If that worries you, why do you give your data to web sites of big companies? Many of them, even the big ones, show very little interest in keeping your contact detains secure. Many sites are still vulnerable to cross site scripting or SQL injections.

If anyone puts your life or privacy at risk, they are liable – except when web sites are involved. Even if they violate common sense and even the most basic rules of security, the worst that can happen is that they have to apologize. Pollute some fish? To Jail! Lose 300 million customer records? Oops, sorry about that.

Paul Venezia asked an interesting question: Should companies be accountable for the security risks they take? He says:

In the United States, at least, very specific laws govern patient information and how it is stored, accessed, and disseminated. HIPAA regulations were put into place to ensure that sensitive patient information isn’t distributed to just anyone — that is, only to the people who need that information. They also prevent health care providers from discussing any type of patient information with anyone else. They were explicitly designed to protect patients, and each patient must sign a waiver to authorize the release of that information to another person or party. Yet we have no regulations on the storage, access, and dissemination of sensitive user information on public websites — none. Thus, there’s almost no business case for providing any form of high-level security for customer accounts.

Interesting thought. I have two comments:

1. Not individual developers should be liable but the company which runs the site. It should be in their best interest to keep their data secure.

2. Today, it’s too complex to create secure web sites. Yesterday, I used renderSnake to create some HTML. If you supply a string value for output, the default is not to escape HTML special characters like <, > and &.

Creating a login component for a web site is pretty complex business and there is a no reasonable tutorial or template component which you could use that gets most security issues right like:

1. Transmitting the password via HTTPS (encrypted) instead of using plain text (which anyone in the same LAN can read)
2. Encrypting the password before it’s stored in the database
3. Storing the password with a salt to make it harder to attack it with rainbow tables
4. Escaping special characters in user names and password to prevent cross site scripting or SQL injection.
5. Avoiding security questions like “Name of your cat?” More than 50 people know the name of my cat! The name might even be on the web somewhere (possibly next to a photo on Flickr) How secure is that?

Even if you’re not one of the biggest companies out there, security starts to become important as soon as your code can be accessed from the Internet. And frankly, which code today can’t?

What’s worse, the problems are always the same: SQL injections, not validating input, using code from somewhere else which is vulnerable. These problems are neither hard to find nor hard to fix. It’s only too much effort to add the necessary checking and warning code to the existing compilers.

So here is my assumption for my “The Next Best Thing” series of articles: The programming language will allow to define patterns like FindBugs and PMD that the compiler will check at compile time and which the VM checks at runtime to fix or at least warn about such security problems.

With tools like MoDisco and Moose, it’s possible to go one step further: It could analyze and display the code in ways that you haven’t seen before (think Code City) to find patterns in the code automatically and warn you about something that you might not have realized, yet.

For example, if you use a certain call sequence everywhere in your code but one place, it’s probably worth a look.

Of course, this begs for a way to add lots of additional information to source code. As I said before, we probably want better editors than the plain text editors we have today. It should be possible to include images and formulas in code. Wiki documentation. And things like “yeah, I know, this is different from the 365 other places!”

Sounds a bit like annotations but frankly, Java source code can just get you so far. DSLs come to mind but they don’t allow to extend them with arbitrary extra bits of information. It should be possible to overlay a DSL with another DSL so you can mix various information in one place.

This article from IBM’s developerWorks explains how it works.

Basically, you can safe a reference to an object in the finalize() method. At this time, the object may even be in an inconsistent state (the finalizer will be called when the constructor threw an exception).

As for the solution: I don’t like it very much. It adds even more clutter to the existing code and doesn’t relay its purpose very well. Someone refactoring the code might feel tempted to remove the “useless additional constructor.” Worse, you need to do this in all your classes which check their parameters.

I would prefer a solution where the compiler or some other tool fixes these issues by generating the necessary code. Especially if you look at more complex cases: What happens if an exception is thrown at a later stage of object creation? Your code is still vulnerable but it seems to be safe. How would you know?

Maybe a better solution would be to check the heap for references to any finalized objects and throw an error “finalization failed”. But that’s probably impossible without breaking backwards compatibility.

Or Oracle could invent a better solution for the finalization problem (which is basically garbage collection for non-memory-resources) so we would not need finalizers anymore.

Nothing spectacular here for me. There was a nice diagram of an SSL handshake, some tips to debug SSL problems, code how to create keystores with the Java tools and how to convert a PEM key into something that Java’s keytool can use.

After that James gave an overview of DNSSEC and how to use it from Java (including code examples).

What I liked about the code examples is that they covered more than the trivial cases. For example, it showed how to specify per-key passwords (in addition to the usual per-keystore password).

Those components have access protection with the common user/password scheme. If you lost your password, the support could tell you the name and password for a backdoor, that is a login that would always work but one that isn’t visible when you, say, request a list of all known users.

Sounds good? It is. Saves a lot of hassle.

The problem? Someone posted the details for all backdoors in the public support section. Which means that crackers all over the globe now have free reign over them.

If the answer to any of these is “NO“, you should turn off automatic synchronization on your Android smartphone and never use it in open Wifi networks.

The reason is that Google uses something called a “token” to allow apps your smartphone to connect to Google services like your mail box, your calendar, etc. The token is like a key on your keychain: Anyone who has the key can open the door it fits. Unlike keys on your key chain, anyone who can pick a token out of the air knows where that door is!

Related article: Catching AuthTokens in the Wild

Image via Wikipedia

If you’re worried about security while you’re browsing the web (and you probably should), here is a simple solution that might actually work (or at least raises the bar quite a bit): BitBox (German)

In a nutshell, it’s a secured Linux system running Firefox 4 inside of VirtualBox. The browser can only access the resources of the virtual PC.

So to infect your real system, the hacker must: Break Firefox on Linux (which is hard), break Linux (hard), break through the virtual PC layer (not that easy either) to be able to infect your real PC (as opposed to just infect your PC).

Unlimited Storage

Using AeroFS, you can sync allthe data on your devices. No limits. No caps. You already have your storage, now use it!

Ultimate Privacy

AeroFS will never store your files in the cloud (unless you want to, of course . Your files will only be shared with those who you invite.

Better Security

AeroFS encrypts your data end-to-end. This way, we are able to provide better security than most online storage services. Seriously.

• Because AeroFS is completely distributed, even if we experience downtime,you won’t!

Wow. 21 … fucking … BILLION … dollars. That’s 70’000’000 PS3s. 70 million PS3s. 36 million iPhone 4s. 700’000 cars at $30’000/each. They must be doing pretty well to be able to afford such a loss.

And it’s not that they didn’t see it coming. Sony knew for months that their servers were outdated and missing crucial security patches. Well, someone decided that it wasn’t worth to fix that. So: EPIC FAIL. Again. And again. Will they ever learn?

That feels like the same arrogance which led to the lawsuit against geohot and graf_chokolo.  Which probably made someone on the Internet so angry that they decided to give Sony this wedgy. Message to Sony: It’s not smart to be arrogant in the face of overwhelming odds.

You have, say, 1’000 people working to protect your assets. The world has a population of 7 billion (and you just lost 3 dollars to every and each of them) and the probability that one of them can kick you where it really hurts is about 1. At least.

Of course, the company is now using all its power to hunt down the little bastard. Sony, if you read this: Don’t be surprised if a 13-year old kid outwitted your whole security team.

Or rather the manager, who told the team not to fix those servers. But no, managers are never wrong. So the team must be punished. Fire them! All of them! Without supper! Serves them right! And don’t forget to sue the kid! Sue him to hell! Make sure he is not allowed to touch an electronic device ever again. EVER! It’s not your fault what happened! Try to create more DMCA-like laws! So you can sue more people! Get your engineering team to build a time traveling device so you can sue in advance! Force parents to divorce so they can’t breed anything threatening your revenue! Show the world who’s boss! Dictatorships never worked before but that should not stop you! It should rather encourage you! Grow by setting challenging goals!

See where the leads and why you can never win?

Making the world-wide security community hate you even more is your best bet! Trust me, I know at least as well as the guy who created this mess. And you trusted him, didn’t you?