The recent security weakness found in both iOS and OS X hints at flaws in coding style guidelines, unit testing, system testing, code review policies, error management strategies, and tools deployment. An overview.
Google have announced general availability of their Cloud SQL service. At launch the service comes with automatic encryption of customer data, a 99.95% uptime SLA and support for databases up to 500GB in size.
Facebook has open sourced Conceal, a set of Java APIs for file encryption and authentication on Android. Conceal uses a subset of OpenSSL’s algorithms and predefined options in order to keep the library smaller, currently being 85KB.
Following recommendations by the US National Institute of Standards and Technology, Microsoft intends to stop honoring SHA1 for SSL and Code Signing certificates. This policy will begin in 2017 and applies to Windows Vista, Windows Server 2008, and later operating systems.
Crypto Obfuscator for .Net v2013 R2 includes support for code masking, constant field removal, Visual Studio 2012. It also includes Linux and Mono support for automatic exception reporting service including several new additions, improvements, changes and bug fixes.
CryptoLicensing v2013 for .Net includes license service activation console, new methods, properties with support for Mono, Android platforms including several improvements and bug fixes.
Syncfusion has announced the availability of Orubase Version 1 which ships with Project Wizard, SQLite and Encryption Support.
A recent publication in the ACM CCS'12 proceedings titled "The Most Dangerous Code in the World:Validating SSL Certificates in Non-Browser Software" exposes critical vulnerabilities in the creation and usage of SSL libraries in non-browser applications. The lessons learnt and the ensuing recommendations to developers and testers are shared in this news item.
.NET 4.5 brings a lot of improvements in how Cryptography is handled within ASP.NET, with new APIs Protect and Unprotect and various under-the-hood changes. Levi Broderick explains the motivation, the changes and compatibility in a series of articles.
The Mobile Shell takes a number of new approaches in providing shell connections for mobile and roaming clients.
Lori MacVittie from F5 Networks provided an analysis of the recent adoption of NIST SSL Deployment Guidelines by the US Government as of January 2011. Since all commercial certificate authorities now issue only 2048-bit keys, the capacity of a server to process SSL is severely impacted and invalidates the general belief that SSL is not computationally expensive.
In a recent MSDN article entitled Crypto Services and Data Security in Windows Azure, Jonathan Wiggs provides advice on securing data stored and processed through Windows Azure. InfoQ explored the topic in more detail to understand some of the security ramifications which come with deploying an application to the cloud.
David Durham, manager of Intel's Security and Cryptography Research group, was recently interviewed on the subject of Internet and Computer Security. The interview covers a wide range of topics including the "monetization of malware," Cloud-based detection of malware, security of data stored in the Cloud, "Botnets in the Dark Cloud," and malware as a tool in geo-politics.
The JRuby team has added Ruby 1.8.7 compatibility to the current JRuby trunk. Android received some more attention with JRuby support for the Android Scripting Environment as well as a JRuby irb app. Also: the bcrypt-ruby library for hashing passwords is now available for JRuby, as well as Ruby 1.9.
An implementation of the MD5 cryptographic hashing algorithm for Silverlight has been posted on MSDN by Reid Borsuk. Delay, another MSDN user, has recently posted ComputeFileHashes, a small .NET command-line application that also works on WPF and Silverlight and is helpful to compute MD5, SHA-1, and CRC-32 hashes.