Saturday, November 23, 2013

Twitter adds another layer of security to keep out the government snoops

Twitter has joined the likes of Google and Facebook by implementing "forward secrecy," a security property of its TLS deployment that will aid the effort to keep out government agencies like the NSA and GCHQ.

The social network says the added layer of security will prevent data intercepted by what it calls 'adversaries' (i.e. the governments) being decrypted.

Previously, an unwanted party who recorded this encrypted user data could decrypt it later if they also got hold of the long-term private key the website uses in its TLS handshake: with the old RSA key exchange, that single key unlocks the session key of every connection ever recorded.

Forward secrecy isn't a new technique, but it had rarely been implemented until recently. It takes the long-term key out of that role: each connection negotiates a fresh, random session key through an ephemeral Diffie-Hellman exchange, whose secret halves never travel across the network and are discarded when the session ends. The long-term key is used only to sign the exchange, so stealing it afterwards does not help decrypt recorded traffic.
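The difference described above, shown as an added example (this is not Twitter's code): a passive recorder who later obtains the server's private key recovers the session key of an RSA key-transport handshake but not of an ephemeral Diffie-Hellman one. The RSA key (p=61, q=53) and the DH group (the Mersenne prime 2^127-1 with generator 3) are deliberately toy parameters chosen so the arithmetic is readable; the signature is textbook RSA without padding. None of this is secure as written.

```python
import hashlib
import secrets

# Server's long-term RSA key. Textbook RSA with the classic toy primes 61 and 53
# (assumption for readability; a real key is 2048+ bits and uses padding).
RSA_N = 61 * 53            # 3233
RSA_E = 17
RSA_D = 2753               # 17 * 2753 = 46801 = 15 * 3120 + 1

# Ephemeral Diffie-Hellman group. A Mersenne prime is used only so the numbers
# stay small; real deployments use RFC 7919 groups or an elliptic curve.
DH_P = 2**127 - 1
DH_G = 3


def derive_key(secret: int, nbytes: int) -> str:
    """Stand-in for the TLS key schedule: hash the shared secret."""
    return hashlib.sha256(secret.to_bytes(nbytes, "big")).hexdigest()


def rsa_key_transport():
    """RSA key exchange (TLS_RSA_* suites): the client picks the premaster
    secret and sends it encrypted under the server's long-term public key."""
    premaster = secrets.randbelow(RSA_N - 2) + 2
    encrypted = pow(premaster, RSA_E, RSA_N)          # this is what goes on the wire
    session_key = derive_key(premaster, 2)
    transcript = {"encrypted_premaster": encrypted}   # what a passive recorder keeps
    return session_key, transcript


def attacker_with_long_term_key(transcript, d: int):
    """Adversary who recorded the transcript and later obtained the server's
    private exponent d: decrypts every recorded value and derives a key from each."""
    candidates = set()
    for value in transcript.values():
        candidates.add(derive_key(pow(value, d, RSA_N), 2))
    return candidates


def dhe_handshake():
    """Ephemeral DH: each side's exponent is generated per connection, never
    transmitted, and discarded afterwards. The long-term key only signs."""
    a = secrets.randbelow(DH_P - 2) + 1      # server ephemeral secret, stays local
    b = secrets.randbelow(DH_P - 2) + 1      # client ephemeral secret, stays local
    A = pow(DH_G, a, DH_P)                   # server share, sent in the clear
    B = pow(DH_G, b, DH_P)                   # client share, sent in the clear
    # Server authenticates its share with the long-term key (toy textbook signature).
    digest = int.from_bytes(hashlib.sha256(A.to_bytes(16, "big")).digest(), "big") % RSA_N
    signature = pow(digest, RSA_D, RSA_N)
    shared_server = pow(B, a, DH_P)
    shared_client = pow(A, b, DH_P)
    if shared_server != shared_client:
        raise RuntimeError("key agreement failed")
    session_key = derive_key(shared_server, 16)
    del a, b                                 # ephemerals are gone once the session is keyed
    transcript = {"server_share": A, "client_share": B, "signature": signature}
    return session_key, transcript


def verify_server_share(transcript) -> bool:
    """Client-side check of the server's signature with the public key."""
    A = transcript["server_share"]
    digest = int.from_bytes(hashlib.sha256(A.to_bytes(16, "big")).digest(), "big") % RSA_N
    return pow(transcript["signature"], RSA_E, RSA_N) == digest


if __name__ == "__main__":
    key, rec = rsa_key_transport()
    print("RSA transport, key recovered from recording:", key in attacker_with_long_term_key(rec, RSA_D))
    key, rec = dhe_handshake()
    print("DHE, server share authentic:", verify_server_share(rec))
    print("DHE, key recovered from recording:", key in attacker_with_long_term_key(rec, RSA_D))
```

In the DHE transcript the only things on the wire are the two public shares and a signature; recovering the session key from them means solving a discrete logarithm, and the stolen long-term key is no help with that (it would let the thief impersonate the server in future handshakes, which is a different attack). To check whether a live server negotiates an ephemeral suite, `openssl s_client -connect host:443 -cipher 'ECDHE:DHE'` only completes a TLS 1.2 handshake if the server offers one.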

Protecting voices

Twitter's use of Forward Secrecy comes after Google's implementation in 2011 and Facebook's in June of this year, following the Edward Snowden revelations.

"Security is an ever-changing world. Our work on deploying forward secrecy is just the latest way in which Twitter is trying to defend and protect the user's voice in that world," the company wrote on its official blog.

Interview: Mozilla's web security guru talks open source

Mozilla is about more than just web browsers - it's an organisation committed to making the web a better place for users. As part of this, it's funding development of a tool to help web developers make their sites more secure: the Zed Attack Proxy (or ZAP).

Our sister magazine Linux Format met lead developer and security campaigner Simon Bennets to talk about ZAP, Mozilla and black hats.

LXF: Can you tell us a little bit about how you started using open source software?

SB: I've been using open source for many years as a developer. I really like it, and I like the principles behind it, but I'd never had the opportunity to contribute to any. I'd tried to convince previous companies that some of our products should be open, but to no effect. Those are commercial decisions, which I typically don't get involved in. I wanted to have a project to work on, and I wanted to learn about security, so I decided to start work on ZAP, as it became. It all came from there, really.

LXF: And you're now working for Mozilla. What's the culture like?

SB: Completely bizarre. Really strange. I've come from a commercial background, and the discussions we have are completely different. You have discussions about whether you should have the discussions in public or not. It's all about what's best for the users - what's best for people who use the internet. It's a very accepting culture and it's a very supportive culture. It's all about doing the right thing, which is really nice to be part of.

LXF: Can you tell us a bit about ZAP. What's it for? Who is it aimed at?

SB: I'm trying to aim it at as wide an audience as possible. It's a tool for finding vulnerabilities in web applications. It's used by security teams - professional penetration testers - but my focus is to get developers, functional testers and quality assurance using it because I think it's important that they understand security.

I believe that you can't create secure web applications unless you have some understanding of web application security. This is a way of understanding that. It allows you to hack your own web applications and get some understanding of what the bad guys are going to do.

LXF: What's the thing that's surprised you most about working on an open source project?

SB: I suppose the willingness of people to help. I wanted ZAP to be a community project because I think the strength of open source comes from when anyone can contribute. It's been great getting people involved, people helping out and people doing some really great work. Dealing with the people has been a real pleasure.

LXF: How many contributors are there?

SB: Quite a lot. We have a list of credits on the website that's included with ZAP as well. There are 30 or 40 names on there. About half a dozen contribute code regularly, and some people as and when. It is a community project, so I want people to get involved.

We're very supportive of new people, so whether you're a developer who wants to learn about security or an expert in security who wants to learn more, then we're happy to help you. I'm happy to spend an hour helping someone do something that would take me 20 minutes to do myself, because that means that the person can do more in the future.

Mozilla is diversifying into mobile

LXF: Are there any skills shortages you've found in the open source community?

SB: Documentation! I haven't found a shortage of security skills; surprisingly. ZAP has taken off in the security community, so there's people working on ZAP that know a lot more about security than I do. I'm still learning. I guess we all are!

I suppose there's less of a testing background, but Björn Kimminich has just joined the team and he's from a QA background. He pointed out that there aren't many ZAP regression tests. He's right, and he's started writing them. So we're finally getting some unit tests, which I'd been meaning to do for some time. We could use more people working on the tests, working on the documentation and working on it generally, but that's always the case.

LXF: If there was one piece of advice for people to develop secure web apps, what would it be?

SB: Start learning about security. If you don't know anything about security, you can't build secure web apps. Something like the Open Web Application Security Project (OWASP) top ten risks to web applications is a great place to start. You can start learning about cross-site request forgeries and things like that, which a lot of developers don't know about.

LXF: How do you deal with the issue that ZAP will be used by some bad guys?

SB: That was something I worried about before releasing ZAP. The justification I've got, and the one I still think is valid, is that the bad guys already know how to do all this. The bad guys know the techniques, and they've got their own tools.

A lot of it is knowledge - the bad guys have it and the good guys don't - so I'm aiming this at the good guys. I'm trying to make it as easy as possible with things like integrating ZAP in a continuous integration environment - things that the bad guys aren't interested in. We focus on things that the good guys can use, and it's levelling the playing field to give them a fighting chance.

LXF: Have you made any design decisions that make it harder for black hats to use?

SB: There are certain things that people have asked for that I don't really want to develop - other people can develop them - so there are definitely things that I can think of (which I won't mention) that I would not be comfortable implementing. But in the end, the bad guys will have the tools, and they will use them to attack your web applications. They're attacking your web applications right now.
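The interview names cross-site request forgery as the kind of OWASP Top Ten issue many developers have not met. Below is an added illustration of it, written for this page and not taken from ZAP or Mozilla: a vulnerable state-changing handler beside one protected by a synchronizer token, with a constructed scenario in which a page on an attacker's origin auto-submits a form while the victim is logged in. The session store, request dicts and `SERVER_SECRET` are assumptions standing in for a real web framework.

```python
import hashlib
import hmac
import secrets

# Per-deployment secret used to bind tokens to sessions (assumption: in a real
# app this comes from configuration, not from generation at import time).
SERVER_SECRET = secrets.token_bytes(32)


def new_session(user: str) -> dict:
    """Simulated server-side session; the browser holds only the id in a cookie."""
    return {"user": user, "sid": secrets.token_hex(16)}


def csrf_token(session: dict) -> str:
    """Synchronizer token derived from the session id: unique per session and
    unguessable by a site that has never seen this session's pages."""
    return hmac.new(SERVER_SECRET, session["sid"].encode(), hashlib.sha256).hexdigest()


def transfer_unsafe(session, form: dict) -> str:
    """Vulnerable handler: the browser attaches the session cookie to any POST,
    including one auto-submitted by an attacker's page, so the cookie alone
    says nothing about where the request originated."""
    if session is None:
        return "login required"
    return f"sent {form['amount']} to {form['to']}"


def transfer_safe(session, form: dict) -> str:
    """Hardened handler: additionally requires the per-session token, which the
    attacker's origin cannot read because of the same-origin policy. The
    comparison is constant-time so the token cannot be guessed byte by byte."""
    if session is None:
        return "login required"
    supplied = form.get("csrf_token", "")
    if not hmac.compare_digest(supplied, csrf_token(session)):
        return "rejected: missing or invalid CSRF token"
    return f"sent {form['amount']} to {form['to']}"


def simulate_attack(handler) -> str:
    """Constructed scenario: the victim is logged in, and a page on the
    attacker's origin auto-submits a transfer form to the bank. The browser
    sends the victim's cookie, but the form carries no token."""
    victim = new_session("alice")
    forged_form = {"to": "mallory", "amount": "1000"}   # no csrf_token field
    return handler(victim, forged_form)


def simulate_legitimate(handler) -> str:
    """The bank's own form embeds the token in a hidden field."""
    alice = new_session("alice")
    form = {"to": "bob", "amount": "20", "csrf_token": csrf_token(alice)}
    return handler(alice, form)


if __name__ == "__main__":
    print("unsafe handler, forged request:", simulate_attack(transfer_unsafe))
    print("safe handler, forged request:  ", simulate_attack(transfer_safe))
    print("safe handler, real request:    ", simulate_legitimate(transfer_safe))
```

The token must be tied to the session (here via an HMAC over the session id) rather than being a fixed site-wide value; otherwise an attacker who registers their own account can read their token and replay it against other users.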

Instagram to become IM-stagram with new instant messaging feature?

Instagram has become a household name thanks to its filter-friendly photo and video sharing tools, but the Facebook-owned company reportedly has no plans to stop there.

Sources within the company have told Gigaom that the next version of the app will feature a private instant messaging feature that will allow users to converse beyond the current commenting mechanism.

The feature is likely to be integrated into an update before the end of the year, according to the "well-placed sources," and could even enable group messaging, which the site has reportedly experimented with.

Integrating messaging could give the photo sharing network a shot at competing with apps like Snapchat, which are proving popular with the younger sectors of Instagram's audience.

The Snapchat effect

Indeed, Facebook itself reportedly attempted to buy Snapchat for $3 billion recently amid a significant surge in its popularity, so may be operating under an 'if you can't beat 'em or buy 'em, join 'em' strategy.

An Instagram spokesperson declined to comment on the report.

Is instant messaging to 2014 what filtered photos were to 2013? Would you welcome IM within Instagram? Let us know in the comments section below.

BBC iPlayer available on day one for Sony PS4 buyers, unlike Xbox One

The Sony PS4 console will arrive in the UK packing the BBC iPlayer app when it goes on sale next Friday 29 November, reports have confirmed.

The Sixth Axis website, which has a pre-release PS4 console, says the iPlayer, BBC Sport, IGN and Demand 5 apps have already shown up on the console.

The site said there's no sign of Netflix, Lovefilm, 4oD, Blinkbox and NowTV, but there's a chance those apps will arrive in the week leading up to the console going on sale.

With iPlayer on board on day one, Sony can claim a minor victory over the Xbox One, with the BBC still in the process of developing its version of the on-demand portal for Microsoft's new console.

No Auntie

The Xbox One went on sale in the UK today without Auntie's app, but with 4oD, Netflix, Lovefilm and Demand 5 all on board the console.

Currently Sky says it has no immediate plans to bring Sky Go to the next-gen consoles, but the company is likely to roll out the on-demand portal to the Xbox One sometime next year. Now TV will arrive on the Xbox One next summer.

Does the presence of the iPlayer affect which console you'd prefer to have in your living room? Let us know your thoughts in the comments section below.
