Archive for the ‘LINKS’ Category.

Rogue/suspect anti-spyware products and web sites

Rogue/Suspect Anti-Spyware Products & Web Sites
[via Diary Date]
See also some dissent about the specifics.

The problem is the bad platform.
The symptom is the misery that so many users are living with.
The cottage industry for solutions is better than nothing, but it’s still a mess.

Understanding Data Lifetime via Whole System Simulation

Jim Chow, Ben Pfaff, Tal Garfinkel, Kevin Christopher, Mendel Rosenblum:
Understanding Data Lifetime via Whole System Simulation:

We have used TaintBochs to analyze sensitive data handling in several
large, real world applications. Among these were Mozilla, Apache,
and Perl, which are used to process millions of passwords, credit card
numbers, etc. on a daily basis. Our investigation reveals that these
applications and the components they rely upon take virtually no measures
to limit the lifetime of sensitive data they handle, leaving passwords
and other sensitive data scattered throughout user and kernel memory. We
show how a few simple and practical changes can greatly reduce sensitive
data lifetime in these applications.

[via Justin Mason]

Bad boilerplate

Jack Shafer in the Slate article
E-mail Confidential – Who’s afraid of Time Inc.’s legal disclaimer? has his attorney dissect an email disclaimer in detail.

This boilerplate proliferates because professionals
in the legal, auditing, and security consulting industries
feel compelled to recommend its use.
Unfortunately, the ever-more-onerous language these disclaimers accrete, for cover-your-butt reasons, leaves most of them intellectually ridiculous, legally dubious, and rude.

At this point, consulting professionals should be embarrassed to recommend this stuff.

[via Jeff Nolan via Techdirt]

From Bauhaus to My Mouse

Keith Pleas: “Brutal” Architecture is an instant classic, about the newly-constructed Seattle Public Library, plus understated and apt commentary on software architecture.

[via Jon Udell]

Yahoo DomainKeys draft specification

Yahoo publishes its DomainKeys specification.
FAQ at Yahoo! Anti-Spam Resource Center – DomainKeys.

I must say that I share Justin Mason’s distrust and disdain for software patents.
What the heck is patentable among these ideas anyway? They seem like obvious applications of digital signatures and DNS publication.
The most generous interpretation is that these might be defensive patents, and that for all intents, the IETF-required license is good enough.

Is DomainKeys or SPF likely to take the world by storm?
Either one lets senders publish records that allow receivers to make some authentication judgments.

Well, deployment by senders is a bit more work (sign those messages) for DK than for SPF. But SPF breaks what has been considered normal forwarding behavior, in a way that the sender has no control over except by saying “put up with it” or by turning off SPF.

Deployment by receivers has no particular downside for either scheme — you’re basically implementing sender-requested filtering, and who can complain about that?

Of course, initially, rather than trying to subvert either scheme, spammers will avoid both. Is it possible that the world will shift so much that just being a non-DK domain will count against the sender? I do think it’s possible. At which point, yes, spammers adopt the technology but subvert it with throwaway domains and proxy zombies with access to signing servers.
In the end you can’t avoid reputation systems, trusted third parties (some even with good incentives to rate accurately and respond quickly), blacklists, etc.
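A constructed model of the trade-off described above (an added example, not code from the original post or from either specification): SPF judges the connecting IP against a sender-published list, while DomainKeys judges a signature over the message content, so a message relayed through a forwarder fails SPF but still passes DK, and a message altered in transit does the reverse. HMAC-SHA256 stands in for the RSA signature DK actually uses, and an in-memory dict stands in for the DNS records; both are assumptions so the example runs offline.

```python
import hashlib
import hmac

# Constructed stand-in for DNS: what example.com has published.
DNS = {
    "example.com._spf": {"10.0.0.1"},                   # SPF: permitted sending IPs
    "sel1._domainkey.example.com": b"constructed-key",  # DK key (ASSUMPTION: HMAC key, not RSA)
}

def canonical(headers, body):
    # Sign a fixed set of headers plus the body; the signature header itself is excluded.
    picked = "\r\n".join(f"{k}:{headers[k]}" for k in ("from", "to", "subject"))
    return (picked + "\r\n\r\n" + body).encode()

def dk_sign(headers, body, key):
    return hmac.new(key, canonical(headers, body), hashlib.sha256).hexdigest()

def spf_check(mail_from, connecting_ip):
    # SPF: is the host that connected to us allowed to send for the envelope sender's domain?
    allowed = DNS.get(mail_from.split("@")[1] + "._spf", set())
    return "pass" if connecting_ip in allowed else "fail"

def dk_verify(headers, body):
    # DK: does the signature over the message content verify under the From: domain's key?
    key = DNS.get("sel1._domainkey." + headers["from"].split("@")[1])
    if key is None:
        return "none"  # non-DK domain: no judgment possible
    sig = headers.get("domainkey-signature", "")
    return "pass" if hmac.compare_digest(dk_sign(headers, body, key), sig) else "fail"

def evaluate(msg):
    return {"spf": spf_check(msg["mail_from"], msg["ip"]),
            "dk": dk_verify(msg["headers"], msg["body"])}

def forward(msg, forwarder_ip):
    # Classic forwarding: new connecting IP, same envelope sender, untouched headers and body.
    return {**msg, "ip": forwarder_ip}

def demo():
    headers = {"from": "alice@example.com", "to": "bob@example.net", "subject": "hi"}
    body = "meeting at noon"
    headers["domainkey-signature"] = dk_sign(headers, body, DNS["sel1._domainkey.example.com"])
    msg = {"ip": "10.0.0.1", "mail_from": "alice@example.com", "headers": headers, "body": body}
    forwarded = forward(msg, "192.0.2.7")            # re-sent by bob's forwarding host
    tampered = {**msg, "body": body + " (altered)"}  # content changed, but sent from the right IP
    return evaluate(msg), evaluate(forwarded), evaluate(tampered)

if __name__ == "__main__":
    print(demo())  # ({'spf': 'pass', 'dk': 'pass'}, {'spf': 'fail', 'dk': 'pass'}, {'spf': 'pass', 'dk': 'fail'})
```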

CRLF injection attack, HTTP response splitting

SDSU and UCSD security incidents

  • San Diego State University, February 2004:

    While investigating a computer server sending spam e-mail messages, the Information Technology Security Office at San Diego State University discovered computer intruders had circumvented departmental server security and gained illegal access to a file server in the Office of Financial Aid and Scholarships.

    We recognize that identity theft has become one of the fastest growing crimes in the nation and SDSU is making every effort to ensure that Social Security information is not unnecessarily exposed. In late March, the University will implement an alternative ID system using a new nine-digit ID number called "Red ID".

    [via [Interesting-People] Bad year for San Diego Universities so far]

  • University of California, San Diego, May 2004:

    The University of California, San Diego is notifying past and present students, applicants, and some staff and faculty that unauthorized intruders have broken into four computers in the UCSD Business & Financial Services Department, computers which housed approximately 380,000 records of personal data including names, social security numbers, and drivers license numbers.

    [via [Interesting-People] UCSD Computer Security Incident Alert]

Microsoft NGSCB tabled

Microsoft Shelves NGSCB Project As NX Moves To Center Stage

“A lot of decisions have yet to be made,” said Mario Juarez, product manager in Microsoft’s Security and Technology Business Unit. “We’re going to come out later this year with a complete story.”

followed by hedging:
Microsoft: ‘Palladium’ Is Still Alive and Kicking

Juarez said Microsoft is not providing any of its NGSCB bits as part of the new Longhorn pre-alpha release that it is distributing this week to WinHEC attendees. But he denied that this means that the company is exorcising NGSCB from the product. Instead, he said that the NGSCB team decided that the driver developers at the show wouldn’t be the right targets for this code.

Update 2004/05/19: Real details from Microsoft pointed to by Dana Epp

UIUC Siebel Center for Computer Science

Nice building for the UIUC CS Department.

[via Slashdot]

Chi-squared evidence combination

More on Gary Robinson’s improved chi-squared evidence combination at Handling Redundancy in Email Token Probabilities