infovore + security   30

FtpMustDie - Greg's Wiki
"But this would be a sad and pitiful rant indeed if I focused solely on the age of the protocol... No, my reasons for disparaging FTP are more substantive." A good reference to point at the next time I lose my rag at having to use insecure FTP.
ftp  security  protocols  computing  obsolescence 
january 2012 by infovore
How Digital Detectives Deciphered Stuxnet, the Most Menacing Malware in History | Threat Level | Wired.com
Completely remarkable; a quest to decipher what's going on with a particular piece of malware ends up revealing a campaign to commit large-scale industrial sabotage of Iranian nuclear processing plants. Gripping, dense; it's a real thriller of an article.
stuxnet  security  iran  sabotage  wired 
july 2011 by infovore
PSN: The Security Scandal - Page 1 | DigitalFoundry | Eurogamer.net
"Sony's statement suggests that it was actually storing sensitive information in plain text format, which defies belief. The only other explanation is that hackers only got access to the hashes and may have compromised a small minority of passwords by running this data through something like a dictionary look-up. However, from the tone of Sony's apology this does not appear to be the case." Good god; they're certainly transmitted as plaintext to PSN - according to the IRC log referenced in this article - so the incompetence required to store them as plaintext is already evident. Appalling.
sony  psn  idiots  security  idiotsidiots 
april 2011 by infovore
scraplab — Please Keep Your Belongings with You at All Times
"The point is that making one-click tools that force the entire web to play catchup, whilst putting people at risk, just isn’t a sensible way of talking about security. There’s a reason we (most of us, anyway) don’t secure our houses with turret guns and dogs, and that’s because most of the time, a lock and key is good enough. We want just enough security to feel safe at night, and not to cause us too much hassle. And that’s why this tool makes me sad. Because it’s a symbol of an arms race – a fight to the death over unimportant things, when really, I’d rather not have to remember to lock my windows at night." Yes.
tomtaylor  security  firesheep 
october 2010 by infovore
56/365 « Jon Cartwright Blog
"...for reasons that baffle me, my TV can only receive the four terrestrial channels, plus a grainy feed from the building’s security cameras. Easy choice."
tv  security  panopticon 
february 2010 by infovore
Matasano Security LLC - Chargen - Indie Software Security: A ~12 Step Program
"...we roped in Nate McFeters, another local, and put together a security talk for indie Mac developers with no budget for security. What does a security talk for Mac developers look like? As it turns out, it’s very much like the talk we think every indie developer, Mac or not, should see, and it’s very much unlike the talk the rest of the security industry is giving." Good stuff: simple, clear, well thought out, and very hard to argue with.
online  web  development  programming  security 
september 2009 by infovore
GameSetWatch - Backup Your Files Before Playing Lose/Lose
"Lose/Lose is a simple vertical-scrolling shoot'em up with a twist -- each alien appearing on your screen represents a random file on your computer. Thus, each time you kill an alien, the game will delete that sprite's associated file. If the aliens manage to destroy your ship, the Lose/Lose application is deleted." Way to make a point, but, you know, *blimey*.
games  security  loselose  data  value 
september 2009 by infovore
Internet records to be stored for a year - Telegraph
This is not good. And the worst part: "Hundreds of public bodies and quangos, including local councils, will also be able to access the data to investigate flytipping and other less serious crimes." It's not the police having this that's the big worry; it's the incompetent lower echelons of civil service, who shouldn't need this.
security  privacy  uk  europe  internet  data 
april 2009 by infovore
Links » More Banking Stupidity: Phished by Visa
"in other words: Please ensure that there is absolutely no way for your customer to know whether we are showing the form or you are. In fact, please train your customer to give their “Verified by Visa” password to anyone who asks for it." Eesh. I knew I never liked VBV, but this just proves, acutely, *why* I don't like it.
internet  security  phishing  verifiedbyvisa  banking  online 
march 2009 by infovore
Chris Heathcote: anti-mega: friends with benefits
"The web is about sharing ... and people will share with the tools they’re given. If username and password are front and centre, then they’re the tools people will use. There’s so much usability dogma about reducing the sign-up process and throwing people into use that important details – such as explaining what all the cogs and levers do – are forgotten, or assumed as knowledge." This is excellent, and all true, and I do not know how to solve this. But Chris' comments - that this is not stupid, this is how people are - are all spot on.
design  interaction  security  sharing  chrisheathcote  behaviour  friendship  privilege  permissions  custom 
march 2009 by infovore
Almost Perfect htaccess File for WordPress Blogs | Josiah Cole dot com
Some nice tips in here, mainly about blocking access to things and security.
security  wordpress  apache  htaccess 
march 2009 by infovore
XSS (Cross Site Scripting) Prevention Cheat Sheet - OWASP
"This article provides a simple positive model for preventing XSS using output escaping/encoding properly. While there are a huge number of XSS attack vectors, following a few simple rules can completely defend against this serious attack." Pretty comprehensive, and some clear guidelines if, like me, you're unsure where to start when protecting against XSS.
security  development  web  reference  xss 
january 2009 by infovore
philosecurity » Blog Archive » Interview with an Adware Author
"So we’ve progressed now from having just a Registry key entry, to having an executable, to having a randomly-named executable, to having an executable which is shuffled around a little bit on each machine, to one that’s encrypted– really more just obfuscated– to an executable that doesn’t even run as an executable. It runs merely as a series of threads." Fascinating interview with a smart guy who, at one point in his life, did some bad (if not entirely unethical) work.
programming  interview  security  windows  adware  scheme  exploits 
january 2009 by infovore
Chris Heathcote: anti-mega: now, more than ever
"It is the business of the future to be dangerous; and it is among the merits of science that it equips the future for its duties."
science  technology  security  history  futurism  future  prescience 
january 2009 by infovore
dm fail!
"..some tweets were destined for fail." - or, at least, not for public consumption. Oh dear.
security  privacy  messaging  twitter  fail 
december 2008 by infovore
freckle: time tracking rethought » Blog Archive » Calamity howlers & positively selecting with surprise
I think they're wrong, you know. It's not theatre; it's protocol. Maybe people aren't used to the protocol; if yours is the first app they encounter, they'll think that it's OK to show what passwords are - and perhaps that it's OK to write them down elsewhere in plaintext. Applications have a degree of responsibility for users' interactions across the internet, and quirky and cute as this may be, it's just not the place to demonstrate your shining personality.
design  interaction  application  freckle  incorrect  wrong  naughty  passwords  security 
december 2008 by infovore
Coffee houses and civil liberty « Derivadow.com
"Yes people use the Internet to do bad things, and quite possibly Twitter is one of those services that bad people use. But they also plan bad things in coffee houses but for the last 300 odd years we’ve realised that trying to legislate against coffee houses is a bad thing for society." I recently finished Markman Ellis' book on coffee houses, and so Tom's post had a special kind of relevance.
security  intelligence  spying  coffeehouse 
october 2008 by infovore
FatBusinessman.com : On Authentication
"...this leads up to a discussion of two things: the OAuth protocol which aims, amongst other laudable goals, to help safeguard users’ passwords, and the distinctly unnerving trend which Jeremy Keith has christened the password anti-pattern, which really doesn’t." A clear, articulate explanation of the issues around authentication.
oauth  openid  security  privacy  authentication  design  archiecture  antipattern 
september 2008 by infovore
Bruce Schneier: Are photographers really a threat? | Technology | The Guardian
"Given that real terrorists, and even wannabe terrorists, don't seem to photograph anything, why is it such pervasive conventional wisdom that terrorists photograph their targets?" Great article from Bruce Schneier.
censorship  security  politics  photography  terrorism  civilrights  rights 
june 2008 by infovore
All your workouts are belong to Nikeplus - The Unofficial Apple Weblog (TUAW)
"There is no way to remove workout data from the nikeplus website". Be thankful they only have cadence, and not location/geo...
data  ipod  nike  nikeplus  security  surveillance  protection 
may 2008 by infovore
You Can't Picture This // Current TV UK
"Rajesh [Thind] investigates the way we view the lens and the way it views us." Gosh, this made me very uncomfortable and somewhat angry.
photography  uk  law  surveillance  security  paranoia 
march 2008 by infovore
Six Apart - News and Events: The Social Graph API and Surprises
"While this implementation of the API was based on publicly discoverable information (like Google's), we simply didn't feel comfortable shipping that project based on current implementations." Interesting corollary to the Social Graph API.
security  privacy  socialgraph  api  xfn  foaf 
february 2008 by infovore
Daily Episcopalian
"The more I replay the scene, the more troublesome it is. It is the stuff of nightmares... If we conduct ourselves poorly as daily ambassadors, it is no wonder our country suffers a tarnished relationship with the world."
politics  security  travel  terrorism  culture 
november 2007 by infovore
Adactio: Journal - The password anti-pattern
"...even if it costs me a contract in the short-term, I will refuse to implement any kind of interface that involves asking the user for a password from a third-party site. I urge you to do the same." Jeremy is right. No question about it.
privacy  security  openauth  oauth  facebook  identity  design  pattern 
october 2007 by infovore
QuarkRuby: Ruby on Rails Security Guide
Long, detailed, useful reference guide to all the areas where you can tighten the security of your Rails application.
security  rails  ruby  rubyonrails  programming  development 
october 2007 by infovore
Stupid htaccess Tricks « Perishable Press
Fantastic collection of stuff to do with your .htaccess file, not just copied+pasted, but explained well, too.
htaccess  apache  security  rewrite  mod_rewrite  urls 
november 2006 by infovore
Sitening Blog » Blog Archive » How To Backup Your Mac Intelligently
I probably ought to get a copy of SuperDuper. It looks very good.
mac  backup  security 
june 2006 by infovore
DefCon 11, 2003: HavenCo: What Really Happened; Ryan Lackey
Ryan Lackey on the death of HavenCo, the Sealand-based colo, and what went wrong.
privacy  security  colo  hosting  anonymity  sealand 
june 2005 by infovore
