There's quite a bunch of interesting comments in Bruce Schneier's blog. Basically, everyone seems to think that such measures are just plain stupid. I tend to agree.
I notice more and more misdirected efforts to "secure" our world. I'll tell you a secret: terrorists most probably won't publicly photograph any targets, they'll do it covertly, using cell phone cameras or very small miniature cameras, or whatever. Measures such as forbidding photography of public buildings simply annoy tourists, artists, or random people who like photography.
What's next? Forbid email, because terrorists could use it to communicate? Forbid planes, because terrorists could use them to destroy buildings? Forbid snail mail, because terrorists could send letter bombs? Forbid cars, because terrorists could crash them into shopping malls?
Can you spot a pattern here? You can't just forbid perfectly sound and non-malicious activities or technologies to "battle terrorism" — that's just plain stupid. You will piss off a lot of people. And it won't help anything to stop terrorists.
Update: Waaaaah! Now they try to abolish broadband Internet on planes (or at least they want to spy on you) — after all, terrorists could trigger bombs using the Internet. Yeah... I can't believe how fucking stupid some people can be.
Michael Howard, David LeBlanc and John Viega have written a book called The 19 Deadly Sins of Software Security, which is to be published soon.
It explains the most important security issues one encounters in the software industry in a Design Patterns-like format. Each software security Sin is structured according to the following sections: Overview, The Sin Explained, Sample Code Defect, Spotting the Defect Pattern, Spotting the Defect during Code Review, Testing the Defect during Test, Example Defects, Redemption Steps, Extra Defensive Measures, Other Resources, Summary.
The 19 chapters, or Sins, each 10-15 pages long:
(via Dana Epp)
The new release fixes a few bugs, but more importantly it fixes a security issue. All users are advised to upgrade.
Somebody got hacked by a complete fool without any sort of clue. What the attacker (i.e. script kiddie) tried to do (and how he failed) is actually quite funny IMHO.
E.g., after trying
rm -rf bash_history
(notice the missing dot in the filename) he wanted to be really sure and issued
Surely, his tracks are perfectly covered now. Nobody will ever know.
(via EDV - Ende Der Vernunft)
As most of you probably noticed, the design and structure of my homepage and my blog changed quite a bit a few days ago.
That was me upgrading to Drupal 4.6.1, which makes my life a lot easier, has a bunch of new features (e.g. my blog now has del.icio.us-like tags) and bugfixes, and most importantly fixes a serious security issue.
Two days ago I tried to help a bit with the new Drupal 4.6.2 release, which mainly fixes two major security problems. The first one is an issue with incorrect input validation, resulting in the DRUPAL-SA-2005-002 security advisory. The second one fixes a problem in the XML-RPC library shipped with Drupal (and Wordpress, and PostNuke, and...), resulting in DRUPAL-SA-2005-003.
It was quite a fun experience for me, the release was coordinated and discussed on IRC, we had lots of peer-review of the advisories and release-announcement, testing the patches etc. Thanks to all who participated and made this such a great experience.