[SC-L] "Active Defense" is Irresponsible

2013-02-13 Thread Gary McGraw
hi sc-l,

This morning, NPR did a story about the idea of "Active Defense" which basically 
boils down to attacking the people who (may have) attacked you.  (Key question: 
who is it that REALLY attacked you and how do you know that?)  At Cigital, we 
believe this is a recipe for disaster.  The last thing we need in computer 
security is a bunch of vigilante yoo-hoos and lynch mobs.  Rule of law anyone?

I talked all about this in my SearchSecurity column in November: Proactive 
defense prudent alternative to cyberwarfare (November 1, 2012)

In fact, I have been a vocal opponent to the Cyber War drum beating that seems 
to pervade Washington.  Here's what I had to say to Threatpost about the issue 
(warning: poor sound quality): 
http://threatpost.com/en_us/blogs/gary-mcgraw-cyberwar-and-folly-hoarding-cyber-rocks-111312

I have also been voicing these thoughts at think tanks like CNAS and in 
academic venues.  Here are three pointers to recent talks: 
http://www.ists.dartmouth.edu/events/abstract-mcgraw.html
http://www.kcl.ac.uk/sspp/departments/warstudies/newsevents/eventsrecords/mcgraw.aspx
http://www.eecs.umich.edu/eecs/etc/events/showevent.cgi?2626

FWIW, I am going to be on a panel about this at a private event during RSA with 
the founders of CrowdStrike on the opposing side.   Should be interesting.  
Given their dunderheaded philosophy, maybe I should bring a security detail 
along.

If you feel as strongly as we do about this issue, please send this to your 
Representatives.  They need to read it:
Separating the Threat from the Hype: What Washington Needs to Know About Cyber 
Security, in AMERICA'S CYBER FUTURE: SECURITY AND PROSPERITY IN THE INFORMATION 
AGE, VOLUMES I AND II, Center for a New American Security (June 2011).

What's the alternative to throwing rocks?  Making sure our houses are not glass 
by building security in.

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com



___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
___


[SC-L] Pinning Cheat Sheet - OWASP

2013-02-13 Thread Kenneth R. van Wyk
If you're looking for a concise yet detailed guide to certificate pinning, 
along with code examples, look no further:

https://www.owasp.org/index.php/Pinning_Cheat_Sheat 

Superb work by Jeffrey Walton et al. Thanks all!


Cheers,

Ken

-
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com

Follow us on Twitter at: @KRvW or @KRvW_Associates
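For list readers who want to see the core of the technique in runnable form, the 
following is an added example (it is not code from the OWASP cheat sheet or from 
Ken's message). It pins the SubjectPublicKeyInfo (SPKI) of a certificate rather 
than the whole leaf certificate, computes the pin the way RFC 7469 does 
(base64 of SHA-256 over the DER-encoded SPKI), compares it in constant time 
against a pin set, and shows why a backup pin matters when the key is rotated. 
It uses only the Python standard library, so it carries its own minimal DER 
reader. The certificates it checks are constructed fixtures: structurally valid 
X.509 skeletons with an Ed25519 AlgorithmIdentifier, fake 32-byte keys derived 
from a string, empty Names and a placeholder signature. Nothing here validates 
the chain; pinning is an additional check run after ordinary validation, not a 
replacement for it.

```python
# Added example (not from the OWASP cheat sheet or from the post above):
# SPKI public-key pinning with nothing but the Python standard library.
import base64
import hashlib
import hmac

# ASN.1/DER tags used below
SEQUENCE, INTEGER, BIT_STRING, OID, UTCTIME, CTX0 = 0x30, 0x02, 0x03, 0x06, 0x17, 0xA0


def der_len(n: int) -> bytes:
    """Minimal DER length encoding (short form below 0x80, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body


def der_read(buf: bytes, pos: int = 0):
    """Parse one TLV at pos; return (tag, body, end). Rejects indefinite and non-minimal lengths."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("indefinite, oversized or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        if length < (0x80 if n == 1 else 1 << (8 * (n - 1))):
            raise ValueError("non-minimal length encoding")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("TLV body runs past end of buffer")
    return tag, buf[pos:end], end


def spki_from_certificate(cert_der: bytes) -> bytes:
    """Return the DER SubjectPublicKeyInfo TLV of an X.509 certificate (what an RFC 7469 pin hashes)."""
    tag, cert_body, end = der_read(cert_der)
    if tag != SEQUENCE or end != len(cert_der):
        raise ValueError("certificate is not a single DER SEQUENCE")
    tag, tbs, _ = der_read(cert_body)                # tbsCertificate
    if tag != SEQUENCE:
        raise ValueError("tbsCertificate missing")
    pos = 0
    tag, _, nxt = der_read(tbs, pos)
    if tag == CTX0:                                  # EXPLICIT [0] version is OPTIONAL (absent in v1)
        pos = nxt
    # serialNumber, signature, issuer, validity, subject precede the SPKI
    for want in (INTEGER, SEQUENCE, SEQUENCE, SEQUENCE, SEQUENCE):
        tag, _, pos = der_read(tbs, pos)
        if tag != want:
            raise ValueError("unexpected tbsCertificate layout")
    start = pos
    tag, _, pos = der_read(tbs, pos)
    if tag != SEQUENCE:
        raise ValueError("subjectPublicKeyInfo missing")
    return tbs[start:pos]


def spki_pin(cert_der: bytes) -> str:
    """pin-sha256 value: base64(SHA-256(DER SPKI))."""
    return base64.b64encode(hashlib.sha256(spki_from_certificate(cert_der)).digest()).decode()


def matches_pins(cert_der: bytes, pins) -> bool:
    """Run this AFTER ordinary chain validation; pinning narrows trust, it does not replace it."""
    pin = spki_pin(cert_der)
    return any(hmac.compare_digest(pin, p) for p in pins)


# ---- constructed fixtures: structurally valid X.509 skeletons with placeholder signatures ----
ED25519_ALG = der_tlv(SEQUENCE, der_tlv(OID, bytes.fromhex("2B6570")))   # id-Ed25519, no params
KEY_A = hashlib.sha256(b"constructed key A").digest()   # 32 fixed bytes, NOT a real key
KEY_B = hashlib.sha256(b"constructed key B").digest()


def make_spki(raw_pubkey: bytes) -> bytes:
    return der_tlv(SEQUENCE, ED25519_ALG + der_tlv(BIT_STRING, b"\x00" + raw_pubkey))


def make_fake_cert(serial: int, raw_pubkey: bytes,
                   not_before=b"230101000000Z", not_after=b"240101000000Z") -> bytes:
    empty_name = der_tlv(SEQUENCE, b"")
    tbs = der_tlv(SEQUENCE,
                  der_tlv(CTX0, der_tlv(INTEGER, b"\x02"))             # version v3
                  + der_tlv(INTEGER, bytes([serial]))                   # serialNumber (1..127)
                  + ED25519_ALG + empty_name                            # signature alg, issuer
                  + der_tlv(SEQUENCE, der_tlv(UTCTIME, not_before) + der_tlv(UTCTIME, not_after))
                  + empty_name + make_spki(raw_pubkey))                 # subject, SPKI
    fake_sig = der_tlv(BIT_STRING, b"\x00" + bytes(64))                # placeholder, never verified here
    return der_tlv(SEQUENCE, tbs + ED25519_ALG + fake_sig)


def demo() -> dict:
    cert_a = make_fake_cert(1, KEY_A)
    cert_a_renewed = make_fake_cert(2, KEY_A, b"240101000000Z", b"250101000000Z")  # same key, new cert
    cert_b = make_fake_cert(3, KEY_B)                                             # key rotated
    pin_a = spki_pin(cert_a)
    return {
        "renewal_keeps_pin": spki_pin(cert_a_renewed) == pin_a,                  # pin the key, not the leaf
        "rotation_without_backup": matches_pins(cert_b, {pin_a}),                 # the self-inflicted outage
        "rotation_with_backup": matches_pins(cert_b, {pin_a, spki_pin(cert_b)}),  # ship a backup pin
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Two things to take from running it: a renewal that keeps the key leaves the pin 
unchanged, so pinning the SPKI survives routine certificate reissue, and a key 
rotation against a pin set with no backup pin fails closed, which is exactly the 
outage you create for yourself if you ship pins without a spare.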





[SC-L] CFP: W2SP 2013 - Web 2.0 Security and Privacy workshop (3rd call)

2013-02-13 Thread Larry Koved
On behalf of the workshop co-chairs and program chair, we would like to 
invite you to participate in the seventh Web 2.0 Security and Privacy 
workshop. 
http://w2spconf.com/2013/cfp.html

Web 2.0 Security and Privacy workshop is co-located with 
The 34th IEEE Symposium on Security and Privacy (IEEE S&P 2013) 
http://www.ieee-security.org/TC/SP2013/

and is an event of
The IEEE Computer Society's Security and Privacy Workshops (SPW 2013)  
chaired by L. Jean Camp
http://ieee-security.org/TC/SPW2013

W2SP brings together researchers, practitioners, web programmers, policy 
makers, and others interested in the latest understanding and advances in 
the security and privacy of the web, browsers and their ecosystem. We 
have had six years of successful W2SP workshops.

W2SP is held in conjunction with the IEEE Symposium on Security and 
Privacy, which will take place from May 19-22, 2013, at the Westin St. 
Francis Hotel in San Francisco. W2SP will continue to be open-access: all 
papers will be made available on the workshop website, and authors will 
not need to forfeit their copyright.

We are seeking both short position papers (2–4 pages) and longer papers (a 
maximum of 10 pages). Papers must be formatted for US letter (not A4) size 
paper with margins of at least 3/4 inch on all sides. The text must be 
formatted in a two-column layout, with columns no more than 9 in. high and 
3.375 in. wide. The text must be in Times font, 10-point or larger, with 
12-point or larger line spacing. Authors are encouraged to use the IEEE 
conference proceedings templates.

The scope of W2SP 2013 includes, but is not limited to:

- Trustworthy cloud-based services
- Privacy and reputation in social networks
- Security and privacy as a service
- Usable security and privacy
- Security for the mobile web
- Identity management and pseudonymity
- Web services/feeds/mashups
- Provenance and governance
- Security and privacy policies for composable content
- Next-generation browser technology
- Secure extensions and plug-ins
- Advertisement and affiliate fraud
- Measurement studies for understanding web security and privacy

Any questions should be directed to the program chair: ka...@us.ibm.com.


IMPORTANT DATES

Paper submission deadline: March 1, 2013 (11:59pm US-PST)
Workshop acceptance notification date: March 30, 2013
Workshop date: Friday, May 24, 2013


WORKSHOP CO-CHAIRS

Larry Koved (IBM Research) 
Matt Fredrikson (University of Wisconsin - Madison)

PROGRAM CHAIR

Kapil Singh (IBM Research)

PROGRAM COMMITTEE

Adam Barth (Google) 
Suresh Chari (IBM Research) 
Hao Chen (University of California, Davis) 
Mihai Christodorescu (IBM Research) 
David Evans (University of Virginia) 
Matt Fredrikson (University of Wisconsin - Madison) 
Vinod Ganapathy (Rutgers University) 
Collin Jackson (Carnegie Mellon University) 
Rob Johnson (Stony Brook) 
Ben Livshits (Microsoft Research) 
Alexander Moshchuk (Microsoft Research) 
Charlie Reis (Google) 
V.N. Venkatakrishnan (University of Illinois at Chicago) 


Please consult the workshop website (http://w2spconf.com/2013/cfp.html) 
for additional details.


[SC-L] CFP: MoST 2013 - Mobile Security and Technology workshop (3rd call)

2013-02-13 Thread Larry Koved
On behalf of the workshop co-chairs and program chair, we would like to 
invite you to participate in the second Mobile Security Technologies (MoST) 
Workshop. 
http://mostconf.org/2013/

Mobile Security Technologies (MoST) 2013 is co-located with 
The 34th IEEE Symposium on Security and Privacy (IEEE S&P 2013) 
http://www.ieee-security.org/TC/SP2013/

and is an event of
The IEEE Computer Society's Security and Privacy Workshops (SPW 2013) 
chaired by L. Jean Camp 
http://ieee-security.org/TC/SPW2013

Mobile Security Technologies (MoST) brings together researchers, 
practitioners, policy makers, and hardware and software developers of 
mobile systems to explore the latest understanding and advances in the 
security and privacy for mobile devices, applications, and systems.

Topics

We are seeking both short position papers (2-4 pages) and longer papers (a 
maximum of 10 pages). The scope of MoST 2013 includes, but is not limited 
to, security and privacy specifically for mobile devices and services 
related to:

- Device hardware
- Operating systems
- Middleware
- Mobile web
- Secure and efficient communication
- Secure application development tools and practices
- Privacy
- Vulnerabilities and remediation techniques
- Usable security
- Identity and access control
- Risks in putting trust in the device vs. in the network/cloud
- Special applications, such as medical monitoring and records
- Mobile advertisement
- Secure applications and application markets
- Economic impact of security and privacy technologies


Important Dates

- Paper submission deadline: February 22, 2013 (11:59pm US-PST).
- Acceptance notification: March 18, 2013.
- Camera-Ready & Early Registration Deadline: April 1, 2013

Organizing Committee

- Hao Chen, University of California, Davis
- Larry Koved, IBM Research


Program Committee

- Hao Chen, University of California, Davis
- Yan Chen, Northwestern University
- Adrienne Porter Felt, Google Inc.
- Markus Jakobsson, PayPal, Inc.
- Xuxian Jiang, North Carolina State University
- Wenjing Lou, Virginia Polytechnic Institute and State University
- Adrian Ludwig, Google Inc.
- Ahmad-Reza Sadeghi, Ruhr University Bochum
- Kapil Singh, IBM Research
- Larry Koved, IBM Research
- David Wagner, University of California, Berkeley


Please consult the workshop website (http://www.mostconf.com) for 
additional details.