Archive for the 'Security' Category

Heartbleed Statement

Sunday, April 13th, 2014

By now many people have heard about The Heartbleed Bug, last week’s internet-wide security issue based in a problem with the popular OpenSSL encryption libraries. I have put off making a public statement not because of ignorance about the bug but because I wasn’t sure it was appropriate or necessary. Over the past week I’ve […]

The Sandbox’s Big Red Button

Saturday, May 12th, 2012

If you’ve been following the debate surrounding Apple’s Application Sandbox, you know that many developers are concerned about the implications for existing apps of adopting the sandbox. Apple has been threatening for almost a year that apps for sale in the Mac App Store will need to embrace the Application Sandbox, or else further updates […]

Secure Password Storage

Tuesday, March 20th, 2012

Tony Arcieri urges developers storing user-sensitive data, such as passwords, not to use bcrypt (via Michael Tsai) for deriving the encryption key: The first cipher I’d suggest you consider besides bcrypt is PBKDF2. It’s ubiquitous and time-tested with an academic pedigree from RSA Labs, you know, the guys who invented much of the cryptographic […]

Developer ID Gotcha

Monday, March 19th, 2012

For the upcoming Gatekeeper feature in Mac OS X 10.8, Apple will make it easy for customers to prevent software from running that has not been digitally “signed” by developers with a certificate from Apple called the Developer ID certificate. Many developers already choose to sign software using self-generated signing certificates. I wrote many years […]