Tag Archives: security


Like a lot of people, most of my Unix knowledge comes from an early reading of Advanced Programming in the UNIX Environment. This is an excellent tome on the interfaces provided by the kernel to programs on a Unix system. Unfortunately, it’s over 15 years old now, and things have moved on. Naturally, I haven’t […]

Cross Site Scripting, again

Twitter all clear after worm wave Twitter has been given the all clear after a worm infected “tens of thousands of users”. But experts say the attack could have been much worse. Another day, another XSS hole. It reminds me of something (probably apocryphal) that I heard about lung cancer research. There’s no real need […]


Once again, jasypt (“Java Simplified Encryption”) makes me smile. Java comes with a comprehensive set of encryption utilities: JCE. I had to do some decryption the other day and ended up with this code. public class Decryptor { private static final String ALGORITHM = "PBEWithMD5AndDES";   private final Base64 base64 = new Base64(); private final […]

Postfix 2.5.1 TLS on FreeBSD

This is one of those things that I have to put up there in case anybody else has the same obscure setup that I do… I run postfix on FreeBSD, using the ports system. This means I have a tendency to just use portupgrade to upgrade to the latest version of anything I happen to […]


One more little library that I’ve come to love: jasypt. It’s a simplified veneer over the top of the gargantuan java security apparatus. All I wanted to do was encrypt a String before putting it in a Cookie. BasicTextEncryptor encryptor = new BasicTextEncryptor(); encryptor.setPassword(key); String cipherText = encryptor.encrypt(clearText); It nicely base64 encodes the result, which […]

Cross Site Scripting

I’ve just been listening to Security Now about Cross-Site Scripting. It makes my blood boil. No, not all the ads and endless, aimless waffling. The talk about Cross-Site Scripting (aka XSS) being a problem because code and data can be intermingled in the page. No, it’s not. XSS is a problem because we have dumb […]

mod_security now switched off

Last night, I spent a long while trying to get mod_security working on this web server. Installation was simple, thanks to the FreeBSD ports system. Configuration was another matter entirely. Not having much experience of web application firewalls, I opted for the ModSecurity Core Rules to give me a head start. These are essentially some […]

System Keychain

This morning I was trying to add a new machine to my wireless network. Unfortunately, I’d forgotten the password… To the Keychain Access batcave! Unfortunately, the “Airport network password” is stored in the system keychain, instead of my login keychain. Whilst I can unlock the system keychain, when I ask it to show me the […]

Rails Security Hole

Working round the Rails showstopper. (pdcawley)++ (svk)++ I now have the fixed version of typo (soon to be 4.0.2), around an hour after it was committed. As to the whole “full disclosure” thing by the rails team? They handled it pretty badly. As somebody else commented, it didn’t work for OpenBSD a while back and […]

Rails gets sane

Some time ago, I wrote about The Wrong Defaults, explaining how nearly all templating systems for the web default to “insecure”. Well, it looks like some rails people are paying attention: Auto sanitized templates with Erubis