
iGrapher

Neal Poole » Reports from Google’s Vulnerability Reward Program

Over the past several weeks, I’ve been an active participant in Google’s Web Vulnerability Reward Program. I’ve been writing blog posts about each of the vulnerabilities I’ve reported, publishing them once I’m told that the vulnerability has been patched. I’ve also been keeping up with posts that others have written and submitted to places like /r/netsec, /r/xss, and Hacker News. The posts, in aggregate, have explored many areas of web application security: XSS attacks of varying design, CSRF vulnerabilities, HTTP response splitting, clickjacking, etc. However, the program has attracted quite a large number of participants; I’m sure that I’ve seen only a small fraction of what people have posted. Thus, the idea for this post came into being.

Let me know what you think in the comments!

Update (12/21/2010): The comments have spoken and I’ve added a new vulnerability to the list.

Update 2 (12/21/2010): Adding another vulnerability that I reported to the list.

Best of Design 2010

As 2010 is wrapping up, it is about time to do a sum-up of the best sites that I've featured on Best Web Gallery. Again I've selected 50 sites from different categories: personal blog, commercial, agency, portfolio, and software.

In 2010, CSS design is getting more interactive. People are using jQuery and CSS animation to add interaction to their designs. More designers are using custom font faces. Some have incorporated responsive web design using media queries. Responsive design is definitely the next big thing that we should look forward to.

20 Things I Learned Jax Sven Prim Future of Web Design Stephen Caver Version Teixido Pictory Riot Industries Brizk The Many Faces of Tobias Ahlin Haus Nike Snowboarding Living Principles Forever Heavy Christoph Zillgens Foundation Six Cargo Collective Mobile Roadie Donq 37 Signals Courier Rainy Pixels Simo Analog Veerle Kaleidoscope Joyent Hicksdesign Marie Catribs dConstruct Buffalo Galp Lost World's Fairs Fiell Image Mechanics Infinvision Grand People Crush Lovely Rokkan Cutler Yaron Schoen

How To Safely Store A Password | codahale.com

31 Jan 2010

Use bcrypt

Use bcrypt. Use bcrypt. Use bcrypt.

Why Not {MD5, SHA1, SHA256, SHA512, SHA-3, etc}?

These are all general purpose hash functions, designed to calculate a digest of huge amounts of data in as short a time as possible. A modern server can calculate the MD5 hash of about 330MB every second. And that’s without investing anything. If you’re willing to spend about 2,000 USD and a week or two picking up CUDA, you can put together your own little supercomputer cluster which will let you try around 700,000,000 passwords a second.

Salts Will Not Help You

It’s important to note that salts are useless for preventing dictionary attacks or brute force attacks. Salt or no, if you’re using a general-purpose hash function designed for speed you’re well and truly effed.

bcrypt Solves These Problems

How?

How much slower is bcrypt than, say, MD5? So we’re talking about 5 or so orders of magnitude.

Tl;dr

Use bcrypt.

Updated February 24th, 2011

Isn’t bcrypt just Blowfish?

A Guide to GIT using spatial analogies

Some developers find Git takes a little getting used to, claiming that it is conceptually convoluted compared to other distributed version control systems. I used to number myself amongst them. Happily, I’ve found that a couple of simple spatial analogies have made me proficient and fluent in using Git’s command-line interface. One of the things that tripped me up as a novice user was the way Git handles branches. Unlike more primitive version control systems, git repositories are not linear; they already support branching, and are thus best visualised as trees in their own right. Branches thus become trees of trees. To visualise this, it’s simplest to think of the state of your repository as a point in a high-dimensional ‘code-space’, in which branches are represented as n-dimensional membranes, mapping the spatial loci of successive commits onto the projected manifold of each cloned repository.

The authors of the git manuals clearly had this in mind.

Update: Thanks folks.

Hacker News | Ask HN: How do you make your website mobile friendly?

Google's AROUND Operator for Proximity Search

Four software design mistakes that Diaspora needs to fix. Fast.

buddycloud channels: open federated social networking