Archive for December, 2010

New Site

Fri, 17 Dec 2010

The new site for the business that my lovely wife Louise and I have started is now available, with a rough-and-ready layout for the time being.

This blog will be continued at franklinheath.co.uk/blog, with a corresponding RSS feed at franklinheath.co.uk/feed. If you’d like to continue to follow my irregular ponderings, please do subscribe there!

I am intending to continue the Symbian OS Platform Security book wiki there too, but we haven’t got the MediaWiki hosting sorted yet. Please tune in for further announcements 🙂

Thoughts on Trusting Password Managers

Tue, 14 Dec 2010

There has been a lot of buzz about the Gawker Media user account data breach, which came to light last weekend. One aspect of that is a privacy issue (anonymous comments are now no longer anonymous) but the main concern seems to be passwords from Gawker Media sites being used to gain access to accounts on other systems.

First a clarification: it’s not obvious that Gawker Media did anything fundamentally wrong here. The passwords were one-way encrypted, and database breaches can happen to even the most diligent system administrators (software inevitably has flaws, and there are lots of bad guys, some of whom will be able to develop or find out about Zero Day exploits). It doesn’t really matter how good the password encryption was either; once the encrypted passwords are available, off-the-shelf hardware can run through a staggering number of possible passwords to “brute-force” the encryption in seconds.

There are really only two defences, (more…)

Future of this Blog

Tue, 14 Dec 2010

Subscribers to this blog may well already have noticed that various symbian.org web sites will be shutting down on Friday. This blog, secblog.symbian.org, isn’t specifically mentioned; it is hosted at a free provider (actually sfsecurity.wordpress.com) so there’s no particular need for it to be closed, but the domain name may well be redirected along with the rest of the symbian.org subdomains.

Perhaps more to the point: this Friday will be the last working day for most Symbian Foundation staff, including me, so it won’t be appropriate for me to blog in Symbian’s name after that. I am planning to export the existing content from here though, and continue this blog* under another banner. I do want to say a few words about the Gawker Media breach while that’s still fresh, so I’ll do that here, and then update you on the new home for the blog before Friday.

* probably more accurate to say “restart this blog” as my last post was in July 😉