Security

DVD Rot: DVD Longevity and Reliability

What is going on with DVDs? The industry states that discs should last 50 to 100 years, but on-line reports claim significant problems with both pressed and recordable discs. Can movie discs wear out and fail from "DVD rot?" Is recordable DVD a trustworthy archival media, or is there evidence that discs can wear out from extended play? And what is the situation with the compatibility of recordable media? Is there a way to guarantee reasonable compatibility, some magic combination of formats and brands, software and burners, content and players?

Understanding LDAP: Design and Implementation

The implementation and exploitation of centralized, corporate-wide directories are among the top priority projects in most organizations. The need for a centralized directory emerges as organizations realize the overhead and cost involved in managing the many distributed micro and macro directories introduced in the past decade with decentralized client/server applications and network operating systems. This IBM Redbook will help you create a foundation of LDAP skills, as well as install and configure the IBM Directory Server. It is targeted at security architects and specialists who need to know the concepts and the detailed instructions for a successful LDAP implementation.

Securing Information Assets

In today’s competitive environment, organizations succeed or fail based on how well they manage information. To address this reality, organizations spend millions, if not billions, on securing their information advantages. New information technologies and methodologies are adopted, while old ones are dismantled or upgraded. To win, the information manager must constantly seek to outperform his or her competition. In this article the author asks how he or she does it? Perhaps by acquiring the best new technologies, hiring the most intelligent information professionals, and continuously keeping a watchful eye on the future. But, he asks, does having the best information, the best information systems, and the best information professionals, really pay off? Is there victory in sight? Or, is this just a continuous game with no clear winners?

Stop Password Masking

Usability suffers when users type in passwords and the only feedback they get is a row of bullets. Typically, masking passwords doesn't even increase security, but it does cost you business due to login failures.

パスワードを隠すのをやめよう

ユーザがパスワードを打ち込んでも、黒い点の列でしかフィードバックが返ってこないとき、ユーザビリティは損なわれている。パスワードを隠したからといって、セキュリティは強化されないことが多く、逆に、ログインの失敗によって、あなたのビジネスに悪影響を及ぼす。

A Large-Scale Study of Web Password Habits

We report the results of a large scale study of password use and password re-use habits. The study involved half a million users over a three month period. A client component on users’ machines recorded a variety of password strength, usage and frequency metrics. This allows us to measure or estimate such quantities as the average number of passwords and average number of accounts each user has, how many passwords she types per day, how often passwords are shared among sites, and how often they are forgotten. We get extremely detailed data on password strength, the types and lengths of passwords chosen, and how they vary by site. The data is the ﬁrst large scale study of its kind, and yields numerous other insights into the role the passwords play in users’ online experience.

CAPTCHAs, CAPTCHAs Everywhere

My business and passion is accessibility and there is obviously a huge problem with these visual CAPTCHAs. If you used alt-text on this image, alt="e3TJ6Jdp", that would be fine and very welcome for blind visitors. It would also be welcome for any computer system seeking to sign up for lots of emails. Using alt-text on the image does not solve the problem! The visual image CAPTCHA is fundamentally inaccessible. For the example above, this means very simply that Yahoo excludes people who are blind (or vision impaired) from signing up for Yahoo email accounts.

Evaluating Existing Audio CAPTCHAs and an Interface Optimized for Non-Visual Use

Audio CAPTCHAs were introduced as an accessible alternative for those unable to use the more common visual CAPTCHAs, but anecdotal accounts have suggested that they may be more difficult to solve. This paper demonstrates in a large study of more than 150 participants that existing audio CAPTCHAs are clearly more difficult and time-consuming to complete as compared to visual CAPTCHAs for both blind and sighted users. In order to address this concern, we developed and evaluated a new interface for solving CAPTCHAs optimized for non-visual use that can be added in-place to existing audio CAPTCHAs. In a subsequent study, the optimized interface increased the success rate of blind participants by 59% on audio CAPTCHAs, illustrating a broadly applicable principle of accessible design: the most usable audio interfaces are often not direct translations of existing visual interfaces.

Unicode Consortium Technical Report on Unicode Security Considerations

Unicode Technical Report #36 on Unicode Security Considerations "describes some of the security considerations that programmers, system analysts, standards developers, and users should take into account [when using the Unicode Standard], and provides specific recommendations to reduce the risk of problems."

Interview with Stefan Esser

I think the WordPress software is the best blogging software around from an end user’s perspective. Its GUI is full of eye-candy and features that are not present in other blog software. But wearing my security hat, I see past this eye-candy onto the code and see several bad design decisions.

Securing XML - Case Studies from the Financial Services Industry

XML is becoming the de facto business document interchange language for the Internet. Technologies such as SOAP and EBXML have been developed within the XML framework. Digital security standards and techniques are now being applied to XML, and to 'business webs' built using XML and Web Services. This presentation discusses these initiatives and the issues being encountered when applying security principles of confidentiality and non-repudiation to XML. Drawing on practical experience in Vordel projects, this presentation looks at how Web Services can be applied in the Financial Services industry to provide for improved secure partner and customer integration for the delivery of products and services.

Enhanced Interoperability for Security of XML Web Services

Enterprises are adopting Web Services to ease application integration across heterogeneous environments within and across security domain boundaries. Security is an important element for the adoption of Web Services. The Organization for the Advancement of Structured Information Standards (OASIS) has recently ratified the Web Services Security standards (Web Services Security: SOAP Message Security 1.0 (WS-Security 2004 ), Web Services Security: UsernameToken Profile 1.0 , and Web Services Security: X.509 Certificate Token Profile ) to provide an extensible framework for providing message integrity, confidentiality, identity propagation, and authentication. The Web Services Interoperability Organization (WS-I) is profiling standards to provide guidelines for implementation and use of relevant standards to enhance interoperability. This paper describes the activities of the WS-I Basic Security Profile (BSP) Working Group (WG). This Working Group is chartered to improve interoperability of security technologies for Web Services by profiling the OASIS Web Service Security and HTTP Over TLS standards. This interoperability profile (known as the Basic Security Profile 1.0) is an extension of the WS-I Basic Profile . The WS-I Basic Profile addresses interoperability for implementations of core Web Services standards.

The RIAA Succeeds Where the Cypherpunks Failed

The RIAA is succeeding where the Cypherpunks failed, convincing users to trade a broad but penetrable privacy for unbreakable anonymity under their personal control. In contrast to the Cypherpunks "eat your peas" approach, touting encryption as a first-order service users should work to embrace, encryption is now becoming a background feature of collaborative workspaces. Because encryption is becoming something that must run in the background, there is now an incentive to make its adoption as easy and transparent to the user as possible. It's too early to say how widely casual encryption use will spread, but it isn't too early to see that the shift is both profound and irreversible.

Encrypting Documents

How you can be like a super secret CIA agent and encrypt documents using Word 2007.

Captcha Usability Revisited: Google Inaccessible to Blind People

An online petition is being circulated to all Internet users for the purpose of collecting signatures showing support for Google to make its word verification scheme accessible to the blind and visually impaired.

The History of Attachment Security in Outlook, Part 1

A partial history of why Outlook has so, so many viruses communicated using it, and how people at Microsoft thought to try and stop it. A study of why minor patches can't repair major architecture issues.

Configuring Information Rights Management for Messaging in Outlook 2003

Information Rights Management (IRM), a new feature in Microsoft® Office 2003, can help prevent sensitive information from being distributed to or read by people who do not have permission to access the content. In Microsoft Office Outlook® 2003, users can create and send e-mail messages with restricted permission to help prevent messages from being forwarded, printed, or copied and pasted. Microsoft Office 2003 documents, workbooks, and presentations that are attached to messages with restricted permission are automatically restricted as well.

Seven Habits for Writing Secure PHP Applications

Security in a PHP application includes remote and local security concerns. Discover the habits PHP developers should get into to implement Web applications that have both characteristics.

Malware: Whether on the Desktop or the Web, It’s a Perception Thing

In this column, I’ll explore the user experience of malicious software, or malware. My position is that, like many qualitative attributes, malware is in the eye of the beholder. And, I’ll suggest a method that product or service developers can use to assess the risk that their users, the media, or the market at large might perceive their offerings as malware.

How They Hack Your Website: Overview of Common Techniques

We hear the same terms bandied about whenever a popular site gets hacked. You know… SQL Injection, cross site scripting, that kind of thing. But what do these things mean? Is hacking really as inaccessible as many of us imagine; a nefarious, impossibly technical twilight world forever beyond our ken? Not really.

Hidden Information for All to See

Just what kind of information about yourself and your company are you releasing for all the world to see? Shouldn't you know? Although it takes special forensic tools to access most hidden information in computers, some of it is in plain view without using tools to see it. This article is about one of the “plain view” instances: Information that Microsoft Word saves about you, your company, and the topic you are writing about – all of which anyone can see after accessing and opening your document.

The Security Dilemma: Balancing Robustness and Usability

Heisenberg's uncertainty principle says the more you try to know about a particle's position, the less you can know about its momentum. A similar dilemma affects IT security. It seems the more features you load into a product, the less usable it can be.

Web Security Isn't Scary!

Security is the lifeblood of any web application and every online business. No matter how hard you work designing a great site, creating high-end content, building a lively traffic stream, and improving every aspect of your online business, it can easily be stolen away if you aren’t protected. Protecting your web presence seems like a daunting task, but there are simple solutions that any webmaster can do to increase security of their applications.

httplib2: HTTP Persistence and Authentication

In this latest Restful Web column, Joe Gregorio explains HTTP persistent connections, pipelining, and the sad state of HTTP authentication.

Workplace Surveillance and Managing Privacy Boundaries

According to communication privacy management (CPM) theory, people manage the boundaries around information that they seek to keep private. How does this theory apply when employees are monitored electronically? Using data from 154 face-to-face interviews with employees from a range of organizations, the authors identified various ways organizations, employees, and coworkers describe electronic surveillance and the privacy expectations, boundaries, and turbulence that arise. Privacy boundaries are established during new-employee orientation when surveillance is described as coercive control, as benefiting the company, and/or as benefiting employees. Correlations exist between the surveillance-related socialization messages interviewees remember receiving and their attitudes. Although little boundary turbulence appeared, employees articulated boundaries that companies should not cross. The authors conclude that CPM theory suppositions need modification to fit the conditions of electronic surveillance.

How Safe is the Data on Your Hard Disk?

As a technical writer with above average organizational skill, you likely already keep your files in nice little subdirectories in logical little groups -- User's Guide illustrations here, research notes there, stuff for the service manual over yonder. But what if, in an instant, your files were all taken out of their subdirectories and put in one big directory? Could you distinguish one file from the other without opening them up? You can only assume that files with identical names disappeared.

Good Times, Bad Times

The first 'macro viruses' attached to Microsoft Word documents emerged within weeks after Office 97 was released, and sounded the warning that a new era was upon us.

The Inaccessibility of CAPTCHA: Alternatives to Visual Turing Tests on the Web

A common method of limiting access to services made available over the Web is visual verification of a bitmapped image. This presents a major problem to users who are blind, have low vision, or have a learning disability such as dyslexia. This document examines a number of potential solutions that allow systems to test for human users while preserving access by users with disabilities.

Minimal-Feedback Hints for Remembering Passwords

Passwords are a widely used mechanism for user authentication and are thus critical to the security of many systems. Strong passwords (e.g., b5j#Kv!8N) are less vulnerable to attack but at the same time more difficult to remember. Minimal-feedback hints are introduced to support users in remembering their passwords and thereby enabling them to choose stronger passwords.

iScribe - Information Security Documentation

A blog on documentation requirements of the InfoSec domain, security implications of documentation technologies, tools and practices, and the information security perspective on information standards with occassional blurbs of the writer's views and lessons in technical communication.

Community Creators, Secure Your Code! Part II

In part one of this two-part series, we discussed the threat of cross-site scripting in general terms and introduced a number of important security concepts. In part two, we’ll take a more in-depth, hands-on approach: How does an attacker actually exploit the weaknesses found? How can you protect yourself? For reasons of length, we’ll limit our discussion to two specific, representative examples.

Community Creators, Secure Your Code!

Don’t be like MySpace. Protect your community site from malicious cross-site scripting attacks.

Password Security: What Users Know and What They Actually Do

This study investigated the common password generation practices of online users. Three hundred and fifteen undergraduate and graduate students completed a survey querying (1) the types and number of different password protected accounts maintained; (2) actual practices used in generating, storing and using passwords; (3) practices believed they should use in generating and storing passwords; and (4) general demographic information. Results indicate that, in general, users do not vary the complexity of passwords depending on the nature of the site (bank account vs. instant messenger) or change their passwords on any regular basis if it is not required by the site. Users report using lower case letters, numbers or digits, personally meaningful numbers and personally meaningful words when creating passwords, despite the fact that they realize that these methods may not be the most secure.

"Backing Up" Doesn't Mean Retreating

Recently, several friends and colleagues have lost important files as a result of viruses, power failures, computer crashes, and miscellaneous other disasters that accompany working with computers. Each person could have minimized the consequences if they had developed and rigorously followed a simple backup strategy for their data. The fact that this happened to experienced computer users in each case leads me to believe that data loss is symptomatic of a broader problem: As technical communicators, our tight focus on documenting how to use a product sometimes makes us forget to document the consequences of using the product.

Mask Your Web Server for Enhanced Security

Masking or anonymizing a Web server involves removing identifying details that intruders could use to detect your OS and Web server vendor and version.

Password Encryption: Rationale and Java Example

Most of the web sites today have some sort of a registration module where a user is asked to choose a username/password combination. This data gets stored in the database. You might wonder if the password you provide will be kept well-protected (read encrypted). In case you are the person designing such backend registration component, why not give your users peace of mind by encrypting their passwords?

PHP Login System with Admin Features

I have written and am presenting here a complete Login System that can be easily integrated into any website.

The New Digital Divide

Five years ago, having access to the Internet and a healthy computer required quite a low level of knowledge. Now, you need a veritable technology armory to stand any hope of staying safe.

Smarter Image Hotlinking Prevention

Tthe usual approaches for preventing hotlinking (hijacking) images have a couple of side effects. This system works much better.

Securing a MySQL Server on Windows

Windows servers can be difficulty to keep secure. The intent of this article is to list the steps that an administrator can take to properly secure a MySQL installation on Windows. While the procedures listed are written for Windows users, the principles contained herein will be of benefit to users of Linux and Unix as well.

Dangers of Personal Blogging

Bloggers who recklessly gush all types of personal details in their blogs may regret it. Stalkers, child predators, identity theft criminals, fanatics, and others are seeking photos and names of children, home addresses, home phone numbers, etc. Learn about the Dark Side of blogging and be smart.

Hard Passwords Made Easy

In this article, I’ll discuss how to create a strong password, and how to keep track of all your strong passwords, if you have a definite need to keep more than a couple. Don't bother creating and remembering strong passwords for low value systems, and certainly don’t use the same passwords for low value systems that you use in high value systems.

User Education Is Not the Answer to Security Problems

Internet scams cannot be thwarted by placing the burden on users to defend themselves at all times. Beleaguered users need protection, and the technology must change to provide this.

An Introduction to Cookies

Put simply, cookies are 'caller ID for the 'Net.' They store small pieces of text in your browser and can only be retrieved by the site that stored them in the first place. Although many sites use cookies only for user identification, others developing CD or standalone help and courseware recognize the cookie's ability to imitate server behavior by generating dynamic HTML content.

Technical Communication and Encryption: Adding Value to the Technical Communicator's Job

Working on a global scale might give you the opportunity to add value to your technical communicator's job. In particular, when dealing with encryption on the Internet, you should be aware of restrictions which might have an impact on your documentation.

Encryption Tutorial

Dishes up the why and how of real-life data encryption, covering PGP and GnuPG, and using PHP and the mcrypt and mhash libraries.

Introduction to Web Security

Computer security is a give and take situation. You can never be safe so long as you offer services. However, without offering services you may as well not have the computer in the first place. Thus, security becomes more about acceptable risk and emergency recovery than impregnability. It is your job to make sure that the cons of a break have far less impact than the pros of having a web site.

Datensicherung und Archivierung

Many computer users ignore the risk of data loss - until it is th late: Imporant Data have vanished. Who then desperately seeks advice in any of my mailing lists might get my try answer: "Simply restore from your last backup." OK, I do confess: This might contribute to a nervous break down. So better be prepared!

Your Next Assignment: Computer Security Policy

The recent rash of high-profile computer viruses and attacks has further exposed troubling weaknesses in computer security. The media and even some computer security experts would have us believe that hackers are the primary culprits against whom individuals and organizations must protect themselves. This article provides guidance for technical communicators tasked with planning, creating, and implementing computer security policy for their organizations.

Alienation

A hypothetical example to help technical communicators think through ethical issues in the workplace (before they occur in real life).

Responses to "Alienation"

In the April 2003 issue, Intercom printed a hypothetical dilemma by John G. Bryan entitled 'Alienation.' A summary of this story appears in the box on this page; reader responses appear below. The responses do not reflect the views of STC's ethics committee and may have been edited for length.

Password Usability

Poor password usability can ruin your web registration process. While passwords are a painful fact of life, there are ways to minimize the problems that users face. This article contains suggestions on how to best collect passwords during the registration process, and it will help you determine if you should allow users to save their passwords.

Scalable Exploitation of, and Responses to Information Leakage Through Hidden Data in Published Documents

In considering the leakage of information through hidden text mechanisms in commonly used information interchange formats we demonstrate how to automate and scale the search for hidden data in Word documents. The combination of this scaling with typical behaviour patterns of Word users and the default settings of the Word program leads to an uncomfortable state of affairs for Word users concerned about information security. We discuss some countermeasures employable by users and note more general consequences of these effects.

Public Key Infrastructure Digital Signatures and Systematic Risk

The last few years have seen very considerable developments in the networks and technologies of electronic commerce, matched by the promotional and regulatory initiatives of international and national government towards electronic commerce. Of particular note have been the technological and regulatory developments in relation to public key cryptography and digital signatures. These regulatory developments arguably represent a promotion of an emerging Public Key Infrastructure as an international open network infrastructure for digital signature authorisation in electronic commerce. However, over the same period concerns have been growing in other international open network infrastructures, such as banking and finance, that such strongly inter-connected and inter-dependent infrastructures may be subject to systematic risk. Indeed, it appears that vulnerability to systematic risk is a characteristic of any complex open network. Therefore, the question can be posed whether the emerging Public Key Infrastructure is also vulnerable to systematic risk.

Encryption Basics Decrypted

Most people sending e-mail nowadays take no steps to prevent their messages from being intercepted. That's fine for many types of messages, but just as there are written messages that you wouldn't want to put on a postcard and would prefer to have protected by an envelope, there's a need for encryption in electronic communication. Besides, encryption can do more than keep things secret. The concepts on which encryption is based can be difficult, and most of the complication is handled behind the scenes by software. Nevertheless, it's useful to have a general understanding of how encryption works. Encryption software (often part of a Web browser or server, e-mail client, or other program) is built around the use of a special number, called a key, to convert information into a form that can be read only by someone who has the key needed to decrypt it.

Untangling the Web: Hoaxes, Scams, and Rumors

If you've had an e-mail address for long, you've probably received a message (forwarded through a long chain of people) warning you about some dangerous computer virus that can infect your computer through e-mail. Some warnings even say that the virus will physically damage your hard drive or monitor. But they aren't true.

Yours Authentically...

As electronic documents gain ascendancy, the authenticity of the author and the integrity of e-mail documents, which most of us usually take for granted, may become major stumbling blocks for ecommerce, e-learning, online training, and technical communication in the future. How can we be certain of the authenticity of electronic documents? While this problem exists equally for paper-based documents, given sophisticated scanners, software, and color printers, electronic documents are especially prone to tampering, mismanagement, and outright fraud.

Asking for Usernames and Passwords on the Web

The Web has moved beyond purely open content available to all. We now want to use it to collect and provide information that we want to restrict in some way – to members, or to staff, or because it is sensitive or personal data. One common method of restricting access is to ask users to enter username and password. Even this simple combination can be a source of annoyance and frustration to users but it does not have to be. This paper compares options for setting up and maintaining usernames and passwords, and also shows how to design a screen so that users are guided easily to the correct choices.

Viruses and the Desktop Publisher

Viruses are of particular interest to the desktop publisher because we frequently exchange disks with clients, open other people's Word files to edit them, and receive unsolicited files via email — all examples of 'at risk' behavior. Everyone should practice 'safe computing' and Windows users especially should make certain their anti-virus software is kept up to date. A list of vendors and informational sites can be found in the sidebar on the right.

Protecting Yourself Against Viruses and Hackers

Discusses how business owners can protect themselves from computer viruses and hackers. The article includes a sidebar listing anti-virus resources.

Virus Alert: Understanding the Risks

Computer viruses are human created vices that will be around for as long as there are files and programs to corrupt. This article explains what types of viruses are out there, and how to prevent their spread.

Security and Human Factors

A big lie of computer security is that security improves as password complexity increases. In reality, users simply write down difficult passwords, leaving the system vulnerable. Security is better increased by designing for how people actually behave.

Types of Computer Viruses

A collection of fictitious viruses and their characteristics.