EFF Demystifies E-Book Readers Data Tracking

The EFF just posted a great breakdown of various E-book readers and their tracking/data collection policies. This summary addresses items such as:

Can they (the manufacturer) keep track of searches for books?
Do they keep a record of book purchases?  
With whom can they share the information collected in non-aggregated form?

I certainly commend the EFF for pulling together this information.  However, I'd really like to see user and industry expectations progress to the point where this kind of data is considered a requirement and is clearly provided by the manufacturer whenever  an e-book reader is launched.

From the EFF.org article

Unfortunately, unpacking the tracking and data-sharing practices of different e-reader platforms is far from simple. It can require reading through stacked license agreements and privacy policies for devices, software platforms, and e-book stores.

Lastly, data rights on e-book readers is not just a topic for privacy enthusiasts. We've seen real world actions that are surprising to say the least.   For example, the 2009 incident where Amazon suddenly removed George Orwell's "1984" and "animal farm" from many users' kindle devices. 



-Michael Coates - @_mwc

Bug Bounty Panel @ OWASP AppSecUSA

During the 2012 OWASP AppSecUSA we held a panel on bug bounty programs.  Below you'll find the video of the panel.

Panel moderator:  Jeremiah Grossman
Panelists:
Michael Coates (Mozilla)
Chris Evans (Google)
Adam Mein (Google)
Alex Rice (Facebook)
Zane Lackey (Etsy)

Bug Bounty Programs - Michael Coates, Chris Evans, Jeremiah Grossman, Adam Mein, Alex Rice from OWASP AppSec USA on Vimeo.

Bug Bounty Programs- Panel - Moderated by Jeremiah Grossman from David Hughes on Vimeo.






-Michael Coates - @_mwc http://vimeo.com/channels/appsecusa/54130349

4 OWASP Videos You Should Watch

Curious about OWASP? Want to learn more?  Here's a few quick videos about OWASP and a video from the OWASP AppSecTutorial series.

• Newly elected board member Jim Manico talking about OWASP
  
• Former board member Jeff Williams on OWASP
  
• Episode 4: HTTP Strict Transport Security - 10 minutes to learn a security topic from the OWASP AppSecTutorial Series
  
• OWASP AppSec Trailer - Just like a movie preview!

Enjoy!

-Michael Coates - @_mwc

Web Security Training with OWASP ZAP

Just a few weeks back I presented at Beaver Bar Camp in Corvalis, Portland.  I provided an introduction to web security with OWASP Broken Web App VM and OWASP ZAP.  Students learned about common application security vulnerabilities and secure design patterns.

The training lab included the following components and I distributed it to students via USB drives:

• Virtual Box
• OWASP Broken Web App
• OWASP ZAP
• Firefox

Slides and setup instructions are available at the following link:
http://people.mozilla.org/~mcoates/WebSecurityLab.html


-Michael Coates - @_mwc

HTTP Strict Transport Security - Growing Support

HTTP Strict Transport Security will soon be taken to a new level within Mozilla Firefox
Read more about HSTS preloading from this article by David Keeler.

If you're unfamiliar about HSTS then you should definitely watch this short video from OWASP on the benefits.  This video is from the OWASP AppSec Video Tutorial Series



-Michael Coates - @_mwc