Wastholm.com

The Sender Policy Framework (SPF) is an open standard specifying a technical method to prevent sender address forgery. More precisely, the current version of SPF, called SPFv1 or SPF Classic, protects the envelope sender address (the MAIL FROM address used during SMTP delivery), not the From: header that the recipient sees in their mail client.

Even more precisely, SPFv1 allows the owner of a domain to specify their mail sending policy, e.g. which mail servers they use to send mail from their domain. The technology requires two sides to play together: (1) the domain owner publishes this information in an SPF record (a TXT record) in the domain's DNS zone, and when someone else's mail server receives a message claiming to come from that domain, then (2) the receiving server looks up that record and checks whether the IP address of the connecting server complies with the domain's stated policy. If, e.g., the message comes from a server the policy does not list, it can be considered a fake.
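The receiving side's check, as an added example (not code from this page or from the SPF project): a minimal SPFv1 evaluator over a constructed in-memory zone table. The records, domains and addresses below are assumptions made up for the example; a real implementation queries DNS for the TXT record instead of the dictionary, and must enforce the same lookup cap to avoid being driven into unbounded recursion by a hostile record.

```python
"""Minimal SPFv1 check_host() over constructed DNS data (added example)."""
import ipaddress

# Constructed zone data for the example (assumption): domain -> SPF TXT record.
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 "
                   "include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.10 ~all",
    # A self-referencing policy: must terminate with permerror, not recurse forever.
    "loop.example": "v=spf1 include:loop.example -all",
}

MAX_LOOKUPS = 10  # RFC 7208 limit on DNS-querying mechanisms per evaluation
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


class SPFError(Exception):
    """Raised for malformed or over-budget records (reported as 'permerror')."""


def _evaluate(addr, domain, lookups):
    record = SPF_RECORDS.get(domain)
    if record is None:
        return "none"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        qualifier = "+"                      # mechanisms default to "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            matched = addr.version == net.version and addr in net
        elif name == "include":
            lookups[0] += 1
            if lookups[0] > MAX_LOOKUPS:
                raise SPFError("too many DNS lookups")
            # include: matches only when the referenced policy returns "pass"
            matched = _evaluate(addr, arg, lookups) == "pass"
        else:
            raise SPFError(f"unsupported mechanism {name!r}")
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                         # nothing matched, no "all" term


def check_host(ip, domain):
    """SPF result for connecting address `ip` claiming MAIL FROM domain `domain`.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    """
    try:
        return _evaluate(ipaddress.ip_address(ip), domain, [0])
    except (SPFError, ValueError):
        return "permerror"


if __name__ == "__main__":
    for ip, dom in [("192.0.2.5", "example.com"), ("198.51.100.10", "example.com"),
                    ("203.0.113.7", "example.com"), ("192.0.2.5", "loop.example")]:
        print(f"{ip:>15} claiming {dom:<22} -> {check_host(ip, dom)}")
```

Note that "include" is not "trust that domain's servers unconditionally": it only contributes a match when the included policy itself returns "pass", so the included domain's own "~all" never turns into a softfail for the including domain.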

DomainKeys Identified Mail (DKIM) lets an organization take responsibility for a message while it is in transit.

The organization is a handler of the message, either as its originator or as an intermediary. Its reputation is the basis for evaluating whether to trust the message for delivery. Technically, DKIM provides a method for validating a domain name identity that is associated with a message through cryptographic authentication: the signing domain publishes a public key in DNS and signs selected headers and the body, and a receiver verifies that signature.

Now, we move on to creating a private Certificate Authority (CA). First, some explanation. The CA is used in SSL/TLS to verify the authenticity of a given certificate. The CA acts as a trusted third party who has authenticated the user of the signed certificate as being who they say. The certificate is signed by the CA, and if the client trusts the CA, it will trust your certificate. For use within your organization, a private CA will probably serve your needs. However, if you intend to use your certificates for a public service, you should obtain a certificate from a publicly trusted CA, since clients outside your organization will not have your private CA in their trust store.
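The same procedure in code, as an added example (not code from this page or the tutorial it quotes): build a self-signed root, issue a server certificate under it, and check that the chain holds. It uses the third-party `cryptography` package rather than the openssl command line; the organization name, CA name and hostname are assumptions. The points a practitioner cares about are the extensions: the root carries BasicConstraints CA:TRUE with keyCertSign, the leaf carries CA:FALSE and a SubjectAlternativeName, so a stolen leaf cannot be used to mint further certificates.

```python
"""Private CA and server certificate with `cryptography` (added example)."""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

ORG = "Example Corp"                 # assumption
CA_NAME = "Example Corp Private CA"  # assumption


def _now():
    return datetime.datetime.now(datetime.timezone.utc)


def _name(common_name):
    return x509.Name([
        x509.NameAttribute(NameOID.ORGANIZATION_NAME, ORG),
        x509.NameAttribute(NameOID.COMMON_NAME, common_name),
    ])


def make_ca(days=3650):
    """Self-signed root. CA:TRUE, path_length=0 (may sign leaves, not sub-CAs),
    key usage limited to signing certificates and CRLs."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    cert = (
        x509.CertificateBuilder()
        .subject_name(_name(CA_NAME))
        .issuer_name(_name(CA_NAME))          # self-signed: issuer == subject
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(_now())
        .not_valid_after(_now() + datetime.timedelta(days=days))
        .add_extension(x509.BasicConstraints(ca=True, path_length=0), critical=True)
        .add_extension(x509.KeyUsage(
            digital_signature=False, content_commitment=False,
            key_encipherment=False, data_encipherment=False, key_agreement=False,
            key_cert_sign=True, crl_sign=True,
            encipher_only=False, decipher_only=False), critical=True)
        .sign(key, hashes.SHA256())
    )
    return key, cert


def issue_server_cert(ca_key, ca_cert, hostname, days=397):
    """Leaf certificate for `hostname`, signed by the CA key. CA:FALSE,
    SAN set (modern clients ignore the CN), restricted to server auth."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    cert = (
        x509.CertificateBuilder()
        .subject_name(_name(hostname))
        .issuer_name(ca_cert.subject)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(_now())
        .not_valid_after(_now() + datetime.timedelta(days=days))
        .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
        .add_extension(x509.SubjectAlternativeName([x509.DNSName(hostname)]), critical=False)
        .add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.SERVER_AUTH]), critical=False)
        .sign(ca_key, hashes.SHA256())
    )
    return key, cert


def signed_by(cert, issuer_cert):
    """True if issuer_cert asserts CA:TRUE and its key verifies cert's signature.
    (A full path validator also checks validity dates, name chaining and revocation.)"""
    try:
        bc = issuer_cert.extensions.get_extension_for_class(x509.BasicConstraints).value
        if not bc.ca:
            return False
        issuer_cert.public_key().verify(
            cert.signature, cert.tbs_certificate_bytes,
            padding.PKCS1v15(), cert.signature_hash_algorithm)
        return True
    except Exception:
        return False


def to_pem(cert):
    """PEM text as you would install in a trust store or hand to a server."""
    return cert.public_bytes(serialization.Encoding.PEM).decode()


if __name__ == "__main__":
    ca_key, ca_cert = make_ca()
    _, srv_cert = issue_server_cert(ca_key, ca_cert, "www.internal.example")
    print("leaf signed by CA:", signed_by(srv_cert, ca_cert))
    print(to_pem(ca_cert))
```

Distribute only the CA certificate (the PEM) to clients; the CA private key stays offline, ideally on a machine that does nothing else.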

Salt or no, if you’re using a general-purpose hash function designed for speed you’re well and truly effed.

bcrypt Solves These Problems.

How? Basically, it’s slow as hell. It uses a variant of the Blowfish encryption algorithm’s keying schedule, and introduces a work factor, which allows you to determine how expensive the hash function will be. Because of this, bcrypt can keep up with Moore’s law. As computers get faster you can increase the work factor and the hash will get slower.
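The work-factor idea in code, as an added example (not code from this page or the quoted post). bcrypt itself is not in Python's standard library, so PBKDF2-HMAC-SHA256 stands in for it here; what is demonstrated is the property the post describes: the cost is stored inside the hash string (bcrypt writes it as `$2b$<cost>$...`, meaning 2**cost rounds), so when the policy is raised, old hashes still verify and get upgraded on the next successful login. The storage format and the cost range are assumptions chosen to mirror bcrypt's.

```python
"""Work-factor password hashing, bcrypt-style cost handling (added example)."""
import hashlib
import hmac
import os
import time

SCHEME = "pbkdf2-sha256"   # stand-in for bcrypt's "2b"; same cost semantics


def hash_password(password: str, cost: int) -> str:
    """Hash with 2**cost rounds; cost travels with the hash, as in bcrypt."""
    if not 4 <= cost <= 31:                 # bcrypt's own cost range
        raise ValueError("cost out of range")
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 2 ** cost)
    return f"${SCHEME}${cost:02d}${salt.hex()}${dk.hex()}"


def parse(stored: str):
    """Split '$scheme$cost$salt$hash' into (cost, salt, hash)."""
    _, scheme, cost, salt, dk = stored.split("$")
    if scheme != SCHEME:
        raise ValueError("unknown scheme")
    return int(cost), bytes.fromhex(salt), bytes.fromhex(dk)


def verify_password(password: str, stored: str) -> bool:
    cost, salt, dk = parse(stored)
    cand = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 2 ** cost)
    return hmac.compare_digest(cand, dk)     # constant-time comparison


def needs_rehash(stored: str, policy_cost: int) -> bool:
    """True if the hash was made with a lower cost than current policy."""
    return parse(stored)[0] < policy_cost


def login(password: str, stored: str, policy_cost: int):
    """Return (ok, stored_after). On success, upgrade a below-policy hash:
    the cleartext is only available at login, so this is the moment to rehash."""
    if not verify_password(password, stored):
        return False, stored
    if needs_rehash(stored, policy_cost):
        stored = hash_password(password, policy_cost)
    return True, stored


def calibrate(target_seconds: float = 0.25, start: int = 10) -> int:
    """Smallest cost whose single hash takes at least target_seconds here.
    Re-run this as hardware gets faster; that is the 'keeping up with Moore's law'."""
    cost = start
    while cost < 31:
        t0 = time.perf_counter()
        hashlib.pbkdf2_hmac("sha256", b"calibrate", b"\0" * 16, 2 ** cost)
        if time.perf_counter() - t0 >= target_seconds:
            return cost
        cost += 1
    return cost


if __name__ == "__main__":
    print("recommended cost on this machine:", calibrate())
    h = hash_password("correct horse battery staple", 10)
    ok, h2 = login("correct horse battery staple", h, policy_cost=12)
    print(ok, parse(h)[0], "->", parse(h2)[0])
```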

Packet Storm is a unique computer security resource that offers both current and historical security tools, exploits, advisories, and white papers. Since it first came online over ten years ago, Packet Storm has grown to include over fifteen mirrors in four continents, as part of a global effort to keep full disclosure principles alive. Packet Storm is fueled by and for the community.

In an e-mail sent to OpenBSD project leader Theo de Raadt, former NETSEC CTO Gregory Perry has claimed that NETSEC developers helped the FBI plant "a number of backdoors" in the OpenBSD cryptographic framework approximately a decade ago.

Perry says that his nondisclosure agreement with the FBI has expired, allowing him to finally bring the issue to the attention of OpenBSD developers. Perry also suggests that knowledge of the FBI's backdoors played a role in DARPA's decision to withdraw millions of dollars of grant funding from OpenBSD in 2003.

...

The e-mail became public when de Raadt forwarded it to the OpenBSD mailing list on Tuesday, with the intention of encouraging concerned parties to conduct code audits. To avoid entanglement in the alleged conspiracy, de Raadt says that he won't be pursuing the matter himself. Several developers have begun the process of auditing the OpenBSD IPSEC stack in order to determine if Perry's claims are true.

The Department of Homeland Stupidity is hard at work as usual:

In addition, no high risk cargo will be allowed on passenger aircraft. Toner and ink cartridges over 16 ounces will be prohibited on passenger aircraft in both carry-on bags and checked bags on domestic and international flights in-bound to the United States.

(Emphasis mine.)

I can’t wait to see what “high risk cargo” they will ban next. Didn’t that guy a while back have explosives hidden in his underwear? Maybe they should ban underwear.

I found this via an NYT interview with security expert Bruce Schneier, in which he says:

It’s not that the terrorist picks an attack and we pick a defense, and we see who wins. It’s that we pick a defense, and then the terrorists look at our defense and pick an attack designed to get around it. Our security measures only work if we happen to guess the plot correctly. If we get it wrong, we’ve wasted our money. This isn’t security; it’s security theater.

Word.

The short answer is that OpenID is the worst possible "solution" I have ever seen in my entire life to a problem that most people don't really have.

That's what's "wrong" with it.

...

OpenID is not flawed in some minor product way that requires just a few tweaks, it is so massively flawed (perhaps in its very conception) that anyone in their right mind would immediately know that it could never possibly be successful, the very notion that there's merely "something wrong" with it is a Joseph Goebbels "Big Lie"-style question wherein the nerds who came up with it have somehow been brainwashed into thinking that it could somehow ever be a viable thing that real people would want to adopt.

SSH is an awesome, powerful tool; there are unlimited possibilities when it comes to SSH. Here are the top voted SSH commands.

FBI Director Robert Mueller traveled to Silicon Valley this week to convince major Internet players to build "back doors" into their software that will allow law enforcement to wiretap data on their networks, says a news report.

It's part of an effort to expand the FBI's wiretapping powers to include the latest communications technologies, including social networking sites, voice-over-Internet (VoIP) telephone services and BlackBerries.

But privacy and civil rights advocates are raising the alarm about the proposal, saying that the proposed wiretapping tools could just as easily be used by hackers to steal personal information, or by oppressive governments to track political dissidents.
