insanesecurity - blog - Part 4

Firefox without NoScript

That’s what many NoScript users have claimed to be doing after the recent debate about NoScript circumventing AdBlock Plus to display the ads from its own page. One question I kept asking myself: are these really NoScript users?

(continue)


Purplehats

I can’t understand all the fighting about blackhats, whitehats, grayhats or any other color for that matter.

Hackers have no color.
Hackers have no creed.
Hackers have no ethics.
Hackers have free will.
Hackers make things work.

Hackers can handle any situation, with almost any tool (MacGyver type of person), in almost every field…

Hackers do it for FUN and profit. Not vice-versa…


OWASP Code Review Guide

Code review is probably the single-most effective technique for identifying security flaws. When used together with automated tools and manual penetration testing, code review can significantly increase the cost effectiveness of an application security verification effort. (Introduction)
(continue)


TwitPic – modern Twitter backdoor

For those of you who don’t use Twitter, I should specify that Twitter has long since moved away from the “what are you doing” principle and today is more of a base framework (the Twitter API) for many new (and innovative?) web applications.

Due to this direction that Twitter is adopting (involuntarily), dozens of web applications have sprung up, from URL shortening services to web applications like WeFollow, TwitterSheep, TwitterTag, TwitVid, YFrog, TwitPic and many more…

(continue)


Should I Trust You?

I think that everyone has heard of the recent “hacking series” against major antivirus companies. After the recent SQL injections in Kaspersky, BitDefender (here and here) and F-Secure, the regular user might wonder which company they should still trust.

(continue)


PHP 5.2+ Data Filtering Extension = BAD?

Yesterday, while browsing some security-tagged discussions on stackoverflow.com, I noticed someone mentioning some filter_-prefixed PHP functions. At first I thought they were custom-written ones, but a quick check showed that these functions really do exist. I was shocked. Anyway, let’s dig into it…

(continue)


Intercepting Proxies?

People tend to overdo things… Somewhere (not sure where) I read an article (or better, call it a tutorial) where, for simple modifications of parameter/header values, the author suggested an intercepting proxy like WebScarab, BurpProxy, ParosProxy, ProxyStrike, etc. Yes, they’re up to the job, but aren’t there simpler solutions? Yes there are, and those solutions will be presented in the following lines…

(continue)


Web 2.0 Security & Privacy

When I submitted my last article to reddit, a user suggested an interesting paper from the Web 2.0 Security & Privacy Conference 2008, namely the <input type="password"> must die! paper, which suggests new methodologies for user authentication. I have already mentioned password insecurities (if we may call them so) a couple of times, here and here, without necessarily suggesting a replacement for them.

The new methodology mentioned earlier is slightly different from OpenID because it suggests implementing it directly in the browser. Such an implementation would be highly welcome, but is unlikely to be found natively in current browsers, or in those soon to come. Another interesting paper I read was Web Authentication by Email Address, which takes the OpenID concept and brings it closer to the user, because a user is more comfortable using an email address as an identifier instead of a URL.

For more papers from the W2SP conference, check out the 2007 or the 2008 papers.


FormJacking

With all the buzz around Clickjacking, I had to come up with an article that would contain that word, or at least a part of it. This article could also have been named Form Thievery, but it wouldn’t sound that cool, would it?

(continue)


Password Madness

OK, so this is a subject I just can’t let go. The first article I wrote about passwords was Password Insecurity – Wordlists/Dictionary, where I stated that everybody should use passphrases instead of regular 8-character passwords. I think that was the most notable thing about the article. This article will go further into password malpractice.

(continue)
