
Security: Sovereign Keys - Next generation SSL/TLS HTTPS
2012-01-23 20:23 by Thomas Damgaard Nielsen - Comments

Politics: Against surveillance, for privacy
2009-06-27 17:36 by Thomas Damgaard Nielsen - Comments
Here is another video clip from PROSA's campaign against surveillance.
Speaking of privacy, here is a nice point (quote from Slashdot):

Security: Stop surveillance of data traffic
2009-06-24 16:30 by Thomas Damgaard Nielsen - Comments
The video clip below was produced by PROSA.
See more at http://www.prosa.dk/overvaagning/

Security: 20 tips for securing Apache HTTP Server
2009-06-18 19:57 by Thomas Damgaard Nielsen - Comments
I came across Pete Freitag's article 20 ways to Secure your Apache Configuration.
It gives some quite sensible tips on how to secure your Apache HTTP Server.

Security: Insightful comment on CAPTCHA
2009-03-28 10:30 by Thomas Damgaard Nielsen - Comments
QuoteMstr has written this insightful comment about CAPTCHAs:
A few common CAPTCHA fallacies
Everyone has a great idea for a CAPTCHA, but very few people know what the hell is really going on. Remember that the machine doesn’t need to solve the CAPTCHA every time, that machines are infinitely patient and have huge memories, and that another machine needs to make sure the human gave the right answer!
Ideas that won’t work:
- Make clients identify an object from a picture. Machines can’t describe objects in pictures: if machines can’t describe the picture, how the hell is the CAPTCHA server supposed to verify that the client gave the correct answer? If a human being manually inputs the pictures and acceptable descriptions for each, then another human can program his attacking machine to do the same thing! Having a large, but finite set of pictures doesn’t help either since a machine doesn’t need to solve the CAPTCHA every time. It can just learn the correct responses without actually understanding the image. ANY APPROACH BASED ON IDENTIFYING A MEMBER OF A FINITE SET DOES NOT WORK AS A CAPTCHA.
- As a special case of #2, QUIZZES DO NOT WORK: either the questions are finite and subject to attacker memorization, or the number of patterns for the question is finite, and these patterns can be detected by a machine. (Consider “A train is coming from Denver at X miles per hour…” — same problem, different coefficients.)
- Send the client a special program that verifies he’s real: if it doesn’t work for DRM, it won’t work for CAPTCHAs. An attacker can just program his machine to simulate slow typing, slow thinking, or a cross-eyed human being. YOU CANNOT CONTROL THE EXECUTION ENVIRONMENT. No amount of Javascript obfuscation, encryption, or header-checking will make the slightest bit of difference for a determined hacker.
- As a special case of #3, TIMING ANALYSIS DOES NOT WORK. Machines can simulate arbitrary delays.
- Limiting CAPTCHA-solving attempts by cookie/IP address/etc.: that doesn’t work. Attackers don’t obey web standards, and have botnets.
Really, it’s very easy to think you’ve come up with a very clever CAPTCHA. When you think that, all you’ve done is stoked your ego and screwed yourself over. It’s the same reason why we don’t roll our own cryptography: CAPTCHA-making is a very hard problem, mainly because your problem space must be infinite (to avoid an attacking machine simply memorizing answers), the answers verifiable by a machine, but the problems not solvable by a machine.
How many questions can be checked by machines but not answered by them?
Not many; fewer every day. There are no questions that can’t be answered by a computer (and which can be answered by a human mind). The Church-Turing thesis has some validity: the human mind is no more powerful than a Turing machine, and ultimately, computers and our brains are computationally equivalent. There’s nothing a computer can’t solve: there are just things we haven’t figured out yet.

Security: Magic with SSH tunnels
2008-11-24 21:40 by Thomas Damgaard Nielsen - Comments
Tunnels are a tremendously useful feature of OpenSSH.
SSH tunnels can be used, for example, when you need to reach an IP-restricted service from another machine.
The web service https://host1/ is restricted so that it can only be accessed from host2.
You are now working on host3 and therefore cannot reach https://host1/.
By creating a tunnel through host2, you can reach the web service on host1 from host3 by typing the following on host3:
ssh -L 8080:host1:443 host2
After that you can open https://localhost:8080/ on host3 and reach the web service.
Update 2008-11-24:
I am aware that the above is not the world's most thorough explanation. I will probably write a better explanation of SSH tunnels later.
I have previously written about SSH tunnels in Port forwarding with PuTTY and SSH tunnels.
Other SSH-related articles are:
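As an added example (not part of the original post), here is a small shell wrapper for the host1/host2/host3 scenario above. It adds the options a practitioner usually wants around a plain `ssh -L`: the forward is bound to 127.0.0.1 by default so that other users or hosts on host3's network cannot ride the tunnel, `-N` opens no remote shell, and `ExitOnForwardFailure=yes` makes ssh fail loudly if port 8080 is already taken instead of leaving you with a session that forwards nothing. The hostnames host1/host2/host3 and the DRY_RUN switch are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Builds (and optionally runs)
# a hardened local port forward: ssh -L [bind:]lport:target:tport jumphost
# Assumed hosts: host1 (target web service), host2 (jump host), host3 (you).

# Reject non-numeric or privileged ports so the tunnel needs no root on host3.
valid_local_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1024 ] && [ "$1" -le 65535 ]
}

# start_tunnel LOCALPORT TARGETHOST TARGETPORT JUMPHOST [BINDADDR]
# With DRY_RUN=1 (the default here) the command is printed instead of run.
start_tunnel() {
    lport="$1"; thost="$2"; tport="$3"; jump="$4"; bind="${5:-127.0.0.1}"
    valid_local_port "$lport" || { echo "bad local port: $lport" >&2; return 2; }
    # Build the argument vector positionally; no eval, so hostnames are never re-parsed.
    set -- ssh -N -o ExitOnForwardFailure=yes \
        -L "$bind:$lport:$thost:$tport" "$jump"
    if [ "${DRY_RUN:-1}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# The scenario from the post, run on host3. Afterwards browse to
# https://localhost:8080/ ; expect a certificate name mismatch, since the
# certificate is issued to host1, not localhost.
start_tunnel 8080 host1 443 host2
```

Run it with `DRY_RUN=0` to actually open the tunnel; note that host1 will see the connection as coming from host2, which is exactly why the IP restriction is satisfied, and also why host2's logs are where such access should be audited.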

Security: Microsoft makes anti-virus for Windows
2008-11-20 21:08 by Thomas Damgaard Nielsen - Comments [1]
Microsoft has announced that they will make free anti-virus software for Windows.
Is it just me who thinks that is silly? Why don't they just fix the holes in Windows that make it hopelessly vulnerable to all sorts of viruses and malware?

Security: WPA has been cracked
2008-11-08 06:25 by Thomas Damgaard Nielsen - Comments
The wifi encryption WPA has now been cracked.
From the article:
So far WPA2 is still "secure".
I have previously written about why you should not encrypt your wireless home network.

Security: How to get through airport security
2008-10-28 07:08 by Thomas Damgaard Nielsen - Comments
In a particularly interesting article in The Atlantic, Bruce Schneier helps Jeffrey Goldberg test the security at American airports. (The article is split over 3 pages. Fortunately there is a reader- and printer-friendly version.)
In the article, Jeffrey Goldberg describes how he has brought large quantities of liquids, several knives, Osama Bin Laden t-shirts, books about Jihad and other "dangerous" items on board aircraft.
The article is interesting and thought-provoking.