Why do we bother with SSL? I mean what’s the risk that we’re trying to protect against by using certificate authorities and serving up traffic over HTTPS? Usually it’s men (or possibly even women) in the middle or in other words, someone sitting somewhere between the client and the server and getting their hands on the data. Do we all agree with this? Yes? Good, then why on earth would you possibly say this? [https://twitter.com/HoytsAustralia/status/478320507402465281] This was in response t...

For some years now, one of the first things I’ve dropped into any new project has been ELMAH [https://code.google.com/p/elmah/]. Grab it from NuGet, provision yourself a SQL database table and watch magic happen as every unhandled error gets dumped into the DB and is reviewable via a handler which exposes the original stack trace amongst other info such as server variables and POST data. In theory, you also secure this. In practice, many people don’t [https://www.google.com/search?q=inurl%3Aelma...

Here was the original plan: propose two talks for NDC, travel over to the other side of the world and do them both then make the long trek home (each trip taking about 33 hours, thank you very much). That was pretty much how it went except that only one of the proposed talks made the cut (I later learned that they seemed too similar which is a perfectly reasonable assessment). So I did the only sensible thing and took the very best parts out of the talk that didn’t make the cut and rolled them i...

If you’re an Aussie with an iPhone, there’s a chance you’ve been woken up in the middle of the night by this: Oh boy. What we’re looking at is an iPhone that has been remotely locked by “Oleg Pliss”. What we’re looking at is a modern incarnation of ransomware [http://en.wikipedia.org/wiki/Ransomware] executed via Apple’s iCloud and impacting devices using the “Find my iPhone” feature. Perplexingly, this is predominantly impacting Aussie iCloud users and to date, there’s no clear reason why, r...

I’m used to seeing short-sighted responses on Twitter when it comes to security, but admittedly this one took me by surprise: [https://twitter.com/vBZachery/status/471161211401555968] This was from a vBulletin “Tech Support Guy” as part of a thread about the security profile of the website MMO Champion [http://www.mmo-champion.com/], a World of Warcraft discussion site. This is a site that allows you to register with a username and password, store your date of birth (and hide it from public v...

Be honest now – how many of you are metaphorically shackled to your PCs day in and day out? Keeping in mind that I largely speak to an audience that earns a living by spending the majority of their day in front of screens, a great deal of people reading this just aren’t making enough time to literally see the light of day. Admittedly, I’m one of those screen-bound people that puts in a whole lot of hours coding, blogging, recording, emailing and partaking in all sorts of other byte-driven activi...

Last month I headed over to the totally awesome conference that was Codemania in Auckland, New Zealand (for international readers, it’s like Australia but with stranger accents and more hobbits). I spoke on… security! Imagine that? More specifically, I spoke about “Hacking Yourself First” which is all about teaching developers to identify risks in their own software before someone else does! If this sounds interesting (and if you’re building software for the web, it should), the talk is based...

Here’s how it usually works: someone big gets hacked or a serious risk gets disclosed then all sorts of articles pop up with journos quoting people like myself on all the same questions that inevitably get asked. I’ve been doing a bit of that today in the wake of the eBay attack so I thought that rather than just have these one on one conversations which then get dispersed all over the place, I’d capture a bunch of responses from discussions I’ve had here. Just one more thing – it’s very early...

Back in the day when the British had a penchant for conquering the world, they ran into a little problem on the subcontinent; cobras. Turns out there were a hell of a lot of the buggers wandering around India and it also turned out that they were rather venomous which didn’t sit well with the colonials. Ingenious as the British were, they decided to offer the citizens a bounty – you hand in dead cobras that would otherwise have bitten some poor imperialist and you get some cash. Problem solved....

Remember view state? This was the massive kludge of hidden input data in an ASP.NET web forms page which tried to create quasi-persistence between requests in what is otherwise the stateless world of HTTP. Actually saying “was” isn’t that fair as indeed web forms apps make up the vast majority of ASP.NET sites out there today, but Microsoft’s implementation of MVC tends to be viewed as the new shiny thing that many of us have gravitated towards in recent years. That said, when I created my recen...