2010 May 27, 8:52
Time to stock up on prepaid anonymous cell phones before it's too late! Or just use the call encryption Android application...
privacy security cellphone anonymous politics government technical

2010 May 24, 6:26
"What You See is What They Get: Protecting users from unwanted use of microphones, cameras, and other sensors," by Jon Howell and Stuart Schechter.
"We introduce the sensor-access widget, a graphical user interface element that resides within an application's display. The widget provides an animated representation of the personal data being collected by its corresponding sensor, calling attention to the application's attempt to collect the data."
Not sure how well that scales...
technical security privacy research

2010 May 23, 4:32
"The ability to detect visitors' browsing history requires just a few lines of code. Armed with a list of websites to check for, a malicious webmaster can scan over 25 thousand links per second (1.5 million links per minute) in almost every recent browser."
technical privacy security web browser

2010 May 14, 8:52
It really is an actual quote from the Sacramento Credit Union's website: "The answers to your Security Questions are case sensitive and cannot contain special characters like an apostrophe, or the words “insert,” “delete,” “drop,” “update,” “null,” or “select.”"
Out of context that seems hilarious, but if you read the doc the next Q/A twists it into a defense in depth rather than a 'there-I-fixed-it'.
technical security humor sql

2010 May 7, 6:29
UMP instead of CORS for cross-domain access control: "...a developer can read only UMP and ignore CORS, yet still create safe code. This code can successfully message with CORS resources that do not require credentials. UMP is therefore a way of messaging with the credential-free subset of CORS resources."
w3c security web browser technical

2010 May 6, 7:43
Covers case studies of insecure usage of HTML5 cross-document messaging and web storage.
html html5 web browser security technical webstorage research facebook google system:filetype:pdf system:media:document

2010 May 6, 7:25
Another subset of JavaScript and DOM access to make a sandbox: "FBJS is Facebook's solution for developers who want to use JavaScript in their Facebook applications. We built FBJS to empower developers with all the functionality they need, and to protect our users' privacy at the same time."
sandbox web browser facebook html javascript technical security web-sandbox

2010 May 6, 7:22
"Caja allows websites to safely embed DHTML web applications from third parties, and enables rich interaction between the embedding page and the embedded applications. It uses an object-capability security model to allow for a wide range of flexible security policies, so that the containing page can effectively control the embedded applications' use of user data and to allow gadgets to prevent interference between gadgets' UI elements."
security web browser web-sandbox caja google javascript html technical

2010 May 6, 7:16
"Today web gadgets, mashup components, advertisements, and other 3rd party content on websites either run with full trust alongside your content or are isolated inside of IFrames. As a result, many modern web applications are intrinsically insecure, often with unpredictable service quality. Live Labs Web Sandbox addresses this problem."
web browser web-sandbox technical javascript html windows live security sandbox microsoft silverlight

2010 May 6, 7:14
"ADsafe defines a safe subset of the JavaScript Programming Language, and an interface that allows programs written in that language to usefully interact with a specific subtree of the HTML document."
technical ajax javascript json security advertising ad web browser web-sandbox

2010 Apr 21, 6:51
Adds SHA-256 & SHA-512 to the HTTP instance digest: 'The IANA registry named "Hypertext Transfer Protocol (HTTP) Digest Algorithm Values" defines values for digest algorithms used by Instance Digests in HTTP. Instance Digests in HTTP provide a digest, also known as a checksum or hash, of an entire representation of the current state of a resource. This document adds new values to the registry and updates previous values.'
hash cryptography http instance-digest sha security technical ietf rfc standard

2010 Apr 21, 6:49
"OAuth provides a method for clients to access server resources on behalf of a resource owner (such as a different client or an end-user). It also provides a process for end-users to authorize third-party access to their server resources without sharing their credentials (typically, a username and password pair), using user-agent redirections."
oauth authorization security privacy internet web rfc standard technical

2010 Apr 11, 3:51
"In fact, more air marshals have been arrested than the number of people arrested by air marshals." It's easy to get awesome stats like this when talking about lawlessness on airplanes given its great infrequency.
statistics humor security bruce-schneier airplane

2010 Mar 31, 7:54
"Summary: Exploring cross-domain threats and use cases, security principles for cross-origin requests, and finally, weighing the risks for developers to enhance cross-domain access from web applications running in the browser."
technical msdn microsoft security xss XMLHttpRequest web browser

2010 Mar 26, 5:16
Interesting point that web browsers block HTML FORMs from submitting to some ports in order to prevent malicious servers from getting clients to do their dirty work. Of course it requires the host on the other side of that port to be able to interpret the HTTP request as something relevant to the protocol it actually expects.
security web browser ie http html form technical

2010 Mar 23, 9:10
Laziness is a virtue in programming, esp. wrt. security. Marc Stiegler gives a talk at Google on the topic.
via:kris.kowal programming security video google lazy

2010 Mar 22, 8:40
PDF overtakes Word as targeted attack vector of choice.
security office adobe pdf word powerpoint microsoft technical statistics internet malware

2010 Mar 10, 5:19
Covers the same origin policy and how it applies to different HTML and HTTP features.
technical web browser javascript csrf ajax html security xss XMLHttpRequest

2010 Mar 8, 1:50
Paper suggests history stealing to find which popular social networking site groups a visitor to your web site belongs to, and gives stats on how easy it is to then uniquely identify the visitor on the popular social networking site.
security privacy social social-network paper research web browser css technical system:filetype:pdf system:media:document