Posts
  • David LeBlanc's Web Log

    Fun with Template Specialization

    • 5 Comments
    Hannes Reuscher of the PowerPoint team turned me on to this cool C++ trick, and I used it extensively in SafeInt 2.0. There's a bunch of neat things about it – for one thing, it's the only way in C++ to actually overload something based on return type...
  • David LeBlanc's Web Log

    Why Threads Are A Bad Idea

    • 5 Comments
    My friend Tim Dodd found this presentation back when we worked together at ISS somewhere around '96-'97. It's by John Ousterhout, who worked at Sun Microsystems Laboratories – the deck is dated 9/28/95. We found it hilarious, because we worked with a...
  • David LeBlanc's Web Log

    Some Failures Are Better Than Others

    • 0 Comments
    I was presenting at the Software Security Summit yesterday – good little conference. It's a shame that conferences that show off ways to be a problem draw huge crowds, and this one is all about being part of the solution, but it's still really small after...
  • David LeBlanc's Web Log

    Crashes Are Bad, OK?

    • 3 Comments
    It's interesting to see what happens when you get slashdotted… Let's go back and see what I said in the first place, and let me elaborate just a little – if the code crashes, we have roughly the following scenarios: It's exploitable, customers aren...
  • David LeBlanc's Web Log

    It Might Not Be A Vulnerability If…

    • 3 Comments
    There's some things that just aren't vulnerabilities. If the exploit starts with "First become admin…", it might not be a vulnerability. Likewise, if the exploit starts with "First, you steal the computer, boot a rogue operating system, and then, BWAHAHAHAHA...
  • David LeBlanc's Web Log

    Don’t Impersonate If You Don’t Have To

    • 3 Comments
    Previously, I claimed that impersonation wasn't dangerous - to the impersonator – this is NOT true for the one being impersonated if it's a high level account – it's actually a fairly hazardous thing to be doing, since a lot of people make mistakes doing...
  • David LeBlanc's Web Log

    What’s Exploitable?

    • 3 Comments
    As I alluded to previously, this has gotten to be a more and more interesting question lately. One of the things I've been kicking around is a sort of flowchart so that people who don't study this stuff will come to the correct conclusion more often....
  • David LeBlanc's Web Log

    Exception Handlers Are Baaad

    • 3 Comments
    I've said a lot of times that incorrect use of exception handlers will get you hacked. I go into some detail on this in WSCV, due out shortly. It's recently come up in regards to the .ani issue currently making the rounds. From the full disclosure list...
  • David LeBlanc's Web Log

    Don’t Forget the Document Password!

    • 1 Comments
    Some interesting tid-bits from the password crackers: http://www.lostpassword.com/office.htm Word 2007 and Excel 2007 use an industry-strength AES encryption algorithm that makes password search speed slow: 20-100 passwords per second on an average...
  • David LeBlanc's Web Log

    Even More Cool Integer Tricks

    • 2 Comments
    OK, so this is just utterly geeky, and would really only come in handy if you're writing something like SafeInt – How to tell if a numeric template type is a bool at compile time: isBool = ((T)1 == (T)2) if type T is a bool, then this is true...
  • David LeBlanc's Web Log

    Being Part of the Solution

    • 2 Comments
    One of the comments to my last post asked how someone could be part of the solution, as opposed to part of the problem. Here are some thoughts on the issue, based on my experiences of being one of the people finding problems from outside, and one of the...
Page 1 of 1 (11 items)