Zynga Hacked: Guy gets £50,000 from virtual money
Ashley Mitchell, an IT professional from Paignton, Devon, England was recently charged with hacking Zynga's Facebook poker game. He admitted accessing Zynga's computers and putting 400 billion credits into fake Facebook accounts, which he was then selling for real money. I think Zynga is trying to have its cake and eat it, too. On the one hand, they do not put vigorous security controls in place because it's just a game and it's play money. On the other hand, they want to cry foul and make analogies between virtual currency and real currency when someone bypasses their weak security and starts making money.
Portrait of a Failed Security Dashboard
The Department of Homeland Security announced that it was discontinuing its color-coded security advisory system today. In the software security world we often try to have big dashboards with red, yellow, and green indicating important things about our software. This is a great example of where such dashboards fail.
Touching my junk, privacy and all that
There has been a lot of backlash against the advanced imaging technology, and a lot of ink spilled both in favor and against, including an article suggesting that the technology might be unconstitutional. Given how invasive both the pictures and the pat-downs are, my favorite comment came from my wife who remarked "Security theatre now has an R rating."
Security online: Click Yes if Prompted
Most people have probably heard of Citrix's GoToMeeting. It's collaboration software that allows you to remotely view the screen of another person. Its principal competition is WebEx from Cisco and free services like DimDim. They completely undermine the notion of security on the web by telling their users "click yes if prompted." They're not alone, though. Microsoft, Cisco, and others all do this.
Security and Usability
I happened to go to (ISC)2's web site and visit the members' login page. I saw quite a few usability issues that escape the average security person.