This is a piece published in Kapital no. 11 2010 in reply to a piece in no. 9 by Petter Berge of North Capital. In a guest column in Kapital no. 9 this year, Petter Berge of North Capital writes that passive management is not a real alternative because it is not possible to achieve the index's return....
Intrusion detection: doing it wrong
Quite a few thick volumes have been written on the topic of securing corporate environments - but most of them boil down to the following advice: Reduce your attack surface by eliminating non-essential services and sensibly restricting access to data, Compartmentalize important services to lower the...
Yeah, about that address bar thing...
As promised, here's another interesting browser bug, showing the perils of being user-friendly. You are probably familiar with the usual behavior of the address bar: when you click on a link, the browser keeps showing the old location up until the new content is retrieved and actually replaces the previous...
HTTPS is not a very good privacy tool
Today, EFF announced HTTPS Everywhere - a browser plugin that automatically "upgrades" all requests to a set of predefined websites, such as Wikipedia, to HTTPS. This is done in a manner similar to Strict Transport Security. Widespread adoption of encryption should be praised - but the privacy benefits...
Browser-side XSS detectors of doom
The prevalence of cross-site scripting - an unfortunate consequence of how the web currently operates - is one of the great unsolved challenges in the world of information security. Short of redesigning HTML from scratch, browser developers are not particularly well-positioned to fix this issue; but...
The curse of inverse strokejacking
This is the third interesting bug I had in my pipeline for a while. It's far less scary than the previous ones, but nevertheless, probably amusing enough. A while ago, I posted a whimsical proof of concept for what I greatly enjoy calling strokejacking. The problem amounts to this: a rogue site can put...
Announcing ref_fuzz, a 2 year old fuzzer
Somewhere in 2008, I created a relatively simple DOM binding fuzzer dubbed ref_fuzz. The tool attempted to crawl the DOM object hierarchy from a particular starting point, collect object references discovered during the crawl by recursively calling methods and examining properties, and then reuse them...
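The crawl-and-reuse loop described above, as an added illustration that is not ref_fuzz's own code: starting from a root object, the crawler walks own properties, calls every zero-argument method it finds, keeps every object reference it discovers, and then replays each reference as an argument to each method. The mock document tree, its DOM-like type checks and the `DEPTH_LIMIT` bound are constructed for this example so it runs in Node; in a browser the same `crawl()` would be pointed at the real `document`.

```javascript
// Added example in the spirit of ref_fuzz; not the original tool's code.
// The mock document below is constructed for this example.

const DEPTH_LIMIT = 6; // assumption: bound recursion so the crawl terminates

function crawl(root, depthLimit = DEPTH_LIMIT) {
  const seen = new Set();   // objects already visited; breaks parentNode cycles
  const refs = [];          // { path, ref } for every distinct object found
  const methods = [];       // { path, owner, fn } for every function found
  const crawlCalls = [];    // { call, outcome } for each zero-argument probe

  function visit(obj, path, depth) {
    if (obj === null || typeof obj !== 'object') return; // primitives are not references
    if (seen.has(obj) || depth > depthLimit) return;
    seen.add(obj);
    refs.push({ path, ref: obj });

    // Own properties only; a real DOM crawl would also walk the prototype chain,
    // since browser bindings live on e.g. Node.prototype rather than on instances.
    for (const name of Object.getOwnPropertyNames(obj)) {
      const childPath = `${path}.${name}`;
      let val;
      try {
        val = obj[name];
      } catch (e) {
        crawlCalls.push({ call: childPath, outcome: `getter threw ${e.constructor.name}` });
        continue;
      }
      if (typeof val === 'function') {
        methods.push({ path: childPath, owner: obj, fn: val });
        try {
          const ret = val.call(obj); // zero-argument probe; may return a fresh object
          crawlCalls.push({ call: `${childPath}()`, outcome: 'ok' });
          visit(ret, `${childPath}()`, depth + 1);
        } catch (e) {
          crawlCalls.push({ call: `${childPath}()`, outcome: `threw ${e.constructor.name}` });
        }
      } else {
        visit(val, childPath, depth + 1);
      }
    }
  }

  visit(root, 'root', 0);
  return { refs, methods, crawlCalls };
}

// Reuse phase: feed every collected reference to every collected method. In a
// browser the interesting outcome is a crash; in Node we can only observe
// thrown exceptions, which are recorded rather than treated as failures.
function reuse({ refs, methods }) {
  const outcomes = [];
  for (const m of methods) {
    for (const r of refs) {
      const call = `${m.path}(${r.path})`;
      try {
        m.fn.call(m.owner, r.ref);
        outcomes.push({ call, outcome: 'ok' });
      } catch (e) {
        outcomes.push({ call, outcome: `threw ${e.constructor.name}` });
      }
    }
  }
  return outcomes;
}

// Constructed mock of a tiny document tree with DOM-like argument checks.
function makeMockDocument() {
  const doc = { nodeName: '#document', childNodes: [] };
  const body = { nodeName: 'BODY', parentNode: doc, childNodes: [] };
  const div = { nodeName: 'DIV', parentNode: body, childNodes: [] };
  body.childNodes.push(div);
  doc.childNodes.push(body);
  doc.body = body;
  body.appendChild = function (node) {
    if (!node || typeof node.nodeName !== 'string') throw new TypeError('not a node');
    this.childNodes.push(node);
    node.parentNode = this;
    return node;
  };
  body.getRootNode = function () { return doc; };
  doc.createElement = function (tag) {
    if (typeof tag !== 'string') throw new TypeError('tag name must be a string');
    return { nodeName: tag.toUpperCase(), parentNode: null, childNodes: [] };
  };
  return doc;
}

// Summarise one crawl-and-reuse run over the mock tree.
function runRefFuzzDemo() {
  const found = crawl(makeMockDocument());
  const outcomes = reuse(found);
  return {
    refs: found.refs.length,
    methods: found.methods.length,
    crawlThrew: found.crawlCalls.filter(c => c.outcome !== 'ok').length,
    reuseOk: outcomes.filter(o => o.outcome === 'ok').length,
    reuseThrew: outcomes.filter(o => o.outcome !== 'ok').length,
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(runRefFuzzDemo());
}
```

The `seen` set and the depth bound are what keep the crawl finite on a real DOM, where `parentNode`, `ownerDocument` and `getRootNode()` all lead straight back to objects already collected; without them the recursion never returns.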
Safari: a tale of betrayal and revenge
Looks like I am finally free to discuss the first interesting browser bug on my list - so here we go. I really like this one: its history goes back to 1994, and spans several very different codebases. The following account is speculative, but probably a pretty good approximation of what went wrong. Let's...
Hedging and gambling
There is a fine line between hedging and speculating. Keeping it simple and keeping a cool head makes all the difference. A fixed-rate agreement is an example of what we call hedging. A fixed interest rate gives more predictable future interest expenses. What many people do not know is that you can exit such an agreement...