Being able to POST an email address to https://appleid.apple.com/account/validation/appleid and getting back a response indicating if it is a valid account or not, with little to no rate limiting, is a bug.
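The enumeration oracle described above, modelled as an added example: this is not code from the original page, and nothing here is Apple's handler or response format. A constructed validation endpoint that answers differently for registered and unregistered addresses sits beside a hardened version that returns a uniform answer and throttles each client, with a small attacker routine run against both. The account table, candidate list, response bodies, rate limit and client identifiers are all assumptions.

```python
"""Account-enumeration oracle: a leaky validation endpoint beside a hardened one.

Constructed example. The account table, response bodies, limits and
addresses are assumptions; none of this is Apple's code or behaviour.
"""
from collections import defaultdict, deque

# Constructed stand-in for the service's registered-account table.
ACCOUNTS = {"alice@example.com", "bob@example.com"}

# Constructed candidate list an attacker might feed the endpoint.
CANDIDATES = ["bob@example.com", "carol@example.com", "dave@example.com"]


def validate_leaky(email: str) -> dict:
    """Vulnerable handler: status and body differ by whether the address is
    registered, so an unauthenticated caller can test any address."""
    if email in ACCOUNTS:
        return {"status": 200, "body": "account exists"}
    return {"status": 404, "body": "no such account"}


class RateLimiter:
    """Sliding-window limiter keyed by client (source IP, API key, ...)."""

    def __init__(self, limit: int, window_s: float):
        self.limit = limit
        self.window_s = window_s
        self._hits = defaultdict(deque)

    def allow(self, client: str, now: float) -> bool:
        hits = self._hits[client]
        while hits and now - hits[0] >= self.window_s:
            hits.popleft()  # drop requests that have fallen out of the window
        if len(hits) >= self.limit:
            return False
        hits.append(now)
        return True


LIMITER = RateLimiter(limit=5, window_s=60.0)  # assumed policy: 5 probes per minute per client


def validate_hardened(email: str, client: str, now: float) -> dict:
    """Hardened handler: the response is identical whether or not the address
    is registered (the real answer goes to the mailbox owner out of band), and
    each client is throttled so residual side channels cannot be mined at scale."""
    if not LIMITER.allow(client, now):
        return {"status": 429, "body": "too many requests"}
    # Look the address up, but never let the result shape the response.
    _registered = email in ACCOUNTS  # a real service would enqueue the notification e-mail here
    return {"status": 202, "body": "if this address is registered, an email has been sent"}


def response_signature(resp: dict) -> tuple:
    return (resp["status"], resp["body"])


def enumerate_accounts(probe, known_registered: str, candidates: list) -> list:
    """Attacker view. `probe(email)` sends one request. The attacker calibrates
    with an address they know is registered, then flags every candidate whose
    response looks the same. Against the leaky handler this is exact; against
    the hardened one every allowed request looks the same, so the list carries
    no information."""
    exists_sig = response_signature(probe(known_registered))
    return [c for c in candidates if response_signature(probe(c)) == exists_sig]


def hardened_probe(client: str = "203.0.113.7", start: float = 0.0, interval: float = 0.1):
    """Constructed attacker client firing one request every `interval` seconds
    at the hardened handler; returns a probe(email) callable."""
    clock = [start]

    def probe(email: str) -> dict:
        resp = validate_hardened(email, client, clock[0])
        clock[0] += interval
        return resp

    return probe


if __name__ == "__main__":
    print("leaky   :", enumerate_accounts(validate_leaky, "alice@example.com", CANDIDATES))
    print("hardened:", enumerate_accounts(hardened_probe(), "alice@example.com", CANDIDATES))
```

Against the leaky handler the attacker recovers exactly the registered candidates; against the hardened one every allowed request returns the same bytes, so the "confirmed" list is just the candidates in order, and a sixth request within the minute from the same client is refused outright. The uniform response is the fix for the oracle itself; the throttle is there because timing and other residual differences can only be exploited statistically, which needs volume.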
Schneier: For a couple of decades I’ve been talking about three parts to security: protection, detection, and response. Response is the most neglected of the three, and that’s where Co3 Systems sits. It’s the only product that does incident-response coordination, which is important right now for two reasons. One, attacks have gotten more sophisticated, which means response has to be similarly sophisticated. And two, the regulatory environment has gotten more complicated, which means response has to be more regimented and documented. One of the real problems with any emergency response system is that it is only used in an emergency, which means that it’s real easy to get it wrong. Co3 Systems solves all of these problems.
The general dynamics of change are these: Moore’s Law continues to give us two orders of magnitude in compute power per dollar per decade while storage grows at three orders of magnitude and bandwidth at four. These are top-down economic drivers. As such, the future is increasingly dense with stored data but, paradoxically, despite the massive growth of data volume, that data becomes more mobile with time.
Dan Geer at his finest. Everyone should take the 15 minutes to read this, not just security wonks.
fingerprints are perhaps a good replacement for usernames. However, they’re really not a good replacement for passwords.
No telecommunications company has ever challenged the secretive Foreign Intelligence Surveillance court’s orders for bulk phone records under the Patriot Act, the court revealed on Tuesday.
I admit that at this point one of my biggest concerns was to avoid coming off like a crank. After all, if I got quoted sounding too much like an NSA conspiracy nut, my colleagues would laugh at me. Then I might not get invited to the cool security parties.
All of this is a long way of saying that I was totally unprepared for today’s bombshell revelations describing the NSA’s efforts to defeat encryption. Not only does the worst possible hypothetical I discussed appear to be true, but it’s true on a scale I couldn’t even imagine. I’m no longer the crank. I wasn’t even close to cranky enough.
Demystifying some of the recent NSA crypto revelations.
At the Black Hat conference in 2010, an ATM designed and built by my employer was set up on stage, and a security researcher demonstrated an exploit which emptied out all its cash.
Nice piece on Barnaby Jack and the perspective of being the guy on the other side of the fence.