

  Introduction to OAuth (in Plain English)

Last week we talked about giving away your passwords and how you should never do it. When a website wants to use the services of another—such as Bitly posting to your Twitter stream—instead of asking you to share your password, they should use OAuth instead. OAuth is an authentication protocol that allows you to approve one application interacting with another on your behalf without giving away your password. This is a quick guide to illustrate, as simply as possible, how OAuth works. The Actors: There are 3 main players in an OAuth transaction: the user, the consumer, and...

3,598 0       SECURITY OAUTH PERMISSION PARTIAL ACCESS


  Open source code libraries suffer from vulnerabilities

A study of how 31 popular open source code libraries were downloaded over the past 12 months found that more than a third of the 1,261 versions of these libraries had a known vulnerability and about a quarter of the downloads were tainted. The study was undertaken by Aspect Security, which evaluates software for vulnerabilities, with Sonatype, a firm that provides a central repository housing more than 300,000 libraries for downloading open source components and gets 4 billion requests per year. [ Track the latest trends in open source with InfoWorld's Open Sources blog and Technology: Open So...

3,434 1       SECURITY OPEN SOURCE VULNERABILITY


  Two things I don’t like about Hacker News

Hacker News is a very famous IT information hub. We can find many useful links about the latest IT news and fantastic technology demos. But there are two things I don’t like about Hacker News. Maybe some of you also have the same feelings. 1. About the more link. Every time we click the more link to go to next page, there will be a unique key generated to produce the new page. It is a good security mechanism. Also it may increase pages views as we need to read page by page but cannot jump to one specific page. But one problem is that if I open a page and navigate some pages and I h...

3,189 0       HACKER NEWS MORE LINK SUBMISSION SECURITY


  Is 99.8% Secure Secure?

A group of researchers (Arjen Lenstra and collaborators from EPFL Lausanne and James Hughes from Palo Alto) published a study, "Ron was wrong, Whit is right", of new vulnerabilities of cryptosystems. The New York Times picked up the story. Although Lenstra et al. discuss several cryptosystems, their results are particularly relevant to those based on RSA. The title mirrors their conviction that cryptosystems based on a single random element have fewer key generation problems than RSA, which uses two random primes. The technical problem they identify...

2,614 0       SECURITY PERCENTAGE SECURITY INDEX


  Should All Web Traffic Be Encrypted?

The prevalence of free, open WiFi has made it rather easy for a WiFi eavesdropper to steal your identity cookie for the websites you visit while you're connected to that WiFi access point. This is something I talked about in Breaking the Web's Cookie Jar. It's difficult to fix without making major changes to the web's infrastructure. In the year since I wrote that, a number of major websites have "solved" the WiFi eavesdropping problem by either making encrypted HTTPS web traffic an account option or mandatory for all logged in users. For example, I just noticed that Twitter, transparently to me...

3,165 0       SECURITY WEB TRAFFIC HTTPS.ENCRYPTION WIFI


  Is Shared Hosting Secure?

Shared hosting is incredibly popular with users who are looking for the cheapest hosting available – the problem is that along with the low price you get poor performance and, even more concerning, questionable security. When running on a shared host, dozens if not hundreds of other sites are running on the same servers – this means any single security flaw in any of those applications can compromise the entire server. This dramatically increases the odds of your server being compromised. Because shared hosting is inherently insecure, Microsoft has built in fe...

3,055 0       SECURITY SHARED HOSTING VIRTUAL HOST DATA SECURITY


  SSH Security and You - /bin/false is *not* security

Backstory: While at RIT around 2004 or 2005, I discovered that a few important machines at the datacenter allowed all students, faculty, and staff to authenticate against them via ssh. Everyone's shells appear to be set to /bin/false (or some derivative) on said machines, so the only thing you'll see after you authenticate is the login banner and your connection will close. I thought to myself, "Fine, no shell for me. I wonder if port forwarding works?" Seems reasonable, right? Whatever sysadmin was tasked with securing these machines forgot some...

12,811 0       SECURITY LINUX SSH /BIN/FALSE


  Android and Security

The last year has been a phenomenal one for the Android ecosystem. Device activations grew 250% year-on-year, and the total number of app downloads from Android Market topped 11 billion. As the platform continues to grow, we’re focused on bringing you the best new features and innovations - including in security. Adding a new layer to Android security: Today we’re revealing a service we’ve developed, codenamed Bouncer, which provides automated scanning of Android Market for potentially malicious software without disrupting the user experience of Android Market or requiring de...

2,179 0       SECURITY ANDROID ANDROID APPS APP MARKET BOUNCER