Archive for August, 2005

Information Security in the Rockies

August 29, 2005

Accepting the invitation of the Progress and Freedom Foundation to speak during their annual Aspen Summit, I decided to make the trip to the Rocky Mountains this year to participate in this almost legendary forum thousands of feet above sea level. This was my first year of making the trek west to the Summit,...
Posted in Computer security Systems | No Comments »

Trust me?

August 29, 2005
By Computer security

The virtual world of the Internet inherited the term “trust” from the physical world, but the same notion of trust that consumers are accustomed to in the physical world has yet to be clearly established online. Consumers’ trust in the physical “bricks and mortar” world is based on their human experience of entering real banks...

SHA-1 Cryptanalysis Breakthrough

August 26, 2005

It was announced last week at the 25th Annual International Cryptology Conference in California that there has been a further breakthrough in the cryptanalysis of the SHA-1 algorithm. Professor Xiaoyun Wang, Andrew Yao and Frances Yao have demonstrated that collisions can be found in 2^63 operations, improving upon the 2^69 findings announced in February...

Study Suggests Consumers Would be Willing to Use Stronger Security

August 24, 2005

In true Martin Luther King "I have a dream" style, I recently wrote about the nirvana of securing consumers who shop and do their banking online. I questioned why we all still use passwords to secure our online identities and possessions, and looked forward to the day when strong authentication is available and familiar to the...

Every developer should write an exploit.

August 19, 2005
By Computer security

The most effective way of getting a developer to focus on reducing bugs in their code is to teach them how to write the exploits which will be written after their code is released. Why wait for a cracker to write an exploit when you can do it yourself as part of the normal...

Potential Next Steps for SHA-1

August 10, 2005

The saga of the SHA-1 hash function continued last week in Paris. Attendees at the 63rd IETF meeting discussed proposals to update IETF standards in light of the recent collision attacks on SHA-1. Three main options were discussed: Move over to SHA-256 and other stronger hash functions, possibly truncating the longer hash output to match...

Consumer Cyber Security Awareness DOES Matter

August 9, 2005

Over the years, I have heard some in our community say that cyber security awareness for consumers really doesn’t matter — that improving software security is really the only way to improve cyber security. What are your thoughts? How can we better educate the consumer and make tools more available to improve...

Bug Bounties, A Bad Idea

August 8, 2005

Paying a bounty for finding application bugs is a rather slippery slope to head down. There will always be application bugs (see previous blog entry), and effectively providing financial incentives to leave bugs in applications is a very unwise strategy. Original post by blog@rsa.com (Tim Hudson) and software by Elliott

Algorithm Agility

August 2, 2005
By Computer security

The new edition of Information Storage & Security Journal features an article with my byline discussing the pros and cons of standardizing around a single one-time password (OTP) algorithm. The issue drew particular attention following the discovery in February that the SHA-1 hash function is not as secure as had been believed, given that...
