Domain: imperva.com
Stories and comments across the archive that link to imperva.com.
Comments · 7
-
Obsolete crypto shows problem of software patents
It's worth noting that there are known attacks against RC4 (especially SSL using RC4). While these aren't quite practical yet, it is clear that RC4 is obsolete, and that current programmers should choose other stream cyphers (AES). Even supposing the patent was legitimate, the technology it covers has become obsolete well within its lifetime.
This illustrates one of the key reasons software (that is, algorithms) shouldn't be patentable: the field moves so fast that 20-year patent protection isn't useful. Even supposing the authors of software need patent protection to recoup their "investment" in inventing the algorithm, 20-year protection is effectively an infinite term, since by the time the protection ends, the technology is obsolete.
As an aside, note that patenting a protocol (such as RC4) automatically ends its usefulness. Protocols are only useful if the other party to the communication can participate, and interoperability is very important in software. Patents are ill-suited for this. Copyright, on the other hand, works well: the code you write is protected, but anyone else can write their own code to implement the protocol and communicate with you.
-
Re:This number might be too high.....
It seems you don't actually understand the topic you're speaking on here. Various bridged (inline) WAFs are capable of blocking Heartbleed attacks; Imperva offers one such solution. It is not necessary for the WAF to operate in a conventional proxy mode to accomplish this task, and there is no race condition involved. Why are you posting in an authoritative tone when you have no idea what you're talking about?
-
Re:What's a WAF?
To be fair, googling the term isn't very helpful here.
Result #1 is a google code project for git.
#2 is wikipedia's wife acceptance factor quoted by GP
#3 is the wikipedia article covering #1
#4 is acronyms.dictionary showing: WAF, Women in the Air Force (USAF; obsolete). WAF, Warendorf. WAF, WAF, We Are Family ...
#5 is urban dictionary showing "Wack As Fuck"
#6 is a website for World Architecture Festival
#7 is WPF Application Framework, "The WPF Application Framework (WAF) is a lightweight Framework that helps you to create well structured WPF Applications"
#8 is a sub-page of #1 containing documentation#9, the last result on the search, is finally "Web Application Firewall (WAF) - Real time protection from Web
..." from http://www.imperva.com/products/wsc_web-application-firewall.htmlYour snarky "let me google that for you" provides eight incorrect answers to his question!
If you don't even know the answer and can't be bothered to even pretend to, perhaps you should stop complaining about others who actually put in effort to remove part of their ignorance. -
Re:Welp
A friend of mine used to sit on the PCI board. He linked me to this recently:
http://blog.imperva.com/2011/04/pcis-impact-on-security-quantified.html
PCI is one of the most defined and effective standards I've ever seen. Compare that to other standards some companies tout like ISO27001 or SAS70, which are absolutely toothless. (Because they assess only what you SAY that access, as they are standards for evaluating your declared controls.)
PCI varies a lot depending on what tier the merchant is. If they are Tier 2 - Tier 4, the assessment is really only as good as their self-assessment/scan. The scan can be gamed simply by giving out a host or two which is properly locked down, and using that certificate. Tier 1 merchants (6 million+ transactions/year) have to undergo an audit with a certified assessor. I guess PSN doesn't do that many transactions per year? If the assessor does a bad job they will lose their certification.
Also, if Sony lied about the state of their compliance, then they are exposed to enormous amounts of liability.
-
One had to dig deep for this gem...
I don't know if anyone bothered to read the full report, but I found this recommendation tucked in at the end of the report:
ast character in the password. (pg. 3)Allow and encourage passphrases instead of passwords. (pg. 5)
And I say amen, amen to that. I've done quite a bit of personal research in this area, and have found passphrase systems to be far superior in terms of security and ease of use/recall over random combinations of characters. For years I've used the list provided at Diceware to generate my passphrases, and I have no problem still recalling little-used 5- or 6-phrase passphrases years later.
The idea that random sequences of characters is somehow superior to a passphrase of equal entropy is a myth borne of ignorance and a resistance to change. So long as companies that know better keep forcing their minions to adhere to a strict range of letter/number combinations, we'll continue to be saddled with the problem presented by the Rockyou.com crack.
-
Re:Look at the user base for RockYou...
From the source report (PDF, 387kb), we also read this: "Passwords were stored in cleartext in the database and were extracted through a SQL Injection vulnerability."
So RockYou was rather security unconcious from the beginning. Cleartext instead of hashed? C'mon.
-
Re:No way to tell?