Sat May 04 06:34:11 GMT 2024


Tue Apr 30 12:48:10 GMT 2024 From /weblog/security


Introduction to Cryptography Basic Principles -[..]01/diffie-hellman-key-exchange-algorithm[..]tography-theory-1-meaning-of-secure.html

getting-a-list-of-available-cryptographic-algorithms -[..]t-of-available-cryptographic-algorithms/

Differential privacy -

The crazy mathematical concept that underlies all your online security: zero knowledge proofs -[..]r-online-security-zero-knowledge-proofs/

Mon Oct 23 12:55:06 GMT 2023 From /weblog/security


How VPNs really work -

Thu May 04 12:09:46 GMT 2023 From /weblog/security


A list of diagrams showing how TLS works

Understanding TLS protocol -- handshaking kickoff -
Understanding TLS protocol -- connection states -[..]rstanding_tls_protocol_connection_states
Understanding TLS protocol -- handshaking renew -[..]rstanding_tls_protocol_handshaking_renew
Understanding TLS protocol -- handshaking resume -[..]standing_tls_protocol_handshaking_resume

Another reading, about handshaking for the HTTP protocol -[..]/06/first-few-milliseconds-of-https.html

How to get HTTPS working -[..]nt-environment-in-5-minutes-7af615770eec

The TLS Handshake Explained -

Wed Jun 08 02:06:23 GMT 2022 From /weblog/security


Conducting SAST (static application security testing) for Java Applications -[..]-sast-for-java-applications-5b0ac381cb4a

How to do password hashing in Java applications the right way! -[..]shing-in-java-applications-the-right-way

Sat Apr 30 13:41:20 GMT 2022 From /weblog/security


Learn Morse Code for Fun and Profit -[..]/27/learn-morse-code-for-fun-and-profit/

Fri Dec 24 12:26:06 GMT 2021 From /weblog/security


How to use basic UNIX tools to steal another person's Facebook identity -

More on BGP Attacks -

Discussion of cracking protection - , with an introduction to tools -

Ten Immutable Laws of Security
Law #1: If a bad guy can persuade you to run his program on your computer, it's not your computer anymore
Law #2: If a bad guy can alter the operating system on your computer, it's not your computer anymore
Law #3: If a bad guy has unrestricted physical access to your computer, it's not your computer anymore
Law #4: If you allow a bad guy to upload programs to your website, it's not your website any more
Law #5: Weak passwords trump strong security
Law #6: A computer is only as secure as the administrator is trustworthy
Law #7: Encrypted data is only as secure as the decryption key
Law #8: An out of date virus scanner is only marginally better than no virus scanner at all
Law #9: Absolute anonymity isn't practical, in real life or on the Web
Law #10: Technology is not a panacea[..]s/security/essays/10imlaws.mspx?mfr=true

An example of a buffer overflow attack -

hack yourself! -

How I Hacked Google App Engine: Anatomy of a Java Bytecode Exploit -[..]-anatomy-of-a-java-bytecode-exploit.html


How to Find Dangerous Log4j Libraries -

Tue Dec 29 14:18:24 GMT 2020 From /weblog/security


Make sure all your passwords are 12 characters or more, and use bcrypt or PBKDF2 exclusively to hash anything you need to be secure. -

Passwords that only work one time -

Cracking CAPTCHAs -

Java password mask -[..]er/technicalArticles/Security/pwordmask/

OpenID resource -[..]ge/spidaman/20070225#the_openid_snowball[..]_id=46569&asrc=EM_NLN_2030603&uid=703565

OpenID explained -

A technique that cracks Windows XP passwords in 3 minutes -

Using images as passwords -

Another interesting idea, evolving passwords -[..]uid=79730e53-1d30-47ae-98e8-abb55201429b

Passphrase Evangelism -

Rainbow table hash cracking - , and adding a salt (token) to prevent it -

How to make passwords harder to guess, but I guess there should be a simpler way to guess "this is fun" than taking 2537 years? -

Discussion about whether some old suggested password rules are still valid or not -

Using quantum for passwords? -

Salted Password Hashing - Doing it Right -[..]w-to-encrypt-the-user-password-correctly

It sounds like outsourcing is better -

Hash explained -[..]-passwords-in-your-next-application-4e2f

Sat Sep 26 15:54:02 GMT 2020 From /weblog/security


Security Analysis of SMS as a Second Factor of Authentication -

Tue Jul 18 16:22:53 GMT 2017 From /weblog/security


The NSA has open-sourced dozens of security tools

Sun Dec 23 09:30:52 GMT 2012 From /weblog/security


Explanation about the Great Firewall -

Sat Jun 30 16:07:02 GMT 2012 From /weblog/security


Anatomy of a Stack Smashing Attack and How GCC Prevents It -[..]cleId=240001832&siteSectionName=security

Sun Apr 01 14:17:08 GMT 2012 From /weblog/security


Thu Mar 01 14:41:18 GMT 2012 From /weblog/security


How to make encryption really safe -[..]roduction-to-strong-cryptography-p1.html

Review and summary of "19 Deadly Sins of Software Security" -

Dumb security ideas and recommended fixes - ... interesting to read but not much real impact

Top 25 security-related coding issues -

Tue Apr 05 16:25:55 GMT 2011 From /weblog/security


The story about getting hacked -[..]gers-and-why-it-will-never-happen-again/

Thu Dec 06 15:33:35 GMT 2007 From /weblog/security


TJX lost customer data due to not having updated its Wi-Fi code -[..].com/article/07/01/17/HNtjxbreach_1.html

Wed Nov 28 05:35:27 GMT 2007 From /weblog/security

Config file

Encrypting configuration, probably a good idea -

Tue Jun 20 06:44:56 GMT 2006 From /weblog/security

Losing a notebook

Cases like that happen again and again and again... We really need to educate users about security:

Sun May 07 11:57:54 GMT 2006 From /weblog/security

HK police information leakage

It looks like most governments don't handle data security well. The recent HK police information leakage case is a great example:[..]35&sid=7287851&con_type=1&d_str=20060330[..]ge+case&sourceid=opera&ie=utf-8&oe=utf-8

However, this is not only an HK problem; some other countries are facing similar problems too:

In the HK case, it looks like some idiots in the Government gave out real data for testing; of course the IT service provider should also check the data and keep it secure, even when it is test data.

The latter case is trickier: it turns out Googlebot was too clever and bypassed the security trick, because it called the HTTP GET command that deletes links every day. Remember, client-side security alone is never safe.

Wed Apr 05 07:46:05 GMT 2006 From /weblog/security


An article showing how to test for various website security bugs using an HTTP header manipulation tool. However, it looks like using an HTTP client is easier and more scriptable?

