
Chiron Codex: helping software engineers become centaurs.
Author Archives: Graham
On localisation and security
Hot on the heels of Uli’s post on the problems of translation, I present another problem you might encounter while localising your code. This is a genuine bug (now fixed, of course) in code I have worked on in the …
Posted in buffer-overflow, l10n, Mac, Vulnerability
Which vendor “is least secure”?
The people over at Intego have a blog post, Which big vendor is least secure? They discuss that because Microsoft have upped their game, malware authors have started to target other products, notably those produced by Adobe and Apple. That …
Posted in Business, Responsibility, threatmodel, Vulnerability
Why passwords aren’t always the right answer.
I realised something yesterday. I don’t know my master password. Users of Mac OS X can use FileVault, a data protection feature that replaces the user’s home folder with an encrypted disk image. Encrypted disk images are protected by AES-128 …
Posted in Encryption, Keychain, Mac, password
Regaining your identity
In my last post, losing your identity, I pointed out an annoying problem with the Sparkle update framework, in that if you lose your private key you can no longer post any updates. Using code signing identities would offer a …
Posted in Codesign, Crypto, PCAS, Updates
Losing your identity
Developers make use of cryptographic signatures in multiple places in the software lifecycle. No iPad or iPhone application may be distributed without having been signed by the developer. Mac developers who sign their applications get to annoy their customers much …
Security flaw liability
The Register recently ran an opinion piece called Don’t blame Willy the Mailboy for software security flaws. The article is a reaction to the following excerpt from a SANS sample application security procurement contract: No Malicious Code Developer warrants that …
Posted in Malware, Policy, Responsibility, Vulnerability
One Window that is good for Mac security
I realise now that I didn’t cover this when it happened back at the beginning of March, but not everyone in either the Apple world or the general infosec community is aware of it. Nearly one month ago, Apple …
Posted in AAPL
Why do we annoy our users?
I assume that, with my audience being mainly Mac users, you are not familiar with Microsoft Security Assessment Tool, or MSAT. It’s basically a free tool for CIOs, CSOs and the like to perform security analyses. It presents two questionnaires, …
Posted in brute-force, password, tool-support
So it’s not just the Department of Homeland Security, then
What is it about government security agencies and, well, security? The UK Intelligence and Security Committee has just published its Annual Report 2008-2009 (pdf, because if there’s one application we all trust, it’s Adobe Reader), detailing financial and policy issues …
Posted in Data Leakage, government, Policy
Integrating SSH with the keychain on Snow Leopard
Not much movement has occurred on projects like SSHKeychain.app or SSHAgent.app in the last couple of years. The reason is that it’s not necessary to use them these days; you can get all of the convenience of keychain-stored SSH passphrases …
Posted in Encryption, Keychain, Mac, ssh