Re: [SC-L] More on Cyber War

2010-06-18 Thread Dave Aronson
Don't forget about the millionaire cyber-terrorist, osama:/bin/login. ;-) -- Dave Aronson - Have Pun, Will Babble | Work: davearonson.com | /\ ASCII -+ Play: davearonson.net | \/ Ribbon "Specialization is for insects." | Li

Re: [SC-L] InformIT: You need an SSG

2009-12-22 Thread Dave Aronson
n) and maybe "does it do the right job" (validation), but should also ask (for security) "does it Do The Right Thing (whatever that may be) in the face of all foreseeable types of attacks", and (for quality) "diDTRT(wtmb)itfoafto *errors*" (including those forced by an att

[SC-L] new job!

2009-10-17 Thread SC-L Reader Dave Aronson
probably a week or two. I will no longer be in a position related to security, but will still participate here, and in the broader secure coding community, as time allows -- and keep trying to spread the gospel. ;-) Thanks for all your help, Dave -- Dave Aronson - Have Pun, Will Bab

Re: [SC-L] Genotypes and Phenotypes (Gunnar Peterson)

2009-10-17 Thread SC-L Reader Dave Aronson
just fine under Linux (even without SE) or even Windows. -Dave -- Dave Aronson - Have Pun, Will Babble | Work: davearonson.com | /\ ASCII -+ Play: davearonson.net | \/ Ribbon "Specialization is for insects." | Life: dare2xl.com |

Re: [SC-L] Genotypes and Phenotypes (Gunnar Peterson)

2009-10-14 Thread SC-L Reader Dave Aronson
ext* time? Again, N times out of N+1, for almost as large values of N, no. -Dave -- Dave Aronson, software engineer or trainer for hire. Looking for job (or contract) in Washington DC area. See http://davearonson.com/ for resume & other info. ___ Secure

Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

2009-08-21 Thread SC-L Reader Dave Aronson
ng is a bit out of style... by 70 years or so) -Dave -- Dave Aronson, software engineer or trainer for hire. Looking for job (or contract) in Washington DC area. See http://davearonson.com/ for resume & other info. ___ Secure Coding mailing l

Re: [SC-L] What is the size of this list?

2009-08-19 Thread SC-L Reader Dave Aronson
true of any email list. I run a few where the same couple dozen or so names keep popping up in the From lines... out of thousands of members. -Dave -- Dave Aronson, software engineer or trainer for hire. Looking for job (or contract) in Washington DC area. See http://davearonson.c

Re: [SC-L] Insecure Java Code Snippets

2009-05-08 Thread SC-L Reader Dave Aronson
done in language X or Y. Usually, it's about what's *easier* to do in X or Y. Sometimes the security tradeoff is worth taking the hard way, but sometimes the choice is to the point of being at all practical or not. -Dave, making good progress on the job hunt, thanks in part to people here -

[SC-L] Certified Application Security Specialists

2009-04-01 Thread SC-L Reader Dave Aronson
Y'all- I think I've finally found the right certification for me! Check out the Institute for Certified Application Security Specialists, at http://www.asscert.com/ today! -Dave -- Dave Aronson: Have Pun, Will Babble | Work: davearonson.com

Re: [SC-L] more relevant certifications

2009-03-20 Thread SC-L Reader Dave Aronson
is will at least point me down some path. > Karen Mercedes Goertzel, CISSP ...and contributor and Coordinating Editor of the above report. :-) Thanks, Dave -- Dave Aronson: Have Pun, Will Babble | Work: davearonson.com | /\ ASCII | Play: davearonson.net |

[SC-L] more relevant certifications

2009-03-20 Thread SC-L Reader Dave Aronson
the teachers would say Thanks, Dave -- Dave Aronson: Have Pun, Will Babble | Work: davearonson.com | /\ ASCII | Play: davearonson.net | \/ Ribbon "Specialization is for insects."| Life: dare2xl.com | /\ Campaign -Robert A. Heinlein

Re: [SC-L] Announcing LAMN: Legion Against Meaningless certificatioNs

2009-03-19 Thread SC-L Reader Dave Aronson
oday in which I mention "PMPs, CISSPs, MCSEs, MDs, JDs, DDSes, and other assorted CAS -- that's Certified Alphabet Soup". -Dave -- Dave Aronson: Have Pun, Will Babble | Work: davearonson.com | /\ ASCII | Play: davearonson.net | \/ Ribbon "Speci

Re: [SC-L] InformIT: budgeting for software security

2008-04-12 Thread Dave Aronson
Jim Manico wrote: > Datacenters -> suck up 3% of word power Oh, that must explain why, as we become more and more dependent on companies with data centers, we find ourselves less and less able to actually communicate clearly with each other ;-) -Dave -- Dave Aronson "Specia

Re: [SC-L] Perspectives on Code Scanning

2007-06-07 Thread SC-L Subscriber Dave Aronson
rest > of folks here to get vendors to ignore developer specific licensing and > instead focus on enterprise concerns? Unfortunately, that often means that ANY license at all for it will be horrendously expensive, so that small shops are totally cut out. -Dave -- Dave Aronson "Speci

Re: [SC-L] FW: What's the next tech problem to be solved in softwaresecurity?

2007-06-07 Thread SC-L Subscriber Dave Aronson
quot;separate". They can "play nicely together" if they adhere to relevant standards for interoperability. Witness how you can develop a lot of software without leaving Emacs, or Eclipse. However, I don't think that's all that relevant to software security in particular

Re: [SC-L] Best practices for encrypting client-side data

2007-05-09 Thread SC-L Subscriber Dave Aronson
your protection, under the above scheme. Also, just how secure do you need it to be? Don't waste a thousand-dollar lock on a fifty-dollar bicycle. Is this data actually a tempting target for attackers who are clueful and resourceful (in both the senses of "clever" and

Re: [SC-L] How big is the market?

2007-04-24 Thread SC-L Subscriber Dave Aronson
- Java Developers Journal > - Insurance & Technology > - DMReview > - Intelligent Enterprise > - CIO > - Insurance Networking News I'd also suggest Software Development, and maybe Information Security. -Dave -- Dave Aronson "Specialization is for insects." -H

Re: [SC-L] What defines an InfoSec Professional?

2007-03-09 Thread SC-L Subscriber Dave Aronson
[EMAIL PROTECTED] writes: > certifications such as CISSP whereby the exams that > prove you are a security professional talk all about > physical security and network security but really don't > address software development in any meaningful way. Perhaps what is needed is a separate certification

Re: [SC-L] Good Magazines and Books

2007-01-30 Thread SC-L Subscriber Dave Aronson
has BEEN REMOVED, so as to at least dampen the combinatorial explosion of replies to replies to replies ad infinitum. -Dave -- Dave Aronson "Specialization is for insects." -Heinlein Work: http://www.davearonson.com/ Play: http://www.davearonson.net/

Re: [SC-L] Compilers

2006-12-27 Thread SC-L Subscriber Dave Aronson
grammers (even so-called software engineers), let alone people in any position of authority to set such policies. :-( -Dave -- Dave Aronson "Specialization is for insects." -Heinlein Work: http://www.davearonson.com/ Play: http://www.davearonson.net/ ___

Re: [SC-L] On exploits, hubris, and software security

2006-11-03 Thread SC-L Subscriber Dave Aronson
ialites" and other such much more important news. Without this little bit of trivia, the sheeple will just ass-u-me that the demo-giver was, as the PTBs will insinuate, a malefactor in league with $ENEMY[$YEAR], and deserves to be shipped off to the Git-lag. -Dave -- Dave Aronson "Sp

Re: [SC-L] Coding with errors in mind - a solution?

2006-08-30 Thread Dave Aronson
ut more than security). Well, *most* people anyway. The avionics, medical, and suchlike fields are quite another story. > Bill Anderson Is this perchance the Bill Anderson who was my "great grandboss" until he left BAE for Cryptek? -- Dave Aronson http://www.davearonson.com/

Re: [SC-L] Dark Reading - Application and Perimeter Security - Hacking the Vista Kernel - Security News Analysis

2006-07-25 Thread SC-L Subscriber Dave Aronson
Pete Shanahan [mailto:[EMAIL PROTECTED] writes: > I'm just wondering how flawed the implementation of the windows > paging model is that it would allow for this kind of breach. The > standard model I'm familiar with would simply flush the page from > memory, and would not keep a copy in the ex

[SC-L] bumper sticker slogan for secure software

2006-07-18 Thread SC-L Subscriber Dave Aronson
Paolo Perego [mailto:[EMAIL PROTECTED] writes: > "Software is like Titanic, people claim it was unsinkable. Securing is > providing it power steering" But power steering wouldn't have saved it. By the time the iceberg was spotted, there was not enough time to turn that large a boat. Perhaps

Re: [SC-L] (no subject)

2006-07-17 Thread SC-L Subscriber Dave Aronson
Jeremy Epstein [mailto:[EMAIL PROTECTED] writes: > "Software Security Keeps the Bad Guys Out" That's certainly one important aspect, but this slogan doesn't address issues such as staying up, producing correct output, etc. It also can blur the already much too fuzzy (in the public mind) line

Re: [SC-L] (no subject)

2006-07-17 Thread SC-L Subscriber Dave Aronson
Gary McGraw [mailto:[EMAIL PROTECTED] wrote: > I wrote a book with viega a few years ago called "building secure > software"... Yes, John gave us all copies. Didn't bother to get it autographed though. :-) > it was not about that company (at all). It certainly was not about the horribly br

[SC-L] bumper sticker slogan for secure software

2006-07-17 Thread SC-L Subscriber Dave Aronson
mikeiscool [mailto:[EMAIL PROTECTED] writes: > The point remains though: trimming this down into a friendly little > phrase is, IMCO, useless. One of the common problems in trying to persuade the masses of ANYTHING, be it the importance of secure software, the factual or moral correctness of y

Re: [SC-L] "Bumper sticker" definition of secure software

2006-07-16 Thread Dave Aronson
Goertzel Karen wrote: > Secure software is software that remains dependable despite efforts > to compromise its dependability. If you really want to compress that to bumper-sticker size, how about "Secure Software: Does what it's meant to. Period." This encompasses both "can't be forced NOT

Re: [SC-L] Spot the bug

2005-07-21 Thread Dave Aronson
Christopher Canova <[EMAIL PROTECTED]> wrote: > It seems to me that they may be shifting from a > Deploy-first-ask-questions-later tactic to a > Code-it-right-before-its-out-the-door. They always did "code it right before it's out the door". It's just a question of where you put the comma.

Re: [SC-L] Spot the bug

2005-07-21 Thread Dave Aronson
ljknews <[EMAIL PROTECTED]> wrote: > The overarching bug seems to be the assertion that there is only one > bug, since those offering comments found two right off. What did you expect from MS? > The less excusable of the two bugs appears at first glance to be an > out of bounds reference to

Re: [SC-L] Credentials for Application use

2005-05-13 Thread Dave Aronson
"Gizmo" <[EMAIL PROTECTED]> wrote: > the efficacy of the encryption is of some question. > Basically, it keeps honest people honest. Sounds a little better than I thought, but I'd still be worried about the owner name leaking into less honest hands. > 1) The app is architected around the Bt

Re: [SC-L] Credentials for Application use

2005-05-12 Thread Dave Aronson
"Gizmo" <[EMAIL PROTECTED]> wrote: > I have a similar situation in one of my applications. The > customer wishes to secure the database. Since we use a Btrieve > database, the only way to do > this is be setting an owner name on the DB, and then > encrypting using the owner name as the pass

Re: [SC-L] Why Software Will Continue to Be Vulnerable

2005-05-01 Thread Dave Aronson
Crispin Cowan <[EMAIL PROTECTED]> wrote: > ISPs could also position a non-restricted account as an "expert" > account and charge extra for it. That already happens in many cases, except they call it a "business class" account. The only one I've heard called some kind of "expert" account is t

Re: [SC-L] Re: Application Insecurity --- Who is at Fault?

2005-04-11 Thread Dave Aronson

OT re Cliff Stoll (was Re: [SC-L] Top security papers)

2004-08-11 Thread Dave Aronson
Nash <[EMAIL PROTECTED]> wrote: > _Cuckoo's_Egg_, Clifford Stall. > > http://www.amazon.com/exec/obidos/tg/detail/-/0671726889/102-7543362- >2026532?v=glance > > [Ed. That's Cliff Stoll, not Stall. Great book, though -- IMHO! > KRvW] For more on what Cliff's been up to lately, see: ht

Re: [SC-L] Programming languages -- the "third rail" of secure coding

2004-07-20 Thread Dave Aronson
"Michael S Hines" <[EMAIL PROTECTED]> wrote: > I've been compiling a list of programming languages.. You missed FORTRAN, ICON, REXX, SNOBOL, and the assorted OS-based shell scripting languages (bash/csh/ksh/etc., VMS DCL, DOS .bat, etc.). I've heard of JOVIAL, which I *think* is a programming

Re: [SC-L] Missing the point?

2004-04-20 Thread Dave Aronson
On Tue April 20 2004 12:34, Michael A. Davis wrote: > It is not the source code that is the > problem -- it is the developer. The proof of the developer's grokking of secure coding, is in the code. -- Dave Aronson, Senior Software Engineer, Secure Software Inc. Email me at: work

Re: [SC-L] User Education Tool?

2004-03-05 Thread Dave Aronson
On Thu March 4 2004 17:45, Andreas Saurwein wrote: > At 4/3/2004 18:16 Thursday, Dave Aronson wrote: > > Either way (especially if the manual forwarding is done with the > > help of pulling up the contact list), you can bet some jackass > > will attach a malicious payloa

Re: [SC-L] User Education Tool?

2004-03-04 Thread Dave Aronson
ling his attention to how incredibly stupid he has just been, and you've got something. B-) -- Dave Aronson, Senior Software Engineer, Secure Software Inc. Email me at: work (D0T) 2004 (@T) dja (D0T) mailme (D0T) org (Opinions above NOT those of securesw.com unless so stated!) WE'RE HIRING developers, auditors, and VP of Prof. Services.

Humor: Re: [SC-L] Any software security news from the RSA conference?

2004-02-27 Thread Dave Aronson
On Thu February 26 2004 19:32, Mark Curphey quoted: > According to Gordon, if developers could reduce the error and > vulnerability rate by a factor of 10, it would "probably eliminate > something like 90 percent of the current security threats and > vulnerabilities. This factoid brought to y

Administrivia: Registration require sites (was Re: [SC-L] Secured Coding)

2004-02-13 Thread Dave Aronson
ease at least warn us about the registration requirement. It would certainly be appreciated. KRvW] -- Dave Aronson, Senior Software Engineer, Secure Software Inc. Email me at: work (D0T) 2004 (@T) dja (D0T) mailme (D0T) org (Opinions above NOT those of securesw.com unless so stated!) WE'RE HIRING developers, auditors, and VP of Prof. Services.