Accepting the invitation of the Progress and Freedom Foundation to speak during their annual Aspen Summit, I decided to make the trip to the Rocky Mountains this year to participate in this almost legendary forum thousands of feet above sea level. This was my first year of making the trek ...

The virtual world of the Internet inherited the term “trust” from the physical world, but the same notion of trust that consumers are accustomed to in the physical world has yet to be clearly established online. Consumers’ trust in the physical “bricks and mortar” world is based on their human experience ...

It was announced last week at the 25th Annual International Cryptology Conference in California that there has been a further breakthrough in the cryptanalysis of the SHA-1 algorithm. Professor Xiaoyun Wang, Andrew Yao and Frances Yao have demonstrated that collisions can be found in 2^63 operations, improving upon the 2^69 ...

In true Martin Luther King "I have a dream"-style, I recently wrote about the nirvana of securing consumers who shop and do their banking online. I questioned why we all still use passwords to secure our online identities and possessions, and looked forward to the day when strong-authentication is available ...

The most effective way of getting a developer to focus on reducing bugs in their code is to teach them how to write the exploits which will be written after their code is released. Why wait for a cracker to write an exploit when you can do it yourself as ...

The saga of the SHA-1 hash function continued last week in Paris. Attendees at the 63rd IETF meeting discussed proposals to update IETF standards in light of the recent collision attacks on SHA-1. Three main options were discussed: Move over to SHA-256 and other stronger hash functions, possibly truncating the longer ...

Over the years, I have heard some in our community say that cyber security awareness for consumers really doesn’t matter — that improving software security is really the only way to improve cyber security. What are your thoughts? How can we better educate the consumer and make tools ...

Paying a bounty for finding application bugs is a rather slippery slope to head down. There will always be application bugs (see previous blog entry), and effectively providing financial incentives to leave bugs in applications is a very unwise strategy. Original post by blog@rsa.com (Tim Hudson) and software by ...

The new edition of Information Storage & Security Journal features an article with my byline discussing the pros and cons of standardizing around a single one-time password (OTP) algorithm. The issue drew particular attention following the discovery in February that the SHA-1 hash function is not as secure as had ...