Security Risks of Street Photography [Update]

We live in really, really sad times. People are being increasingly harassed for taking photos of public buildings, bridges etc. (at least in the US).

There are quite a few interesting comments on Bruce Schneier's blog. Basically, everyone seems to think that such measures are just plain stupid. I tend to agree.

I notice more and more misdirected efforts to "secure" our world. I'll tell you a secret: terrorists most probably won't publicly photograph any targets; they'll do it covertly, using cell phone cameras, miniature cameras, or whatever. Measures such as forbidding photography of public buildings simply annoy tourists, artists, or random people who like photography.

What's next? Forbid email, because terrorists could use it to communicate? Forbid planes, because terrorists could use them to destroy buildings? Forbid snail mail, because terrorists could send letter bombs? Forbid cars, because terrorists could crash them into shopping malls?

Can you spot a pattern here? You can't just forbid perfectly sound and non-malicious activities or technologies to "battle terrorism" — that's just plain stupid. You will piss off a lot of people. And it won't do anything to stop terrorists.

Update: Waaaaah! Now they try to abolish broadband Internet on planes (or at least they want to spy on you) — after all, terrorists could trigger bombs using the Internet. Yeah... I can't believe how fucking stupid some people can be.

The 19 Deadly Sins of Software Security

Michael Howard, David LeBlanc and John Viega have written a book called The 19 Deadly Sins of Software Security, which is to be published soon.

It explains the most important security issues one encounters in the software industry in a Design Patterns-like format. Each software security Sin is structured according to the following sections: Overview, The Sin Explained, Sample Code Defect, Spotting the Defect Pattern, Spotting the Defect during Code Review, Testing the Defect during Test, Example Defects, Redemption Steps, Extra Defensive Measures, Other Resources, Summary.

The 19 chapters, or Sins, each 10-15 pages long:

  1. Buffer Overflows
  2. Format String problems
  3. SQL injection
  4. Command injection
  5. Failure to handle errors
  6. Cross-site scripting
  7. Failing to protect network traffic
  8. Use of "magic" URLs and hidden forms
  9. Improper use of SSL
  10. Use of weak password-based systems
  11. Failing to store and protect data
  12. Information leakage
  13. Improper file access
  14. Integer range errors
  15. Trusting network address information
  16. Signal race conditions
  17. Unauthenticated key exchange
  18. Failing to use cryptographically strong random numbers
  19. Poor usability

(via Dana Epp)

MediaWiki 1.4.6 Fixes Security Issue

I just upgraded my Crazy Hacks wiki to MediaWiki 1.4.6.

The new release fixes a few bugs, but more importantly it fixes a security issue. All users are advised to upgrade.

Hacked by a Fool

Somebody got hacked by a complete fool without any sort of clue. What the attacker (i.e. script kiddie) tried to do (and how he failed) is actually quite funny IMHO.

E.g., after trying

rm -rf bash_history

(notice the missing dot in the filename) he wanted to be really sure and issued


Surely, his tracks are perfectly covered now. Nobody will ever know.

(via EDV - Ende Der Vernunft)

Updated Drupal / Security Issues

As most of you probably noticed, the design and structure of my homepage and my blog changed quite a bit a few days ago.
That was me upgrading to Drupal 4.6.1, which makes my life a lot easier, adds a bunch of new features (e.g. my blog now has tags) and bugfixes, and most importantly fixes a serious security issue.

Two days ago I tried to help a bit with the new Drupal 4.6.2 release, which mainly fixes two major security problems. The first one is an issue with incorrect input validation, resulting in the DRUPAL-SA-2005-002 security advisory. The second one fixes a problem in the XML-RPC library shipped with Drupal (and WordPress, and PostNuke, and...), resulting in DRUPAL-SA-2005-003.
It was quite a fun experience for me: the release was coordinated and discussed on IRC, and we had lots of peer review of the advisories and the release announcement, testing of the patches, etc. Thanks to all who participated and made this such a great experience.
