Latest Comments

In response to: Why secure e-voting is so hard to get

Comment from: James A Bevacqua [Visitor]

This is the most informative such article I’ve read thus far.

2016-11-11 @ 18:40

In response to: Protecting network neutrality: both important and hard

Comment from: Alyse [Visitor]

Excellent explanation. Started out thinking there was no way this was going to make sense then it all came together

2016-07-14 @ 04:57

In response to: Book review: "Creativity, Inc." by Ed Catmull

Comment from: Suzie Nien [Visitor]

Someone like me, who has watched all animation movies produced by Pixar, will try not to treat this book as a regular management tool but as a book to get closer to how they create those beloved films inside Pixar!

Ed did put in effort and has a great sense for management, so he can face fears and failures calmly and lead employees in how to make it safe to take risks! I still have to say, even though Ed wrote “Making something great is the goal”, it actually just presents the sprint of Steve Jobs, who did this his entire life. (So I can have both iPhone and Pixar to cheer up my life for years.)

Quoting what Neil Gaiman (author of “The Ocean at the End of the Lane”) said at a school graduation (I also take it for myself):
“Make New Mistakes. Make glorious, amazing mistakes. Make mistakes nobody’s ever made before. Don’t freeze, don’t stop, don’t worry that it isn’t good enough, or it isn’t perfect, whatever it is: art, or love, or work or family or life.

Whatever it is you’re scared of doing, Do it.

Make your mistakes, next year and forever.”

2015-05-25 @ 18:49

In response to: Running an effective security research team

Comment from: Jeff K. [Visitor]

Fabulously enlightening.
Will you talk about conflict resolution?

2015-05-20 @ 17:35

In response to: Running an effective security research team

Comment from: Naftali [Visitor]

Hi Hagai, I like the insights. I just want to add that, in parallel to the above, there is also an evaluation of the nature of the management positions and of the expectations from them towards the activity of security and security research. Just as an example, on the logging topic, or any data-related topic, there is a strong need to bring value and intelligence rather than mastering the ability to create correlations, etc. etc.

2015-05-20 @ 14:28

In response to: Running an effective security research team

Comment from: Suzie Nien [Visitor]

A brilliant article; it has an extremely deep understanding of executing and running a security team in a real business.

Hiring based on task-centric capabilities rather than on subject matter familiarity is an excellent point. It shouldn’t be limited to and only applied in engineering domains, but in all of them.

The sweet spot of this article that I enjoy is the joining and balance of academic and non-academic!

2015-05-20 @ 11:20

In response to: My blog's 10th anniversary

Comment from: Raviv [Visitor]

Thanks!

2015-03-31 @ 23:47

In response to: Bitcoin does not provide anonymity

Comment from: David Luther [Visitor]

Bitcoin is not anonymous and it is so boring and old. There are some real anonymous cryptos. This year anonymous cryptocurrencies will be in trend.
Just look at duckNote, one of my favorite cryptos. duckNote!
duckNote brings the idea of mixing and ASIC-resistance. Best crypto ever! Sorry for my emotions, but
http://ducknote.cc http://ducknote.org
duckNote is a true anonymous coin.

2014-08-30 @ 12:57

In response to: CAcert as a certification alternative

Comment from: Soumen Sarkar [Visitor]

“Unexpectedly, this post, titled “The Inevitable Collapse of the Certificate Model”, quickly became the favorite post on my blog, pulling more views than all other individual posts.”

The reason for the increased visits is that the Wikipedia entry on Extended Validation Certificate refers to your blog post:

http://en.wikipedia.org/wiki/Extended_Validation_Certificate

2014-06-04 @ 20:31

In response to: The Inevitable Collapse of the Certificate Model

Comment from: Soumen Sarkar [Visitor]

Google built a trust model for documents on the Internet through the PageRank algorithm for effective keyword/phrase search. Can this crowdsourcing model of trust building somehow be applied to certificate trust building?

2014-06-01 @ 19:32

In response to: The status of TrueCrypt

Comment from: ronys [Visitor]

Hi Hagai,

“The page, […] seemed too pragmatic and unemotional to be written by an open source developer who discontinues his masterpiece development after more than a decade […]”

You’re assuming that the developer who took down the project is the same one that accompanied the project from the start. Ain’t necessarily so.
This thread’s the most reasonable I’ve read so far:
http://it.slashdot.org/comments.pl?sid=5212985&cid=47115785

A Lavabit scenario seems to me less likely than programmer fatigue, especially since we’ve no idea if the developers are in the US or not.

Could be that we’ll never know, though.

2014-05-30 @ 16:39

In response to: OpenSSL "Heartbleed" bug: what's at risk on the server and what is not

Comment from: Hagai Bar-El [Member]

The bug is not new. It has been there for more than two years. The only question is whether it was known to black-hats before it was “officially” discovered or not. It is not trivial to determine if it was exploited or not on a given system, because the typical HTTP logs Apache keeps do not show heartbeat packets.

Here you can find possible evidence of past exploitation:
https://www.eff.org/deeplinks/2014/04/wild-heart-were-intelligence-agencies-using-heartbleed-november-2013

2014-04-22 @ 21:06

In response to: OpenSSL "Heartbleed" bug: what's at risk on the server and what is not

Comment from: Dan Feekes [Visitor]

Hi Hagai,

I was talking to a colleague last week who said that their IT security co-workers were examining their logs and traffic over the last couple of weeks and have not seen any attempts to exploit the OpenSSL issue. Is the bug too new, and black hats have not yet had the time to write the code to exploit it? If what I’ve been told is true, does anyone have suggestions why we’re not hearing about OpenSSL attacks yet?

2014-04-21 @ 21:34

In response to: OpenSSL "Heartbleed" bug: what's at risk on the server and what is not

Comment from: Hagai Bar-El [Member]

Replacing the SSL keys (yes, you need to replace the keys and the certificates, not just the certificate) is done by repeating the same process of installing SSL in the first place.

The technicality depends only on your web server and OS. Search for “set up ssl apache” or “set up ssl iis” to get hundreds of useful guides.

A good one for SSL on Linux/Apache is at: http://www.htmlgoodies.com/beyond/security/article.php/3774876

2014-04-12 @ 09:59

In response to: OpenSSL "Heartbleed" bug: what's at risk on the server and what is not

Comment from: Ria [Visitor]

Hello, thank you for this article.
I would like to draw your attention to something else.
The sad fact is that I understand some of this and still would not know how to change keys. Worse is that in my neighborhood I am the Nerd... So I would like to ask if anyone would be willing and able to give a “How to” instruction to all the oblivious users that really do not know how to help themselves with this?

2014-04-11 @ 23:28

In response to: OpenSSL "Heartbleed" bug: what's at risk on the server and what is not

Comment from: Hagai Bar-El [Member]

@Joe
In this case, all bets are off…
The sentence that follows the one you quoted reads: “An obvious exception would be if a password that was captured happens to open the door to other attack venues.”

2014-04-10 @ 15:34

In response to: OpenSSL "Heartbleed" bug: what's at risk on the server and what is not

Comment from: Joe [Visitor]

“The integrity of the system. This is probably the most important point. The attack is passive in the sense that it gets data out, but cannot change anything in the system.”

What if the exfiltrated data allows a hacker to then log in to the server and install a rootkit, or exploit some other installed software to do this?

2014-04-10 @ 15:20

In response to: Bitcoin does not provide anonymity

Comment from: rotemmiz [Visitor]

There are solutions for the lack of anonymity. Use coin remixers like CoinJoin. blockchain.info provides a free, hassle-free, opt-in remixer service.

2014-04-06 @ 08:37

In response to: Bitcoin does not provide anonymity

Comment from: Hagai Bar-El [Member]

Bitcoin was never officially claimed to be anonymous. However, it is rightfully claimed to be decentralized and unbacked by any state or financial institution. These features led to an implicit assumption of anonymity by some people. For example, Bitcoin is accepted by some websites that sell illegal goods over the net, as well as by criminals running extortion activities.
Also, the common idea that Bitcoin will prevent sanctions and taxation has its roots in an assumption of anonymity.

2014-04-04 @ 15:43

In response to: Bitcoin does not provide anonymity

Comment from: Danny [Visitor]

Is Bitcoin pretending to be as anonymous as cash?

If yes, your essay is quite amazing!!

Danny

2014-04-04 @ 12:05