Seen on Slashdot: Alarm Raised On Teenage Hackers – my view on it: these kids should be shown the challenge of being on the defender’s side. IMHO most of them do this because they want to feel special. Showing them that attacking a system is pretty easy compared with defending it could win them over…
This has been floating around the ‘net for some time: Clickjacking. With all due respect for the guys who discovered it – this is pretty old. It was used a couple of years ago on MySpace, where the entire page was covered by a transparent div to redirect people to other sites wherever they clicked, and it is still used on porn sites. Now credit where credit is due: combining this with changing the Flash settings is a nice touch. It also shows why you should be very worried about security: most of the attacks (even the new/hyped ones) have been known for some time. The same with bugs: those flaws patched by MS every month – most of them have been there since the software was released. Who is to say that they weren’t independently discovered and exploited?
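The defence against the transparent-overlay trick above is to stop other sites from framing your page at all. As an added example (not code from the original post or from any of the sites mentioned), here is a small Node.js check that decides, from a response’s headers, whether a given origin is allowed to put the page in a frame. It handles the obsolete X-Frame-Options header and the CSP frame-ancestors directive that supersedes it; the header objects, origins and the “weak vs. hardened” responses are constructed for the example, and the CSP source matching is deliberately limited to the forms shown (‘none’, ‘self’, ‘*’, scheme-only, host with optional scheme, port and leading wildcard).

```javascript
'use strict';

// Reduce any URL/origin string to scheme://host[:port] (default ports dropped).
function normalizeOrigin(o) {
  const u = new URL(o);
  return `${u.protocol}//${u.host}`;
}

const DEFAULT_PORT = { 'http:': '80', 'https:': '443' };

// Return the source list of the frame-ancestors directive, or null if absent.
function parseFrameAncestors(csp) {
  if (!csp) return null;
  for (const directive of csp.split(';')) {
    const parts = directive.trim().split(/\s+/);
    if (parts[0] && parts[0].toLowerCase() === 'frame-ancestors') {
      // Strip the quotes around keyword sources ('self', 'none').
      return parts.slice(1).map((s) => s.replace(/^'|'$/g, '').toLowerCase());
    }
  }
  return null;
}

// Does one CSP source expression match the framing origin?
function sourceMatches(src, framer, page) {
  if (src === 'none') return false;
  if (src === '*') return true;
  if (src === 'self') return framer === page;
  const f = new URL(framer);
  if (/^[a-z][a-z0-9+.-]*:$/.test(src)) return f.protocol === src; // e.g. "https:"
  let scheme = null;
  let hostPort = src;
  const i = src.indexOf('://');
  if (i !== -1) {
    scheme = src.slice(0, i + 1);
    hostPort = src.slice(i + 3);
  }
  if (scheme && f.protocol !== scheme) return false;
  const [host, port] = hostPort.split(':');
  const framerPort = f.port || DEFAULT_PORT[f.protocol] || '';
  if (port && port !== '*' && port !== framerPort) return false;
  if (host.startsWith('*.')) return f.hostname.endsWith(host.slice(1)); // ".example"
  return f.hostname === host;
}

// true if a page served with these headers may be framed by framerOrigin.
// Assumption (as in browsers that implement CSP): when frame-ancestors is
// present it wins and X-Frame-Options is ignored.
function mayFrame(headers, framerOrigin, pageOrigin) {
  const framer = normalizeOrigin(framerOrigin);
  const page = normalizeOrigin(pageOrigin);
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;

  const ancestors = parseFrameAncestors(h['content-security-policy']);
  if (ancestors) return ancestors.some((s) => sourceMatches(s, framer, page));

  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return framer === page;
  // ALLOW-FROM was never widely implemented and is ignored by current
  // browsers, which then fall through to "no policy": treat it the same way.
  return true; // no policy at all: anyone can overlay this page
}

// Constructed sample responses for the example.
const weakResponse = { 'Content-Type': 'text/html' };
const hardenedResponse = {
  'Content-Type': 'text/html',
  'X-Frame-Options': 'SAMEORIGIN',
  'Content-Security-Policy':
    "default-src 'self'; frame-ancestors 'self' https://*.partner.example",
};

const PAGE = 'https://bank.example';
console.log('weak, framed by evil.example   :', mayFrame(weakResponse, 'https://evil.example', PAGE));
console.log('hardened, framed by evil       :', mayFrame(hardenedResponse, 'https://evil.example', PAGE));
console.log('hardened, framed by partner    :', mayFrame(hardenedResponse, 'https://widgets.partner.example', PAGE));

module.exports = { normalizeOrigin, parseFrameAncestors, sourceMatches, mayFrame, weakResponse, hardenedResponse };
```

The point of the two sample responses: the weak one returns true for any framer, which is exactly the state MySpace and the porn sites were in; the hardened one only admits the page itself and https sub-domains of the partner, and rejects an http framer of the same host because the scheme is part of the source expression. Keep X-Frame-Options alongside frame-ancestors for old browsers that know nothing about CSP.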
Via the things that make you go hmmm come the following links:
An AC/DC (they rock!) video in Excel. Watch it below or download it from the official site.
On the same blog you can find a post about why you should never go with a hosted blog. My opinion is the exact opposite: sure, there are many disadvantages, but the most important advantage for me is: it can handle any kind of traffic, and when security problems arise, they are quickly fixed without me doing anything. Compare this with me going with shared hosting (because I’m too cheap to rent a VPS) – it would get hacked in less than six months. It also links to an article in Wired which talks about why you should stop blogging. I think that most of the points the article makes don’t apply to me, because I tend to post much more “tutorial” type content, which will always be relevant.
Still from the same blog: usernamecheck.com – a cool way to instantly check the availability of a username on a lot (and by a lot I mean a loat :-)) of services. The site itself goes up and down (probably it can’t handle the load), but when it works, it is cool.
It seems that some people were having problems with Google (I’ve also seen another variation of the same tip suggesting to visit “sorry.google.com” rather than “google.com/sorry”). It’s not the end of the world (although you might want to take a look at your network to confirm that there is nothing – like malware – making automated requests) since both Yahoo and Live Search are comparable in terms of result quality.
Via the GSD blog comes the following program tip: Microsoft ICE (no, it’s not a drug, it’s the “Image Composite Editor”). It can create panoramic images and can output several formats (although nothing too widely supported – like Flash, can we have Flash please? I guess there isn’t a big chance…)
The Google Webmaster Central Blog has some presentations about “debunking myths” with regards to search engines / Google. You might want to take a look at them.
The SANS blog asks: should I switch my (software) vendor? My opinion is: first, make sure that you are using your current software to the maximum. Introducing new software only means introducing new possible vulnerabilities, new patches you have to track, new unforeseen interactions between the components, etc. So first, take a look at what you have (of course for this you need competent people). Then evaluate other possible solutions, but keep in mind that there is no silver bullet.
From the Frequency X blog comes a description of a hardware device which can be used to secure banking transactions. This is a good move, however, given that it will cost some serious money to implement, I doubt that it will get fast adoption. Also, the devil is in the details. How secure is the computer-device interface? The display seems too small to show all the transaction details, making it theoretically possible to authorize the transaction to the wrong target…
Via the Network Security blog comes An Illustrated Guide to the Kaminsky DNS Vulnerability. Nicely done, worth looking at if you still have questions about the topic (it also starts out assuming that you have minimal knowledge of the DNS system, so it is useful for beginners too).
From the securosis blog comes a post about how people outside the security field prioritize, and why it seems to security professionals that they “don’t get it”. Some good quotes:
Will the future be more secure? It’ll be just as insecure as it possibly can, while still continuing to function. Just like it is today.
If we don’t take risks, we can’t possibly grow. No matter what someone tells us, we sometimes need to touch the hot stove and learn for ourselves. It’s human nature; don’t expect it to change. Security is only good news when it’s no news.
Via the OldNewThing blog comes the link to How to get someone to answer your questions, which suggests that you purposefully say the wrong thing because this makes people more likely to reply. Interesting idea, but I don’t know if I would use it…
Finally, via CyberSpeak comes the site 123people.com, a meta-search engine which, given a name, tries to gather information about the given person from all over the web. Give it a try, and you might be surprised how much information is out there about you (amongst others, it managed to find my work email – which is interesting since I don’t really share that with people).