
Security Archives - Software Engineering Daily
93 episodes — Page 2 of 2
Digital Privacy with Aran Khanna
When Aran Khanna was a college student, he accepted an internship to work at Facebook. Even before his internship started, he started playing around with Facebook’s APIs and applications. Aran built a Chrome extension called Marauder’s Map, which used Facebook Messenger’s web APIs to track where people lived, what their schedule was, and other highly
Hacking Your Short-Term Rental with Jeremy Galloway
If you have ever stayed in a short-term rental (like an Airbnb, HomeAway, or CouchSurfing), you have probably used the wifi network at that rental property. Why wouldn’t you? It’s no different than hopping on an open wifi network at an airport, or a Starbucks, or your friend’s house, right? One major difference: the hardware
WannaCry’s Gray Hat with Reeves Wiedeman
Last year, the WannaCry ransomware attack shut down hospitals, public transportation systems, and governments, demanding payment to unlock key computer systems. A programmer named Marcus Hutchins was able to stop WannaCry by registering a DNS entry buried in the WannaCry code. Not long after he stopped the WannaCry attack, Marcus Hutchins was arrested at a
Google BeyondCorp with Max Saltonstall
Employees often find themselves needing to do work outside of the office. Depending on the sensitivity of your task, accessing internal systems from a remote location may or may not be OK. If you are using a corporate application that shows the menu of your company’s cafe on your smartphone, your workload is less sensitive.
Web Security at Cloudflare, Pinterest, and Segment
Last month, Software Engineering Daily had our 4th Meetup at Cloudflare in San Francisco. For this Meetup, the format was short interviews with security specialists from Pinterest, Cloudflare, and Segment. Each of these companies has unique security challenges, but they also have overlap in their security strategies. Nick Sullivan, Amine Kamel, and Evan Johnson are
Modern War with Peter Warren Singer
Military force is powered by software. The drones that are used to kill suspected terrorists can identify those terrorists using the same computer vision tools that are used to identify who is in an Instagram picture. Nuclear facilities in Iran were physically disabled by the military-sponsored Stuxnet virus. National intelligence data is collected and processed
Secure Authentication with Praneet Sharma
When I log into my bank account from my laptop, I first enter my banking password. Then the bank sends a text message to my phone with a unique code, and I enter that code into my computer to finish the login. This login process is two-factor authentication. I am proving my identity by entering
Keybase with Max Krohn
Public key encryption allows for encrypted, private messages. A message sent from Bob to Alice gets encrypted using Alice’s public key. Public key encryption also allows for signed messages–so that when Alice signs a message, Alice uses her private key and Bob can verify it if Bob has her public key. In both cases, Bob
Smart Contract Security with Emin Gün Sirer
A smart contract is a program that allows for financial transactions. Smart contracts are usually associated with the Ethereum platform, which has a language called Solidity that makes it easy to program smart contracts. Someday, we will have smart contracts issuing insurance, processing legal claims, and executing accounting transactions. Smart contracts involve money, and they
Static Analysis with Paul Anderson
Static analysis is the process of evaluating code for errors, memory leaks, and security vulnerabilities. The “static” part refers to the fact that the code is not running. This differentiates it from unit tests and integration tests, which evaluate the runtime characteristics of code. If you use an IDE or a linter, you are using
Brave Browser with Jonathan Sampson
Online advertising enables free content and services of the Internet. One of the free services that is powered by advertising is the browser. 60% of web browsing is done through Chrome, which is owned by Google, which is powered by advertising. The application that most of us use to explore the web is made by
Attack Attribution with John Davis
When a cyber attack occurs, how do we identify who committed it? There is no straightforward answer to that question. Even if we know Chinese hackers have infiltrated our power grid with logic bombs, we might not be able to say with certainty whether those hackers were state actors or rogue Chinese hackers looking for
Car and IoT Security with Chris Craig
Ransomware and DDoS attacks happen all the time. Sometimes they affect large swaths of users. WannaCry ransomware froze the computer systems in hospitals. Mirai botnet DDoS attacks took down a DNS provider, making Netflix and Twitter inaccessible for a short period of time. These are innocent attacks compared to what we could face from a
QA Testing with Jonathan Alexander
Quality assurance testing is a form of testing that closely mirrors user behavior. Sometimes it is manual, sometimes it is automated. Automated QA tests are scripts that validate correct data representation as the application mechanically runs through high-level workflows–like a login page. Manual QA testers act out use cases of an application to see if
MRuby and Language Security with Daniel Bovensiepen
Shopify is a company that helps customers build custom online storefronts. Shopify has built upon the same Ruby on Rails application since the founding of their business 12 years ago starting with Rails 0.5 and moving all the way to Rails 5. MRuby is a lightweight implementation of the Ruby language. Shopify made the
Coinbase Security with Philip Martin
At Coinbase, security is more important than anything else. Coinbase is a company that allows for storage and exchange of cryptocurrencies. Protecting banking infrastructure is difficult, but in some ways the stakes are higher with Coinbase, because bitcoin is fundamentally unregulated. If a hacker were able to syphon all of the money out of Coinbase
Fighting Fraud at Coinbase with Soups Ranjan
A cryptocurrency exchange faces a uniquely difficult fraud problem. A hacker who steals my credentials can initiate a transfer of all my bitcoin to another wallet, and it is a non-reversible, non-identifiable payment. So it is really important to prevent those kinds of fraudulent transactions. At the third Software Engineering Daily Meetup, Coinbase director of
Ransomware with Tim Gallo and Allan Liska
Ransomware uses software to extort people. A piece of ransomware might arrive in your inbox looking like a PDF, or a link to a website with a redirect. Ransomware is often distributed using social engineering. The email address might resemble someone you know, or a transactional email from a company like Uber or Amazon. Tim
Ad Fraud In Our Own Backyard with Shailin Dhar
The online advertising industry is a giant casino. Giant technology companies are the casino owners, online publishers are the casino employees, the brand advertisers are the victims who keep returning to the casino to lose their money, and the small adtech companies are the sharks who make lots of money exploiting the inefficiencies of the
Web Tracking with Bill Budington
The Internet is decreasing in privacy and increasing in utility. Under some conditions, this tradeoff makes sense. We publicize our profile photo so that people know what we look like. Under other conditions, this tradeoff does not make sense. We do not want a television that costs less to purchase because it is silently recording
Cloudbleed and SHA-1 Collision with Max Burkhardt
Thursday February 23rd was a big day in security news: details were published about the Cloudbleed bug, which leaked tons of plaintext requests from across the Internet into plain view. On the same day, the first collision attack against SHA-1 was demonstrated by researchers at Google, foretelling the demise of SHA-1 as a safe hashing
Security Language with Jean Yang
Security vulnerabilities are an important concern in systems. When we specify that we want certain information hidden, for example our phone number or our date of birth, we expect the system to hide the information. However, this doesn’t always happen due to human error in the code because programmers have to write checks and filters
Cyber Warfare with Jared Smith
Vulnerabilities exist in every computer system. As a system gets bigger, the number of vulnerabilities magnifies. The web is the biggest, most complex computer system we have–but fortunately, the steps we can take to secure our web applications are often quite simple. Jared Smith is a cyber security research scientist with Oak Ridge National Laboratory.
Security Research with Samy Kamkar
Every digital system has vulnerabilities. Cars can be hacked, locked computers can be exploited, and credit cards can be spoofed. Security researchers make a career out of finding these types of vulnerabilities. Samy Kamkar’s approach to security research is not just about dissection–it’s also about creativity. For many of the technologies he hacks on, Samy
Ad Fraud Research with Augustine Fou
A huge percentage of online advertisements are never seen by humans. They are viewed by bots–automated scripts that are opening web pages in a browser and pretending to be a human. Advertising scammers set up web pages, embed advertisements on those pages, and then pay for bot traffic to come and view those advertisements. This
Ad Fraud Everywhere with Shailin Dhar
Advertising fraud is easy, legal, and extremely profitable. A fraudster can set up a website, scrape content from the internet, and run programmatic advertisements against that website. The fraudster can then purchase bot traffic. Those bots will visit the page, consume advertisements, and return profit to the owner of the page. In a past life,
Botnet Facebook Likes with Derek Muller
Botnets have a massive influence on the Internet. As we have seen recently with the Mirai Botnet, IOT bots can take down companies as big as Netflix. In our recent episodes about advertising fraud, we’ve talked about how bots are being used to take billions of dollars of revenue from advertisers. Derek Muller is one
Fraud Prevention with Pete Hunt
When Facebook acquired Instagram, one of the first systems Instagram plugged into was Facebook’s internal spam and fraud prevention system. Pete Hunt was the first Facebook engineer to join the Instagram team. When he joined, the big problems at Instagram were around fake accounts, harassment, and large volumes of spammy comments. After seeing the internal
Ad Tracking with Larry Furr
When you visit a web page, that web page can write data to a file on your computer, known as a cookie. Scripts on that page can also read from your cookie file to understand where you have been in the past. All of this data about you is getting shared between advertising companies like
Ad Fraud with Ben Trenda
Advertising fraud takes billions of dollars out of the economy every year. We don’t know exactly how much money is being lost, because we don’t know what percentage of Internet users are bots. Are You A Human is a company designed to solve that exact problem and provide a service for verifying whether a user
Container Security with Phil Estes
Containers have become the unit of infrastructure that many technology stacks deploy to. With the shift to containers, the attack surface of an application has changed, and we need to reconsider our security models; the resource allocation of our containers, the interactions between different containers on a single machine, and the big picture–how the external
Slack Security with Ryan Huber
Security for the popular chat application Slack is a major focus for the company. A corporate Slack account is as valuable to a hacker as a corporate email account. In today’s episode, Ryan Huber and I talk through Slack’s approach to security–from philosophical discussions of how the company approaches security to the technical practices of
Electronic Frontier Foundation with Nate Cardozo
When the US government hacks its own citizens, The Electronic Frontier Foundation is often the best source of reporting to find out what laws the government has broken. When a change to the privacy policy of Google or Facebook is made, the Electronic Frontier Foundation is the best place to find out how that change
Data Breaches with Troy Hunt
When you hear about massive data breaches like the recent ones from LinkedIn, MySpace, or Ashley Madison, how can you find out whether your own data was compromised? Troy Hunt created the website HaveIBeenPwned.com to answer this question. When a major data breach occurs, Troy acquires a copy of the stolen data and provides
Security and Machine Learning in the Call Center with Pindrop Security’s Chris Halaschek
Call centers are a vulnerable point of attack for large enterprises. Fraud accounts for more than $20 billion in lost money every year, and a significant portion of that fraud is due to customer service representatives being fraudulent social engineering attacks. Chris Halaschek joins the show today to discuss how Pindrop Security is addressing
Secret Management and Vault with Hashicorp’s Seth Vargo
Every software application has secrets. User passwords and database credentials must be managed carefully, because poor access controls can lead to disaster scenarios. Vault is a tool for secret management, developed at Hashicorp, a company that builds software tools for application delivery and infrastructure management. Seth Vargo is a software engineer and open source advocate
Internet of Things and DevOps with Anders Wallgren
“The three legs of the stool are culture, process, and tooling, and I think process and tooling are the easy ones.”
Let’s Encrypt with Josh Aas
“If everyone is going to use TLS, people need to trust their certificate authority, and the way to gain trust is through openness.”
Botnets and Cybercrime with Shuman Ghosemajumder
Modern automated attacks using widespread botnets have evolved in sophistication, making cybercrime an increasingly relevant threat in today's internet. Security researchers and organizations have to stay vigilant in this cat-and-mouse game. Shuman Ghosemajumder is the VP of Product at Shape Security, which defends applications from malware and bots. He is the former click fraud czar at Google, and he will be speaking at QCon San Francisco.
Intelligence and National Security with Adrián Lamo
“If you don’t like what you see sometimes when you look at the world, it’s incumbent on you - you do something about it.” Adrián Lamo is a threat analyst, hacker, and writer. In the early 2000s, Adrián was a hobbyist white-hat hacker, breaking into companies to expose vulnerabilities and fix them.
Identity and Encryption with Keybase Founder Max Krohn
Keybase is an open-source key directory that allows users to encrypt messages and verify identities. Max Krohn is the co-founder of Keybase, and previously co-founded OKCupid and SparkNotes.
Security and Privacy with Bruce Schneier
"What we learn again and again is that security is less about what you think of, and more about what you didn't think of." Bruce Schneier is a security researcher and author of Data and Goliath.
Car Hacking with Craig Smith
Automobiles are now computers with security vulnerabilities. Reverse engineers have begun to dissect car security. Craig Smith is the author of The Car Hacker's Handbook and the founder of Theia Labs, a research and consulting firm.