jerakeen.org

by Tom Insam


OAuth and HTTP caching

created 23 September 2009 in links tagged headers, http, oauth and security.

Every single piece of infrastructure that people are using on the Web today was developed after the authenticate headers were designed. If people have designed a scripting host in such a fashion that the information does not make it through, that is clearly either a deliberate decision on their part or the system is so clueless that you probably don’t want to use it for any security related application in any case.

http://www.ietf.org/mail-archive/web/oauth/current/msg003...

How to setup OPIE with pam On Linux

created 10 June 2009 in links tagged linux, pam, password and security.

How to use one-time-pads to log into Linux machines remotely. Clever stuff, if a little more paranoid than I really need right now.

http://www.rho.cc/1Key/pam_opie_Setup.php

Explaining the OAuth Session Fixation Attack

created 23 April 2009 in links tagged oauth and security.

Wow, OAuth has a really big hole in it. How did we (I say we because I’ve been over the spec a lot, not because I’m part of anything ‘official’) miss this? Doubly alarming because I can’t think of any solutions to it that don’t involve attaching parameters to the callback url, thus screwing desktop/phone-based clients.

http://www.hueniverse.com/hueniverse/2009/04/explaining-t...

Wordpress iPhone app released

created 22 July 2008 in notes tagged iphone, security and wordpress.

There’s a dedicated iPhone app for Wordpress blogs now. Except that it doesn’t work out of the box. I’m very impressed otherwise, though. As mentioned by @mattb, it’s a pity that it doesn’t let you moderate comments as well. But the ease with which I can take a photo and get it onto a Wordpress blog is impressive.

Twittervision on the iPhone

created 19 July 2008 in notes tagged annoying, iphone and security.

I tried Twittervision on the iPhone. And it’s quite pretty, in a hypnotic way. So I gave it my twitter username/password, to try it as a twittering interface. And it’s lousy. But ok, I have a twittering interface. I delete the app.

Today, I see a tweet from @davetroy. Who? I don’t know him. Turns out that he wrote Twittervision. And now I’m following him. Which means that (a) his app must have followed him on my behalf, because I didn’t do it, and (b) he can now see all my private tweets (because my twitterstream isn’t public).

Well, fuck you, Mr Dave Troy.

Slashdot | All Your Coffee Are Belong To Us

created 18 June 2008 in links tagged coffee, machine, security and windows.

yay, coffee machines with remote-exploitable backdoors.

http://it.slashdot.org/it/08/06/17/1941200.shtml

rentzsch.com: Securing Firewire

created 15 March 2008 in links tagged firewire, password and security.

The Windows world just found that plugging a FW device in gives full raw access to a target’s memory. This isn’t a surprise if you saw this attack (on the Mac) in 2002. It is a surprise to find that MacOS protects against it if you have an OF password.

http://rentzsch.com/macosx/securingFirewire

FAA: Boeing’s New 787 May Be Vulnerable to Hacker Attack

created 06 January 2008 in links tagged 787, boeing, dreamliner, idiocy, network and security.

The computer network in the Dreamliner’s passenger compartment, designed to give passengers in-flight internet access, is connected to the plane’s control, navigation and communication systems.

http://www.wired.com/politics/security/news/2008/01/dream...

Setting up firmware password protection in Mac OS X

created 19 November 2007 in links tagged firmware, password and security.

The Open Firmware Password can be reset and changed […] via physical access to the inside of the computer

http://docs.info.apple.com/article.html?artnum=106482

Larholm.com - Me, myself and I » Internet Explorer 0day Exploit

created 10 July 2007 in links tagged internetexplorer and security.

I foresee much confusion over the next week. Is this a Firefox bug or an Internet Explorer bug? You need to have them both installed to see it.

http://larholm.com/2007/07/10/internet-explorer-0day-expl...

Firefox “firefoxurl” URI Handler Registration Vulnerability - Advisories - Secunia

created 10 July 2007 in links tagged firefox and security.

Correct me if I’m wrong, but I think this is the exact same class of hole that the Safari for Windows beta had a few weeks ago - a protocol handler allowing arbitrary command line execution. Think it’ll get as much press?

http://secunia.com/advisories/25984/

Developer Discussion Boards - View Single Post - Python for S60 3rd Edition

created 04 July 2007 in links tagged nokia, s60 and security.

Great. Reading the current cell ID costs 350 dollars a year.

http://discussion.forum.nokia.com/forum/showpost.php?p=22...

Vista with Samba - MSDN Forums

created 05 June 2007 in links tagged samba, security and vista.

Connecting Vista to Samba shares. I really hate computers.

http://forums.microsoft.com/MSDN/ShowPost.aspx?PostID=660...

Django | Documentation | Cross Site Request Forgeries protection

created 23 March 2007 in links tagged django, python, security and web.

Magic Django middleware to stop pages on other sites submitting forms on your site. No effort on my part needed. Very clever - must steal it.

http://www.djangoproject.com/documentation/csrf/

Big security risk with global sharing - Parallels Support Forum

created 29 January 2007 in links tagged macos, parallels and security.

aaah, huge scary security worries.

http://forum.parallels.com/thread8127.html

from __future__ import * » Remote JSON - JSONP

created 06 December 2005 in links tagged javascript and security.

http://bob.pythonmac.org/archives/2005/12/05/remote-json-...