April 27, 2011
77 Million Accounts Stolen From Playstation Network

More information at the PSN blog: Update on PlayStation Network and Qriocity.

I don’t know how I would feel if I had a PSN account, with personal details, billing and credit card information, but I wouldn’t be happy. Not at all.

The thing is that I trust a couple of providers that currently hold more or less all this kind of information (I don’t think I have given personal details to the same people that have my credit card information, but never mind). So it could happen to me. It’s scary.

Could this happen to you? If your answer is no, think again.

March 20, 2011
"A human error caused some sensitive server configuration information to be exposed this morning. Our technicians took immediate measures to protect from any issues that may come as a result."

From the Tumblr staff blog, although you can find more about this human error in Security hole spotted in Tumblr (I know, I know, but you must admit it’s funny that they treat a human error as a security hole).

Some sensitive souls are wondering if it’s OK to disclose that kind of information once one finds the problem, and this comment has a good point about it:

If someone’s fly is unzipped, I’d point it out because that’s the sort of accident that can happen to even the most competent and discerning.

If someone’s pants are sagged around their knees, I expect them to have noticed this themselves, and by walking around in public they’ve accepted the possibility of ridicule.

Yes, I would say that’s a pants down kind of issue.

And then some people start blaming PHP, while the truth is simpler and more mundane: someone mistyped the opening PHP tag, so the interpreter never ran that part of the file and its contents (configuration values included) were sent to browsers as plain text, and this went live. That’s all.
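A mistyped tag is invisible to `php -l`, because everything before the first valid `<?php` is just literal output and therefore valid PHP. The pre-deploy check below is an added example of mine (not Tumblr’s code); it scans PHP sources for the region that would be served verbatim and flags tag typos and anything in that region that looks like a secret. The typo patterns and secret keywords are assumptions of this example, not an exhaustive list.

```python
"""Pre-deploy check: flag PHP files that a web server would hand out as plain text.

Added example, not Tumblr's code. A PHP file whose opening tag is mistyped
("<?hp", "<php", "< ?php", ...) still passes `php -l`, because everything
before the first real "<?php" is treated as literal output. That literal
output is exactly how configuration constants end up in a browser.
"""
import re
from pathlib import Path

# The tags the interpreter actually honours: "<?php" and the echo tag "<?=".
OPEN_TAG = re.compile(r"<\?(php\b|=)", re.IGNORECASE)
# Slips that look like a tag to a human but not to the interpreter (assumed list).
LOOKS_LIKE_TYPO = re.compile(r"<\?(hp|ph|pph|phhp)\b|<php\b|<\s+\?php\b", re.IGNORECASE)
# Assumed indicators of secrets in leaked text; extend for your own code base.
SECRET_HINT = re.compile(
    r"(password|passwd|secret|api[_-]?key|db_host)\s*['\"]?\s*[=,]", re.IGNORECASE)


def leaked_text(source: str) -> str:
    """Return the part of a PHP source that would be sent to the client verbatim.

    Execution starts at the first valid open tag, so every byte before it
    (and the whole file if there is none) is literal output.
    """
    m = OPEN_TAG.search(source)
    return source if m is None else source[:m.start()]


def check_php_source(source: str) -> list[str]:
    """Return findings for one file's contents; an empty list means OK."""
    findings = []
    leak = leaked_text(source)
    if not leak.strip():
        return findings          # only whitespace (or nothing) before the tag
    if LOOKS_LIKE_TYPO.search(leak):
        findings.append("mistyped opening tag; text before the first real <?php is served verbatim")
    elif OPEN_TAG.search(source) is None:
        findings.append("no PHP opening tag at all; the whole file is served verbatim")
    if SECRET_HINT.search(leak):
        findings.append("leaked region contains what looks like a secret")
    return findings


def scan_tree(root: str) -> dict[str, list[str]]:
    """Check every *.php under root; return {path: findings} for files with findings."""
    report = {}
    for path in Path(root).rglob("*.php"):
        findings = check_php_source(path.read_text(encoding="utf-8", errors="replace"))
        if findings:
            report[str(path)] = findings
    return report


if __name__ == "__main__":
    import sys
    problems = scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".")
    for path, findings in problems.items():
        for f in findings:
            print(f"{path}: {f}")
    sys.exit(1 if problems else 0)
```

Run it against the deploy tree in CI and fail the build on a non-zero exit; a file that merely contains HTML before `<?php` is fine, but one whose leaked region contains a `define('DB_PASSWORD', ...)` is the Tumblr incident waiting to happen.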

By the way, I hope you’re not using a valuable password on Tumblr. I’m not talking about mistyped tags but about the lack of SSL once you’re logged in to the platform, which means your session cookie travels in the clear.

December 14, 2010
"Let’s say you have good old traditional username and passwords on 50 different websites. That’s 50 different programmers who all have different ideas of how your password should be stored. I hope for your sake you used a different (and extremely secure) password on every single one of those websites. Because statistically speaking, you’re screwed."

Agreed.

From The Dirty Truth About Web Passwords. It’s just common sense, but I like it.

December 2, 2010
"On Sunday, the 28th of November 2010 around 20:00 UTC the main distribution server of the ProFTPD project was compromised. The attackers most likely used an unpatched security issue in the FTP daemon to gain access to the server and used their privileges to replace the source files for ProFTPD 1.3.3c with a version which contained a backdoor."

From ProFTPD ftp.proftpd.org compromise.

That’s probably the worst possible scenario: the project distributes its own software from a server running that software, and the attackers exploited a bug in that software to backdoor the copies being distributed. WTF!

June 14, 2010
"We simply did not notice, but should have. We did not check the files on all mirrors regularly, but should have. We did not sign releases through PGP/GPG, but should have done so."

From Linux Trojan Raises Malware Concerns.

Linux, or open source in general, isn’t secure per se. You have to do the work: check what your mirrors are serving and sign your releases.
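Both the ProFTPD compromise above and the admission quoted here come down to the same missing check: nothing confirmed that what the download server handed out was what the project built. The following is an added example of mine, not code from ProFTPD or from the project quoted above. It parses the `sha256sum` output format (`<hex>  <filename>` per line) and verifies downloaded files against it; the tarball bytes and sums list are constructed inline. The caveat a practitioner needs: a sums file fetched from the same server as the tarball proves nothing in the ProFTPD scenario, since whoever swapped the tarball can rewrite the sums too. The sums must be signed (for example `gpg --verify SHA256SUMS.asc SHA256SUMS`) with a key you obtained out of band and pinned earlier, which is precisely the step the quoted project says it skipped.

```python
"""Verify downloaded release files against a SHA256SUMS list.

Added example, not ProFTPD's code or the quoted project's. Parses the format
written by `sha256sum` ("<hex>  <filename>" or "<hex> *<filename>") and reports
files that are missing, unlisted, or whose digest does not match. The sample
tarballs and sums below are constructed for this example.

Caveat: a sums file served from the same host as the tarball can be rewritten
by the same attacker. Verify the signature on the sums file with a key obtained
out of band before trusting anything this script says.
"""
import hashlib
import re
from typing import Dict, Mapping

SUMS_LINE = re.compile(r"^([0-9a-fA-F]{64}) [ *](.+)$")   # '*' marks binary mode


def parse_sums(text: str) -> Dict[str, str]:
    """Map filename -> lowercase hex digest; skip blanks/comments, reject junk lines."""
    sums: Dict[str, str] = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        m = SUMS_LINE.match(line)
        if not m:
            raise ValueError(f"SHA256SUMS line {lineno} is malformed: {line!r}")
        sums[m.group(2)] = m.group(1).lower()
    return sums


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_release(sums_text: str, files: Mapping[str, bytes]) -> Dict[str, str]:
    """Return {filename: 'OK' | 'MISMATCH' | 'MISSING' | 'UNLISTED'}.

    `files` maps filename to downloaded bytes (read from disk in real use).
    A listed file that was not downloaded is MISSING; a downloaded file absent
    from the list is UNLISTED and must not be installed either.
    """
    expected = parse_sums(sums_text)
    result: Dict[str, str] = {}
    for name, digest in expected.items():
        if name not in files:
            result[name] = "MISSING"
        else:
            result[name] = "OK" if sha256_hex(files[name]) == digest else "MISMATCH"
    for name in files:
        if name not in expected:
            result[name] = "UNLISTED"
    return result


# Constructed sample: the "real" archive and a same-named replacement.
GOOD_TARBALL = b"proftpd-1.3.3c.tar.gz: pretend this is the real archive\n"
EVIL_TARBALL = b"proftpd-1.3.3c.tar.gz: same name, different bytes\n"
SUMS_TEXT = f"{sha256_hex(GOOD_TARBALL)}  proftpd-1.3.3c.tar.gz\n"

if __name__ == "__main__":
    print(verify_release(SUMS_TEXT, {"proftpd-1.3.3c.tar.gz": GOOD_TARBALL}))
    print(verify_release(SUMS_TEXT, {"proftpd-1.3.3c.tar.gz": EVIL_TARBALL}))
```

A backdoored tarball served under the original name shows up as MISMATCH only if the sums list was not served (and rewritten) alongside it; in a build pipeline, pin the signing key in the repository and fail the build unless the signature check on the sums file passes first.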

by jjm on 12:18pm  |   URL: http://tmblr.co/ZPorZyfZZ1c
Filed under: security backdoor PGP GPG open source 
June 13, 2010
Security “On Top”

Photo: “Seguridad” (Security).

OK, I confess this photo was set up to illustrate a post about how to store passwords securely in your applications (a.k.a. hash + random salt).

Indeed, how many times have you seen something like this? Security ‘on top’, by means of a Post-it stuck to a computer screen.

May 17, 2010
"We’re all good at securing small pieces of paper. I recommend that people write their passwords down on a small piece of paper, and keep it with their other valuable small pieces of paper: in their wallet."

From Write Down Your Password by Bruce Schneier (via Reddit).

It’s an old post, but it’s true. Do it. Write down your password, and use a very good one.

by jjm on 6:22pm  |   URL: http://tmblr.co/ZPorZyaCz2V
Filed under: Security Password Schneier paper 
March 6, 2009
"Dan Bernstein has just admitted that a security issue has been found in the djbdns software, one of the most popular alternatives to the BIND nameserver. As part of the djbdns security guarantee, $1000 will be paid to Matthew Dempsky, the researcher who found the bug."

From Dan Bernstein Confirms Security Flaw In Djbdns.

Corollary: all programs have bugs; the difference is in how many (and in the price!).

by jjm on 8:57am  |   URL: http://tmblr.co/ZPorZy50ZnN
Filed under: djbdns $1000 security bugs 
January 28, 2009
"The ‘iServices.a’ Trojan hitchhikes on iWork ‘09’s installer, said Intego, which makes Mac security software."

From Trojan Hides In Pirated Copies of Apple iWork ‘09, on Slashdot.

If you fear the big bad wolf, you should read How Security Companies Sucker Us With Lemons, about the information asymmetry of the security software market. The ones telling you to fear the wolf are the ones selling you the cure.

I don’t mean Mac software is safer because it’s cooler, but it’s fun to see the security software dealers of the Windows world applying the same formula here.

by jjm on 9:03am  |   URL: http://tmblr.co/ZPorZy4PD90
Filed under: security Mac trojan common sense 
December 25, 2008
"I’ve advertised Dovecot as a secure IMAP server for the past few years now. I don’t think any software should be claimed to be secure unless it can be backed up in some way. So now that Dovecot 1.0 beta is finally out, I think it’s time for me to finally do that.

I’m offering 1000€ for the first person to demonstrate a remotely exploitable security hole in Dovecot."

From the Dovecot IMAP server’s security page.

The offer has been open since 22 Jan 2006. Dovecot is open source software, which proprietary software advocates say is less secure because the source code is available. Timo Sirainen, Dovecot’s author, doesn’t seem to be running out of money because of this offer.

by jjm on 10:10am  |   URL: http://tmblr.co/ZPorZy3_WSd
Filed under: dovecot IMAP open source security