Security index

This index covers articles that appeared in LWN on various security-related topics. Articles from 2007 on are indexed here.

Android

ABS: Android security underpinnings (February 28, 2013)

Anonymity

Eavesdropping on Tor traffic (September 12, 2007)

TorProxy and Shadow (October 14, 2009)

The Amnesic Incognito Live System: A live CD for anonymity (April 27, 2011)

Phantom: Decentralized anonymous networking (June 8, 2011)

GNUnet adds VPN, direct wireless peering, and more (December 21, 2011)

Tor offers SSL obfuscation for users behind censorship walls (February 15, 2012)

Whonix for anonymity (October 17, 2012)

DeadDrop and Strongbox (May 22, 2013)

Tor and browser vulnerabilities (August 7, 2013)

Apache

Apache attacked by a "slow loris" (June 24, 2009)

Apache range request denial of service (August 31, 2011)

AppArmor

Linux security non-modules and AppArmor (June 27, 2007)

The future of AppArmor (October 17, 2007)

TOMOYO Linux and pathname-based security (April 14, 2008)

Application binary interface (ABI)

Cascading security updates (February 27, 2008)

Authentication

Fedora accepting YubiKey one-time passwords (October 13, 2010)

OATH: yesterday, today, and tomorrow (December 15, 2010)

Trusted internet identity (January 12, 2011)

The end of OpenID? (February 2, 2011)

BrowserID: A new web authentication scheme (July 27, 2011)

Password storage on Android devices (August 3, 2011)

SSSD: System Security Services Daemon (September 27, 2011)

Enforcing password strength (October 12, 2011)

A Periodic Table of password managers (November 9, 2011)

FreeIPA: centralized identity management for Linux (December 11, 2012)

PyCon: Mozilla Persona (March 20, 2013)

Biometric

Fingerprint recognition using fprint (November 21, 2007)

Biometrics for identification (April 2, 2008)

A look at PAM face-recognition authentication (November 7, 2012)

Bypass

Authentication bypass in routers (March 5, 2008)

Automotive

Linux and automotive computing security (October 10, 2012)

Backdoors

The backdooring of WordPress (March 7, 2007)

The backdooring of SquirrelMail (December 19, 2007)

A backdoor in UnrealIRCd (June 16, 2010)

Berkeley Internet Name Daemon (BIND)

Cache poisoning vulnerability found in BIND (July 25, 2007)

The dangers of weak random numbers (February 20, 2008)

Books

Book Review: Hacking VoIP (January 28, 2009)

Book review: Nmap Network Scanning (February 18, 2009)

Botnets

Storm worm gains strength (August 29, 2007)

ITU getting serious about botnets (November 28, 2007)

Storm botnet used to study spam (November 12, 2008)

Linux botnets (March 25, 2009)

SCALE 8x: Ten million and one penguins (March 10, 2010)

Browser cookies

Session cookies for web applications (May 21, 2008)

Another kind of cookie (October 29, 2008)

Should web developers say no to cookie-based authentication? (March 24, 2010)

BruCON

2009

BruCON: Can we trust cryptography? (September 30, 2009)

BSD

Capsicum: practical capabilities for UNIX (February 22, 2012)

Bug reporting

Counting vulnerabilities (June 22, 2007)

Cascading security updates (February 27, 2008)

Secrecy and the DNS flaw (July 9, 2008)

Injunction lifted against MIT students (August 20, 2008)

Partial disclosure (October 8, 2008)

Distribution advisories (November 26, 2008)

"Vishing" advisory targets Asterisk (December 17, 2008)

Vulnerability disclosure policies (July 7, 2010)

The future of vendor-sec (March 9, 2011)

Python vulnerability disclosure (April 27, 2011)

An odd vulnerability report for LibreOffice (October 5, 2011)

How long should security embargoes be? (February 8, 2012)

GitHub incidents spawns Rails security debate (March 7, 2012)

Responsible disclosure in open source: The crypt() vulnerability (June 6, 2012)

Stockpiling zero-day vulnerabilities (August 15, 2012)

A story of three kernel vulnerabilities (February 19, 2013)

Mayhem finds 1200 bugs (July 3, 2013)

Subverting Android package verification (July 10, 2013)

Capabilities

Capsicum: practical capabilities for UNIX (February 22, 2012)

CAP_SYS_ADMIN: the new root (March 14, 2012)

The trouble with CAP_SYS_RAWIO (March 13, 2013)

CAPTCHA

Breaking CAPTCHA (March 19, 2008)

CERT

GCC and pointer overflows (April 16, 2008)

Certificate Authorities (CAs)

Mozilla and CNNIC (February 3, 2010)

EFF analyzes SSL certificates and certificate authorities (August 11, 2010)

The case of the fraudulent SSL certificates (March 23, 2011)

Fallout from the fraudulent SSL certificates (March 30, 2011)

Certificates and "authorities" (September 7, 2011)

Convergence: User-controlled SSL certificate checking (October 19, 2011)

A ".secure" top-level domain (May 16, 2012)

Cyberoam deep packet inspection and certificates (July 11, 2012)

Certifications

Red Hat and IBM get certified (June 20, 2007)

Fedora and CAPP (December 10, 2008)

chroot()

What chroot() is really for (October 3, 2007)

Code scanning

Mayhem finds 1200 bugs (July 3, 2013)

Containers

Linux capabilities support for user namespaces (December 22, 2010)

LSS: Secure Linux containers (September 6, 2012)

Cross-site scripting (XSS)

Extended Validation certificates and cross-site scripting (March 12, 2008)

Mozilla's Content Security Policy (July 1, 2009)

Cross-site scripting here at LWN (November 4, 2009)

Chrome reflective XSS protection (November 4, 2009)

LCA: CSP for cross-site scripting protection (February 6, 2013)

Cryptography

BruCON: Can we trust cryptography? (September 30, 2009)

Bitcoin: Virtual money created by CPU cycles (November 10, 2010)

Desktop Summit: Crypto consolidation (August 10, 2011)

On keys, trust, and webs (October 5, 2011)

Forward secure sealing (August 22, 2012)

Desktop

Desktop malware risk gets raised and patched (February 25, 2009)

A desktop "secrets" API (July 29, 2009)

Linux malware: an incident and some solutions (December 23, 2009)

Where are the non-root X servers? (September 8, 2010)

Linux autorun vulnerabilities? (February 9, 2011)

Libsecret revealed (April 4, 2012)

The perils of desktop tracking (April 18, 2012)

GUADEC: Imagining Tor built-in to GNOME (August 8, 2012)

A look at PAM face-recognition authentication (November 7, 2012)

Security implications for user interface changes? (November 28, 2012)

Prompt-free security for GNOME (August 14, 2013)

Detecting vulnerabilities

Capturing web attacks with open proxy honeypots (July 3, 2007)

Bluepot: A honeypot for Bluetooth attacks (February 16, 2011)

Deterministic builds

Verifying the source code for binaries (June 26, 2013)

Security software verifiability (August 21, 2013)

Binary "diversity" (August 28, 2013)

Distributions

ParanoidLinux: from fiction to reality (October 1, 2008)

Tin Hat: secured by running from RAM (March 18, 2009)

BackTrack 4: the security professional's toolbox (January 20, 2010)

Fedora 13 to debut a security "spin" (March 3, 2010)

IPFire 2.5: Firewalls and more (April 28, 2010)

Qubes: security by virtualization (May 5, 2010)

Lightweight Portable Security (December 15, 2010)

Deliberately insecure Linux distributions as practice targets (April 6, 2011)

The Amnesic Incognito Live System: A live CD for anonymity (April 27, 2011)

Security testing with BackBox 2 (September 8, 2011)

Whonix for anonymity (October 17, 2012)

Distribution security

LCA: How to improve Debian security (January 17, 2007)

Security hardening for Debian (February 6, 2008)

Eee PC security or lack thereof (February 13, 2008)

Debian, OpenSSL, and a lack of cooperation (May 14, 2008)

Debian vulnerability has widespread effects (May 14, 2008)

SELinux and Fedora (July 9, 2008)

Ubuntu, security response, and community contributions (July 16, 2008)

Fedora distributes new keys (September 10, 2008)

Distribution advisories (November 26, 2008)

Fedora and CAPP (December 10, 2008)

OpenVAS replacing Nessus in Debian (August 12, 2009)

Fedora 12 and unprivileged package installation (November 20, 2009)

Fedora's privilege escalation policy proposal (February 3, 2010)

FOSDEM'10: Maemo 6 platform security (February 10, 2010)

Distribution security response times (September 22, 2010)

A high-level view of the MeeGo security landscape (November 17, 2010)

The MeeGo security framework (November 24, 2010)

CentOS 5, RHEL 5.6, and security updates (February 23, 2011)

Arch Linux and (the lack of) package signing (March 23, 2011)

MeeGo rethinks privacy protection (April 13, 2011)

UDS security discussions (May 18, 2011)

Phones and permissions (June 2, 2011)

Security testing tools for Fedora (August 10, 2011)

Six years of RHEL 4 security (August 17, 2011)

Security response: how are we doing? (November 16, 2011)

How long should security embargoes be? (February 8, 2012)

Exploring options for the openSUSE security policy (May 23, 2012)

Fedora and secure release upgrades (December 19, 2012)

Distributions face the MoinMoin and Rails vulnerabilities (January 9, 2013)

Code authenticity checking (May 1, 2013)

Package managers

Trust and mirrors (July 16, 2008)

Attacks on package managers (April 8, 2009)

LSS: Security modules and RPM (October 3, 2012)

Subverting Android package verification (July 10, 2013)

ptrace()

SELinuxDenyPtrace and security by default (April 11, 2012)

Document Object Model (DOM)

Finding bugs lurking in the DOM (January 30, 2008)

Leaking browser history (June 25, 2008)

Domain Name System (DNS)

DNSCurve: an alternative to DNSSEC (July 8, 2009)

TCP cookie transactions (December 16, 2009)

An interesting DNSSEC amplification (July 14, 2010)

SOPA and PIPA (January 18, 2012)

A ".secure" top-level domain (May 16, 2012)

ICANN adds new gTLDs (June 20, 2012)

LSS: DNSSEC (September 19, 2012)

Potential pitfalls in DNS handling (November 14, 2012)

Cache poisoning

Cache poisoning vulnerability found in BIND (July 25, 2007)

Secrecy and the DNS flaw (July 9, 2008)

Details of the DNS flaw revealed (August 13, 2008)

Email

Trustedbird: Additional email security for Thunderbird (February 24, 2010)

Potential pitfalls in DNS handling (November 14, 2012)

Spam prevention

Backscatter increase clogs inboxes (April 9, 2008)

On comment spam (July 28, 2010)

Embedded systems

Threat models for embedded devices (April 14, 2010)

BruCON: How to take over the world by breaking into embedded systems (September 29, 2010)

Default "secrets" (January 5, 2011)

Printer vulnerabilities via firmware update (November 30, 2011)

Exploiting network-enabled digital cameras (April 3, 2013)

Integrity and embedded devices (October 2, 2013)

Encryption

GUADEC: Danny O'Brien on privacy, encryption, and the desktop (August 4, 2010)

Thwarting internet censors with Collage (September 1, 2010)

Tarsnap advisory provides a few lessons (January 19, 2011)

A hole in crypt_blowfish (June 22, 2011)

Martus: Software for human rights groups (October 18, 2011)

IBM's homomorphic encryption library (May 8, 2013)

Disk

"Evil Maid" attack against disk encryption (October 28, 2009)

Attacking full-disk encryption with Inception (January 9, 2013)

DMCA

Another attempt at DMCA reform - sort of (February 28, 2007)

Documents

OpenOffice and document encryption portability (March 28, 2012)

Email

Email privacy (November 7, 2007)

Trustedbird: Additional email security for Thunderbird (February 24, 2010)

STEED: End-to-end email encryption (October 26, 2011)

Filesystems

The Tahoe secure filesystem (April 30, 2008)

Key management

Trusted and encrypted keys (October 6, 2010)

Default "secrets" (January 5, 2011)

On keys and users (June 22, 2011)

SCALE: The Hockeypuck key server (March 13, 2013)

Mobile phone

GSM encryption crack made public (January 6, 2010)

Network

Transport-level encryption with Tcpcrypt (August 25, 2010)

Blocking DPI with Dust (September 5, 2013)

Web

The future of unencrypted web traffic (January 2, 2008)

Deep packet inspection (July 23, 2008)

HTTPS Everywhere brings HTTPS almost everywhere (June 30, 2010)

LFNW: Seth Schoen stumps for SSL (May 4, 2011)

HTTPS interception in Nokia's mobile browser (January 23, 2013)

Subverting HTTPS with BREACH (August 7, 2013)

Web application data

Encrypting users' web data with Grendel (January 27, 2010)

Firefox

Firefox security status (June 7, 2007)

Firefox 3 SSL certificate warnings (August 27, 2008)

Firefox security add-ons (January 21, 2009)

Firefox locks down the components directory (November 24, 2009)

Mozilla's Plugin Check (June 9, 2010)

HTTPS Everywhere brings HTTPS almost everywhere (June 30, 2010)

Free software infrastructure

On the security of our processes and infrastructure (September 8, 2011)

Kernel.org's road to recovery (October 4, 2011)

On keys, trust, and webs (October 5, 2011)

KS2011: Kernel.org report (October 24, 2011)

Safeguarding GNOME.org with an upload lockdown (November 16, 2011)

GCC

GCC and pointer overflows (April 16, 2008)

Glibc

Two glibc vulnerabilities (October 27, 2010)

The ups and downs of strlcpy() (July 18, 2012)

Graphics

Security processes and the X.org flaw (January 25, 2012)

XDC2012: Graphics stack security (September 25, 2012)

Hardening

Security hardening for Debian (February 6, 2008)

LSS: The kernel hardening roundtable (September 15, 2011)

Debian and Suhosin (February 8, 2012)

Shadow hardening (March 21, 2012)

Hardware

Attacking network cards (May 28, 2008)

WebGL vulnerabilities (May 25, 2011)

Trusting the hardware too much (February 15, 2012)

Stealthy network penetration (July 25, 2012)

Attacking full-disk encryption with Inception (January 9, 2013)

Hijacking

X programs

OpenSSH bug falls through the cracks (April 9, 2008)

Home network

The Freedom Box gets off the ground (February 23, 2011)

LinuxCon: FreedomBox update and plans (August 24, 2011)

Can FreedomBox be an alternative to commercial home routers? (July 4, 2012)

Picking a MAC address for a FreedomBox (December 5, 2012)

Identity management

Bandit: multi-protocol identity management (September 26, 2007)

OpenID 2.0 closing in on acceptance (October 31, 2007)

OpenID Connect (June 2, 2010)

The end of OpenID? (February 2, 2011)

BrowserID: A new web authentication scheme (July 27, 2011)

SSSD: System Security Services Daemon (September 27, 2011)

FreeIPA: centralized identity management for Linux (December 11, 2012)

PyCon: Mozilla Persona (March 20, 2013)

Information leak

Our devices are spilling our secrets (August 1, 2007)

Sanitizing kernel memory (May 27, 2009)

Page sanitization, part 2 (June 3, 2009)

Integrity management

Integrity management in the kernel (March 28, 2007)

System integrity in Linux (December 3, 2008)

Integrity management using Intel TXT (April 1, 2009)

Enabling DRM in the kernel? (May 20, 2009)

Enabling Intel TXT in Fedora (April 7, 2010)

The return of EVM (June 30, 2010)

UEFI and "secure boot" (June 15, 2011)

Fedora reexamines "trusted boot" (June 29, 2011)

An update on UEFI secure boot (October 26, 2011)

IMA appraisal extension (March 28, 2012)

LSS: Integrity for directories and special files (September 19, 2012)

Integrity and embedded devices (October 2, 2013)

Internet

SCADA system vulnerabilities (June 11, 2008)

Deep packet inspection (July 23, 2008)

Pogoplug makes internet data sharing easy (December 9, 2009)

TCP cookie transactions (December 16, 2009)

Security in the 20-teens (February 1, 2010)

The Freedom Box gets off the ground (February 23, 2011)

Phantom: Decentralized anonymous networking (June 8, 2011)

Unpredictable sequence numbers (August 17, 2011)

LinuxCon: FreedomBox update and plans (August 24, 2011)

A hole in telnetd (January 4, 2012)

Cyberoam deep packet inspection and certificates (July 11, 2012)

Picking a MAC address for a FreedomBox (December 5, 2012)

Inferring TCP sequence numbers (January 3, 2013)

Censorship

Internet censorship and OONI (May 9, 2012)

Honeypots

Capturing web attacks with open proxy honeypots (July 3, 2007)

Routers

Home routers and security flaws (October 10, 2007)

Linux adds router denial-of-service prevention (March 17, 2010)

Threats

SOPA and PIPA (January 18, 2012)

Cybersecurity and CISPA (May 2, 2012)

Tor

Eavesdropping on Tor traffic (September 12, 2007)

TorProxy and Shadow (October 14, 2009)

Tor offers SSL obfuscation for users behind censorship walls (February 15, 2012)

GUADEC: Imagining Tor built-in to GNOME (August 8, 2012)

DeadDrop and Strongbox (May 22, 2013)

Tor peels back Browser Bundle 3.0 alpha (June 19, 2013)

Tor and browser vulnerabilities (August 7, 2013)

Voice over IP (VoIP)

The Skype outage (August 22, 2007)

"Vishing" advisory targets Asterisk (December 17, 2008)

Book Review: Hacking VoIP (January 28, 2009)

A trojan for Skype (September 2, 2009)

Jails

What chroot() is really for (October 3, 2007)

Javascript

Web security vulnerabilities and Javascript (January 23, 2008)

All the malware that's fit to print (September 16, 2009)

Kernel.org

On the security of our processes and infrastructure (September 8, 2011)

Kernel.org's road to recovery (October 4, 2011)

KS2011: Kernel.org report (October 24, 2011)

Legislation

SOPA and PIPA (January 18, 2012)

Cybersecurity and CISPA (May 2, 2012)

Stockpiling zero-day vulnerabilities (August 15, 2012)

Linux kernel

revoke() returns (December 18, 2007)

vmsplice(): the making of a local root exploit (February 12, 2008)

The rest of the vmsplice() exploit story (March 4, 2008)

Handling kernel security problems (July 16, 2008)

Kernel security, year to date (September 9, 2008)

System calls and rootkits (September 10, 2008)

DR rootkit released under the GPL (September 10, 2008)

The future for grsecurity (January 7, 2009)

Seccomp and sandboxing (May 13, 2009)

Sanitizing kernel memory (May 27, 2009)

Page sanitization, part 2 (June 3, 2009)

Fun with NULL pointers, part 1 (July 20, 2009)

Fun with NULL pointers, part 2 (July 21, 2009)

Null pointers, one month later (August 18, 2009)

/proc and directory permissions (October 28, 2009)

Another null pointer exploit (November 4, 2009)

The x86_64 DOS hole (February 2, 2010)

2.6.32.9 Release notes (February 21, 2010)

Linux adds router denial-of-service prevention (March 17, 2010)

Symbolic links in "sticky" directories (June 2, 2010)

An ancient kernel hole is closed (August 18, 2010)

The hazards of 32/64-bit compatibility (September 22, 2010)

Trusted and encrypted keys (October 6, 2010)

Kernel vulnerabilities: old or new? (October 19, 2010)

Pathname-based hooks for SELinux? (December 8, 2010)

Extending the use of RO and NX (January 12, 2011)

Protecting /proc/slabinfo (March 9, 2011)

Seccomp: replacing security modules? (May 16, 2011)

Kernel address randomization (May 24, 2011)

Seccomp filters: No clear path (July 7, 2011)

Reactive vs. pro-active kernel security (July 13, 2011)

LSS: The kernel hardening roundtable (September 15, 2011)

Loading signed kernel modules (December 7, 2011)

Fixing the symlink race problem (December 14, 2011)

A privilege escalation via SCSI pass-through (January 4, 2012)

Yet another new approach to seccomp (January 11, 2012)

System call filtering and no_new_privs (January 18, 2012)

A /proc/PID/mem vulnerability (January 25, 2012)

Tightening security: not for the impatient (June 27, 2012)

Preparing the kernel for UEFI secure boot (September 6, 2012)

KS2012: Module signing (September 6, 2012)

LSS: Kernel security subsystem reports (September 26, 2012)

Supervisor mode access prevention (September 26, 2012)

The module signing endgame (November 21, 2012)

A rootkit dissected (November 21, 2012)

Filtering SCSI commands (January 30, 2013)

A story of three kernel vulnerabilities (February 19, 2013)

Credentials

Credential records (September 25, 2007)

Linux/POSIX capabilities

LCA: How to improve Debian security (January 17, 2007)

Fixing CAP_SETPCAP (October 31, 2007)

Restricting root with per-process securebits (April 30, 2008)

Filesystem capabilities in Fedora 10 (January 7, 2009)

Another Linux capabilities hole found (April 15, 2009)

Linux capabilities support for user namespaces (December 22, 2010)

Capabilities for loading network modules (March 2, 2011)

CAP_SYS_ADMIN: the new root (March 14, 2012)

Modules

Loading modules from file descriptors (October 10, 2012)

Netfilter

Passive OS fingerprinting added to netfilter (June 10, 2009)

Networking

Unpredictable sequence numbers (August 17, 2011)

Inferring TCP sequence numbers (January 3, 2013)

Random number generation

On entropy and randomness (December 12, 2007)

Linux ASLR vulnerabilities (April 29, 2009)

Random numbers for ASLR (May 13, 2009)

Tools

Trusting the hardware too much (February 15, 2012)

Virtual file system (VFS)

A kernel security hole (January 16, 2008)

Linux malware

Linux malware: an incident and some solutions (December 23, 2009)

Linux Security Modules (LSM)

Linux security non-modules and AppArmor (June 27, 2007)

Smack for simplified access control (August 8, 2007)

SMACK meets the One True Security Module (October 2, 2007)

The future of AppArmor (October 17, 2007)

LSM: loadable or static? (October 24, 2007)

Kernel-based malware scanning (December 4, 2007)

TOMOYO Linux and pathname-based security (April 14, 2008)

OLS: Smack for embedded devices (August 6, 2008)

Snet and the LSM API (January 28, 2009)

Restricting the network (January 6, 2010)

FBAC-LSM (January 13, 2010)

LSM stacking (again) (June 23, 2010)

Pathname-based hooks for SELinux? (December 8, 2010)

Supporting multiple LSMs (February 9, 2011)

MeeGo rethinks privacy protection (April 13, 2011)

Seccomp: replacing security modules? (May 16, 2011)

LSS: LSM roundtable (September 14, 2011)

LSS: Security modules and RPM (October 3, 2012)

Another LSM stacking approach (October 3, 2012)

The return of loadable security modules? (November 28, 2012)

Talking Smack for Tizen security (June 5, 2013)

KPortReserve and the multi-LSM problem (August 14, 2013)

Malware

Infected Linux web servers pushing malware (May 15, 2013)

Mobile phones

Android's first vulnerability (November 5, 2008)

Android application security (February 4, 2009)

What lessons can be learned from the iPhone worms? (November 11, 2009)

GSM encryption crack made public (January 6, 2010)

FOSDEM'10: Maemo 6 platform security (February 10, 2010)

Remotely wiping mobile phones (September 15, 2010)

Questions about Android's security model (October 6, 2010)

Bluepot: A honeypot for Bluetooth attacks (February 16, 2011)

Guardian: Better privacy and security for Android (May 11, 2011)

Phones and permissions (June 2, 2011)

Password storage on Android devices (August 3, 2011)

App confinement for Ubuntu mobile devices (April 24, 2013)

Talking Smack for Tizen security (June 5, 2013)

Tizen content scanning and app obfuscation (June 12, 2013)

Subverting Android package verification (July 10, 2013)

CyanogenMod's incognito mode (July 24, 2013)

CyanogenMod Account: Remotely track or wipe phones (August 21, 2013)

Web browsers

HTTPS interception in Nokia's mobile browser (January 23, 2013)

MoinMoin

Distributions face the MoinMoin and Rails vulnerabilities (January 9, 2013)

MySQL

MySQL flaw leaves some systems wide open (June 13, 2012)

Namespaces

Linux capabilities support for user namespaces (December 22, 2010)

Anatomy of a user namespaces vulnerability (March 20, 2013)

Networking

Unpredictable sequence numbers (August 17, 2011)

Inferring TCP sequence numbers (January 3, 2013)

Filesystems

The Tahoe secure filesystem (April 30, 2008)

Obfuscation

Hiding open ports with shimmer (January 9, 2008)

Wireless

USB device authorization (July 17, 2007)

Network Time Protocol (NTP)

The leap second of doom (August 1, 2012)

One Laptop Per Child (OLPC)

Bitfrost: the OLPC security model (February 7, 2007)

OLPC's software update problem (July 3, 2007)

OpenOffice.org/LibreOffice

BadBunny? Only if you invite it in (June 12, 2007)

An odd vulnerability report for LibreOffice (October 5, 2011)

OpenOffice and document encryption portability (March 28, 2012)

OpenSSH

OpenSSH bug falls through the cracks (April 9, 2008)

OpenSSH and keystroke timings (September 17, 2008)

SSH plaintext recovery vulnerability (November 19, 2008)

Crying wolf over OpenSSH (July 15, 2009)

Distributed brute force ssh attacks (October 21, 2009)

SSH: passwords or keys? (January 13, 2010)

Trust, but verify (February 17, 2010)

What's new in OpenSSH 6.2 (March 27, 2013)

OpenSSL

Debian, OpenSSL, and a lack of cooperation (May 14, 2008)

Debian vulnerability has widespread effects (May 14, 2008)

OpenSSL and IPv6 (March 14, 2012)

Organizations

oCERT and oss-security (June 4, 2008)

Password hashing

A hole in crypt_blowfish (June 22, 2011)

Passwords

Enforcing password strength (October 12, 2011)

A Periodic Table of password managers (November 9, 2011)

Shadow hardening (March 21, 2012)

Responsible disclosure in open source: The crypt() vulnerability (June 6, 2012)

MySQL flaw leaves some systems wide open (June 13, 2012)

Phishing

Redirecting browser tabs via "tabnabbing" (May 26, 2010)

Oxford blocks Google Docs as a phishing countermeasure (March 7, 2013)

PHP

Debian and Suhosin (February 8, 2012)

Tools

Scanning for PHP vulnerabilities with Pixy (June 27, 2007)

Physical security

"Evil Maid" attack against disk encryption (October 28, 2009)

Attacking full-disk encryption with Inception (January 9, 2013)

PostgreSQL

SE-PostgreSQL uses SELinux for database security (July 18, 2007)

Privacy

Our devices are spilling our secrets (August 1, 2007)

Eavesdropping on Tor traffic (September 12, 2007)

Email privacy (November 7, 2007)

Another kind of cookie (October 29, 2008)

GUADEC: Danny O'Brien on privacy, encryption, and the desktop (August 4, 2010)

Thwarting internet censors with Collage (September 1, 2010)

Private browsing: not so private? (September 22, 2010)

Web tracking and "Do Not Track" (January 26, 2011)

Developments in web tracking protection (April 20, 2011)

The Amnesic Incognito Live System: A live CD for anonymity (April 27, 2011)

Phantom: Decentralized anonymous networking (June 8, 2011)

GNUnet adds VPN, direct wireless peering, and more (December 21, 2011)

LCA: Jacob Appelbaum on surveillance and censorship (January 25, 2012)

Tracking users (February 8, 2012)

The perils of desktop tracking (April 18, 2012)

The perils of big data (August 29, 2012)

Do Not Track Does Not Conquer (October 17, 2012)

Privacyfix (October 24, 2012)

Mozilla versus the cookie monster (June 26, 2013)

NSA surveillance and "foreigners" (July 17, 2013)

Python

Reviving Python restricted mode (March 4, 2009)

Race conditions

Exploiting races in system call wrappers (August 15, 2007)

Exploiting symlinks and tmpfiles (September 19, 2007)

Symbolic links in "sticky" directories (June 2, 2010)

Seunshare, /tmp directories, and the "sticky" bit (March 2, 2011)

Fixing the symlink race problem (December 14, 2011)

Random number generation

On entropy and randomness (December 12, 2007)

The dangers of weak random numbers (February 20, 2008)

Debian, OpenSSL, and a lack of cooperation (May 14, 2008)

Debian vulnerability has widespread effects (May 14, 2008)

Linux ASLR vulnerabilities (April 29, 2009)

Random numbers for ASLR (May 13, 2009)

Quantum random numbers (April 25, 2012)

Random numbers for embedded devices (July 17, 2012)

LCE: Don't play dice with random numbers (November 20, 2012)

Sharing random bits with Entropy Broker (April 10, 2013)

Reference

The Application Security Desk Reference (June 18, 2008)

Research

A white paper on comparative browser security (December 14, 2011)

Auctions

Security research: buy low, sell high? (July 11, 2007)

Rootkits

System calls and rootkits (September 10, 2008)

DR rootkit released under the GPL (September 10, 2008)

A rootkit dissected (November 21, 2012)

Ruby

Ruby security flaws expose release process problems (July 2, 2008)

on Rails

GitHub incidents spawns Rails security debate (March 7, 2012)

Distributions face the MoinMoin and Rails vulnerabilities (January 9, 2013)

Samba

Eee PC security or lack thereof (February 13, 2008)

Sandboxes

A library for seccomp filters (April 25, 2012)

Secure boot

UEFI and "secure boot" (June 15, 2011)

Fedora reexamines "trusted boot" (June 29, 2011)

An update on UEFI secure boot (October 26, 2011)

Fedora, secure boot, and an insecure future (June 5, 2012)

Ubuntu details its UEFI secure boot plans (June 27, 2012)

Preparing the kernel for UEFI secure boot (September 6, 2012)

LSS: Secure Boot (September 12, 2012)

Another approach to UEFI secure boot (October 17, 2012)

UEFI secure boot kernel restrictions (November 7, 2012)

The trouble with CAP_SYS_RAWIO (March 13, 2013)

Secure Sockets Layer (SSL)

TLS renegotiation vulnerability (November 18, 2009)

Postfix TLS plaintext injection (March 16, 2011)

Certificates

Extended Validation certificates and cross-site scripting (March 12, 2008)

Firefox 3 SSL certificate warnings (August 27, 2008)

SSL man-in-the-middle attacks (December 24, 2008)

SSL certificates and MD5 collisions (January 14, 2009)

SSL flaws revealed at Black Hat (August 5, 2009)

GUADEC: Danny O'Brien on privacy, encryption, and the desktop (August 4, 2010)

EFF analyzes SSL certificates and certificate authorities (August 11, 2010)

The case of the fraudulent SSL certificates (March 23, 2011)

Fallout from the fraudulent SSL certificates (March 30, 2011)

Certificates and "authorities" (September 7, 2011)

Convergence: User-controlled SSL certificate checking (October 19, 2011)

Sovereign Keys for certificate verification (November 23, 2011)

TACK: TLS key pinning for everyone (May 31, 2012)

Holes discovered in SSL certificate validation (October 31, 2012)

Security Enhanced Linux (SELinux)

SE-PostgreSQL uses SELinux for database security (July 18, 2007)

SELinux and Fedora (July 9, 2008)

OLS: SELinux from academia to your desktop (July 30, 2008)

Newer kernels and older SELinux policies (September 24, 2008)

SELinux permissive domains (October 15, 2008)

MeeGo rethinks privacy protection (April 13, 2011)

SELinuxDenyPtrace and security by default (April 11, 2012)

LSS: Secure Linux containers (September 6, 2012)

SHA-1

Dealing with weakness in SHA-1 (June 17, 2009)

Signing code

Java cryptography and free distributions (March 14, 2007)

Integrity management in the kernel (March 28, 2007)

Enabling DRM in the kernel? (May 20, 2009)

Enabling Intel TXT in Fedora (April 7, 2010)

UEFI and "secure boot" (June 15, 2011)

An update on UEFI secure boot (October 26, 2011)

Loading signed kernel modules (December 7, 2011)

KS2012: Module signing (September 6, 2012)

The module signing endgame (November 21, 2012)

Software updates

Forcing updates (February 11, 2009)

The Firefox extension war (May 6, 2009)

Spam

Backscatter increase clogs inboxes (April 9, 2008)

Storm botnet used to study spam (November 12, 2008)

On comment spam (July 28, 2010)

A decline in email spam? (July 7, 2011)

Surveillance

Security software verifiability (August 21, 2013)

Talpa

Kernel-based malware scanning (December 4, 2007)

The TALPA molehill (August 6, 2008)

TALPA strides forward (August 27, 2008)

TOMOYO Linux

TOMOYO Linux and pathname-based security (April 14, 2008)

Tools

Finding buffer overflows with Parfait (July 29, 2009)

Deliberately insecure Linux distributions as practice targets (April 6, 2011)

Binary "diversity" (August 28, 2013)

Access control

Smack for simplified access control (August 8, 2007)

Attack detection

Forward secure sealing (August 22, 2012)

Browser exploit detection

Finding bugs lurking in the DOM (January 30, 2008)

Firewall

All aboard the SmoothWall Express (August 29, 2007)

Hiding open ports with shimmer (January 9, 2008)

IPFire 2.5: Firewalls and more (April 28, 2010)

Fedora introduces Network Zones (February 29, 2012)

Fuzzing

Fusil: a Python fuzzing library (March 11, 2009)

Intrusion detection

OSSEC for host-based intrusion detection (April 21, 2010)

Network vulnerability scanner

OpenVAS replacing Nessus in Debian (August 12, 2009)

OS detection

Passive OS fingerprinting added to netfilter (June 10, 2009)

Password cracking

John the Ripper (July 18, 2012)

Password guessing prevention

Preventing brute force ssh attacks (October 24, 2007)

Distributed brute force ssh attacks (October 21, 2009)

Penetration testing

Mobile phone or penetration tool? (September 24, 2008)

Security testing with BackBox 2 (September 8, 2011)

Stealthy network penetration (July 25, 2012)

PHP code scanning

Scanning for PHP vulnerabilities with Pixy (June 27, 2007)

Policy management

Centralizing policy rules with PolicyKit (November 14, 2007)

SQL injection scanning

Find SQL injection vulnerabilities with sqlmap (September 3, 2008)

Web application scanning

Web application scanning with skipfish (March 31, 2010)

Tradeoffs

Reactive vs. pro-active kernel security (July 13, 2011)

Blender security vs. usability (July 20, 2011)

Transport Layer Security (TLS)

TLS renegotiation vulnerability (November 18, 2009)

Postfix TLS plaintext injection (March 16, 2011)

Virtualization

LinuxCon: Secure virtualization with sVirt (September 23, 2009)

Qubes: security by virtualization (May 5, 2010)

Virus scanning

DazukoFS: a stackable filesystem for virus scanning (February 11, 2009)

ClamAV 0.96 adds executable virus signatures and more (May 12, 2010)

Voting machines

Securing our votes (August 8, 2007)

Voting machine integrity through transparency (March 26, 2008)

Vulnerabilities

Striking back against web attackers (June 23, 2010)

Authentication bypass

Authentication bypass in routers (March 5, 2008)

Buffer overflow

The ups and downs of strlcpy() (July 18, 2012)

Code execution

A hole in telnetd (January 4, 2012)

Cross-site request forgery (CSRF)

Cross-site request forgery (October 17, 2007)

Cryptographic splicing

Cryptographic splicing makes for a Wordpress vulnerability (May 7, 2008)

Denial of service

Apache attacked by a "slow loris" (June 24, 2009)

Using HTTP POST for denial of service (December 1, 2010)

Denial of service via hash collisions (January 11, 2012)

Format string

Format string vulnerabilities (February 1, 2012)

HTTP range headers

Apache range request denial of service (August 31, 2011)

HTTP response splitting

HTTP response splitting (October 17, 2008)

Image handling

Image handling vulnerabilities (April 23, 2008)

Information leak

Linux ASLR vulnerabilities (April 29, 2009)

Macro language (ab)use

BadBunny? Only if you invite it in (June 12, 2007)

Blender security vs. usability (July 20, 2011)

Privilege escalation

vmsplice(): the making of a local root exploit (February 12, 2008)

The rest of the vmsplice() exploit story (March 4, 2008)

Standards, the kernel, and Postfix (August 20, 2008)

Another Linux capabilities hole found (April 15, 2009)

A privilege escalation flaw in udev (April 22, 2009)

Fun with NULL pointers, part 1 (July 20, 2009)

Fun with NULL pointers, part 2 (July 21, 2009)

Null pointers, one month later (August 18, 2009)

Attacks against WordPress installations (September 9, 2009)

On the importance of return codes (December 2, 2009)

Two glibc vulnerabilities (October 27, 2010)

Calibre and setuid (November 2, 2011)

A /proc/PID/mem vulnerability (January 25, 2012)

Anatomy of a user namespaces vulnerability (March 20, 2013)

Race conditions

Exploiting races in system call wrappers (August 15, 2007)

SQL injection

Find SQL injection vulnerabilities with sqlmap (September 3, 2008)

Temporary files

Exploiting symlinks and tmpfiles (September 19, 2007)

Symbolic links in "sticky" directories (June 2, 2010)

Fixing the symlink race problem (December 14, 2011)

Vulnerability hoarding

Stockpiling zero-day vulnerabilities (August 15, 2012)

Web application flaws

The backdooring of WordPress (March 7, 2007)

Home routers and security flaws (October 10, 2007)

Cross-site request forgery (October 17, 2007)

The backdooring of SquirrelMail (December 19, 2007)

Web security vulnerabilities and Javascript (January 23, 2008)

Cryptographic splicing makes for a Wordpress vulnerability (May 7, 2008)

Attacks against WordPress installations (September 9, 2009)

Striking back against web attackers (June 23, 2010)

Web browsers

Leaking browser history (June 25, 2008)

The Firefox extension war (May 6, 2009)

Google's Native Client (June 3, 2009)

Mozilla's Content Security Policy (July 1, 2009)

Google's Chromium sandbox (August 19, 2009)

Firefox extension vulnerabilities (August 26, 2009)

Firefox locks down the components directory (November 24, 2009)

Google Chrome and master passwords (May 19, 2010)

Redirecting browser tabs via "tabnabbing" (May 26, 2010)

Mozilla's Plugin Check (June 9, 2010)

HTTPS Everywhere brings HTTPS almost everywhere (June 30, 2010)

A trojan in a Firefox security add-on (July 21, 2010)

Private browsing: not so private? (September 22, 2010)

Gathering session cookies with Firesheep (November 3, 2010)

Web tracking and "Do Not Track" (January 26, 2011)

Developments in web tracking protection (April 20, 2011)

LFNW: Seth Schoen stumps for SSL (May 4, 2011)

WebGL vulnerabilities (May 25, 2011)

A white paper on comparative browser security (December 14, 2011)

Tracking users (February 8, 2012)

Do Not Track Does Not Conquer (October 17, 2012)

Privacyfix (October 24, 2012)

Security implications for user interface changes? (November 28, 2012)

HTTPS interception in Nokia's mobile browser (January 23, 2013)

LCA: CSP for cross-site scripting protection (February 6, 2013)

Mixed web content (April 17, 2013)

Mozilla PiCL and multi-level security (July 31, 2013)

Tor and browser vulnerabilities (August 7, 2013)

Web frameworks

Denial of service via hash collisions (January 11, 2012)

Web servers

Infected Linux web servers pushing malware (May 15, 2013)

Web sessions

Session cookies for web applications (May 21, 2008)

Should web developers say no to cookie-based authentication? (March 24, 2010)

X client

Pondering the X client vulnerabilities (May 27, 2013)

X server

Security processes and the X.org flaw (January 25, 2012)

XDC2012: Graphics stack security (September 25, 2012)

Copyright © 2013, Eklektix, Inc.