Browse by Tags

Tagged Content List
  • Blog Post: Images for Threat Modelling Post

    Recently I've had several folks ask me for the images for my Threat Modelling Post, which have disappeared due to various back-end changes over the years. The first few times I just e-mailed the Visio diagram, but more people are asking so I updated the post with the images.
  • Blog Post: Updating Firefox as non-admin

    Firefox, like all web browsers, needs to be regularly updated to keep up with security patches. Version 1.5 has an auto-update feature built-in, but unfortunately if you're not running as a local Administrator (at least in Windows), it doesn't work. In one way, this is no different than Windows...
  • Blog Post: When facts get in the way of a good argument

    I've wanted to write this blog for a long time, but never gotten around to it. It's a very simple observation, but one that too many people fail to make. Maybe something will come of it :-) Oftentimes you will see something like the following on a web news site: Headline : New security...
  • Blog Post: Why not use hashes for the Anti-Phishing Filter?

    Several people have asked why Internet Explorer 7 will send "real" URLs instead of hashes to the AP (Anti-Phishing) server. That's a good question, and I know it's a good question because it's the same thing just about everybody at Microsoft (including me) says the first time they hear about the feature...
  • Blog Post: Blindly trusting detection tools

    Imagine I have a house cleaner that comes in once a week to clean the house. After a while I start to notice that my house smells "fishy", but my house cleaner has just the ticket -- the all-new FishBeGone (TM) cleaner & fragrance that gets rid of fishy smells for up to seven days at a stretch! Sign...
  • Blog Post: What is Microsoft doing for security?

    A recent comment on the IE Blog made it pretty apparent that not everybody is aware of Microsoft's efforts around security. Michael Howard has mentioned the Security Development Lifecycle before, but in case you don't want to read the entire document on MSDN, here's a quick introduction on the basics...
  • Blog Post: HELLO? CAN YOU HEAR ME?!?

    As most of my friends know, I'm a pretty jumpy person. And, of course, most of those same friends like to exploit that fact for their own amusement from time to time (thanks to Jeff for almost running me over the other day). The fact that I lose 5 years of my life every time one of my friends wants...
  • Blog Post: IE Blog

    For those of you who haven't already heard, the IE team has a blog and recently they've started to talk about some of the cool features to be found in IE 7 Beta 1 (or planned for RTM). I've been working pretty closely with the IE team for some time now, but the nature of this job is such that if...
  • Blog Post: The Evil Problem

    Over on the IE Blog, a commenter made a very good point -- why is it that IE flags scripts as “potentially bad”? That’s very confusing to the average user, and they have no way of knowing whether or not the script really is bad or not (and therefore whether they should enable it or not). Unfortunately...
  • Blog Post: Malicious vs Spoofed Servers

    Curious Caroline writes: Dear Peter, I have a friend who was talking to a security tester the other day, and apparently the tester said that having a "malicious server" is different than having a "spoofed" server. How is that so? My friend would really like to know, so I...
  • Blog Post: Adding URLs to an application securely

    An Anonymous Reader writes: Dear Peter, I am writing a desktop application that contains links to external websites inside the "Help" menu, as is common with many applications such as Internet Explorer and Microsoft Office. I want to make this list dynamic so that I can update...
  • Blog Post: Dear Diary...

    I haven't really blogged in a while, mostly because it's hard to blog about the kind of work I do right now (improving the security of unreleased products). But, I thought to myself, one way to share some of my experience with all you great folks would be to have a series of "Dear Diary" entries where...
  • Blog Post: So that's what happens...

    Today I did something I haven't done in a long time: I downloaded and installed some unsigned code while running as a local administrator on my home computer. I had to stare at the Security Warning dialog from Windows for quite a few moments before I decided that I really wanted to install software...
  • Blog Post: Mozilla now signs Firefox downloads

    A little bird recently told me some good news -- Mozilla Firefox is now digitally signed by "Mozilla Foundation." This means that Windows customers who want to download the self-installing executable with Internet Explorer can do so and be sure that what they downloaded was indeed Firefox and not some...
  • Blog Post: Guerrilla Threat Modelling (or 'Threat Modeling' if you're American)

    Update 12/31/2012: I updated the images since and made one very minor edit (replace 'Google' with 'Bing' ;-) ). No other changes made. Note: In a lame attempt to get Google Bing hits, I have replaced every second instance of the word "modelling" with the incorrectly spelt version "modeling" :-) ...
  • Blog Post: High-Level Threat Modelling Process

    The following is a (slightly modified) version of a document I wrote for the VSTO team way back in the day. You might find it useful as you plan threat modelling for your product(s). You should of course read the Threat Modelling book from Microsoft Press if you want to go into great details about how...
  • Blog Post: Inheritance Demands for Interfaces

    I'm cheating here by re-posting an e-mail I sent the other day... but hey, you don't expect me to come up with new content for this blog do you? :-) Here is a deliberately contrived example of why you might need to protect interfaces with inheritance demands. Say I have declared an interface...
  • Blog Post: I love Slashdot

    The comments from my last post are still coming in thick and fast. Thanks to everyone who didn't just swear at me (and if I didn't approve your comment, it was because it had too much profanity in it). First things first: I was wrong about uninstalling plug-ins. Thanks to several helpful posters, you...
  • Blog Post: How can I trust Firefox?

    [Fixed issues with images; sorry] [Removed the clear=all problem; thanks for pointing it out] [Added a follow-up post here] Recently, a lot of volunteers donated money to the Firefox project to pay for a two-page advert in the New York Times. If only they had spent some of that money on improving the...
  • Blog Post: Career Update

    Just thought I’d let people know that I have moved from the Visual Studio Tools for Office team to the Secure Windows Initiative team. Exactly what that means for my blogging activities, I don’t yet know. I haven’t really been doing much of it lately anyway :-/
  • Blog Post: AllowPartiallyTrustedCallers and AppDomain Boundaries

    Continuing on from yesterday's post on creating partially-trusted AppDomains, I had a bit of an e-mail exchange with Robert Hurlbut of Hurlbut Consulting. He wanted me to divulge all my secrets about AppDomains to him over e-mail, but I do intend to post them here as blog entries sooner or later...
  • Blog Post: Creating a partially-trusted AppDomain

    Shawn has some great blog entries on how to create restricted (or "sandboxed") AppDomains in the CLR by setting up custom AppDomain policy. Perhaps not surprisingly, this is one of the techniques used by Visual Studio Tools for Office to ensure that untrusted code doesn't run inside an Office solution...
  • Blog Post: Dr. Strongname, or: How I Learned to Stop Worrying and Love the URL

    One of the problems with the Trustworthy Computing initiative is that many of our products have become harder to use as a result, either due to configuration changes or documentation changes. For example, Windows Server 2003 now ships with pretty much everything turned off by default, but customers that...
  • Blog Post: Show me the money!

    A member of the VSTO team just came to my office and asked, "Is it bad to trust all Office documents on the Local Intranet?" That's a good question, and after answering it for him I thought it was also worth blogging about (plus I'm hanging around the office waiting until I have to leave to take...
  • Blog Post: Threat Models in Action

    As you probably know, the first Visual Studio "Whidbey" beta was released a few months ago, and we are hard at work finishing the product for release sometime... soon. ish. As you also probably know, Microsoft is now threat-modelling all new components that go into products as a way to identify...