Re: [SC-L] Why Software Will Continue to Be Vulnerable

2005-05-03 Thread Michael Silk
On 5/2/05, Kenneth R. van Wyk [EMAIL PROTECTED] wrote:
 Michael Silk wrote:
 I honestly don't believe that the consumers will _EVER_ care, and I
 don't believe they should have to. At most maybe they should just need
 to keep an eye out for a sticker, or star-rating (government approved)
 or something. But as you say, 'security' is 'hard to measure', so an
 approach like that won't work.
 
 As the saying goes, give the consumer the choice between security and
 dancing pigs, and they'll pick dancing pigs every single time.  There's
 probably more than just a grain of truth to that.

I would too; I've never seen a dancing pig ... :)

 
 Yet, despite that pessimistic outlook -- and the survey that forked this
 thread -- I do think that companies are demanding more in software
 security, even though consumers are not.  I'm not aware of surveys that
 directly address that, but it sure seems obvious to me that they are.

Demanding more maybe, but getting charged for it too... so the problem
is still there: security as a 'feature'. 'Security' needs to become a
baseline, just like any other programming construct (maths, ...) But
anyway, ...


 Here's to wishful thinking, anyway!

Agreed!

-- Michael




Re: [SC-L] re: Why Software Will Continue to Be Vulnerable

2005-05-03 Thread Blue Boar
Bill Cheswick wrote:

Probably like many of you, I'm the local friends-and-family computer
fixit guy.

 My father has repeatedly asked why he should care that his computer is totally
 owned.  I've told him that his CPU engine is blowing blue smoke all over the
 Internet, but that doesn't help.

I think people would care if they knew, but they don't know.

 An outbreak of user-obvious malware might change the equation, but I am not
 suggesting that someone run the experiment.

I think just about the only time I've been called out to lay hands on
someone's computer in the last two years (with one exception I can think
of), the problem has been malware/spyware.  I.e. it had misbehaved to
the point where it was intolerable.  The browser no longer works, the
machine grinds to a halt, the screen goes wonky (screwed up the video
drivers), it's popping porn ads at the kids, etc...

So my assertion is that much of the malware is very obvious.  I'll avoid
the temptation to rant at the poor quality of the malware/spyware code
itself.  I'll also add that I think this is the current big problem for
Windows users.  Windows itself (XP+) has become reliable *enough*, and
the hardware reliable enough (or cheap enough to suffer a forklift
upgrade), that it works great... except for the damn malware.

The typical reaction I get is incredulity that there are people who sit
around all day writing this stuff (malware/spyware.)  Any consideration
that there's a fault with the OS that allows it in is waaay down the list.

So if MS can find a way to make the effects of malware unobservable,
then they just about have that market sewn up.

Ryan




Re: [SC-L] Why Software Will Continue to Be Vulnerable

2005-05-03 Thread Crispin Cowan
ljknews wrote:
At 8:05 AM -0400 5/2/05, Kenneth R. van Wyk wrote:
Yet, despite that pessimistic outlook -- and the survey that
forked this thread -- I do think that companies are demanding
more in software security, even though consumers are not.

Companies value time spent on cleanup more than consumers do.

And in this morning's mailbox, we see some evidence to support the claim
that business is considerably less impressed with software quality
http://www.informationweek.com/story/showArticle.jhtml;jsessionid=IMYCZLJPHKPNMQSNDBCSKH0CJUMEKJVN?articleID=161601417

Crispin
-- 
Crispin Cowan, Ph.D.  http://immunix.com/~crispin/
CTO, Immunix  http://immunix.com




[SC-L] Re: Java keystore password storage

2005-05-03 Thread Mark
Entering the password on the command line could be an option if you
choose the Java Invocation API.  I have done this in the past and it
has worked really well.

On 4/25/05, john bart [EMAIL PROTECTED] wrote:
 Hello to all the list.
 I need some advice on where to store the keystore's password.
 Right now, i have something like this in my code:
 
 keystore = KeyStore.getInstance("JKS");
 keystore.load(new FileInputStream("keystore.jks"), PASSWORD);
 
 the question is, where do i store the password string? all of the
 possibilities that i thought about are not good enough:
 1) storing it in the code - obviously not.
 2) storing it in a separate config file is also not secure.
 3) entering the password at runtime is not an option.
 4) encrypting the password - famous chicken and egg problem (storing the
 encryption key)
 
 Any ideas?
 
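As an added illustration (not code from the thread or from either poster), here is the hardcoded form from the question beside a loader that takes the password as a runtime char[] and wipes it after use, with the non-interactive path matching the launcher approach Mark suggests; the class name, file path and the "keystore.password" property name are assumptions:

```java
import java.io.Console;
import java.io.FileInputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.Arrays;

public class KeyStoreLoader {

    // Before (option 1 in the question): the password is compiled into the
    // class file, so anyone holding the jar can recover it from the constant pool.
    static KeyStore loadHardcoded(String path)
            throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, "changeit".toCharArray()); // constructed sample value
        }
        return ks;
    }

    // After: the password is supplied at runtime as a char[] (not a String, which
    // cannot be overwritten), used only for load(), then zeroed so it does not
    // linger in the heap or in a heap dump.
    static KeyStore loadWithPassword(String path, char[] password)
            throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        } finally {
            Arrays.fill(password, '\0');
        }
        return ks;
    }

    public static void main(String[] args) throws Exception {
        String path = args.length > 0 ? args[0] : "keystore.jks"; // assumed path
        char[] pw;
        Console console = System.console();
        if (console != null) {
            pw = console.readPassword("Keystore password: "); // no echo
        } else {
            // Non-interactive: the process that started the JVM supplies it.
            // A launcher using the Invocation API can set this property as a
            // JavaVMOption in-process instead of on a visible command line.
            String supplied = System.getProperty("keystore.password"); // assumed name
            if (supplied == null) throw new IllegalStateException("no password supplied");
            pw = supplied.toCharArray();
        }
        KeyStore ks = loadWithPassword(path, pw);
        System.out.println("Loaded keystore with " + ks.size() + " entries");
    }
}
```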