Shostack + Friends Blog Archive


Small Bits of Chaos: Passwords, Metrics, Self-Awareness, Mozilla

Bruce Schneier has a nice article on the risks of e-commerce sites that make you establish an account, rather than just giving them money.

Pete Lindstrom has an article in Information Security magazine about security metrics.

Roger McNamee has an insightful post at his new blog about the importance of self-awareness generally. It’s especially applicable to entrepreneurs, who are often required to operate outside the bounds of their experience or skills. Knowing that you’re doing that, and getting the right advice is very important. (Hi Roger!)

People have been congratulating Mozilla for patching the IDN vulnerability in 12 hours. However, what’s gotten a lot less press is that Mozilla hasn’t released a 1.01 for this, just added a fix to the nightly builds. I hadn’t noticed that until Mort mentioned it to me. Would you congratulate Microsoft for releasing a new beta IE and saying ‘problem solved?’ The Firefox folks ought to backport the patch to 1.0, and release 1.01. The main use case that’s driving conversion is security, and they’re not doing the right thing for the security of their users.

2 comments on "Small Bits of Chaos: Passwords, Metrics, Self-Awareness, Mozilla"

  • Hmm. Maybe it’s just me, but I was a bit underwhelmed by the security metrics article – the concept seemed a bit dated, by no means an eye-opener.

  • adam says:

    I think metrics driven approaches are rare enough in the popular security press that it deserved a mention. The usual article seems to be “rah rah, you need product category X. We reviewed 9 of them…”
