I wish the DHS...
Posted by Doug Thu, 29 Sep 2005 21:16:03 GMT
“I wish the DHS were half as good at keeping people safe as they are at scaring people.”—Bruce Schneier
Posted by Doug Fri, 01 Jul 2005 18:14:00 GMT
Part of the problem with passwords is that users can be tricked into giving them to the wrong people. This (pdf) is a proposal to help combat that. Bruce Schneier, my favorite security guru, points out a method developed by Rachna Dhamija and Doug Tygar of UC Berkeley for servers to identify themselves. To be honest, I haven’t read the paper from Dhamija and Tygar; just Bruce’s summary. However, it seems like a really cool idea. Basically, the server generates a unique abstract image to associate itself with each user. When the server asks for authentication, it displays the image. The user can visually determine if the right image is displayed to verify that the web page is authentic.
Of course, what users are supposed to do is examine the SSL certificate for the site. No one does this. In fact, browsers are making this harder to do. So servers have it in their best interest to make sure that users know they are the legit server. They suffer as much from phishing as the victim user does. I might try to figure out how to implement this nicely with some of my web sites.
Posted by Doug Mon, 21 Mar 2005 14:57:00 GMT
Repeat after me, “Security False Positives are Security Failures.” “Security False Positives are Security Failures…”
A man who recently had received radiation treatment for a medical condition set off a nuclear alert detector on a fire engine, prompting police to close down a roadway in Escondido while authorities searched for a nuclear weapon.
On News Observer from my Number One Security Man, Bruce Schneier.
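The per-user site image idea from the 01 Jul 2005 post above, sketched as an added example (not code from this blog or from the Dhamija and Tygar paper, whose actual construction is not described here). It assumes the image is derived from an HMAC of the username under a server-side secret; `SERVER_SECRET`, `image_seed`, `grid_from_seed` and `render_svg` are hypothetical names.

```python
import hashlib
import hmac

# Assumption: a long random secret held only by the server (constructed sample value).
SERVER_SECRET = b"constructed-demo-secret-replace-with-random-bytes"


def image_seed(username: str, secret: bytes = SERVER_SECRET) -> bytes:
    """Keyed digest of the username: without the secret, a look-alike site
    cannot compute the image a given user expects to see."""
    normalized = username.strip().lower().encode("utf-8")
    return hmac.new(secret, normalized, hashlib.sha256).digest()


def grid_from_seed(seed: bytes, size: int = 5) -> list:
    """Turn seed bits into a left-right symmetric size x size on/off grid."""
    half = (size + 1) // 2
    grid = []
    for row in range(size):
        left = []
        for col in range(half):
            bit = row * half + col
            left.append(bool((seed[bit // 8] >> (bit % 8)) & 1))
        # Mirror the left part so the pattern is easy to recognise at a glance.
        grid.append(left + left[: size - half][::-1])
    return grid


def render_svg(username: str, cell: int = 20, size: int = 5) -> str:
    """Render the user's abstract image as a standalone SVG string.
    No account lookup happens here: every name yields some image, so the
    login page does not reveal which accounts exist."""
    seed = image_seed(username)
    color = "#" + seed[-3:].hex()  # last three digest bytes pick the fill colour
    rects = []
    for y, row in enumerate(grid_from_seed(seed, size)):
        for x, on in enumerate(row):
            if on:
                rects.append(
                    f'<rect x="{x * cell}" y="{y * cell}" '
                    f'width="{cell}" height="{cell}"/>'
                )
    side = cell * size
    return (
        f'<svg xmlns="http://www.w3.org/2000/svg" width="{side}" '
        f'height="{side}" fill="{color}">' + "".join(rects) + "</svg>"
    )


if __name__ == "__main__":
    print(render_svg("alice"))  # constructed sample username
```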
Copyright 2001 - 2005 by Lathi.net and Doug Alcorn