<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:itunes="http://www.itunes.com/dtds/podcast-1.0.dtd" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>ACM Queue - Security</title>
    <link>http://queue.acm.org/listing.cfm?item_topic=Security&amp;qc_type=topics_list&amp;filter=Security&amp;page_title=Security&amp;order=desc</link>
    <description />
    <item>
      <title>Internal Access Controls</title>
      <link>http://queue.acm.org/detail.cfm?id=2697395</link>
      <description>Every day seems to bring news of another dramatic and high-profile security incident, whether it is the discovery of longstanding vulnerabilities in widely used software such as OpenSSL or Bash, or celebrity photographs stolen and publicized. There seems to be an infinite supply of zero-day vulnerabilities and powerful state-sponsored attackers. In the face of such threats, is it even worth trying to protect your systems and data? What can systems security designers and administrators do?</description>
      <category>Security</category>
      <pubDate>Wed, 10 Dec 2014 22:35:01 GMT</pubDate>
      <author>Geetanjali Sampemane</author>
      <guid isPermaLink="false">2697395</guid>
    </item>
    <item>
      <title>Quality Software Costs Money - Heartbleed Was Free</title>
      <link>http://queue.acm.org/detail.cfm?id=2636165</link>
      <description>The world runs on free and open-source software, FOSS for short, and to some degree it has predictably infiltrated just about any software-based product anywhere in the world.</description>
      <category>Security</category>
      <pubDate>Thu, 19 Jun 2014 15:23:37 GMT</pubDate>
      <author>Poul-Henning Kamp</author>
      <guid isPermaLink="false">2636165</guid>
    </item>
    <item>
      <title>Who Must You Trust?</title>
      <link>http://queue.acm.org/detail.cfm?id=2630691</link>
      <description>In his novel The Diamond Age, author Neal Stephenson describes a constructed society (called a phyle) based on extreme trust in one's fellow members. Part of the membership requirements is that, from time to time, each member is called upon to undertake certain tasks to reinforce that trust. For example, a phyle member might be told to go to a particular location at the top of a cliff at a specific time, where he will find bungee cords with ankle harnesses attached. The other ends of the cords trail off into the bushes. At the appointed time he is to fasten the harnesses to his ankles and jump off the cliff. He has to trust that the unseen fellow phyle member who was assigned the job of securing the other end of the bungee to a stout tree actually did his job; otherwise, he will plummet to his death. A third member secretly watches to make sure the first two don't communicate in any way, relying only on trust to keep tragedy at bay. Whom you trust, what you trust them with, and how much you trust them are at the center of the Internet today, as well as every other aspect of your technological life.</description>
      <category>Security</category>
      <pubDate>Fri, 30 May 2014 16:14:17 GMT</pubDate>
      <author>Thomas Wadlow</author>
      <guid isPermaLink="false">2630691</guid>
    </item>
    <item>
      <title>Finding More Than One Worm in the Apple</title>
      <link>http://queue.acm.org/detail.cfm?id=2620662</link>
      <description>In February Apple revealed and fixed an SSL (Secure Sockets Layer) vulnerability that had gone undiscovered since the release of iOS 6.0 in September 2012. It left users vulnerable to man-in-the-middle attacks thanks to a short circuit in the SSL/TLS (Transport Layer Security) handshake algorithm introduced by the duplication of a goto statement. Since the discovery of this very serious bug, many people have written about potential causes. A close inspection of the code, however, reveals not only how a unit test could have been written to catch the bug, but also how to refactor the existing code to make the algorithm testable - as well as more clues to the nature of the error and the environment that produced it.</description>
      <category>Security</category>
      <pubDate>Mon, 12 May 2014 19:11:40 GMT</pubDate>
      <author>Mike Bland</author>
      <guid isPermaLink="false">2620662</guid>
    </item>
    <item>
      <title>The NSA and Snowden: Securing the All-Seeing Eye</title>
      <link>http://queue.acm.org/detail.cfm?id=2612261</link>
      <description>Edward Snowden, while an NSA (National Security Agency) contractor at Booz Allen Hamilton in Hawaii, copied up to 1.7 million top-secret and above documents, smuggling copies on a thumb drive out of the secure facility in which he worked, and later released many to the press. This has altered the relationship of the U.S. government with the American people, as well as with other countries. This article examines the computer security aspects of how the NSA could have prevented this, perhaps the most damaging breach of secrets in U.S. history. The accompanying sidebar looks at the Constitutional, legal, and moral issues.</description>
      <category>Security</category>
      <pubDate>Mon, 28 Apr 2014 12:47:59 GMT</pubDate>
      <author>Bob Toxen</author>
      <guid isPermaLink="false">2612261</guid>
    </item>
    <item>
      <title>Please Put OpenSSL Out of Its Misery</title>
      <link>http://queue.acm.org/detail.cfm?id=2602816</link>
      <description>The OpenSSL software package is around 300,000 lines of code, which means there are probably around 299 bugs still there, now that the Heartbleed bug, which allowed pretty much anybody to retrieve internal state to which they should normally not have access, has been fixed.</description>
      <category>Security</category>
      <pubDate>Sat, 12 Apr 2014 12:22:16 GMT</pubDate>
      <author>Poul-Henning Kamp</author>
      <guid isPermaLink="false">2602816</guid>
    </item>
    <item>
      <title>Rate-limiting State</title>
      <link>http://queue.acm.org/detail.cfm?id=2578510</link>
      <description>By design, the Internet core is dumb, and the edge is smart. This design decision has enabled the Internet's wildcat growth, since without complexity the core can grow at the speed of demand. On the downside, the decision to put all smartness at the edge means we're at the mercy of scale when it comes to the quality of the Internet's aggregate traffic load. Not all device and software builders have the skills and the quality assurance budgets that something the size of the Internet deserves. Furthermore, the resiliency of the Internet means that a device or program that gets something importantly wrong about Internet communication stands a pretty good chance of working "well enough" in spite of this.</description>
      <category>Security</category>
      <pubDate>Tue, 04 Feb 2014 16:51:39 GMT</pubDate>
      <author>Paul Vixie</author>
      <guid isPermaLink="false">2578510</guid>
    </item>
    <item>
      <title>Resolved: the Internet Is No Place for Critical Infrastructure</title>
      <link>http://queue.acm.org/detail.cfm?id=2479677</link>
      <description>What is critical? To what degree is critical defined as a matter of principle, and to what degree is it defined operationally? I am distinguishing what we say from what we do.</description>
      <category>Security</category>
      <pubDate>Fri, 26 Apr 2013 20:43:59 GMT</pubDate>
      <author>Dan Geer</author>
      <guid isPermaLink="false">2479677</guid>
    </item>
    <item>
      <title>A Decade of OS Access-control Extensibility</title>
      <link>http://queue.acm.org/detail.cfm?id=2430732</link>
      <description>To discuss operating system security is to marvel at the diversity of deployed access-control models: Unix and Windows NT multiuser security; Type Enforcement in SELinux; anti-malware products; app sandboxing in Apple OS X, Apple iOS, and Google Android; and application-facing systems such as Capsicum in FreeBSD. This diversity is the result of a stunning transition from the narrow 1990s Unix and NT status quo to 'security localization' - the adaptation of operating-system security models to site-local or product-specific requirements.</description>
      <category>Security</category>
      <pubDate>Fri, 18 Jan 2013 19:13:20 GMT</pubDate>
      <author>Robert N. M. Watson</author>
      <guid isPermaLink="false">2430732</guid>
    </item>
    <item>
      <title>Rethinking Passwords</title>
      <link>http://queue.acm.org/detail.cfm?id=2422416</link>
      <description>There is an authentication plague upon the land. We have to claim and assert our identity repeatedly to a host of authentication trolls, each jealously guarding an Internet service of some sort. Each troll has specific rules for passwords, and the rules vary widely and incomprehensibly.</description>
      <category>Security</category>
      <pubDate>Mon, 31 Dec 2012 01:25:08 GMT</pubDate>
      <author>William Cheswick</author>
      <guid isPermaLink="false">2422416</guid>
    </item>
  </channel>
</rss>