[Ed. Cross-posted from Bugtraq... KRvW]
Subject: DJB's students release 44 *nix software vulnerability advisories
Date: Thu, 16 Dec 2004 01:47:12 -0800
Message-ID: [EMAIL PROTECTED]
From: Thor Larholm [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Widely deployed open source software is commonly
http://www.eweek.com/article2/0,1895,1900533,00.asp
Gee this sounds just like virus wars, using add-on products to make
up for weakness in the operating system.
A reliable operating system would not permit such modifications in
the first place
Whatever happened with Intel NX technology?
Steven M. Bellovin wrote:
I like this line: This kind of threat has not been anticipated before,
from Microsoft. Mobile code hasn't been anticipated? C'mon!
I think they meant 'features that allow you to execute code have not
been seen as a security issue before. We have no idea where and
Just last month Greta Yorsh, fresh from work in Microsoft Research over
in the US lectured to us on something related in TAUSEC
(http://www.cs.tau.ac.il/tausec - in Hebrew).
-
Title: Testing, Abstraction, Theorem Proving: Better Together.
We present a method for static program analysis
George Capehart wrote:
Yvan Boily wrote:
Hi George,
I think a much more eloquent form of what you are saying is that
validation must be performed each time data crosses a security
boundary.
Hello Yvan,
I absolutely agree. Wish I'd said it myself . . . :)
In other words, it's just
On Thu, 4 May 2006, Kenneth R. van Wyk wrote:
Stories about this (below) X bug and the DHS-sponsored project that found it
have been floating around the net all week. This story caught my eye,
though:
http://www.net-security.org/secworld.php?id=3994
The author claims, This flaw, caused
http://softwaredev.itbusinessnet.com/articles/viewarticle.jsp?id=47176
Gadi.
___
Secure Coding mailing list (SC-L)
SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at -
On Thu, 13 Jul 2006, Gary McGraw wrote:
Hi all,
Is penetration testing good or bad?
http://ddj.com/dept/security/18951
It's great, but penetration testing of the network assessment types is
useless as it takes a picture of what the network looks like TODAY, while
tomorrow it's a
On Fri, 14 Jul 2006, Daniele Muscetta wrote:
On 7/13/06, Gary McGraw [EMAIL PROTECTED] wrote:
3) never use the results of a pen test as a punch list to attain
security
You are right, but very sadly, that's how it gets used by a lot of
companies
hey, the pen testers found
On Mon, 17 Jul 2006, Peter G. Neumann wrote:
Forget the bumper sticker approach.
Hey Peter. :)
Well, one should forget the bumper-sticker approach if all us boring dry
guys keep trying to explain to people how math works.
Instead, telling them:
1+1=?
Didn't learn math, eh?
Is bumper-sticker
Hi guys!
A few days ago, following the announcements by Dan from Websense and then
HD, I wrote a post covering what they have done and what the future may
hold for Google hacking for security purposes.
http://blogs.securiteam.com/index.php/archives/513
Today a guy posted a blog on using the
ou get to play with the code, in some cases anyway. Other than that and the
fact the code runs, mostly, locally, there is no difference.
The one major difference is that with some services, the vulnerability is
local as everybody builds their own.
The main issue here is that web services allow
Another guy just wrote some more fun keywords to search for:
http://blogs.securiteam.com/index.php/archives/661
On Thu, 5 Oct 2006, Gadi Evron wrote:
playing with Google Code Search, as Lev Toger just wrote:
Google released a code search engine to catch up with Krugle, Koders, and
Codease
on the daily WTF, where they do more funny
searches:
http://thedailywtf.com/forums/thread/94630.aspx
On 10/5/06, Gadi Evron [EMAIL PROTECTED] wrote:
playing with Google Code Search, as Lev Toger just wrote:
Google released a code search engine to catch up with Krugle, Koders
So, how can we edit current basic programming college books to present
secure code, a couple of words of the correct way of doing things, and a
whole new chapter on secure coding (which may be redundant?)
How do we start?
Some Whiley book for introduction to CS?
Any volunteers to get this on
.
This community is perfect for this job.
Gadi.
gem
-Original Message-
From: Gadi Evron [mailto:[EMAIL PROTECTED]
Sent: Wed Oct 11 20:58:12 2006
To: Kenneth Van Wyk
Cc: Secure Coding
Subject: [SC-L] re-writing college books [was: Re: A banner year for
software bugs
On Sat, 28 Oct 2006, Crispin Cowan wrote:
Gadi Evron wrote:
So, dump C, Use SML, What secure coding classes are you doing? and
we are already doing it!! are the responses I got when I started this
thread.
What did you expect from whining about the generally poor quality of
software
On Sun, 29 Oct 2006, Robert C. Seacord wrote:
Gadi,
I feel like I've been here before, but I'll give it another shot anyway.
Okay, then let's make some progress:
1. Where and who is currently involved with doing this?
2. What are they doing?
3. Can we use their experience to make it
On Sun, 5 Nov 2006, Leichter, Jerry wrote:
Much as I agree with many of the sentiments expressed in this discussion,
there's a certain air of unreality to it. While software has its own
set of problems, it's not the first engineered artifact with security
implications in the history of the
On Mon, 6 Nov 2006, Julie J.C.H. Ryan wrote:
Folks, I've been forwarding select messages from this listserv to my
nephews, who are undergrads in CS at some fairly renowned
universities, which shall remain nameless cause it would embarrass
the heck out of them to have the following
On Wed, 8 Nov 2006, Robin Sheat wrote:
It is important to note that there is no goal of teaching students to go off
and be safe programmers. Computer science is seen to a reasonable extent to
be a theoretical pursuit. Algorithms are covered, GC methods, heuristic
searches, and so on.
On Tue, 7 Nov 2006, Matt Bishop wrote:
Folks,
A comment based on an idea we tried here.
Well, I never received any replies here on what's already being
done.. so
now, I am asking for ideas on how we can approach schools. What's
needed,
in order for basic CS classes to have a
[X-posted to the funsec mailing list]
http://slashdot.org/articles/06/11/09/1534204.shtml
2^24 comments ought to be enough for anyone -- CmdrTaco
Slashdot Posting Bug Infuriates Haggard Admins
Posted by CmdrTaco on Thursday November 09, @10:45AM
from the this-is-never-good dept.
CCC was amazing, and here is the video for one of the lectures.
http://video.google.com/videoplay?docid=-5897236579900914407q=23c3
On Mon, 12 Mar 2007, Crispin Cowan wrote:
Ed Reed wrote:
For a long time I thought that software product liability would
eventually be forced onto developers in response to their long-term
failure to take responsibility for their shoddy code. I was mistaken.
The pool of producers (i.e.,
lists and im still hearing
gadi
- HD Moore to Gadi Evron on IM, on Gadi's interview on npr, March 2007.
On Mon, 26 Mar 2007, Kenneth Van Wyk wrote:
FYI, I saw this tool announcement and thought some folks here might
find it useful. It's a free perl-based fuzzing framework written by
Tim Brown. Follow the link to find the download site.
I didn't want to cross-post to another list, but sending here if the
moderator finds this post useful.
-- Forwarded message --
Date: Mon, 26 Mar 2007 19:05:58 -0500 (CDT)
From: Gadi Evron [EMAIL PROTECTED]
To: Kowsik [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED], dailydave
I am trying to understand if this conference is cancelled or not?
On Sun, 22 Mar 2009, Gary McGraw wrote:
hi sc-l,
For what it's worth, I am involved in the project with jmr...as is Sammy
Migues. jmr was our BSIMM participant from DTCC. Their software security
initiative is most impressive.
I don't know TOO much about supply chain issues, but I
Very interesting post by Fyodor:
http://seclists.org/nmap-dev/2010/q2/826
Gadi.