Re: [SC-L] how far we still need to go

2007-07-25 Thread Blue Boar
William L. Anderson wrote: I am flabbergasted. When I first encountered Unix in 1983 I was taught that you always run as an ordinary user, and only use admin (root) privileges when needed. If OS X developers are running as admin, and building and testing their products as admin, well ...

Re: [SC-L] Harvard vs. von Neumann

2007-06-12 Thread Blue Boar
Crispin Cowan wrote: Do you suppose it is because of the different techniques researchers use to detect vulnerabilities in source code vs. binary-only code? Or is that a bad assumption because the hax0rs have Microsoft's source code anyway? :-) I'm in the process of hiring an outside firm for

Re: [SC-L] Harvard vs. von Neumann

2007-06-11 Thread Blue Boar
der Mouse wrote: Like it or not, the Web doesn't work right without Javascript now. Depends on what you mean by "the Web" and "work right". Fortunately, for at least some people's values of those, this is not true. Obviously, I'm oversimplifying. I claim that there are enough web sites that

[SC-L] Harvard vs. von Neumann

2007-06-10 Thread Blue Boar
ljknews wrote: It amazes me that someone in a discussion of software security would point to a page that requires Javascript to be viewed. I'm on a couple of mailing lists with Dr. Solly, an early antivirus researcher. He likes to talk about this idea of Grannyx, a (hypothetical) operating

Re: [SC-L] Best practices for encrypting client-side data

2007-05-09 Thread Blue Boar
Robin Sheat wrote: Basically, I needed to encrypt the on-disk format of some data that is accessed as a seekable file (it's actually a Lucene index, but the details aren't too relevant). The use case for this is to ensure the data is kept private, even if the disk or computer the data is on

Re: [SC-L] [Full-disclosure] Chinese Professor Cracks Fifth Data Security Algorithm (SHA-1)

2007-03-21 Thread Blue Boar
3APA3A wrote: First, by reading 'crack' I thought the lady could recover the full message from its signature. After careful reading, she can bruteforce collisions 2000 times faster. Cracking a hash would never mean recovering the full original message, except for possibly messages that were smaller

Re: [SC-L] [Full-disclosure] Chinese Professor Cracks Fifth Data Security Algorithm (SHA-1)

2007-03-21 Thread Blue Boar
3APA3A wrote: I know the meaning of the 'hash function' term; I wrote a few articles on challenge-response authentication and I did a few hash function implementations for hashtables and authentication in FreeRADIUS and 3proxy. Can I claim my right to sarcasm after calling

Re: [SC-L] [Full-disclosure] Chinese Professor Cracks Fifth Data Security Algorithm (SHA-1)

2007-03-21 Thread Blue Boar
to believe I was wrong about that. BB 3APA3A wrote: Dear Blue Boar, It's not clear if this 'crack' can be applied to the birthday attack. My in-mind computations were: because the birthday attack requires ~square root of N computations where bruteforce

Re: [SC-L] Disclosure: vulnerability pimps? or super heroes?

2007-03-06 Thread Blue Boar
Kenneth Van Wyk wrote: So, I applaud the public disclosure model from the standpoint of consumer advocacy. But, I'm convinced that we need to find a process that better balances the needs of the consumer against the secure software engineering needs. Some patches can't reasonably be produced

Re: [SC-L] Disclosure: vulnerability pimps? or super heroes?

2007-02-27 Thread Blue Boar
J. M. Seitz wrote: On a related note, does anyone have an example where Company A was disclosing vulnerabilities about competing Company B's product and got into trouble over it? Is this something that could be litigated? In fact, Tom Ptacek found a hole in one of Marcus' products while

Re: [SC-L] On exploits, hubris, and software security

2006-11-03 Thread Blue Boar
Gary McGraw wrote: The main thing I wonder is, what do you think? When you have a hot demonstration of an exploit, how do you responsibly release it? What role do such demonstrations play in moving software security forward? To pick one extreme, I believe there are times when intentionally

Re: [SC-L] bumper sticker slogan for secure software

2006-07-20 Thread Blue Boar
Gary McGraw wrote: And don't forget about the compiler you will no doubt have to use. Do you trust that? You might want to read Thompson's classic reflections on trusting trust. www.acm.org/classics/sep95 All your compilers are belong to us. While that is always a good read, I'm not

Re: [SC-L] Segments, eh Smithers?

2006-04-04 Thread Blue Boar
Crispin Cowan wrote: Of particular and critical interest at this juncture is segmented memory. Graybeards love segmented memory, and modern Linux kidz hate segmented memory. A close friend has observed to me that 100% of A1 evaluated operating systems (both of them :) used segmented memory. In

Re: [SC-L] Bugs and flaws

2006-02-03 Thread Blue Boar
David Crocker wrote: I don't think this analogy between software development and manufacturing holds. There are no manufacturing defects in software construction. For software: A design defect is when you correctly implement what you wanted, and you wanted the wrong thing. A manufacturing

Re: [SC-L] re: Why Software Will Continue to Be Vulnerable

2005-05-03 Thread Blue Boar
Bill Cheswick wrote: Probably like many of you, I'm the local friends-and-family computer fixit guy. My father has repeatedly asked why he should care that his computer is totally owned. I've told him that his CPU engine is blowing blue smoke all over the Internet, but that doesn't help.

Re: [SC-L] Application Insecurity --- Who is at Fault?

2005-04-07 Thread Blue Boar
Michael Silk wrote: See, you are considering 'security' as something extra again. This is not right. It is extra. It's extra time and effort. And extra testing. And extra backtracking and schedule slipping when you realize you blew something. All before it hits beta. Any solution that ends

Re: [SC-L] Programming languages used for security

2004-07-14 Thread Blue Boar
ljknews wrote: At 11:38 AM -0700 7/13/04, Blue Boar wrote: ljknews wrote: The environment with which I am most familiar is VMS, and tradition is what guides secure interfaces. Inner mode code _must_ probe any arguments provided from an outer mode, probe the buffers specified by descriptors

Re: [SC-L] Programming languages used for security

2004-07-13 Thread Blue Boar
ljknews wrote: The environment with which I am most familiar is VMS, and tradition is what guides secure interfaces. Inner mode code _must_ probe any arguments provided from an outer mode, probe the buffers specified by descriptors provided, etc. What do you do when you're handed a bad pointer?

[SC-L] Secure Coding Themes

2004-07-12 Thread Blue Boar
So in all the discussions, I think I'm seeing several main themes:
- Some holes are design or logic errors (possible in any language)
- Some holes are failures to code safely in a given language (language specific; possibly addressable by switching to a safer language)
- Some holes are harder to

Re: [SC-L] Education and security -- another perspective (was ACM Queue - Content)

2004-07-08 Thread Blue Boar
Jose Nazario wrote: rather than talking in a vacuum, make sure you've read the latest ACM/IEEE-CS curriculum guidelines: http://www.acm.org/education/curricula.html http://sites.computer.org/ccse/ Hrm. I checked both pages, and searched for "secur", and got nothing. I didn't click

Re: [SC-L] Education and security -- another perspective (was ACM Queue - Content)

2004-07-08 Thread Blue Boar
Fernando Schapachnik wrote: I smell a discussion going nowhere. What is the point of teaching a language? Teach them to program in a paradigm (better, in all of them, and give them the tools to make educated choices about which is better for each context), and choose any language as an *example*

Re: [SC-L] ACM Queue article and security education

2004-07-02 Thread Blue Boar
Peter Amey wrote: I'm not entirely sure I follow this. I _think_ you are saying: since we can't be sure that X is perfect (because it might have 5 remaining flaws) then there is no point in adopting it. You seem to be saying that it doesn't matter if X is _demonstrably_much_better_ than Y, if it

Re: [SC-L] ACM Queue article and security education

2004-07-01 Thread Blue Boar
ljknews wrote: I think it will be properly considered when the most strict portion of the software world is using language X. I have used many programs where the flaws in the program make it clear that I care not one whit about whether the authors of that program have an opinion about anything I