|
|
download here
Fri Jan 08 01:40:31 HKT 2010 From /weblog/security referenceReview and summary of "19 Deadly Sins of Software Security" - http://www.codinghorror.com/blog/archives/000841.html Dumb idea of security and recommend fix - http://www.ranum.com/security/computer_security/editorials/dumb/ ... interesting to read but not much real impact Top 25 coding issue about security - http://www.sans.org/top25errors/ http://java.sun.com/security/seccodeguide.html (google search) (amazon search) Wed Jun 17 01:55:55 HKT 2009 From /weblog/security TLSA list of diagrams to show how TLS work Understanding TLS protocol -- handshaking kickoff - http://blogs.sun.com/xuelei/entry/understanding_tls_protocol_1 Understanding TLS protocol -- connection states - http://blogs.sun.com[..]rstanding_tls_protocol_connection_states Understanding TLS protocol -- handshaking renew - http://blogs.sun.com[..]rstanding_tls_protocol_handshaking_renew Understanding TLS protocol -- handshaking resume - http://blogs.sun.com[..]standing_tls_protocol_handshaking_resume Another reading, about the handshaking for HTTP protocol - http://www.moserware.com[..]/06/first-few-milliseconds-of-https.html (google search) (amazon search) Mon Sep 01 23:57:32 HKT 2008 From /weblog/security crackMore on BGP Attacks - http://blog.wired.com/27bstroke6/2008/08/how-to-intercep.html Discussion of crack protection - http://discuss.joelonsoftware.com/default.asp?design.4.579670 http://www.focusoncode.com/exe-packers-crypters-and-compressors/ , introduce tools - http://www.pelock.com/ Ten Immutable Laws of Security Law #1: If a bad guy can persuade you to run his program on your computer, it's not your computer anymore Law #2: If a bad guy can alter the operating system on your computer, it's not your computer anymore Law #3: If a bad guy has unrestricted physical access to your computer, it's not your computer anymore Law #4: If you allow a bad guy to upload programs to your website, it's not your website any more Law #5: Weak passwords trump strong security Law #6: A computer is only as secure as the administrator is trustworthy Law #7: Encrypted data is only as secure as the decryption key Law #8: An out of date virus scanner is only marginally better than no virus scanner at all Law #9: Absolute anonymity isn't practical, in real life or on the Web Law #10: Technology is not a panacea http://www.microsoft.com[..]s/security/essays/10imlaws.mspx?mfr=true (google search) (amazon search) Sun Jun 01 23:59:36 HKT 2008 From /weblog/security passwordPassword is only worked for one time - http://www.mobileread.com/forums/showthread.php?threadid=6462 crack captcha - http://sam.zoy.org/pwntcha/ Java password mask - http://java.sun.com[..]er/technicalArticles/Security/pwordmask/ OpenID resource - http://openid.net/ http://www.arachna.com[..]ge/spidaman/20070225#the_openid_snowball http://developers.sun.com/identity/ http://www.theserverside.com[..]_id=46569&asrc=EM_NLN_2030603&uid=703565 OpenID explain - http://ravichodavarapu.blogspot.com/2007/06/what-is-openid.html A technique that crack winxp password at 3 min - http://www.infoq.com/news/2007/09/rainbowtables Using image as password - http://dsc.discovery.com/news/briefs/20060306/password_tec.html The other interesting idea, Evolving Password - http://www.docuverse.com[..]uid=79730e53-1d30-47ae-98e8-abb55201429b Passphrase Evangelism - http://www.codinghorror.com/blog/archives/000360.html Rainbow Hash Cracking - http://www.codinghorror.com/blog/archives/000949.html (google search) (amazon search) Thu Dec 06 23:33:35 HKT 2007 From /weblog/security wifiTJX lost customer data due to haven't update wifi code - http://www.google.com[..].com/article/07/01/17/HNtjxbreach_1.html (google search) (amazon search) Wed Nov 28 13:35:27 HKT 2007 From /weblog/security config fileEncrypting configuration, probably a good idea - http://www.jasypt.org/encrypting-configuration.html (google search) (amazon search) Tue Jun 20 14:44:56 HKT 2006 From /weblog/security losting notebookCases like that happen again and again and again... We really need to educate user about security: http://www.dailytech.com/article.aspx?newsid=2914 (google search) (amazon search) Sun May 07 19:57:54 HKT 2006 From /weblog/security HK police information leakageLook like most Government don't handle data security well. Recently HK police information leakage case is one of great example: http://www.thestandard.com.hk[..]35&sid=7287851&con_type=1&d_str=20060330 http://www.google.com[..]ge+case&sourceid=opera&ie=utf-8&oe=utf-8 However, this is not only HK problem some other countries facing similar problem also: http://thedailywtf.com/forums/65974/ShowPost.aspx http://thedailywtf.com/forums/71199/ShowPost.aspx For HK case, look like it just some idiots in Government given out real data for testing, of course the IT service provider should also check the data and keep the data secure even for test data. But for later case, it is more trick, it turn out Googlebot is too clear to bypass the security trick which call GET HTTP command to delete link everyday. Remember, all client side security is not safe. (google search) (amazon search) Wed Apr 05 15:46:05 HKT 2006 From /weblog/security Test security via HTTP header manipulation toolAn article show how to test various security bug of website using HTTP header manipulation tool. However, look like using a HTTP client is more easy and scriptable? http://www.onlamp.com/lpt/a/6268 (google search) (amazon search) |