the whole world burns

Archive for category 'security'

Facebook's autocorrection of password typos


Apparently old news but new to me. Facebook employs a brilliant method to improve password usability:

My understanding for Facebook is that if you fail to log in, they make 3 extra automated attempts:

  • Swap capitalization on first character
  • Swap capitalization on whole input (e.g. caps lock left on)
  • Remove last character of password (e.g. if you hit \ when trying to press enter)

So your password is still stored securely as a salted hash, they just automatically attempt 3 extremely similar passwords if your initial attempt didn't work.

Genius. See also pASSWORD tYPOS and How to Correct Them Securely, with numbers on types of error and security impact of accepting them.
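As an added illustration (not code from the post or from Facebook, whose actual implementation is not described), here is the check in Python: the stored record is a salted PBKDF2 hash carrying its own iteration count (the record format and cost are this example's assumptions), and on a miss the three corrections above are tried in order, each costing exactly one more full hash.

```python
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

# Record format is an assumption for this example: "iterations$salt_hex$hash_hex".
# The iteration count is stored so it can be raised later without breaking old records.
ITERATIONS = 100_000

def make_record(password: str, iterations: int = ITERATIONS) -> str:
    """Hash a new password with a fresh random 16-byte salt."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"

def check_exact(candidate: str, record: str) -> bool:
    """One full hash computation plus a constant-time comparison."""
    iterations, salt_hex, digest_hex = record.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)

def typo_variants(entered: str) -> List[Tuple[str, str]]:
    """The three corrections from the post, in order. Variants identical to the
    input (e.g. a leading digit has no case) or to an earlier variant are dropped,
    so a miss never costs more than three extra hashes."""
    candidates = [
        ("first-char", entered[:1].swapcase() + entered[1:]),  # shift slip on first key
        ("caps-lock", entered.swapcase()),                     # caps lock left on
        ("trailing", entered[:-1]),                            # stray key before Enter
    ]
    seen = {entered}
    variants = []
    for label, variant in candidates:
        if variant not in seen:
            seen.add(variant)
            variants.append((label, variant))
    return variants

def check_with_typo_tolerance(entered: str, record: str) -> Optional[str]:
    """Return which attempt matched ('exact', 'first-char', 'caps-lock',
    'trailing') or None. Every attempt should still count toward rate limiting."""
    if check_exact(entered, record):
        return "exact"
    for label, variant in typo_variants(entered):
        if check_exact(variant, record):
            return label
    return None
```

Because the corrections are applied to the entered string and re-hashed, the stored hash stays a plain salted hash; the only cost is up to three extra verifications per failed login, which is why they should count against the same lockout budget as the original attempt.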

Bedford and the Normalization of Deviance


Fascinating article about a Gulfstream crash and the succession of seemingly unbelievable pilot errors preceding it. But these errors make sense in a culture where failing to follow correct procedures has been normalized:

Social normalization of deviance means that people within the organization become so much accustomed to a deviant behavior that they don’t consider it as deviant, despite the fact that they far exceed their own rules for the elementary safety. People grow more accustomed to the deviant behavior the more it occurs. To people outside of the organization, the activities seem deviant; however, people within the organization do not recognize the deviance because it is seen as a normal occurrence. In hindsight, people within the organization realize that their seemingly normal behavior was deviant.



Like typosquatting, but caused by bit-flipping. Interesting!

alert(1) to win - JavaScript injection game


Fun game of practical XSS. Some amazing tricks there and I am confident I have left some of these holes open in the past.

Chip and PIN is broken


The flaw is that when you put a card into a terminal, a negotiation takes place about how the cardholder should be authenticated: using a PIN, using a signature or not at all. This particular subprotocol is not authenticated, so you can trick the card into thinking it’s doing a chip-and-signature transaction while the terminal thinks it’s chip-and-PIN.

Would you have spotted the fraud?


Scarily authentic-looking ATM skimmers.

Enough With The Rainbow Tables: What You Need To Know About Secure Password Schemes


Short version: of course you need salt, but the real goal is to make brute-forcing infeasible. The best way to accomplish that task is to make your hash function as slow as possible, and able to be slowed even further to compensate for advances in hardware.

On the Chaser/APEC security debacle


Officers involved in the APEC security operation revealed last night that police manning CBD roadblocks are frequently not told whether motorcades coming toward them are legitimate.

"We're amazed at the lack of communication that allowed this to happen but how are they to know whether a motorcade is legitimate when they're not supposed to stop them and nothing is broadcast over the (police) radio," an officer said.

Also: Bruce Schneier link roundup.

EXIF metadata could identify "Harry Potter" leaker


It's troubling that the camera serial number is in the metadata at all.

Harry Potter 7 leaked online


If the photos were better I'd probably be reading it right now...

(FAKE?) SPOILERS: poster purports to have hacked Bloomsbury, stolen final Harry Potter book


After the quality of the last couple of books, I thought that spoilers, even fake ones, couldn't possibly make my expectations for this one any lower. I was wrong.

Bruce Schneier: Portrait of the Modern Terrorist as an Idiot


The recently publicized terrorist plot to blow up John F. Kennedy International Airport, like so many of the terrorist plots over the past few years, is a study in alarmism and incompetence: on the part of the terrorists, our government and the press. [...]

I don't think these nut jobs, with their movie-plot threats, even deserve the moniker "terrorist." But in this country, while you have to be competent to pull off a terrorist attack, you don't have to be competent to cause terror. All you need to do is start plotting an attack and -- regardless of whether or not you have a viable plan, weapons or even the faintest clue -- the media will aid you in terrorizing the entire population.

The most ridiculous JFK Airport-related story goes to the New York Daily News, with its interview with a waitress who served Defreitas salmon; the front-page headline blared, "Evil Ate at Table Eight."


Even under the best of circumstances, these are difficult prosecutions. Arresting people before they've carried out their plans means trying to prove intent, which rapidly slips into the province of thought crime. Regularly the prosecution uses obtuse religious literature in the defendants' homes to prove what they believe, and this can result in courtroom debates on Islamic theology. And then there's the issue of demonstrating a connection between a book on a shelf and an idea in the defendant's head, as if your reading of this article -- or purchasing of my book -- proves that you agree with everything I say. (The Atlantic recently published a fascinating article on this.)

For the record, I've kept my copy of Sayings of the Ayatollah Khomeini for the perversely specific details of the appropriate action in the case of, for example, a man molesting a camel. (It must be slaughtered, but a mule treated likewise may be sold.)

Security fixes to be patented?!


In the latest evolution of vulnerability discovery, a company called Intellectual Weapons is offering to work with researchers to develop fixes for security vulnerabilities and then patent those fixes.

Probably FUD, but still: if we needed any more evidence that software patents were a bad idea...

CIO: on the futility of computer forensics


This is antiforensics. It is more than technology. It is an approach to criminal hacking that can be summed up like this: Make it hard for them to find you and impossible for them to prove they found you. ...

AOL's absurdly bad password system


Issues apparently include:

  • Passwords truncated to the first 8 characters
  • Non-alphanumeric characters stripped
  • Stored encrypted (not hashed) in the Windows registry

And various Unix flavours have similar default behaviour?!

ComputerWorld on the rise of "Evil twin" Wi-Fi access points


That's the term for a Wi-Fi access point that appears to be a legitimate one offered on the premises, but actually has been set up by a hacker to eavesdrop on wireless communications among Internet surfers.

Bruce Schneier: The Psychology of Security


Fascinating, like a security book by Malcolm Gladwell or Steven Levitt.

Small things, links and miscellany, sparkling with light. Sam's tumblelog.
