derived from the gods themselves. In the 17th century, John Locke wrote of more experiential sources for ideas, where sensation and reflection were two fountains of knowledge. But none of these philosophical considerations are necessary to predict the effect of plugins on browser …
The Rank Decay Contingency
The idea: Penalize a site’s ranking in search engine results if the site suffers a security breach. Now, for some background and details… In December 2013 Target revealed that it had suffered a significant breach that exposed over 40 million credit card numbers. A month later it upped the count to 70 million and noted …
Audit Accounts, Partition Passwords, Stay Secure
It’s a new year, so it’s time to start counting days until we hear about the first database breach of 2014 to reveal a few million passwords. Before that inevitable compromise happens, take the time to clean up your web accounts and passwords. Don’t be a prisoner of bad habits. It’s good Operations Security (OpSec) …
Soylent Grün ist Menschenfleisch
Silicon Valley green is made of people. This is succinctly captured in the phrase: When you don’t pay for the product, the product is you. It explains how companies attain multi-billion dollar valuations despite offering their services for free. They promise revenue through the glorification of advertising. Investors argue that high valuations reflect a company’s …