March 2007 - Posts

Word 2007 Blog Feature’s Password Handling
I knew about the blog feature – hard not to notice when every time you go to make a new document, it gives you the option of making a blog post. I'd known about it for quite a while, as I was part of the group reviewing the threat model. Last night was Read More...
Posted 29 March 07 08:36 by david_leblanc | 3 Comments   
Attackers, Vuln Finders and Exploits – It just ain’t fair!
Recently took a look at "The Vulnerability Disclosure Game: Are We More Secure?" ( http://www2.csoonline.com/exclusives/column.html?CID=28072 ) by Marcus Ranum, which in turn links to "Schneier: Full Disclosure of Security Vulnerabilities a 'Damned Good Read More...
Posted 29 March 07 12:31 by david_leblanc | 7 Comments   
What's still exploitable?
OK, just throwing this out, hoping for some interesting comments - if you have NX, ASLR, and SafeSEH, what's still exploitable? Please note I'm absolutely, positively NOT NOT NOT saying that stuff compiled with all this is unbreakable or any such silliness. Read More...
Posted 26 March 07 09:37 by david_leblanc | 2 Comments   
Impersonation isn't dangerous
I was called to task because in Writing Secure Code for Windows Vista, I asserted that from the standpoint of a service , the impersonation privilege isn't dangerous. SeImpersonate is one of the newer privileges in Windows, and has only been put there Read More...
Posted 25 March 07 07:27 by david_leblanc | 12 Comments   
Economics of the Vulnerability Finding Game
A friend of mine loaned me a book - "Hidden Order: The Economics of Everyday Life", by David Friedman - It's an interesting read - the overall point is that a lot of human behavior can be explained with economic theory. Basically, it amounts to what we Read More...
Posted 21 March 07 09:24 by david_leblanc | 3 Comments   
More Fun with Integers
Just a quick note this morning to share something I found while finishing up SafeInt 3.0. This is something more helpful with 64-bit porting than with general security, though it does have some security side effects. Warning - heavy C++ programming geek Read More...
Posted 21 March 07 08:45 by david_leblanc | 2 Comments   
Filed under
Finally starting a blog
I have been putting this off for a while. Not out of concern with sharing myself in public - I've been posting on the net in various forums for around the last 15 years, and anyone good with a search engine can find all sorts of things I've said and done. Read More...
Posted 19 March 07 10:07 by david_leblanc | 6 Comments   

Search

This Blog

Syndication

Page view tracker