Re: [SC-L] Missing the point?

2004-04-20 Thread Nash
e, has an interesting argument in favor of the "Not Invented Here Syndrome": http://www.joelonsoftware.com/articles/fog07.html l8r, -nash

Re: [SC-L] Top security papers

2004-08-10 Thread Nash
On Sat, Aug 07, 2004 at 06:41:49PM -0700, Matt Setzer wrote: > Specifically, what are the top five or ten > security papers that you'd recommend to anyone wanting to learn more about > security? What are the papers that you keep printed copies of and reread > every few years just to get a new pers

Re: [SC-L] Theoretical question about vulnerabilities

2005-04-11 Thread Nash
oughts on this? Any references to relevant theories of failures and > errors, or to explorations of this or similar ideas, would be welcome. There are academics active in this field of research. Here's a few links: http://cm.bell-labs.com/cm/cs/what/spin2005/ http://www.google.com/sea

Re: [SC-L] Theoretical question about vulnerabilities

2005-04-13 Thread Nash
int Theory. I read about it briefly, but can't really comment on how well it addresses this problem. It seems to be a promising possibility, though. See Nielson for more. ciao, -nash "Semantics with Applications", Nielson & Nielson, Wiley, 1992. Available as a PDF her

Re: [SC-L] Java keystore password storage

2005-04-25 Thread Nash
t way the strings command didn't find them. Didn't help much if your hackers had read the HHGTTG, though. -nash On Mon, Apr 25, 2005 at 07:55:43AM +, john bart wrote: > Hello to all the list. > I need some advice on where to store the keystore's password. > Right now,

Re: [SC-L] Java keystore password storage

2005-04-27 Thread Nash
't mean that "chances are very good" attackers can compromise the credentials. Not all identities have to be perfectly defended. -nash -- An ideal world is left as an exercise for the reader. - Paul Graham

Re: [SC-L] ddj: beyond the badnessometer

2006-07-13 Thread Nash
sign stage. Getting a security architecture in place that matches your risk tolerance and functional requirements is the single best way to prevent intrusions, bar none. nash e. foster Stratum Security, LLC -- "the lyf so short, the craft so long to lerne."

Re: [SC-L] Resource limitation

2006-07-17 Thread Nash
ystems. They're more flexible and should have all the features you want, but are still largely theoretical. http://en.wikipedia.org/wiki/Capability-based_security That said, every decent Unix system I'm aware of has ulimit, which you can use to restrict virtual memory allocations, total op

Re: [SC-L] Web Services vs. Minimizing Attack Surface

2006-08-15 Thread Nash
ing it. It's a great opportunity to reintegrate security in a way that we just never had with the Web 1.0 universe. -nash On Tue, Aug 15, 2006 at 10:03:07AM +0200, John Wilander wrote: > Hi! > > The security principle of minimizing your attack surface (Writing > Secure Code, 2