Bruce Schneier asks Why not improve security by "[taking] those critical electrical grid computers off the public Internet?", and the discussion that follows is reasonably good ( Read more... )

What sort of lame decisionmaking process at Sun arrived at a conclusion that the best way to "protect" against DNS spoofing was to keep successful lookups cached for the duration of the process ( Read more... )

An essay by Dan Greer, Chief Information Security Officer at In-Q-Tel, debases an otherwise thoughtful (if jargon-ridden) essay with this howler:

At the same time, the recent decision of the Internet Corporation for Assigned Names and Numbers (ICANN) to wildly proliferate the number of top-level domains and the character sets in which domains can ( Read more... )

A classmate of mine at Stanford, Neil Daswani, announced that he's left Google to start Dasient, a company "that is helping businesses with revenue loss problems that can arise as a result of cyber-criminal activity."

My friend Nathan Spande has a new Dark Reading column up--- a short introduction to SwiftSwift is yet another entry in the "augment the language for security" contest. The goal here, though, seems too narrow for me. They concentrate on making the client-side/server-side split of application data secure. Yet it seems (to my semi-informed opinion ( Read more... )

Lauren Weinstein proclaims http Must Die and issues a challenge for all web traffic to start moving over https (TLS), via self-signed certificates if necessary ( Read more... )

I learned today that my college friend Nathan "Ed" Spande has been doing a series of columns for Dark Reading, an online computer security magazine.

A recent column: Rethinking VulnerabilitiesI'd like to set up an RSS feed but there doesn't seem to be a way to get just Ed's columns; but you can search for "Spande" on the site and see all the ( Read more... )