Twitter officially disabled Basic authentication this week, the final step in the company's transition to mandatory OAuth authentication. Sadly, Twitter's extremely poor implementation of the OAuth standard offers a textbook example of how to do it wrong. This article will explore some of the problems with Twitter's OAuth implementation and some potential pitfalls inherent to the standard. I will also show you how I managed to compromise the secret OAuth key in Twitter's very own official client application for Android.
OAuth is an emerging authentication standard that is being adopted by a growing number of social networking services. It defines a key exchange mechanism that allows users to grant a third-party application access to their account without having to provide that application with their credentials. It also allows users to selectively revoke an application's access to their account.

It hasn’t been the greatest summer for BlackBerry when it comes to its global enterprises. First the UAE outlawed the use of BlackBerrys in its country while citing security concerns. Then India’s government came along and said that its own security services would ban BlackBerry devices in India if they were not able to monitor the encrypted e-mails and instant messages sent by BlackBerry devices in the country. At least for the moment, India has granted a 60-day delay on the ban while it goes over some proposals from BlackBerry’s maker, RIM.
One of the reasons BlackBerrys have been such a success is that the devices are able to send secure messages over the BlackBerry infrastructure, which is very appealing to businesses. However, this strength is exactly what is supposedly making India so nervous. It claims to be afraid that the device could potentially be used by the same kind of militants that performed the 2008 attack on Mumbai to help carry out a repeat attack.
Earlier this summer, when the first BlackBerry ban took place in the UAE, we were a bit miffed. But now we’re starting to feel really on edge about the whole thing, especially since India is a country whose citizens are so desperately trying to develop their technology industries. Granted, BlackBerry’s infrastructure is exceptionally secure, but who is to say that India’s security services don’t stop there? Will other smartphones that use Microsoft Exchange to send messages, and other encrypted services, be next?
(Via BBC / image credit)


Just about every mobile operating system manufacturer can remotely delete apps from the smartphones they help provide, but if a recent patent application is any indication, Apple's looking to lock down the whole enchilada on future devices. The basic concept is as simple as the diagram above -- certain activities trigger the phone to think it's in the wrong hands -- but the particular activities and particular remedies Apple suggests extend to audiovisual spying (to detect if a user has a different face or voice than the owner), and complete remote shutdown. While the patent mostly sounds targeted at opt-in security software and would simply send you an alert or perform a remote wipe if your phone were stolen or hacked, jailbreaking and unlocking are also explicitly mentioned as the marks of an unauthorized user, and one line mentions that cellular carriers could shut down or cripple a device when such a user is detected. Sounds great for securing phones at retail, sure, but personally we'd rather devices don't determine our authority by monitoring our heartbeat (seriously, that's an option) and we're plenty happy with the existing Find My iPhone app.
Apple attempts to patent kill switch that roots out unauthorized users, detects jailbreaks originally appeared on Engadget on Sat, 21 Aug 2010 20:58:00 EDT.
Not sure how you feel about those airport scanners that reveal your bits and pieces to under-paid guards? We think they make air travel rather titillating, but perhaps you'll be more comfortable with a conceptual scanner that skips your fleshy bits entirely and looks only at your bones. Being developed by a team of researchers at Wright State University, such a scanner could use existing technology to detect the skeletal structure of a person. The idea is that a person's bony bits are unique and, unlike one's face, impossible to disguise (short of some serious surgery). If a database of registered criminals and suspects could be created, they could be identified with such a scanner, in theory even at a distance, far more reliably than via facial scan. Right now it's just a concept, but the idea is to have a working prototype by next year. After that, nobody's clavicles will be safe.
Conceptual airport identifier skips your naughty bits, scans straight to the bone originally appeared on Engadget on Sat, 21 Aug 2010 10:13:00 EDT.
Well, we got our copy of McAfee Antivirus for $29, but it looks like Intel had something a little more substantial in mind. The latter has picked up the Santa Clara-based security / antivirus company for a cool $7.68 billion, which works out to $48 per share in cash. Intel informs us that it will function as a wholly owned subsidiary (under the control of its Software and Services group). This comes hot on the heels of the company's acquisition of TI's cable modem unit, and possibly signals a new focus on security for connected devices. "The cyber threat landscape has changed dramatically over the past few years, with millions of new threats appearing every month," said McAfee CEO Dave DeWalt. "We believe this acquisition will result in our ability to deliver a safer, more secure and trusted Internet-enabled device experience." This has added a wonderful new phrase to the Engadget lexicon (and possibly even a name for our new garage band): Cyber Threat Landscape. PR after the break.
Intel acquires McAfee for $7.68 billion originally appeared on Engadget on Thu, 19 Aug 2010 09:20:00 EDT.