Once every few months I get an email like this. What is it? Phishing?

I've finally looked into it, and learned two important lessons.

Here's the body of the email.

Hello there, Your page http://www.itmaybeahack.com/homepage/iblog/C364310209/E20080407095503.html has some good references to cyber security …

First, read this: 10 common security gotchas in Python and how to avoid them by Anthony Shaw

Of these, most are important, but not specific to Python at all. Only items 3, 4, 7, and 8 are pretty specific to Python. They talk about the assert statement, some timing vulnerabilities …

An excellent exposition of secure salted password hashing.

https://crackstation.net/hashing-security.htm

This was really quite nice. It didn't have a Python version, but the clarity of the exposition makes the Python easy to write.

A few months back, I had this mystery conversation: {filename}/blog/2013/06/2013_06_27-password_encryption_short_answer_dont …

Wow. Just wow. See "LANGSEC explained in a few slogans". Short, easy-to-grasp explanation of why complex protocols create new problems. I'm happy with REST and the stack of stuff under it (HTTP, TCP/IP, etc.) Once upon a time (2001), I invented by own version of a RESTful protocol outside …

This isn't the OWASP Top 10 list, but it's still very handy. Top 10 Dumb Computer Security Notions. I'm particularly fond of the "security can't be perfect; since it can't be perfect, why bother?" approach. One other notion that amuses me is the silliness of changing a password every 90 …

Just saw this for the first time today: http://cwe.mitre.org/top25/ I'd always relied on this: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project Both are really good lists of security vulnerabilities. I once had to listen to a DBA tell me that "we don't know what we …

Lots of folks like to wring their hands over the Big Vague Concept (BVC™) labeled "security".

There's a lot of quibbling. Let's move beyond BVC to the interesting stuff.

I've wasted hours listening to people identify risks and costs of something that's not very complex. I've been plagued by folks …

A truly great question came up the other day.

"Why change passwords every 90 days? What is the threat scenario countered by that policy?"

Of course strong password policy means constantly changing passwords. Right?

Then I started to think about it. What -- actually -- does a password change protect you against …

I lean on the OWASP list heavily. http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

This analysis is handy also: http://www.cenzic.com/downloads/Cenzic_AppSecTrends_Q1-Q2-2009.pdf

The point is that most of the vulnerabilities are pretty clear.

1. Injection flaws: SQL, OS, and LDAP injection. Pretty clear that building SQL …