<span style="font-weight: bold;">X de Xavier</span><br />Ones and zeros. Sometimes, in the right order.<br />Author: <a href="http://www.blogger.com/profile/12954073038736466058">-Xv</a> (feed last updated 2024-03-13)<br /><br /><span style="font-weight: bold;">Certificate-based logon to zOS</span> (2008-11-19)<br />DCAS (zOS Communications Server's <span style="font-weight: bold;">Digital Certificate Access Server</span>) has come to my rescue. <a href="http://publib.boulder.ibm.com/infocenter/zos/v1r9/index.jsp?topic=/com.ibm.zos.r9.halg001/f1a1f230282.htm">From the docs</a>:<br /><br /><blockquote>The DCAS can be used by providers of logon and single sign-on services where access to z/OS-based applications is needed. The DCAS is a TCP/IP server that enables clients to connect over the network and obtain a passticket and z/OS user ID from RACF.<br /><br />Clients that connect to DCAS must use the SSL protocol (DCAS supports SSL Version 3). Client authentication is performed.<br /><br />Clients can request a user ID and passticket for an application. The client sends an x.509 certificate. DCAS converts the x.509 certificate to a valid user ID, which is returned. The x.509 certificate must have been mapped to a valid user ID in RACF</blockquote>It's the second time in a few months that DCAS is the solution to the problem that I'm working on; unfortunately, I had forgotten about the first time, so it has taken me a while to get rescued. Not a complete waste of time: I learned a few things about PKI and RACF.<br /><br />The first time it was about a service to generate passtickets (strings that can be used as passwords for a short while). Despite my recommendation, the customer's choice was to not use DCAS and code it from scratch; go figure.<br /><br />Now it is about authenticating to RACF from an application that uses a smartcard reader.
I'm looking forward to coding the smartcard-based RACF logon, since working with smartcards has been on my wish list for a very long time.<br /><br />And since Google and DCAS don't seem to be big friends, I'm posting this.<br />-Xv<br /><br /><span style="font-weight: bold;">sprintf_s() is not snprintf()</span> (2008-09-27)<br />You are compiling some legacy code with Microsoft Visual Studio. You get a warning telling you<br /><span style="font-style: italic;">warning C4996: 'sprintf': This function or variable may be unsafe. Consider using sprintf_s instead</span>.<br />Of course! So you just change that dangerous <span style="font-weight: bold;">sprintf()</span> for a <span style="font-weight: bold;">sprintf_s()</span>. The IDE tells you about an additional buffer size parameter, so you may wrongly end up thinking that you are getting the equivalent of Unix's <span style="font-weight: bold;">snprintf()</span> or the old MSVC <span style="font-weight: bold;">_snprintf()</span>.<br /><br />Nope. If you read the <a href="http://msdn.microsoft.com/en-us/library/ce3zzk1k%28VS.80%29.aspx">docs</a>, you'll learn that <span style="font-weight: bold;">sprintf_s()</span> does not truncate the string; instead it invokes the run-time invalid parameter handler, which usually terminates the program.
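The difference is easiest to see side by side. The following C program is an added example, not code from this post or from Microsoft's CRT: <code>format_truncating</code> wraps <code>vsnprintf</code> and turns the return value into an explicit "truncated" status (the check that snprintf callers tend to forget), while <code>format_strict</code> is a portable emulation of the sprintf_s behaviour the docs describe (buffer set to an empty string, invalid parameter handler invoked, -1 returned). The counting handler is an assumption that stands in for the CRT's default handler, so that the program can show the outcome instead of aborting; all function and handler names are mine.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Outcome of formatting into a fixed-size buffer. */
enum fmt_status { FMT_OK = 0, FMT_TRUNCATED = 1, FMT_ERROR = 2 };

/* snprintf-style formatting: the output is always NUL-terminated and
 * silently cut to fit. The only sign of the cut is the return value of
 * vsnprintf (the length the full output would have had), which legacy
 * code rarely checks; this wrapper turns it into an explicit status. */
enum fmt_status format_truncating(char *buf, size_t size, const char *fmt, ...)
{
    va_list ap;
    int needed;

    if (buf == NULL || size == 0)
        return FMT_ERROR;
    va_start(ap, fmt);
    needed = vsnprintf(buf, size, fmt, ap);
    va_end(ap);
    if (needed < 0)
        return FMT_ERROR;
    return ((size_t)needed >= size) ? FMT_TRUNCATED : FMT_OK;
}

/* Counter standing in for Microsoft's invalid parameter handler, so the
 * behaviour can be observed without terminating the process (assumption:
 * modeled on the documented semantics, not Microsoft's code). */
static int invalid_parameter_calls = 0;

static void invalid_parameter_handler(const char *what)
{
    invalid_parameter_calls++;
    fprintf(stderr, "invalid parameter: %s\n", what);
}

/* sprintf_s-style formatting (emulated): when the formatted text does not
 * fit, no truncated text is kept, the buffer becomes an empty string, the
 * invalid parameter handler runs and -1 is returned. With the real CRT the
 * default handler terminates the program, so -1 is only ever seen when a
 * custom handler is installed. On success the character count is returned. */
int format_strict(char *buf, size_t size, const char *fmt, ...)
{
    va_list ap;
    int needed;

    if (buf == NULL || size == 0) {
        invalid_parameter_handler("null or empty destination buffer");
        return -1;
    }
    va_start(ap, fmt);
    needed = vsnprintf(buf, size, fmt, ap);
    va_end(ap);
    if (needed < 0 || (size_t)needed >= size) {
        buf[0] = '\0';
        invalid_parameter_handler("buffer too small for formatted output");
        return -1;
    }
    return needed;
}

/* Stand-alone demonstration with a constructed 8-byte buffer. */
int main(void)
{
    char buf[8];
    enum fmt_status st = format_truncating(buf, sizeof buf, "%s", "hello world");
    printf("truncating: status %d, buffer \"%s\"\n", (int)st, buf);

    int r = format_strict(buf, sizeof buf, "%s", "hello world");
    printf("strict: result %d, buffer \"%s\", handler calls %d\n",
           r, buf, invalid_parameter_calls);
    return 0;
}
```

Both functions avoid the overflow that plain sprintf allows; the point is that the snprintf flavour still hands the caller a truncated string unless the return value is inspected, while the sprintf_s flavour turns a too-small buffer into a hard failure.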
Far better than letting a buffer overflow happen, but maybe not what you were expecting.<br />-Xv<br /><br /><span style="font-weight: bold;">My bank's money and my identity</span> (2008-09-01)<br />Hilarious and insightful <a href="http://www.youtube.com/watch?v=CS9ptA3Ya9E">radio sketch</a> (2 minutes) by <a href="http://en.wikipedia.org/wiki/Mitchell_and_Webb">Mitchell and Webb</a> on <a href="http://iandavis.com/blog/2008/04/identity-theft-its-not-your-problem">identity theft</a>.<br />via <a href="http://www.schneier.com/crypto-gram-0808.html">Bruce Schneier's Crypto-Gram</a><br />-Xv<br /><br /><span style="font-weight: bold;">Children are viruses</span> (2008-05-15)<br /><blockquote>I'd love to run without anti-virus and anti-spyware, but children (especially teenagers) are incredibly adept at filling any PC with trojans and viruses in a matter of minutes. They even know how to bypass most internet filter software. I sometimes think children are viruses!</blockquote><br />Seen in <a href="http://pages.citebite.com/k5h0f1x6kybq">a comment</a> on a <a href="http://www.codinghorror.com/blog/archives/000803.html">Coding Horror post about the performance hit of antivirus software</a> (<span style="font-style: italic;">what we really need is Anti-Anti-Virus software to keep us safe from the ongoing Anti-Virus software pandemic</span>).<br /><br /><a href="http://myappsecurity.blogspot.com/2007/04/reflection-on-ory-segal.html">Ory Segal</a> (an IBMer after <a href="http://www.watchfire.com/">Watchfire</a>'s acquisition) also <a href="http://blog.watchfire.com/wfblog/2008/01/celebrating-20.html">"celebrates" 20 years of anti-virus software</a>.<br />-Xv<br /><br /><span style="font-weight: bold;">A simple way to manage Firefox privileges</span> (2008-04-15)<br />If you are familiar with the 'enhanced abilities' Firefox security prompt, and you ever clicked on the 'Remember this decision' check box<br /><a href="http://bp3.blogger.com/_T679aggANRU/SAUV47MdTXI/AAAAAAAAAEE/btI4u5w6n4I/s1600-h/securityprompt.png"><img src="http://bp3.blogger.com/_T679aggANRU/SAUV47MdTXI/AAAAAAAAAEE/btI4u5w6n4I/s400/securityprompt.png" alt="Firefox security prompt" /></a><br />you may want to check <a href="http://firefoxprivileges.tiddlyspot.com/">http://firefoxprivileges.tiddlyspot.com</a>.<br /><br />When this prompt appears as a result of loading a file from your hard drive, you may not be aware of the exact meaning of the 'Remember this decision' check box.
While you probably mean "I trust this file and I don't want you to annoy me anymore", Firefox understands "I trust every html file loaded from the hard drive". This broad trust is not a good idea from the security point of view.<br /><br />This tool lets you easily cancel the effects of "remember this" and tell Firefox that you only trust some specific files (<a href="http://www.mozilla.org/projects/security/components/per-file.html">per-file permissions</a>). Before hacking it, I used to have to mess with the <a href="http://kb.mozillazine.org/User.js_file">user.js</a> file, which is much less convenient.<br /><br />The tool is implemented as a TiddlyWiki plugin. If you are not familiar with <a href="http://firefoxprivileges.tiddlyspot.com/#TiddlyWiki">TiddlyWiki</a>s (super cool wikis in a single file), this is a good chance to get to know them.<br /><br /><span style="font-weight: bold;">Edit:</span><br /><span style="font-size:78%;">Some strings to make this post googleable for the right people:<br />UniversalXPConnect UniversalBrowserRead UniversalBrowserWrite UniversalFileRead CapabilityPreferencesAccess UniversalPreferencesRead UniversalPreferencesWrite<br />netscape.security.PrivilegeManager.enablePrivilege signed.applets.codebase_principal_support</span><br />-Xv<br /><br /><span style="font-weight: bold;">Botnets, supervillains and flying monkeys</span> (2007-10-15)<br />The idea of millions of infected computers waiting for a supervillain to tell them what to do is, at the very least, disturbing.
If you want to learn more about the Storm Worm <a href="http://en.wikipedia.org/wiki/Botnet">botnet</a>, go read the <a href="http://www.schneier.com/crypto-gram-0710.html#1">excellent article in Bruce Schneier's Crypto-Gram</a>.<br /><br />Fortunately, reading about <a href="http://www.derangedsecurity.com/">DEranged Security</a>'s <a href="http://www.derangedsecurity.com/airport-fun-and-bluetooth-security">very fun Bluetooth social-engineering experiment</a> changed my worrisome mood. This <a href="http://xkcd.com/327/">xkcd strip about Bobby Tables</a> helped too (geek humor warning for this link).<br />-Xv<br /><br /><span style="font-weight: bold;">You brought your hand near my crotch and I didn't like it</span> (2007-08-17)<br /><a href="http://www.designagainstcrime.com/web/stopthief.htm" title="Stop Thief! Ply Chair, from the Smart Antitheft Furniture Range"><img src="http://www.designagainstcrime.com/web/img/chair.jpg" alt="Stop Thief! Ply Chair, from the Smart Antitheft Furniture Range" /></a><br />A <a href="http://www.designagainstcrime.com/web/stopthief.htm">simple and brilliant idea for hanging bags in public places</a>.
And although it dates from 2000 and <a href="http://moma.org/collection/browse_results.php?criteria=O%3AAD%3AE%3A27776&page_number=1&template_id=1&sort_order=1">is in the MoMA</a>, I have not seen anything like it anywhere.<br /><br />via <a href="http://www.schneier.com/crypto-gram-0708.html#4">Bruce Schneier's Crypto-Gram</a>, which linked to a <a href="http://news.bbc.co.uk/1/hi/uk/6940485.stm">BBC news story</a>.<br />-Xv<br /><br /><span style="font-weight: bold;">SendTo Clipboard coolness (TiddlyWiki links to your files)</span> (2007-08-04)<br />The SendTo folder is a simple and powerful tool to customize Windows Explorer and simplify some recurring tasks. If you often want to link to files on your PC from your TiddlyWikis, you'll like this hack. It creates two new items in the "Send To" menu:<br /><ul><li><span style="font-family:courier new;">clipboard - file url</span>: Copies to the clipboard the file: url of the file or folder that was showing the "Send To" menu</li><li><span style="font-family:courier new;">clipboard - new tiddler javascript url</span>: Copies to the clipboard a javascript: url that, when pasted into the address bar of a Firefox tab showing a TiddlyWiki, will create a tiddler with the contents of the file that was showing the "Send To" menu</li></ul><br />You can jump in and just download and run the thing, <a href="http://xdexavier.googlepages.com/path2twlink.hta">a small .hta file</a>, or spend less than three minutes watching it in action in one of the lamest screencasts ever:<br /><span style="font-size:78%;"><a href="http://vimeo.com/261215">SendTo Clipboard Screencast</a> from <a href="http://vimeo.com/xdexavier">Xavier Vergés</a> and <a href="http://vimeo.com/">Vimeo</a></span><br /><br /><span style="font-weight: bold;">Using it</span><br /><ul><li>Just download the .hta file and open it. No, wait! Never open .hta files unless you trust their author or you have taken a look at the code.</li><li>Provided that you trust me or that you have checked the code, you can now open it. Maybe a double click will be enough (your Windows associates .hta files with <span style="font-family:courier new;">mshta.exe</span>, a version of IE with high security privileges on your machine). Maybe you need to use the command line and type <span style="font-family:courier new;">mshta path2twlink.hta</span>.</li><li>Follow the simple steps described in the .hta file, and you can start using your shiny new Send To menu items.</li><li>You are expected to edit the file to customize what gets copied into the clipboard. It should be easy. You may get ideas to push the sendto+clipboard+javascript urls concept further; adding them to the tool should not be too hard.</li><li>You are also expected to do some dancing, since this is <a href="http://xdexavier.blogspot.com/2007/08/upcoming-dancelikematthardingware-half.html">DanceLikeMattHardingWare</a>.</li></ul><span style="font-weight: bold;">Lessons learned while hacking</span><br /><ul><li>I initially wanted to use just a .js file. Getting access to the clipboard from a .js file is hard, so I went for an .hta. It turned out to be a good thing, because it ended up providing a way to spare users the trouble of creating the shortcuts by hand, and to spare me the trouble of documenting the recipe.</li><li>The problem with using an .hta file is that I found no way to keep it invisible, that it has an unusual way to receive its params, and that I had to warn you about its dangerousness.</li><li>I think that I've spent more time recording the lousy screencast and comparing video hosting services than coding. The number of times that I re-recorded the #@%! thing will remain undisclosed; I have my pride. Regarding the hosting services, after reading <a href="http://pascal.vanhecke.info/2006/10/31/screencasting-online-video-sharing-sites-compared-2">about</a> <a href="http://209.85.135.104/search?q=cache:a5H_UzfisBsJ:www.gnurou.org/blog/gnurou/2007/07/30/comparing_google_video_vimeo_and_blip_tv&hl=en&ct=clnk&cd=10" title="sorry, cached version">them</a>, I posted the video to <a href="http://video.google.es/videoplay?docid=1620076739328504497">google</a>, <a href="http://blip.tv/file/327653/">blip.tv</a> and <a href="http://www.vimeo.com/261215">vimeo</a>. <del><br />I still have no winner, but Google's video quality was awful, so I had to drop it despite its super cool feature of letting you link to a specific point of the video.</del> <span style="font-weight: bold;">Update</span>: looks like the winner is <a href="http://viddler.com">http://viddler.com</a>: links, comments and tags on specific points of the video, plus the best player of all (in full screen mode, showing the original size, the quality was just perfect): <a href="http://www.viddler.com/explore/xdexavier/videos/1">http://www.viddler.com/explore/xdexavier/videos/1</a><br /></li></ul>-Xv<br /><br /><span style="font-weight: bold;">Is your router yours?</span> (2007-03-15)<br />Your ADSL arrived and, like a kid with new shoes, you started browsing right away. In the rush, you didn't bother to change the password of your brand-new router, which is the same one that every router from the same manufacturer starts out with. Bad idea.<br /><br />It turns out that the bad guys also know that your router's password is '1234', and that they have ways to connect to your router from a page you are viewing in your browser; you didn't have to download anything, and you got no warning. And if they connect to your router, they can arrange things so that when you and your browser believe you are visiting banco_tio_gilito.com you are really at cueva_de_ladrones.net. This is called 'Drive-By Pharming' and uses a technique called 'Cross Site Request Forgery' (I won't be the one to dare translating that into something understandable...).
More info at <a href="http://www.schneier.com/blog/archives/2007/02/driveby_pharmin.html">http://www.schneier.com/blog/archives/2007/02/driveby_pharmin.html</a>.<br /><br />The excitement of the new router has worn off: time to change its password.<br />-Xv<br /><br /><span style="font-weight: bold;">Intro to security on z/OS</span> (2007-02-15)<br />I've just read a good article from the <a href="http://www.research.ibm.com/journal/">IBM Systems Journal</a>: <a href="http://www.research.ibm.com/journal/sj/403/guski.html">Security on z/OS: Comprehensive, current, and flexible</a>. About 20 printed pages, from 2001, and written "<span style="font-style: italic;">at a high level, aimed at enterprise decision makers and application architects. The intent is to explain the comprehensive security componentry within z/OS and to show how these techniques and functions are exploited by modern distributed and Internet applications</span>".<br /><br />This is not mentioned in the article, but one thing that in the past has made me feel uneasy about z/OS security was the limited maximum password length (8 chars), giving a very small password space by today's computing standards.
No need to be concerned about this anymore: <a href="http://www.ibm.com/common/ssi/fcgi-bin/ssialias?infotype=an&subtype=ca&appname=Demonstration&htmlfid=897/ENUS206-190">z/OS V1.8</a> supports <a href="http://pages.citebite.com/a1k0t8o2b8yha">RACF pass phrases from 14 to 100 characters in length</a>.<br /><br />I learned some neat things about the z/OS security capabilities that, as far as I know, are not available in other operating systems, e.g.<br /><ul><li><a href="http://pages.citebite.com/i1y0e8q3q0sgf">access control can be made dependent on time</a>.</li><li>great separation of roles: <a href="http://pages.citebite.com/l1q0x8p2k9bps">admins can administer resources without having access to them</a>, or <a href="http://pages.citebite.com/u1y0v8m3w1lun">admins cannot prevent the auditor from auditing them, while the auditors cannot authorize themselves to resources</a> (<span style="font-weight: bold;">Update:</span> <a href="http://ktn.blogsome.com/">César Gustavo Miramontes</a>, <a href="http://ktn.blogsome.com/category/domino/">Domino</a> for <a href="http://ktn.blogsome.com/category/iseries/">iSeries</a> wizard, pointed out to me that iSeries also has this capability).</li></ul>The article mentions that the SSL performance has dramatically increased: from 13 SSL handshakes per second in 1998 to 2,000 in 2001. Likely to be old data, but this <a href="http://pages.citebite.com/b1p0m8l3k4lug">talks about 11,000 SSL handshakes/second</a>.<br /><br />Another introductory article that I liked is <a href="http://www.bcr.com/architecture/intranets/ensuring_security_ibm_mainframes_200604011169.htm">Ensuring Security On IBM Mainframes</a>.
Shorter (10 pages), but it was useful for me to get a basic understanding of RACF classes and profiles.<br /><br />More <a href="http://www.ibm.com/common/ssi/rep_ca/8/897/ENUS207-018/#Security">security-related goodies coming with z/OS v1.9</a>; closest to what is keeping me busy today are support for <a href="http://en.wikipedia.org/wiki/PKCS11">PKCS#11</a> and a Java API for RACF administration.<br />-Xv<br /><br /><span style="font-weight: bold;">My browser, my rules, my chrome</span> (2007-01-09)<br /><span style="font-weight: bold;">Summary:</span> there are times when Firefox security gets in your way. Having a directory where you can place xul, html and scripts to run with chrome privileges enables you to shoot yourself in the foot and to create nice and handy hacks.<br /><br /><span style="font-weight: bold;">The itch that called for scratching:</span> I wanted to hack something to let me upload several files at once to <a href="http://googlepages.com/">googlepages</a> [1]. The problem is that, for very good reasons, you cannot use JavaScript to change the value of input fields of type file: you usually don't want scripts reading files on your disk. So, a bookmarklet, which to the browser looks as if it were part of the page, wouldn't cut it. Greasemonkey userscripts do <a href="http://diveintogreasemonkey.org/etech2006/#slide31">run sandboxed, but not under chrome privilege</a> [2], so I did not try that.
I tried to give the page <a href="http://citebite.com/q6m6j4u5uvqh">UniversalFileRead privilege</a> [3][4], but failed.<br /><br /><span style="font-weight: bold;">A chrome folder.</span> From <a href="http://xulblog.de/xul/archives/7-Under-chromes-influence.html">Under chrome's influence</a>, slightly modified,<br /><blockquote><br />In the browser's installation directory, create a new file <code>chrome/mychrome.manifest</code> and put a single line into it:<br /><pre>content mychrome file:///D:/whatever/mychrome/<br /></pre>Note that the trailing slash is significant. Then create the file <code>D:\whatever\mychrome\hello.txt</code> and add some text:<br /><pre>hello world!<br /></pre>After a complete restart of your browser, you can open that file using <code>chrome://mychrome/content/hello.txt</code>.<br /></blockquote>You need to keep in mind that chrome is cached, so you may not see the changes you make immediately. Setting <a href="http://kb.mozillazine.org/Nglayout.debug.disable_xul_cache"><code>nglayout.debug.disable_xul_cache</code></a> to <code>true</code> [5], or the <a href="http://ted.mielczarek.org/code/mozilla/extensiondev/">Extension Developer's Extension</a>'s ability to reload chrome without restarting the browser, are helpful here.<br /><br /><span style="font-weight: bold;">Future plans:</span><br /><ul><li>the bulk upload to googlepages is working nicely; it needs some documentation before I upload it.</li><li>I want to have a browser window with chrome privileges so that I have more freedom in what I can do with some file: urls. Specifically<ul><li>have known tiddlywikis granted <code>UniversalXPConnect</code> privilege <a href="http://groups-beta.google.com/group/TiddlyWikiDev/browse_frm/thread/5a8ddb015a6e738/97a25887d760a7d3?hl=en#97a25887d760a7d3">without having to grant it to everything from file:</a> and without having to mess with the <code>capability.principal.codebase</code> annoyance.</li><li>have local files use a script loaded from the web, or have a remote file load a script from my disk, so that I don't have to upload files while writing/debugging javascript.</li></ul></li></ul><span style="font-weight: bold;">Footnotes:</span><br /><span style="font-size:85%;"><span style="font-weight: bold;">[1]</span> googlepages: yeah, I know, I'm cheap!<br /><span style="font-weight: bold;">[2]</span> Mark Pilgrim's slides on sandboxing greasemonkey have a wonderful <a href="http://diveintogreasemonkey.org/etech2006/#slide10">"how to become an expert" detour</a>. Don't miss it.<br />And, just in case you are a powerpoint author, consider <a href="http://meyerweb.com/eric/tools/s5/">S5</a> (a Simple Standards-Based Slide Show System), the tool used for Mark's slides.<br /><span style="font-weight: bold;">[3]</span> UniversalFileRead: I added to my <a href="http://kb.mozillazine.org/User.js_file">user.js</a><br /><pre>user_pref("capability.principal.codebase.googlepages1.granted", "UniversalFileRead");<br />user_pref("capability.principal.codebase.googlepages1.id", "http://pages.google.com/");<br /></pre>but still got a security exception.<br /><span style="font-weight: bold;">[4]</span> Highlighted link thanks to <a href="http://citebite.com/">http://citebite.com</a>.<br /><span style="font-weight: bold;">[5]</span> <code>nglayout.debug.disable_xul_cache</code>: I haven't tried it. As I write this, I realize that my <code>user.js</code> sets it to <code>true</code> while my <code>prefs.js</code> ignores it and keeps it at <code>false</code>. <del>I'm clueless here.</del> <span style="font-weight: bold;">Update:</span> A ";" was missing at the end of its user_pref line. Life is much better with this setting enabled!<br /></span>-Xv<br /><br /><span style="font-weight: bold;">Corporate irresponsibility</span> (2006-12-23)<br />I'm not writing about planting trees, or not polluting, or integrating into local communities, or... My topic is much more prosaic: it is not right for Google to ask users of <a href="https://www.google.com/analytics">Google Analytics</a> to type their user ID and password into a page without https. It is not enough that the credentials travel securely because an https iframe is used to transmit them.<br /><br />Nobody should type their password without seeing a little padlock in their browser.<br />Nobody, and even less so Google, should ask users to do it.<br />-Xv<br /><br /><span style="font-weight: bold;">My story about you</span> (2006-12-19)<br />From Bob Blakley's <a href="http://notabob.blogspot.com/2006/01/on-absurdity-of-owning-ones-identity.html">On The Absurdity of "Owning One's Identity"</a>:<br /><blockquote><br />There are lots of versions of your identity out there, but we'll lump them into two broad categories: <span style="font-weight: bold;">your reputation</span> (the story others tell about you), and <span style="font-weight: bold;">your self-image</span> (the story you tell about yourself).<br />(...)<br />Your reputation is my story about you. You can't own this by definition; as soon as you own it, it's no longer my story about you; it instantly becomes an autobiography instead of a reputation.<br />(...)<br />In principle, controlling the information that makes up your self-image seems easy - you just choose what you tell to whom, and under what conditions. (...) You value your privacy, of course, but you also value other things, like the ability to get a credit card and the ability to travel on airplanes. (...) You have a choice between getting a credit and controlling information about yourself - if you want the credit, you have to give up information somebody else chooses, and you have to do it on somebody else's terms.<br /></blockquote><br />I learned about <a href="http://notabob.blogspot.com/">Ceci n'est pas un Bob</a> when he <a href="http://notabob.blogspot.com/2006/08/we-interrupt-this-program.html">recently left IBM</a>. Good reading if you are interested in identity, privacy, security and risk; and everyone should have at least a mild interest in them. Although I confess that I often skip Bob Blakley and <a href="http://www.schneier.com/blog/">Bruce Schneier</a> when checking my feeds; as <a href="http://en.wikiquote.org/wiki/Bill_Watterson">Calvin says</a> (*), "<span style="font-style: italic;">Reality continues to ruin my life</span>", and I often don't feel like having my life ruined by their uncomfortable reality reports.<br /><br />(*) It is always a good thing to keep Calvin and Hobbes quotes at hand.<br /><br />(Post written while trying to cope with the huge frustration of seeing someone spreading a false and damaging story about me.
Yuk.)<br />-Xv<br /><br /><span style="font-weight: bold;">Alice (heart) Bob</span> (2006-11-15)<br />If <a href="http://en.wikipedia.org/wiki/Alice_and_Bob">Alice and Bob</a> make you think of cryptography, you'll probably enjoy this strip: <a href="http://xkcd.com/c177.html">http://xkcd.com/c177.html</a><br /><br />via Bruce Schneier's <a href="http://www.schneier.com/crypto-gram-0611.html">Crypto-Gram</a>.<br />-Xv