Security/Privacy

JavaScript Password Strength Meter

What makes a strong password? This quick-and-dirty password strength meter is meant to help users learn how to create stronger passwords. Because it's written in JavaScript, the password is never sent over the network. Feel free to audit the code and recommend better regular expressions, weightings, or bug fixes by submitting a comment.

NOTE: This was meant as a quick-and-dirty educational tool. It served my purposes many years ago. If you want to make it better, please submit a comment with a patch or some type of improvement. Other than that, I'm going to ignore comments like, "I put in XYZ password and it said it was weak, strong, whatever."
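As an added illustration of the kind of meter the post describes (this is not the post's own code), the block below scores a password entirely client-side from a handful of character-class regular expressions, a length term, and penalties for repeated characters, keyboard-style sequences and a small list of common passwords. The regular expressions, point weightings, label thresholds, common-password list and the element ids in the browser hookup are all assumptions chosen for illustration.

```javascript
// Added example (not the code from the original post): a small password
// strength scorer of the kind the post describes. The regular expressions,
// point weightings, thresholds and the short list of common passwords are
// assumptions chosen for illustration, not the post's own values.

// Character-class checks, each worth a fixed number of points when present.
const CLASS_CHECKS = [
  { name: 'lowercase', re: /[a-z]/, points: 10 },
  { name: 'uppercase', re: /[A-Z]/, points: 10 },
  { name: 'digit',     re: /[0-9]/, points: 10 },
  { name: 'symbol',    re: /[^A-Za-z0-9]/, points: 15 },
];

// Penalties for patterns that make a password easy to guess.
const REPEAT_RE = /(.)\1{2,}/;   // three or more of the same character in a row
const REPEAT_PENALTY = 15;
const SEQUENCE_PENALTY = 15;
const COMMON_PENALTY = 30;
const COMMON_PASSWORDS = ['password', '123456', 'qwerty', 'letmein']; // constructed sample list

// True when the password contains a run of at least minLen characters whose
// codes step by exactly +1 or -1 (e.g. "1234", "abcd", "zyxw").
function hasSequence(pw, minLen = 4) {
  for (const step of [1, -1]) {
    let run = 1;
    for (let i = 1; i < pw.length; i++) {
      if (pw.charCodeAt(i) - pw.charCodeAt(i - 1) === step) {
        run++;
        if (run >= minLen) return true;
      } else {
        run = 1;
      }
    }
  }
  return false;
}

// Map a 0..100 score to the label shown to the user.
function labelFor(score) {
  if (score < 30) return 'weak';
  if (score < 60) return 'fair';
  if (score < 80) return 'good';
  return 'strong';
}

// Score a password on a 0..100 scale and report which checks fired.
function scorePassword(pw) {
  let score = Math.min(pw.length, 20) * 4; // length: 4 points per character, capped at 20 chars
  const checks = [];
  for (const c of CLASS_CHECKS) {
    if (c.re.test(pw)) { score += c.points; checks.push(c.name); }
  }
  if (checks.length >= 3) score += 10; // bonus for mixing three or more character classes
  if (REPEAT_RE.test(pw)) { score -= REPEAT_PENALTY; checks.push('repeat'); }
  if (hasSequence(pw)) { score -= SEQUENCE_PENALTY; checks.push('sequence'); }
  if (COMMON_PASSWORDS.includes(pw.toLowerCase())) { score -= COMMON_PENALTY; checks.push('common'); }
  score = Math.max(0, Math.min(100, score));
  return { score, label: labelFor(score), checks };
}

// Browser hookup (skipped under Node): update a meter as the user types. The
// element ids are assumptions; the password never leaves the page.
if (typeof document !== 'undefined') {
  const input = document.getElementById('pw');
  const meter = document.getElementById('pw-meter');
  if (input && meter) {
    input.addEventListener('input', () => {
      const r = scorePassword(input.value);
      meter.textContent = `${r.label} (${r.score})`;
    });
  }
}
```

Because the score is computed from a fixed set of regexes and weights, a dictionary word with a few substitutions can still score highly; the common-password list is the only thing that catches words directly, which is exactly the limitation the post's request for better regexes and weightings is about.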

God, Establishing Identity and Authentication

I've been doing a lot of thinking about identity establishment and authentication in the last few years. Today I was reading Exodus--the story of Moses and the burning bush--when I realized that it served as a good example of the issues and provides a number of techniques for dealing with them.

Establishing Identity:

In Exodus God establishes His identity with Moses by appearing to him in a burning bush. God gives Moses a charge to free the Hebrews from Egypt in His name. When Moses asks how he should establish God's identity when he returns to the Hebrews God says, in Exodus 3:13-16, "Say to the Israelites, 'The LORD, the God of your fathers—the God of Abraham, the God of Isaac and the God of Jacob—has sent me to you.' This is my name forever, the name by which I am to be remembered from generation to generation."

God uses a web of trust (three people) to assert His identity to the Hebrews. The Hebrews trust their forefathers--Abraham, Isaac, and Jacob--and they know that all three worshiped the same God. In this instance Moses is to go to them and say that that same God has sent him.

The Six Dumbest Ideas In Computer Security

We've all been there; some of us actually realized it at the time. Sadly, others didn't. I'm speaking of the decisions we make every time we touch, or think about touching, a computer. Did you ever stop to think that maybe, just maybe, the decision you're about to make might be dumb? Go read The Six Dumbest Ideas In Computer Security. What do you think now? Are you a turd polisher?

AOL techie jailed for selling email database to spammers

AOL techie jailed for selling email database to spammers: it just goes to show that all the encryption, security policies, and peer-reviewed code in the world won't help you if your people can be bought.

Hide your wireless network in plain sight

Imagine that wardrivers are casing your neighborhood. You've suppressed your SSID, you have WEP enabled and you've placed your wireless access point in a DMZ. You limit access to your wireless network by MAC address, block almost all traffic from the DMZ and require all your wireless clients to log into the real network via VPN in order to do anything. Sounds pretty good so far. The fact is that a hacker parked in your neighbor's driveway can still cause problems. How about making his life a little more difficult? What if, when he turns on NetStumbler, he sees 53,000 access points? Where would he start to look for yours? Enter Black Alchemy's Fake AP. FakeAP makes your Linux or *BSD machine look like thousands of wireless access points by broadcasting thousands of counterfeit beacon frames. This alone won't solve your wireless security issues, but combined with the ideas mentioned above it might serve to confuse any miscreants looking to cause trouble. At least you won't be a soft target.

Does MasterCard's SecureCode Protect Cardholders or Merchants?

The basic idea behind MasterCard's SecureCode program is that a cardholder can attach a personal message and a password (the SecureCode) to their credit card. When the cardholder attempts to make a purchase using the card at a merchant that supports SecureCode the payment processor--not the merchant--presents their personal message and asks them to enter their SecureCode. After authenticating the SecureCode the payment processor completes the transaction and the cardholder goes on their merry way. If authentication fails the charge is declined and the transaction is cancelled. Bottom line, SecureCode is a way for the card processor to authenticate the cardholder.

Encrypted RSS

Here's an interesting idea for encrypting RSS and then decrypting it in your browser (Firefox). Have a look at Joe Gregorio's article: Secure RSS Syndication