Michael Howard's Web Log

I really got a chuckle out of this news item , especially this line: “Coverity, which creates automated source-code analysis tools, announced late Monday its first list of open-source projects that have been certified as free of security defects...

One of the guys in our group, Robert Hensing has an interesting post about VBootkit and whether BitLocker in TPM offers any defense. Short answer: yes, it does. Slightly longer answer: The BitLocker guys anticiated this attack and the really long answer...

I just posted some commentary on the SDL blog about some recent Symantec and IBM vulnerabilities, and how the SDL *may* have found them.

My colleague, Eric Bidstrup, has posted a thought provoking commentary about the Common Criteria. I think it's fair to say Eric is simply voicing what a great many people think about the (lack of) value of CC.

I think I'm a girl-elf in this , however!

David has an interesting counterpoint post to my SDL post this morning. As expected he makes some valid observations.

I just posted an article about the SDL goals over on the SDL blog. http://blogs.msdn.com/sdl/archive/2007/12/17/security-is-not-all-about-security-updates.aspx

Perhaps I should change my name to "Mordac" From http://www.dilbert.com/comics/dilbert/archive/images/dilbert2007113333116.gif

Wednesday, November 07, 2007 10:00 AM Pacific Time Support WebCast: Microsoft Security Intelligence Report: Latest trends in vulnerabilities, malware, and potentially unwanted software

I know a lot of you have heard of, or know of, Oracle’s Unbreakable claims. I’m not going to get into the religious, technical or emotional claims around “Unbreakable”, but a few days ago I went to dig up the paper and couldn’t find it, so I searched...

I'll be there all week, I have a bunch of talks: SEC201 - The Security Development Lifecycle (5 November 2007 Start: 17:45 Finish: 19:00 Room: Room 123 ) SEC202 - Threat Modeling (6 November 2007 Start: 10:45 Finish: 12:00 Room: Room 116 ) ...

The latest Security Intelligence Report is now available. To quote the Web page: The Microsoft Security Intelligence Report (SIR) provides an in-depth perspective on the changing threat landscape including software vulnerability disclosures and...

When I'm writing code, there's one file I need to access constantly - WinError.h, the file that lists all the Windows errors constants. SSSSoooo... I had to find a way to get to the file which is buried somewhere in the C:\Program Files\blah blah\Visual...

Each week (ok, mostly every week!) I'll post news items that interested me... Security analysis of Checkpoint firewall Of interest is the way around RedHat's ExecShield buffer overflow defense. http://www.pentest.es/checkpoint_hack.pdf Abusing chroot...

The annual Security issue of MSDN Magazine is now available. This year I wrote a piece about some of the lessons we've learned about building more secure software. I think this is the first article I have written in a long time that has no code samples...

At Microsoft, we have been using various forms of threat modeling for years now, and we're always learning new ways to improve the process. By "improve" I mean make the process faster, a more efficient use of time and easier to understand. Heading this...

http://download.microsoft.com/download/3/2/0/3205AD8C-A0AA-40F0-8998-256B7583D400/DanKaminsky.wma http://download.microsoft.com/download/3/2/0/3205AD8C-A0AA-40F0-8998-256B7583D400/HalvarFlake.wma http://download.microsoft.com/download/3/2/0/3205AD8C...

AppVerif is one of my favorite run-time analysis tools for unmanaged Windows apps, it's also an SDL-required tool. An update is now available at http://www.microsoft.com/downloads/details.aspx?familyid=bd02c19c-1250-433c-8c1b-2619bd93b3a2&displaylang...

It's been a long time since I looked at DropMyRights, a little tool I wrote forever ago to lower a user's privilege level on versions of WIndows prior to Windows Vista. Michael Horowitz has just posted a couple of blog posts about DMR stating that everyone...

I'm stunned at how much private data the average citizen will divulge. I was buying some stuff yesterday, and the clerk at the checkout asked the customer in front of me for her phone #, which she was quite happy to give. Next, I was signing up for gym...

I am sitting at Austin airport about to catch a plane to Redmond to help a cadre of us deliver Windows 7 security training, and I just realized something. Yet again, and highly reminiscent of my post from last year , I won't be at Blackhat this year...

Eric Bidstrup has just posted some commentary about Iron Chef at Blackhat event over on the SDL blog. By the way, what the heck is an "iron chef" anyway?

Dave Ross and I recently wrote an article on the in's & out's of writing secure gadgets for Windows Vista. Because gadgets are considered full-trust applications, you must understand some gadget security basics.

Howdy from a little coffee shop (no, not Starbucks) at the entrance to our subdivison in Austin! I can't wait to get broadband up and running at the house! Peter Brundrett, the PM behind the integrity levels work in Windows Vista has written a very...

Well, today is my last day in Redmond. It's pretty sad, but I'm really looking forward to being in Austin. It's been a long stretch selling the house, buying a house, dealing with builders (if you're considering building, let me know, and I'll give you...