Welcome to MSDN Blogs Sign in | Join | Help

Security (RSS)

NextGenHacker101 owes me a new monitor

Because I just got soda all over my current one… One of the funniest things I’ve seen in a while.    And yes, I know that I’m being cruel here and I shouldn’t make fun of the kids ignorance, but he is SO proud of his new discovery and is so Read More...
Posted Friday, January 29, 2010 9:57 AM by LarryOsterman | 79 Comments
Filed under: ,

Why are they called “giblets” anyway?

Five years ago, I attended one of the initial security training courses as a part of the XP SP2 effort.  I wrote this up in one of my very first posts entitled “ Remember the giblets ” and followed it up last year with “ The Trouble with Giblets Read More...
Posted Monday, October 26, 2009 9:05 AM by LarryOsterman | 0 Comments
Filed under: ,

Good News! strlen isn’t a banned API after all.

We were doing some code reviews on the new Win7 SDK samples the other day and one of the code reviewers noticed that the code used wcslen to compute the length of a string. He pointed out that the SDL Banned API page calls out strlen/wcslen as being banned Read More...
Posted Tuesday, June 23, 2009 10:01 AM by LarryOsterman | 6 Comments
Filed under:

Chrome is fixing the file download bug…

I just noticed that Ryan Naraine has written that Google’s fixed the file download bug in Chrome . This is awesome, but there’s one aspect of the fix that concerns me. According to the changelog : This CL adds prompting for dangerous types of files (executable) Read More...
Posted Monday, October 20, 2008 2:17 PM by LarryOsterman | 13 Comments
Filed under:

What makes a bug a security bug?

In my last post, I mentioned that security bugs were different from other bugs.  Daniel Prochnow asked : What is the difference between bug and vulnerability? In my point of view, in a production enviroment, every bug that may lead to a loss event Read More...
Posted Monday, August 18, 2008 10:29 AM by LarryOsterman | 22 Comments
Filed under:

Linus Torvalds is “Fed up with the ‘security circus’”

There’s been a lot of discussion on the intertubes about some comments that Linus Torvalds, the creator of Linux has made about security vulnerabilities and disclosure. Not surprisingly, there’s been a fair amount of discussion amongst the various MSFT Read More...
Posted Friday, August 15, 2008 1:28 PM by LarryOsterman | 23 Comments
Filed under:

More proof that crypto should be left to the experts

Apparently two years ago, someone ran a static analysis tool named " Valgrind " against the source code to OpenSSL in the Debian Linux distribution. The Valgrind tool reported an issue with the OpenSSL package distributed by Debian, so the Debian team Read More...
Posted Tuesday, May 13, 2008 9:46 AM by LarryOsterman | 41 Comments
Filed under:

Resilience is NOT necessarily a good thing

I just ran into this post by Eric Brechner who is the director of Microsoft's Engineering Excellence center. What really caught my eye was his opening paragraph: I heard a remark the other day that seemed stupid on the surface, but when I really thought Read More...
Posted Thursday, May 01, 2008 9:14 AM by LarryOsterman | 66 Comments

This is the way the world (wide web) ends...

Robert Hensing linked to a post by Thomas Ptacek over on the Matasano Chargen blog. Thomas (who is both a good hacker AND a good writer) has a writeup of a “game-over” vulnerability that was just published by Mark Dowd over at IBM's ISS X-Force that affects Read More...
Posted Wednesday, April 16, 2008 1:03 PM by LarryOsterman | 27 Comments
Filed under:

The Trouble with Giblets

I don't write about the SDL very much, because I figure that the SDL team does a good enough job of it on their blog , but I was reading the news a while ago and realized that one of the aspects of the SDL would have helped if our competitors were to Read More...
Posted Friday, March 07, 2008 8:28 AM by LarryOsterman | 26 Comments
Filed under:

Wow - We hired Crispin Cowan!!!

Michael Howard just announced that we've hired Crispin Cowan ! This is incredibly awesome, I have a huge amount of respect for Crispin , he's one of the most respected researchers out there. Among other things, Crispin's the author and designer of AppArmor Read More...
Posted Friday, January 18, 2008 10:31 AM by LarryOsterman | 5 Comments

How to lose customers without really trying...

Not surprisingly, Valorie and I both do some of our holiday season shopping at ThinkGeek. But no longer. Valorie recently placed a substantial order with them, but Instead of processing her order, they sent the following email: From: ThinkGeek Customer Read More...
Posted Thursday, November 15, 2007 3:21 PM by LarryOsterman | 25 Comments

When you're analyzing the strength of a password, make sure you know what's done with it.

Every once in a while, I hear someone making comments about the strength of things like long passwords. For example, if you have a 255 character password that just uses the 26 roman upper and lower case letters, plus the numeric digits. That means that Read More...
Posted Monday, November 12, 2007 5:47 PM by LarryOsterman | 20 Comments

Chris Pirillo's annoyed by the Windows Firewall prompt

Yesterday, Chris Pirillo made a comment in one of his posts : And if you think you’re already completely protected in Windows with its default tools, think again. This morning, after months of regular Firefox use, I get this security warning from the Read More...
Posted Friday, November 02, 2007 9:56 AM by LarryOsterman | 63 Comments
Filed under:

Every threat model diagram should tell a story.

Adam Shostack has another threat modeling post up on the SDL blog entitled " Threat Modeling Self Checks and Rules of Thumb ". In it, he talks about threat models and diagrams (and he corrects a mistake in my " rules of thumb " post (thanks Adam)). There's Read More...
Posted Monday, October 22, 2007 3:14 PM by LarryOsterman | 1 Comments
Filed under:
More Posts Next page »
 
Page view tracker