Comments on: The Almost Hopeless Challenge Of Web Security

By: sfdghsdfd

sfdghsdfd — Mon, 28 Sep 2009 02:57:15 +0000

http://www.voguemalls.com
HOT SELL: Ed hardy/ lacoste/ polo/ ca/ A&F Tshirt :$12
coach/ gucci/ lv/ ed hardy/ D&G/ Fendi handbag :$35
nike jordan(1-24)/ jordan ring/ nike shox/ air max/ af1/ Dunk :$32
lv/ ed hardy/ gucci/ coach/ lacoste/ timbland :$35
gucci/ ed hardy/ coogi/ evisu/ prada jeans:$30
New era/ gucci/ ed hardy cap:$13
Okely/ gucci/ D&G/ fendi/ coach/ armani sunglass:$15

nike shoes: 32 $, des jeans: 30 $, ed hardy, t-shirts: 12 $, NLF: 20 $, un entra?neur à main: 35 $, bottes UGG: 50 $

By: RubyOnRails XSS Vulnerability Claims Twitter, Basecamp And My Confidence | Submitter

Tue, 08 Sep 2009 14:35:01 +0000

[...] was only three days ago that I wrote about the almost hopeless challenge of web security, specifically around new vectors [...]

By: RubyOnRails XSS Vulnerability Claims Twitter, Basecamp And My Confidence | Codedstyle

Sat, 05 Sep 2009 12:01:23 +0000

[...] was only three days ago that I wrote about the almost hopeless challenge of web security, specifically around new vectors [...]

By: BlogBuzz September 5, 2009

BlogBuzz September 5, 2009 — Sat, 05 Sep 2009 10:24:56 +0000

[...] The Almost Hopeless Challenge Of Web Security [...]

By: RubyOnRails XSS Vulnerability Claims Twitter, Basecamp And My Confidence | Technology

Sat, 05 Sep 2009 01:01:57 +0000

[...] was only three days ago that I wrote about the almost hopeless challenge of web security, specifically around new vectors [...]

By: Techcrunch » Blog Archive » RubyOnRails XSS Vulnerability Claims Twitter, Basecamp And My Confidence

Fri, 04 Sep 2009 22:15:13 +0000

[...] was only three days ago that I wrote about the almost hopeless challenge of web security, specifically around new vectors [...]

By: Rick Lebherz

Rick Lebherz — Fri, 04 Sep 2009 19:14:26 +0000

Good article.

I think the nature of the challenge isnt just with in IT and the Tech world. It comes down to human nature and pushing the limits of what is possible.

As long as someone creates something of value, someone else will be there trying to pick it a part and poke holes in it. Hopefully the intention is to improve and alert the community and not leverage this for personal gain. But many people are selfish creatures. All you can do is try and stay ahead of the curve.

Also along the same lines in case you missed it, OpSource is improving Cloud Security and performance to meet enterprise expectations and requirements. A multitiered architecture, firewalls and load balancing standard (not an option), dedicated private VLANs, Encryptions, SAS 70…yada yada yada…check it out

http://www.techcrunchit.com/2009/08/27/opsource-unveils-hybrid-cloud-solution-for-the-enterprise/

By: RubyOnRails XSS Vulnerability Claims Twitter, Basecamp And My Confidence

RubyOnRails XSS Vulnerability Claims Twitter, Basecamp And My Confidence — Fri, 04 Sep 2009 06:59:52 +0000

[...] was only three days ago that I wrote about the almost hopeless challenge of web security, specifically around new vectors [...]

By: SpaceMan

SpaceMan — Fri, 04 Sep 2009 02:34:53 +0000

If PHP is the center of Web technology… PHP will stand for Pretty Hopeless PHP

By: Today Free Tips

Today Free Tips — Wed, 02 Sep 2009 16:19:34 +0000

[...] has dropped over the years as our trust in our favorite services grows Yet all the while the… read more or search more on challenge hopeless web » Other posts in Marketing”TheTime is Now” For [...]

By: The Almost Hopeless Challenge Of Web Security « Jared Rimer’s Technology blog and podcast

Wed, 02 Sep 2009 05:51:23 +0000

[...] The Almost Hopeless Challenge Of Web Security. [...]

By: David Koretz

David Koretz — Wed, 02 Sep 2009 03:14:44 +0000

There are a lot of smart people working on this problem such as White Hat Security, Mykonos Software, Fortify, and others.

The end result is going to be a strategy that attacks multiple layers via code scanning, code-level protection, intrusion detection, etc.

It’s no different than physical security: you lock your doors, and buy an alarm system.

The real problem is that the average developer is not trained on application security, and under the pressure of corporate deadlines builds features, not security.

By: sh

sh — Tue, 01 Sep 2009 21:23:26 +0000

Federal Authority Over the Internet? The Cybersecurity Act of 2009

http://www.eff.org/deeplinks/2009/04/cybersecurity-act

By: sh

sh — Tue, 01 Sep 2009 21:20:03 +0000

Read this about another security issue:

http://www.eff.org/deeplinks/2009/04/cybersecurity-act

Federal Authority Over the Internet? The Cybersecurity Act of 2009

By: Hristo Bojinov

Hristo Bojinov — Tue, 01 Sep 2009 19:22:07 +0000

To add to the problem, many devices now feature multiple interfaces that can be used as alternative injection points into the browser. We call this cross-channel scripting (XCS) in a recent talk:

http://bojinov.org/professional/BH09_EMI.pdf
http://seclab.stanford.edu/websec/embedded/

By: ambert ho

ambert ho — Tue, 01 Sep 2009 17:48:47 +0000

“browser manufacturers themselves do not completely understand the issues involved, and in some cases are moving backwards (ie. the new IE8 is now allowing XmlHttpRequest across-ports)”

Curious, what’s the big deal with allowing XHRs to any port?

The API only allows you to initialize the xhr to make HTTP requests with HTTP headers (so it’s not like I can open an FTP request, or start arbitrarily talking SQL to port 3306) and even with the IE8 change it’s not like you can open connections to other servers – Same-Origin-Policy is still enforced, just not to the same port.

So I don’t really see how this makes the browser less secure – seems like it was just a feature added to better support SOAP, REST, etc. since some people are going to have their web services listening on nonstandard ports.

By: Angela Hayden

Tue, 01 Sep 2009 17:44:04 +0000

I’m just a simple graphic designer trying to start an online audio tour business and it has been HELL! I can’t express in words how much I hate Dreamweaver, Notepad++, CSS, PHP, etc. I’m a starving artist so I have to do everything myself and I also wanted to host everything myself. Instead I’m having to pay E-Junkie to host my mp3 files. My hosting company can’t even send me instructions on how to stop someone from sending emails from my business account. My head is spinning from all the e-cart solutions.

AnyHoo, thanks for listening. I have to go produce 100 images in photoshop for another project. Oh yea, my shitty site is http://www.hereandthereaudiotours.com I’m editing the page now with a set-up css template using notepad++. I have much work to do.

Okay, now I’m crying. Damn it. And another thing, in the last year and a half I’ve lost data on 3 external hard drives. I’m going to bomb my office. I really have to go now.

By: The Almost Hopeless Challenge Of Web Security | BIT Blog

The Almost Hopeless Challenge Of Web Security | BIT Blog — Tue, 01 Sep 2009 14:19:22 +0000

[...] at ‘cross-site scripting’ one of the latest ‘online security can-of-worms’. Click here to read the original [...]

By: ScriptBasic

ScriptBasic — Tue, 01 Sep 2009 12:00:04 +0000

It is when you use something BCX Basic to C or BaCon Basic to C to produce fast, small CGI (compiled) scripts.

By: Mike

Mike — Tue, 01 Sep 2009 11:57:21 +0000

C is not a scripting solution.

By: ScriptBasic

ScriptBasic — Tue, 01 Sep 2009 11:19:59 +0000

Or use a non-html parsing scripting solution. I remember when php would parse fake gif files and execute embed code skipping the binary headers.

Your much safer using something like C, Python, Perl or my favorite ScriptBasic. These scripting solutions are real programs that do what they are intended to do instead of parsing /executing whatever is passed their way.

By: James Grinter

James Grinter — Tue, 01 Sep 2009 10:08:10 +0000

Even if you don’t “trust the web”, someone else probably is on your behalf. Or, someone else you’ve had contact with will do something stupid that has an impact upon you. That’s the power of computer networks.

(Cross-site scripting attacks are, of course, merely attacks of the defensive programming stratagem “sanitise your input”. Just rather a sneaky one, where some thought they could safely sanitise all HTML.)

By: Jonathan

Jonathan — Tue, 01 Sep 2009 09:25:58 +0000

I also do not.

By: @Nope

@Nope — Tue, 01 Sep 2009 09:25:04 +0000

This problem is not about you or me Nope. It’s about the safety of the majority. Cloud computing is THE solution for it makes problems the size that can’t be ignored ;-)
Asking individuals to accepts responsibility is a losing strategy at this point. We need collective solutions so developers & start-ups can start using cloud based services that are safe.

By: Dog Training Issues – Refusing to Come When Called Pets

Dog Training Issues – Refusing to Come When Called Pets — Tue, 01 Sep 2009 05:32:59 +0000

[...] Today we are trusting the web with our most personal and important data, from private photos and social graphs to finances and key work documents. Our hesitation to share such information has dropped over the years as our trust in our favorite services grows. Yet all the while, the web is actually growing less secure, as sites are left open to new attacks that can spread easily and leave users…Read more » [...]