Author Archives: jspilman

SRP Won’t Protect Blizzard’s Stolen Passwords

Blizzard announced today that they have suffered a major data breach, and sensitive user data was stolen from their servers. According to their statement the specific data stolen includes email address, the answer to the personal security question, and information relating to two-factor authentication. They also lost their SRP server-side verifier database, which is the database they use to verify user passwords.

And despite what Blizzard is claiming, I believe the majority of their users’ plain text passwords have been exposed as well.


Thoughts on Facebook’s Ad Platform

Note to reader, please consider the following as a DRAFT only. I’m still working on the software which will let you collaboratively edit it with me (if you so choose) without having to register.

If you listen to Facebook’s earnings call and you read the latest from the analysts then you already know that FB is looking for the technology which will give them the boost they need in mobile advertising.


Google Groups spam filters suck, and you can’t turn them off

Google Groups has been an amazing asset to me for the last several years. I use it, as I’m sure many do, as an archived listserv for various groups I participate in. What’s great is you can set up the group as invite only, but allow anyone to post. People outside the group send email in, but only members of the group can read it.

Incredibly common, incredibly useful, but recently on Google Groups, incredibly broken.


The Perfect Founders

For a while now, certain venture capitalists have had an unwritten rule: a good team consists of a developer, a designer, and a CEO. But I have news. It’s not a designer you need. It’s a system architect.


Security isn’t a feature. Security is the product

Why are sites insecure? Because security is treated like a feature.


BrowserID is a step in the wrong direction

Mozilla Persona, the public face of the BrowserID initiative, is a fresh, dead simple, and compelling vision for how authentication should work on the web. Unfortunately, it’s also poorly executed and fundamentally flawed. If you are considering using BrowserID for authentication on your website, the following is my personal assessment on the shortcomings, flawed assumptions, and inherent weaknesses of the current implementation as well as the overall architecture that Mozilla has defined.


Don’t trade a sure thing for a gamble

A guest post, from Shawn, in response to the NY Times article titled Goldman Sachs and a Sale Gone Horribly Awry

They made two mistakes. The first, and smallest, was paying $5M to GS without understanding what they were getting in return.

The second, and major mistake was doing an all-stock deal. Or else, in exchange for stock, they should have granted an exclusive license instead of selling the technology outright.

Frankly, I side with GS. They hired GS to make a deal and GS made a deal that they accepted. The fact that the deal turned out to be a bad one is not the fault of GS. That whole due diligence kerfuffle is what you, yourself, would call 20-20 hindsight.

My point: An existing product is a mostly sure thing and stock is a gamble. You don’t trade a sure thing for a gamble. You might trade a mostly sure thing for cash and a small wager.

Concluding: A better way to store password hashes?

There’s been a lot of discussion about hash collisions and birthday attacks in response to my previous post. If you have small children, you already know a birthday attack is a 140 decibel sonic weapon that spontaneously activates sometime between when cake is served and bedtime. In the course of discussing hashing algorithms however, a birthday attack is a whole different matter.


A better way to store password hashes?

Note to reader, this is the first of a two part series. You can find the second part here.

Ever get that dreadful feeling after doing a password reset, when a site kindly emails your password back to you in cleartext? Nothing is more exceedingly stupid than emailing a user their own password, and yet I encounter these sites with uninspiring regularity.

We all know passwords should be salted and hashed, with a hashing algorithm that runs relatively slowly on current generation hardware. Obvious choices are scrypt, bcrypt or PBKDF2, but this isn’t a religious debate on how to hash. What I’m interested in is, what do you do next?


“We found a Higgs boson”

I watched the CERN webcast live at 2:00am PST, but I’m still not sure what exactly to think about the discovery they announced, and the particle they are calling Higgs’.

We can say we found a Higgs boson, but not the Higgs boson.
Rolf Heuer, Director General, CERN

Physicists have been testing (and confirming) parameters of the Standard Model for more than three decades now. So hearing that CERN has finally found “a Higgs boson” is a little bit like NASA’s gravity probe experiment confirming Einstein’s general relativity; entirely unsurprising.
