Michael Howard's Web Log

A Simple Software Security Guy at Microsoft!

Browse by Tags

Tagged Content List
  • Blog Post: Kim Cameron on GOOGs single sign on design vulnerability

    I spoke with Kim Cameron a few days ago about Google's single sign-on (SSO) design bug . I wanted his take on the bug because he's one of the best in the area of identity, single sign-on etc etc... his response can only be described as scathing.
  • Blog Post: The First Step on the Road to More Secure Software is admitting you have a Problem

    I just wrote an article over on the SDL blog about my observations from the industry to Jeff Jones' vulnerability analysis and the lack of security progress by our competitors.
  • Blog Post: "Open-source projects certified as secure" – huh?

    I really got a chuckle out of this news item , especially this line: “Coverity, which creates automated source-code analysis tools, announced late Monday its first list of open-source projects that have been certified as free of security defects.” So we finally have the security silver bullet...
  • Blog Post: Common Criteria: Is it Safe?

    My colleague, Eric Bidstrup, has posted a thought provoking commentary about the Common Criteria. I think it's fair to say Eric is simply voicing what a great many people think about the (lack of) value of CC.
  • Blog Post: Recent CRN Article comparing Windows XP SP2 and Windows Vista

    Jeff has a post about the recent CRN and Ars Technica articles comparing XPSP2 and Vista security. One thing I love about Jeff is he's blunt. Damned blunt.
  • Blog Post: Security Education v. Security Training

    David Ladd, a partner in crime, has just made a post on the SDL blog about Security Education. He starts: "There has been a lot of hoopla lately around "secure programming skills" – with not-so-thinly veiled condemnations of academicians and the role of the university in addressing the IT security...
  • Blog Post: My Take on Windows Vista Security “Vulnerabilities”

    I love looking at and analyzing security bugs, but I also enjoy observing how people react to knowledge of security bugs. Over the last few weeks, I’ve seen a number of interesting articles about Windows Vista security that made me smile. So I thought I would paraphrase the articles and re-write them...
  • Blog Post: UAC BS

    Howdy once again from RSA. It's raining. So much for sunny California! Jeff and I just gave our talk about Windows Vista Security Engineering. It was a packed room. In fact, when we got to the room we saw a bunch of people milling around outside. We went to the door to enter and we were told we could...
  • Blog Post: What is it that makes security hard?

    I’ve been asked this question numerous times, often in the guise of a question like, “why can’t you guys simply fix the security problem?” or “reliability and scalability problems are understood and solvable, why can’t you do the same with security?” or my favorite variant, “what the heck keeps you interested...
  • Blog Post: A couple of interesting security blog posts

    Jeff has an uncanny ability to dig into details that most folks gloss over: Exposed? : Examining Secunia Unpatched Warnings - Part 3 I have to concur with Kai: People like this just frost me: Security considered a burden for users
  • Blog Post: My Take on Visual Studio 2005 SP1 and Windows Vista

    Over the last couple of days, many people have asked for my take on the fact that Visual Studio 2005 SP1 requires admin privileges to run on Windows Vista, and pops up a dialog saying so when it starts up. So, here’s my take, and I don't work for the Developer Division! VS2005SP1 was developed...
  • Blog Post: NNNNNOOOOooooo......!

    From "Making Windows XP Start Faster" at http://www.pcmag.com/article2/0,1759,1768883,00.asp Two of the services listed under "Stopping Unneeded Startup Services" Automatic Updates: This service enables Windows XP to check the Web automatically for updates. If you don't want to use Automatic Updates...
Page 1 of 1 (12 items)