Firesheep
A Firefox plugin that makes HTTP session hijacking as easy as a double-click.
evercookie is a JavaScript API that produces extremely persistent cookies in a browser. Its goal is to identify a client even after they’ve removed standard cookies, Flash cookies (Local Shared Objects or LSOs), and others. evercookie accomplishes this by storing the cookie data in several types of storage mechanisms that are available on the local browser. Additionally, if evercookie has found the user has removed any of the types of cookies in question, it recreates them using each mechanism available.
Ars Technica did an interview with the creator. All via Andy Baio.
Twitter officially disabled Basic authentication this week, the final step in the company’s transition to mandatory OAuth authentication. Sadly, Twitter’s extremely poor implementation of the OAuth standard offers a textbook example of how to do it wrong. This article will explore some of the problems with Twitter’s OAuth implementation and some potential pitfalls inherent to the standard. I will also show you how I managed to compromise the secret OAuth key in Twitter’s very own official client application for Android.
via Schneier
As described by Jeremiah Grossman, this is pretty nasty. See the proof-of-concept demo here, and be creeped out. (via Shawn Medero)
Evidence that the Israeli government has been cloning the passports of British citizens, and using them as fake IDs for assassins. Airport security? Haaaaa.
There are exceptions, of course, and proponents of cameras can always cherry-pick examples to bolster their argument. These success stories are what convince us; our brains are wired to respond more strongly to anecdotes than to data. But the data are clear: CCTV cameras have minimal value in the fight against crime.
A transcript taken from one of Welles’ Sketchbook shows for the BBC. 1955’s passport gestapo seems like a cakewalk compared to 2010’s passport gestapo, yet the more things change…
I’ll be in the peanut gallery for this one. The prizes are distinctly Schneier:
Contest ends on February 6th. Winner receives copies of my books, copies of Patrick Smith’s book, an empty 12-ounce bottle labeled “saline” that you can refill and get through any TSA security checkpoint, and a fake boarding pass on any flight for any date.
Disturbing news from the federal courts today, as a federal judge ruled that “government can obtain access to a person’s inbox contents without any notification to the subscriber,” which means anyone with a job in government can read your email without telling you.
Analysis at the link above; here’s a PDF of the actual ruling.
The key is distributed, and “dissolves” over time. This is very interesting. via Andy Baio.
This post has been removed for being out of date and out of the scope of information this blog now seeks to provide. If you got here by way of a search engine or link, my apologies.