* Gary McGraw:
> My darkreading column this month is devoted to insiders, but with a
> twist. In this article, I argue that software components which run
> on untrusted clients (AJAX anyone? WoW clients?) are an interesting
> new flavor of insider attack.

I really wish this were something new. 8-( In client/server applications, it's not too uncommon that the client connects to the server with a hard-coded password, uses that to download some kind of authentication table, and looks up a user-supplied password in it. If it's not found, the authentication fails. Apparently, you can save some client licenses with such a setup.

_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community.
_______________________________________________
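The client-side lookup described in the reply, modelled next to the server-side check that replaces it. This is an added illustration, not code from the thread; the user table, the `Server` class and the hard-coded client secret are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed sample table: username -> (salt, PBKDF2 hash). Both designs store the
# same thing; what differs is WHERE the comparison runs and WHO gets to see the table.
def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

class Server:
    def __init__(self, users: dict):
        # users: username -> plaintext password (constructed test data, hashed at startup)
        self._table = {}
        for user, pw in users.items():
            salt = os.urandom(16)
            self._table[user] = (salt, _derive(pw, salt))
        # One "client password" shared by every installed copy of the client, i.e. the
        # design the post describes. Hypothetical value; it ships inside the client.
        self._client_secret = "hardcoded-client-password"

    # Design from the post: whoever presents the shared client secret receives the
    # whole credential table, so the untrusted client holds everything the server holds.
    def download_auth_table(self, client_secret: str) -> dict:
        if not hmac.compare_digest(client_secret, self._client_secret):
            raise PermissionError("bad client secret")
        return dict(self._table)

    # Hardened design: the table never leaves the server; the client submits one
    # (username, password) pair and gets back only a yes/no decision.
    def verify(self, username: str, password: str) -> bool:
        entry = self._table.get(username)
        if entry is None:
            return False
        salt, expected = entry
        return hmac.compare_digest(_derive(password, salt), expected)

def insecure_client_login(server: Server, username: str, password: str) -> bool:
    """Lookup on the client: the decision is made by code the attacker controls."""
    table = server.download_auth_table("hardcoded-client-password")
    entry = table.get(username)
    if entry is None:
        return False
    salt, expected = entry
    return hmac.compare_digest(_derive(password, salt), expected)

def secure_client_login(server: Server, username: str, password: str) -> bool:
    """The client only relays the attempt; the server decides."""
    return server.verify(username, password)
```

The two login functions return the same answer for an honest client; the difference is that `download_auth_table` hands the full table to anyone who has extracted the shared secret from a client binary, while `verify` exposes nothing beyond a boolean per attempt.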