Again about weak and strong passwords: In the post “Is your password strong enough”, I wrote about password policies and how to create strong passwords. It seems that the majority of people use weak passwords. In a recent article on his blog and in an essay that appeared on Wired.com, Bruce Schneier analyzed the most common passwords people use. The analysis was prompted by the “MySpace password exploit”. It is amazing to see how often very ordinary, simple passwords are used. [Thanks to my colleague Dejan Vesic for bringing this to my attention.]
In an earlier post on this Web site, I wrote about the dilemma of whether or not to disclose security flaws publicly. This disclosure game is becoming hotter and hotter at present. Recently I read four interesting articles at CSO Online. These articles shed light on the problem from different, sometimes totally opposite, angles.
1. The article “Microsoft: Responsible Vulnerability Disclosure Protects Users” by Mark Miller, Director, Microsoft Security Response Center, says:
“Responsible disclosure benefits everyone in the security ecosystem by providing the most comprehensive and highest-quality security update possible.”
2. The next article, “The Vulnerability Disclosure Game: Are We More Secure?” by Marcus J. Ranum, says in its headline:
“Can we speak frankly about “vulnerability disclosure” now? More than a decade into the process, can anyone say security has improved?”
3. The third article, “Full Disclosure of Security Vulnerabilities a ‘Damned Good Idea’”, has the subtitle:
“Security guru Bruce Schneier sounds off on why full disclosure forces vendors to patch flaws.”
4. Interesting, and a little bit longer than the previous articles, is “The Chilling Effect” by Scott Berinato, which says:
“How the Web makes creating software vulnerabilities easier, disclosing them more difficult and discovering them possibly illegal.”
This dilemma will probably be around for a prolonged period of time. My estimate is that, as usual, it will end up with a balanced view that reconciles the different positions in a socially and technologically acceptable manner.
Recently I read again an interesting article in IEEE Security & Privacy magazine: Michael Howard, “A Process for Performing Security Code Reviews,” IEEE Security & Privacy, vol. 4, no. 4, July/August 2006, pp. 74-79. That very good article starts with:
No one really likes reviewing source code for security vulnerabilities; it’s slow, tedious, and mind-numbingly boring. Yet, code review is a critical component of shipping secure software to customers. Neglecting it isn’t an option.
Absolutely true. Read the full article here.