Root - rdist.root.org - root labs rdist
General Information:
Latest News:
Keeping skills current in a changing world 6 May 2013 | 11:00 pm
I came across this article on how older tech workers are having trouble finding work. I’m sure many others have written about whether this is true, whose fault it is, and whether H1B visas should be i...
History of memory corruption vulnerabilities and exploits 28 Jan 2013 | 06:12 pm
I came across a great paper, “Memory Errors: The Past, the Present, and the Future” by van der Veen et al. The authors cover the history of memory corruption errors as well as exploitation and counter...
Has HTML5 made us more secure? 4 Dec 2012 | 05:19 pm
Brad Hill recently wrote an article claiming that HTML5 has made us more secure, not less. His essential claim is that over the last 10 years, browsers have become more secure. He compares IE6, Active...
Toggl time-tracking service failures 7 Sep 2012 | 11:33 pm
A while ago, we investigated using various time-tracking services. Making this quick and easy for employees is helpful in a consulting company. Our experience with one service should serve as a cautio...
Cyber-weapon authors catch up on blog reading 15 Aug 2012 | 04:51 am
One of the more popular posts on this blog was the one pointing out how Stuxnet was unsophisticated. Its use of traditional malware methods and lack of protection for the payload indicated that the au...
RSA repeats earlier claims, but louder 29 Jun 2012 | 09:13 pm
Sam Curry of RSA was nice enough to respond to my post. Here’s a few points that jumped out at me from what he wrote: RSA is in the process of fixing the downgrade attack that allows an attacker to c...
Why RSA is misleading about SecurID vulnerability 28 Jun 2012 | 09:01 pm
There’s an extensive rebuttal RSA wrote in response to a paper showing that their SecurID 800 token has a crypto vulnerability. It’s interesting how RSA’s response walks around the research without di...
SSL optimization and security talk 28 Feb 2012 | 04:12 am
I gave a talk at Cal Poly on recently proposed changes to SSL. I covered False Start and Snap Start, both designed by Google engineer Adam Langley. Snap Start has been withdrawn, but there are some in...
Why stream ciphers shouldn’t be used for hashing 1 Feb 2012 | 08:48 am
I recently saw a blog post that discussed using RC4 as an ad-hoc hash in order to show why CBC mode is better than ECB. While the author’s example is merely an attempt to create a graphic, it reminded...
More on the evolution of password security 19 Jan 2012 | 03:22 am
Last time, we covered three factors that affect actual security of a password: Entropy — How many possibilities does the attacker need to consider? Guess rate — How quickly can the attacker try gues...
