Stories by Carl Jongsma

Cutting Through the Spin of Recent Vulnerability Disclosures

There are a few highly publicised vulnerabilities at the moment which haven't completely been disclosed and which, it is claimed, could threaten the whole Internet as-we-know-it. Only, when the vulnerabilities are finally disclosed, it seems that the whole incident has been somewhat Chicken Little.

Strange account management at Amazon

Via the RISKS mailing list comes an interesting tale of poor online account management at a major online retailer. According to Graham Bennett, accounts with Amazon display an odd behaviour that doesn't seem to have attracted much attention in the past.

Are international standards organisations no longer incorruptible?

For the last several months Microsoft has been pushing for their Office Open XML (OOXML) office suite file specification to be accepted as an international standard by ISO, presumably to help them gain traction for future government contracts (look, this file specification is an ISO standard, it must be good).

Upcoming PHP 5.3 beefs up security

PHP security guru Stefan Esser recently posted on some of the changes and important security issues that are likely to have significant effects for the everyday PHP coder (and user) with the release of the upcoming PHP 5.3.

Partially disclosing vulnerabilities does no one any good

What if I was to tell you that I have a secret that could end the Internet as you know it? What if I was only going to tell you at a fee-based conference once speculation had gone on for a month or more? How would you respond to that?

Who is behind that Gmail account?

Who is the real identity behind that Gmail account? While finding out may not be as easy as knowing who is behind (Homer Simpson, for the curious), it apparently isn't much harder.

The mobile Internet you'll be using in 10 years

After being plagued with project overruns and a scaling back of the final system, the US military's next generation satellite communications network is another step closer to reality, with completion of the payload module for the third and final Advanced Extremely High Frequency (EHF) satellite.

Sarah Palin demonstrates the peril of webmail

If you needed any more reminders about why it isn't a good idea to use external mail services to conduct critical business, the recent break-in to US Republican Vice-Presidential candidate Sarah Palin's Yahoo inbox should be it. Of note is that following the disclosure of the inboxes the compromised address and another address,, have been suspended.

Due diligence works, onenote patch reveals

Last week Microsoft released MS08-055 [1], patching a remote code execution vulnerability affecting the handling of onenote:// URLs in different versions of Office. What was surprising about the patch is that the vulnerability being fixed only bore a passing resemblance to the one that was notified to Microsoft in March of this year.

USAF: Cyberspace represents a fifth, costly, realm of warfare

Once the USAF Cyber Command was effectively put on ice recently, coverage of the US military's approach to network warfare and defence also went away. The existing infrastructure and systems that had been in place prior to the attempted set up of Cyber Command still continue to operate and the head of US Strategic Command, General Kevin Chilton, recently spoke about a range of the issues being faced in operating the US military's lesser-classified networks.

Google Fixes Major Weakness in Google Apps

Something that might have gone unnoticed from Google this week is the patching of a serious vulnerability that previously allowed an attacker to exploit a weakness in Google's Single Sign-On service used with Google Apps to take over a victim's Google account.

Why it's important to defend against historical vulnerabilities

How do you justify maintaining a defence against historical vulnerabilities that should be well out of common circulation or not viable against a modern system? An infected system on the International Space Station has demonstrated the importance of maintaining such a posture just last week when it was infected with a worm that was more than a year old.

Wider implications of the Red Hat breach

Reports of data losses and system breaches are almost becoming passe but from time to time events happen that take on a life of their own and have effects far beyond what the initial breach would normally represent.

Internet Explorer 8's XSS Filter examined

Microsoft's Security Vulnerability Research & Defense team (SVRD) have recently posted information online about the Cross Site Scripting (XSS) filter to be incorporated into Internet Explorer 8 when it is released.

New attack against multiple encryption functions

Unless you're a dyed in the wool cryptographic geek you probably didn't know that there was a Crypto conference, or even a chain of worldwide crypto conferences that take place each year. Fortunately, for the most of us that aren't crypto geeks there are a handful of very highly skilled people who are; they can take the highly theoretical and complex mathematical proofs and arguments that make up most of modern cryptographic and cryptanalytic research and put it into plain language.