Security

Updating Firefox as non-admin

Firefox, like all web browsers, needs to be regularly updated to keep up with security patches. Version 1.5 has an auto-update feature built-in, but unfortunately if you're not running as a local Administrator (at least in Windows), it doesn't work.
Posted by ptorr | 2 Comments

When facts get in the way of a good argument

I've wanted to write this blog for a long time, but never gotten around to it. It's a very simple observation, but one that too many people fail to make. Maybe something will come of it :-) Oftentimes you will see something like the following on a web
Posted by ptorr | 3 Comments

Why not use hashes for the Anti-Phishing Filter?

Several people have asked why Internet Explorer 7 will send "real" URLs instead of hashes to the AP (Anti-Phishing) server. That's a good question, and I know it's a good question because it's the same thing just about everybody at Microsoft (including
Posted by ptorr | 0 Comments

Blindly trusting detection tools

Imagine I have a house cleaner that comes in once a week to clean the house. After a while I start to notice that my house smells "fishy", but my house cleaner has just the ticket -- the all-new FishBeGone (TM) cleaner & fragrance that gets rid of
Posted by ptorr | 6 Comments

What is Microsoft doing for security?

A recent comment on the IE Blog made it pretty apparent that not everybody is aware of Microsoft's efforts around security. Michael Howard has mentioned the Security Development Lifecycle before, but in case you don't want to read the entire document
Posted by ptorr | 5 Comments

HELLO? CAN YOU HEAR ME?!?

As most of my friends know, I'm a pretty jumpy person. And, of course, most of those same friends like to exploit that fact for their own amusement from time to time (thanks to Jeff for almost running me over the other day). The fact that I lose 5
Posted by ptorr | 0 Comments

IE Blog

For those of you who haven't already heard, the IE team has a blog and recently they've started to talk about some of the cool features to be found in IE 7 Beta 1 (or planned for RTM). I've been working pretty closely with the IE team for some time now,
Posted by ptorr | 2 Comments

The Evil Problem

Over on the IE Blog, a commenter made a very good point -- why is it that IE flags scripts as “potentially bad”? That’s very confusing to the average user, and they have no way of knowing whether or not the script really is bad or not (and therefore whether
Posted by ptorr | 6 Comments

Malicious vs Spoofed Servers

Curious Caroline writes: Dear Peter, I have a friend who was talking to a security tester the other day, and apparently the tester said that having a "malicious server" is different than having a "spoofed" server. How is that so? My friend would really
Posted by ptorr | 0 Comments

Adding URLs to an application securely

An Anonymous Reader writes: Dear Peter, I am writing a desktop application that contains links to external websites inside the "Help" menu, as is common with many applications such as Internet Explorer and Microsoft Office. I want to make this list dynamic
Posted by ptorr | 1 Comment

Dear Diary...

I haven't really blogged in a while, mostly because it's hard to blog about the kind of work I do right now (improving the security of unreleased products). But, I thought to myself, one way to share some of my experience with all you great folks would
Posted by ptorr | 0 Comments

So that's what happens...

Today I did something I haven't done in a long time: I downloaded and installed some unsigned code while running as a local administrator on my home computer. I had to stare at the Security Warning dialog from Windows for quite a few moments before I
Posted by ptorr | 2 Comments

Mozilla now signs Firefox downloads

A little bird recently told me some good news -- Mozilla Firefox is now digitally signed by "Mozilla Foundation." This means that Windows customers who want to download the self-installing executable with Internet Explorer can do so and be sure that what
Posted by ptorr | 13 Comments

Guerrilla Threat Modelling (or 'Threat Modeling' if you're American)

A crash-course in developing Data Flow Diagrams in support of software threat models
Posted by ptorr | 20 Comments

High-Level Threat Modelling Process

The following is a (slightly modified) version of a document I wrote for the VSTO team way back in the day. You might find it useful as you plan threat modelling for your product(s). You should of course read the Threat Modelling book from Microsoft Press
Posted by ptorr | 10 Comments