In Sergio Leone’s epic three-hour western, The Good, the Bad, and the Ugly, the three main characters form shifting, uneasy alliances as they search for a cache of stolen gold. To quote Blondie (the Good), “Two hundred thousand dollars is a lot of money. We’re gonna’ have to earn it.” Bug bounties have a lot […]
Category Archives: web security
Builder, Breaker, Blather, Why.
I recently gave a brief talk that noted how Let’s Encrypt and cloud-based architectures encourage positive appsec behaviors. Check out the slides and this blog post for a sense of the main points. Shortly thereafter a slew of security and stability events related to HTTPS and cloud services (SHA-1, Cloudbleed, S3 outage) seemed to undercut this thesis. But perhaps only superficially […]
An Event Mutates
This week I spoke again about evolving a bug bounty program. It was an iteration on A Mutation Event that I presented last month. In the spirit of my evolutionary metaphor, the content has been modified in its descent and adapted to the audience. The tweaks are both in presentation flow and in response to questions. I’ve also called out more clearly […]
A Mutation Event
The last time I was fortunate enough to present at a conference was a year ago at SOURCE Seattle. So it feels good to have had the chance to return in 2016 and present on a new topic of crowdsourced security. The title was Evolving a Bug Bounty Program and, accordingly, it embraced a theme of descent […]
Why You Should Always Use HTTPS
This first appeared on Mashable in May 2011. Five years later, the SSL Pulse notes only 76% of the top 200K web sites fully support TLS 1.2, with a quarter of them still supporting the egregiously insecure SSLv3. While Let’s Encrypt makes TLS certs more attainable, administrators must also maintain their sites’ TLS configuration to use the best protocols and ciphers […]
I’ll ne’er look you i’ the plaintext again
Look at this playbill: air fresheners, web security, cats. Thanks to Let’s Encrypt, this site is now accessible via HTTPS by default. Even better, WordPress serves the Strict-Transport-Security header to ensure browsers adhere to HTTPS when visiting it. So, whether you’re being entertained by odors, HTML injection, or felines, your browser is encrypting traffic. Let’s Encrypt makes this possible for […]
You’ve Violated APE Law!
Developers who wish to defend their code should be aware of Advanced Persistent Exploitability. It is a situation where breaking code remains possible due to broken code. Code has errors. Writing has errors. Consider the pervasiveness of spellcheckers and how often the red squiggle complains about a misspelling in as common an activity as composing email. Mistakes happen; they’re a natural […]
RSA APJ 2014, CDS-W07 Slides
Here are the slides for my presentation, Building and Breaking Privacy Barriers, at this year’s RSA Asia Pacific and Japan conference in Singapore. The slides convey more theory than practical examples, but the ideas should come across without too much confusion. I expect to revisit the idea of a Rot network (a play on Tor) […]
A Monstrous Confluence
“You taught me language, and my profit on’t / Is, I know how to curse: the red plague rid you, / For learning me your language!” Caliban (The Tempest, I.ii.363-365). The announcement of the Heartbleed vulnerability revealed a flaw in OpenSSL that could be exploited by a simple mechanism against a large population of targets to extract […]
The Rank Decay Contingency
The idea: Penalize a site’s ranking in search engine results if the site suffers a security breach. Now, for some background and details… In December 2013 Target revealed that it had suffered a significant breach that exposed over 40 million credit card numbers. A month later it upped the count to 70 million and noted […]