The RIAA Succeeds Where the Cypherpunks Failed
The RIAA is succeeding where the Cypherpunks failed, convincing users to trade a broad but penetrable privacy for unbreakable anonymity under their personal control. In contrast to the Cypherpunks "eat your peas" approach, touting encryption as a first-order service users should work to embrace, encryption is now becoming a background feature of collaborative workspaces. Because encryption is becoming something that must run in the background, there is now an incentive to make its adoption as easy and transparent to the user as possible. It's too early to say how widely casual encryption use will spread, but it isn't too early to see that the shift is both profound and irreversible.
Shirky, Clay. Shirky.com (2003). Articles>Legal>Security
Enhanced Interoperability for Security of XML Web Services
Enterprises are adopting Web Services to ease application integration across heterogeneous environments within and across security domain boundaries. Security is an important element for the adoption of Web Services. The Organization for the Advancement of Structured Information Standards (OASIS) has recently ratified the Web Services Security standards (Web Services Security: SOAP Message Security 1.0 (WS-Security 2004), Web Services Security: UsernameToken Profile 1.0, and Web Services Security: X.509 Certificate Token Profile) to provide an extensible framework for providing message integrity, confidentiality, identity propagation, and authentication. The Web Services Interoperability Organization (WS-I) is profiling standards to provide guidelines for implementation and use of relevant standards to enhance interoperability. This paper describes the activities of the WS-I Basic Security Profile (BSP) Working Group (WG). This Working Group is chartered to improve interoperability of security technologies for Web Services by profiling the OASIS Web Service Security and HTTP Over TLS standards. This interoperability profile (known as the Basic Security Profile 1.0) is an extension of the WS-I Basic Profile. The WS-I Basic Profile addresses interoperability for implementations of core Web Services standards.
Austel, Paula, Michael McIntosh and Anthony Nadalin. IDEAlliance (2004). Articles>Web Design>XML>Security
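As an added illustration of one of the standards the entry above says the BSP profiles, and not code from the paper, from WS-I or from OASIS: a Python implementation of the UsernameToken Profile 1.0 PasswordDigest (Base64(SHA-1(nonce + created + password)), with the nonce taken as its raw bytes), together with the receiver-side checks that make the digest worth anything, a freshness window on wsu:Created and a nonce cache to reject replays. The username, password, nonce and timestamps are constructed sample values; the five-minute skew window and the in-memory nonce set are assumptions (a real receiver expires old nonces and shares the cache across nodes).

```python
import base64
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set

# Namespace and type URIs from WS-Security 2004 / UsernameToken Profile 1.0.
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DIGEST_TYPE = ("http://docs.oasis-open.org/wss/2004/01/"
               "oasis-200401-wss-username-token-profile-1.0#PasswordDigest")
NONCE_ENC = ("http://docs.oasis-open.org/wss/2004/01/"
             "oasis-200401-wss-soap-message-security-1.0#Base64Binary")
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"

ET.register_namespace("wsse", WSSE)
ET.register_namespace("wsu", WSU)


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """Password_Digest = Base64(SHA-1(nonce + created + password)); nonce is the raw bytes."""
    raw = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")


def build_username_token(username: str, password: str,
                         nonce: Optional[bytes] = None, created: Optional[str] = None) -> str:
    """Sender side: serialise a <wsse:UsernameToken> carrying a PasswordDigest."""
    nonce = nonce if nonce is not None else os.urandom(16)
    created = created or datetime.now(timezone.utc).strftime(TIME_FMT)
    tok = ET.Element(f"{{{WSSE}}}UsernameToken")
    ET.SubElement(tok, f"{{{WSSE}}}Username").text = username
    pw = ET.SubElement(tok, f"{{{WSSE}}}Password", Type=DIGEST_TYPE)
    pw.text = password_digest(nonce, created, password)
    n = ET.SubElement(tok, f"{{{WSSE}}}Nonce", EncodingType=NONCE_ENC)
    n.text = base64.b64encode(nonce).decode("ascii")
    ET.SubElement(tok, f"{{{WSU}}}Created").text = created
    return ET.tostring(tok, encoding="unicode")


class UsernameTokenVerifier:
    """Receiver side. Assumptions: cleartext passwords are available to recompute the
    digest, and seen nonces are held in an in-memory set (a real receiver expires them)."""

    def __init__(self, passwords: Dict[str, str], max_skew: timedelta = timedelta(minutes=5)):
        self.passwords = passwords
        self.max_skew = max_skew
        self.seen_nonces: Set[bytes] = set()

    def verify(self, token_xml: str, now: Optional[datetime] = None) -> bool:
        now = now or datetime.now(timezone.utc)
        tok = ET.fromstring(token_xml)
        username = tok.findtext(f"{{{WSSE}}}Username")
        pw_el = tok.find(f"{{{WSSE}}}Password")
        nonce_el = tok.find(f"{{{WSSE}}}Nonce")
        created = tok.findtext(f"{{{WSU}}}Created")
        if username not in self.passwords or pw_el is None or nonce_el is None or not created:
            return False
        if pw_el.get("Type") != DIGEST_TYPE:
            return False  # refuse PasswordText (cleartext) tokens outright
        try:
            created_dt = datetime.strptime(created, TIME_FMT).replace(tzinfo=timezone.utc)
        except ValueError:
            return False
        if abs(now - created_dt) > self.max_skew:
            return False  # stale or future-dated token
        nonce = base64.b64decode(nonce_el.text or "")
        if nonce in self.seen_nonces:
            return False  # replayed nonce
        expected = password_digest(nonce, created, self.passwords[username])
        if not hmac.compare_digest(expected, pw_el.text or ""):
            return False
        self.seen_nonces.add(nonce)
        return True


def demo() -> List[bool]:
    """Constructed run: fresh token, replay of the same token, wrong password, stale token."""
    nonce, created = b"0123456789abcdef", "2004-01-15T12:00:00Z"
    now = datetime(2004, 1, 15, 12, 1, tzinfo=timezone.utc)
    v = UsernameTokenVerifier({"alice": "s3cret"})
    good = build_username_token("alice", "s3cret", nonce, created)
    bad_pw = build_username_token("alice", "wrong", b"another-nonce-00", created)
    stale = build_username_token("alice", "s3cret", b"third-nonce-0000", "2004-01-15T11:00:00Z")
    return [v.verify(good, now), v.verify(good, now), v.verify(bad_pw, now), v.verify(stale, now)]


if __name__ == "__main__":
    print(build_username_token("alice", "s3cret"))
    print(demo())  # [True, False, False, False]
```

Two caveats a practitioner should keep in view: the digest authenticates only the token, not the SOAP body, so message integrity still needs the XML Signature bindings of SOAP Message Security (or the HTTP over TLS channel the BSP also profiles); and because the receiver must recompute SHA-1 over the cleartext password, that password has to be stored recoverably on the server, which is why the digest form is a transport-level protection against casual sniffing rather than a substitute for hashing passwords at rest.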
Securing XML - Case Studies from the Financial Services Industry
XML is becoming the de facto business document interchange language for the Internet. Technologies such as SOAP and ebXML have been developed within the XML framework. Digital security standards and techniques are now being applied to XML, and to 'business webs' built using XML and Web Services. This presentation discusses these initiatives and the issues being encountered when applying security principles of confidentiality and non-repudiation to XML. Drawing on practical experience in Vordel projects, this presentation looks at how Web Services can be applied in the Financial Services industry to provide for improved secure partner and customer integration for the delivery of products and services.
O'Neill, Mark. IDEAlliance (2004). Articles>Information Design>Security>XML
I think the WordPress software is the best blogging software around from an end user’s perspective. Its GUI is full of eye-candy and features that are not present in other blog software. But wearing my security hat, I see past this eye-candy onto the code and see several bad design decisions.
Esser, Stefan. Blog Security (2007). Articles>Content Management>Security>WordPress
Unicode Consortium Technical Report on Unicode Security Considerations
Unicode Technical Report #36 on Unicode Security Considerations "describes some of the security considerations that programmers, system analysts, standards developers, and users should take into account [when using the Unicode Standard], and provides specific recommendations to reduce the risk of problems."
Cover Pages (2005). Articles>Language>Security>Unicode
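As an added example of the kind of check the report above recommends, and not code or data from the Unicode Consortium: a Python classifier that sorts a label (a domain label or user name) roughly along the restriction levels of the companion report UTS #39 (ASCII-only, single script, the Latin-plus-CJK combinations allowed under "Highly Restrictive", Latin plus one other non-Cyrillic/Greek script under "Moderately Restrictive", everything else flagged as mixed script), and a small skeleton function that folds look-alike characters so that "pаypal" with a Cyrillic а compares equal to "paypal". The script detection is a simplification based on the first word of each character's Unicode name rather than the real Script property, and the confusable table is a constructed excerpt of a dozen well-known pairs, not the full confusables.txt.

```python
import unicodedata
from typing import Dict, Optional, Set

# Constructed excerpt of look-alike pairs (the real data is Unicode's confusables.txt).
# Only characters that survive NFKC are listed; NFKC already folds e.g. fullwidth letters.
CONFUSABLES: Dict[str, str] = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",  # Cyrillic а е о р
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i",  # Cyrillic с у х і
    "\u03b1": "a", "\u03bf": "o", "\u03bd": "v",                # Greek α ο ν
    "\u0131": "i",                                              # Latin dotless ı
}

# Script combinations allowed under UTS #39's "Highly Restrictive" level (simplified).
HIGHLY_RESTRICTIVE = [
    {"LATIN", "HAN", "HIRAGANA", "KATAKANA"},
    {"LATIN", "HAN", "BOPOMOFO"},
    {"LATIN", "HAN", "HANGUL"},
]


def script_of(ch: str) -> str:
    """Approximate the Script property from the character's Unicode name (simplification)."""
    if ch in "0123456789-._":
        return "COMMON"
    name = unicodedata.name(ch, "")
    first = name.split(" ", 1)[0] if name else "UNKNOWN"
    return "HAN" if first == "CJK" else first


def scripts_in(label: str) -> Set[str]:
    """Set of scripts used by a label, after NFKC and ignoring digits and separators."""
    label = unicodedata.normalize("NFKC", label)
    return {s for s in map(script_of, label) if s != "COMMON"}


def restriction_level(label: str) -> str:
    """Classify a label roughly along UTS #39's restriction levels."""
    if label.isascii():
        return "ASCII-Only"
    scripts = scripts_in(label)
    if len(scripts) <= 1:
        return "Single Script"
    if any(scripts <= combo for combo in HIGHLY_RESTRICTIVE):
        return "Highly Restrictive"
    if len(scripts) == 2 and "LATIN" in scripts and not scripts & {"CYRILLIC", "GREEK", "CHEROKEE"}:
        return "Moderately Restrictive"
    return "Unrestricted"


def skeleton(label: str) -> str:
    """Fold confusable characters to a canonical form so look-alikes compare equal."""
    label = unicodedata.normalize("NFKC", label)
    return "".join(CONFUSABLES.get(c, c) for c in label).casefold()


def spoofs(label: str, target: str) -> bool:
    """True when label is not target but would be mistaken for it."""
    return label != target and skeleton(label) == skeleton(target)


def check_label(label: str, protected: Set[str]) -> Dict[str, object]:
    """Constructed policy: report the level and whether the label spoofs a protected name."""
    level = restriction_level(label)
    spoof_of: Optional[str] = next((t for t in sorted(protected) if spoofs(label, t)), None)
    return {"label": label, "level": level,
            "mixed_script": level == "Unrestricted", "spoof_of": spoof_of}


if __name__ == "__main__":
    for sample in ["paypal", "p\u0430ypal", "b\u00fccher", "tokyo\u6771\u4eac", "hello\u05d0"]:
        print(check_label(sample, {"paypal"}))
```

The two checks catch different things: the restriction level rejects a label that mixes Latin with Cyrillic even if no protected name matches, while the skeleton comparison catches an all-Cyrillic "аррlе"-style label that passes the single-script test but collides with a name you care about. Production code should use the Script property (for instance via a library that ships the Unicode data) and the full confusables table, since the name-prefix heuristic here misclassifies punctuation and some symbols.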
My business and passion is accessibility and there is obviously a huge problem with these visual CAPTCHAs. If you used alt-text on this image, alt="e3TJ6Jdp", that would be fine and very welcome for blind visitors. It would also be welcome for any computer system seeking to sign up for lots of emails. Using alt-text on the image does not solve the problem! The visual image CAPTCHA is fundamentally inaccessible. For the example above, this means very simply that Yahoo excludes people who are blind (or vision impaired) from signing up for Yahoo email accounts.
Thatcher, Jim. JimThatcher.com (2009). Articles>Accessibility>Security>Web Design
Evaluating Existing Audio CAPTCHAs and an Interface Optimized for Non-Visual Use 
Audio CAPTCHAs were introduced as an accessible alternative for those unable to use the more common visual CAPTCHAs, but anecdotal accounts have suggested that they may be more difficult to solve. This paper demonstrates in a large study of more than 150 participants that existing audio CAPTCHAs are clearly more difficult and time-consuming to complete as compared to visual CAPTCHAs for both blind and sighted users. In order to address this concern, we developed and evaluated a new interface for solving CAPTCHAs optimized for non-visual use that can be added in-place to existing audio CAPTCHAs. In a subsequent study, the optimized interface increased the success rate of blind participants by 59% on audio CAPTCHAs, illustrating a broadly applicable principle of accessible design: the most usable audio interfaces are often not direct translations of existing visual interfaces.
Bigham, Jeffrey P. and Anna C. Cavender. University of Washington-Seattle (2008). Articles>Accessibility>Security>Web Design
A Large-Scale Study of Web Password Habits 
We report the results of a large scale study of password use and password re-use habits. The study involved half a million users over a three month period. A client component on users’ machines recorded a variety of password strength, usage and frequency metrics. This allows us to measure or estimate such quantities as the average number of passwords and average number of accounts each user has, how many passwords she types per day, how often passwords are shared among sites, and how often they are forgotten. We get extremely detailed data on password strength, the types and lengths of passwords chosen, and how they vary by site. The data is the first large scale study of its kind, and yields numerous other insights into the role passwords play in users’ online experience.
Florencio, Dinei and Cormac Herley. WWW 2007 (2007). Articles>Web Design>Security
Usability suffers when users type in passwords and the only feedback they get is a row of bullets. Typically, masking passwords doesn't even increase security, but it does cost you business due to login failures.
Nielsen, Jakob. Alertbox (2009). Articles>Web Design>Security>Usability
When a user types in a password and the only feedback they get is a row of black dots, usability suffers. Masking the password usually does not strengthen security, but login failures do hurt your business.
Nielsen, Jakob. Usability.gr.jp (2009). (Japanese) Articles>Web Design>Security>Usability
In today’s competitive environment, organizations succeed or fail based on how well they manage information. To address this reality, organizations spend millions, if not billions, on securing their information advantages. New information technologies and methodologies are adopted, while old ones are dismantled or upgraded. To win, the information manager must constantly seek to outperform his or her competition. In this article the author asks how the information manager does that: perhaps by acquiring the best new technologies, hiring the most intelligent information professionals, and continuously keeping a watchful eye on the future. But, he asks, does having the best information, the best information systems, and the best information professionals really pay off? Is there victory in sight? Or is this just a continuous game with no clear winners?
Desouza, Kevin C. Business Information Review (2009). Articles>Management>Information Design>Security
Understanding LDAP: Design and Implementation
The implementation and exploitation of centralized, corporate-wide directories are among the top priority projects in most organizations. The need for a centralized directory emerges as organizations realize the overhead and cost involved in managing the many distributed micro and macro directories introduced in the past decade with decentralized client/server applications and network operating systems. This IBM Redbook will help you create a foundation of LDAP skills, as well as install and configure the IBM Directory Server. It is targeted at security architects and specialists who need to know the concepts and the detailed instructions for a successful LDAP implementation.
IBM (2004). Books>Software>Technology>Security
DVD Rot: DVD Longevity and Reliability
What is going on with DVDs? The industry states that discs should last 50 to 100 years, but on-line reports claim significant problems with both pressed and recordable discs. Can movie discs wear out and fail from "DVD rot?" Is recordable DVD a trustworthy archival media, or is there evidence that discs can wear out from extended play? And what is the situation with the compatibility of recordable media? Is there a way to guarantee reasonable compatibility, some magic combination of formats and brands, software and burners, content and players?
Dixon, Douglas. Manifest Technology (2003). Articles>Technology>Security>DVD