[SC-L] Unreal IRCd backdoor

2010-06-14 Thread Gadi Evron
Very interesting post by Fyodor: http://seclists.org/nmap-dev/2010/q2/826 Gadi. ___ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at -

Re: [SC-L] Fully Countering Trusting Trust through Diverse Double-Compiling

2009-11-04 Thread Gadi Evron
Wheeler, David A wrote: Gadi Evron said: David, this is very cool indeed. Thank you for sharing, and a lot of luck! Thanks! I'd like to note in a semi-related fashion that the concept of trusting trust, while in the original paper limited to the compiler case, is a generic concept

Re: [SC-L] Supply Chain Resiliency Project Assistance

2009-03-22 Thread Gadi Evron
On Sun, 22 Mar 2009, Gary McGraw wrote: hi sc-l, For what it's worth, I am involved in the project with jmr...as is Sammy Migues. jmr was our BSIMM participant from DTCC. Their software security initiative is most impressive. I don't know TOO much about supply chain issues, but I

[SC-L] Secure Development World ?

2008-03-14 Thread Gadi Evron
I am trying to understand if this conference is cancelled or not?

[SC-L] [fuzzing] the future of fuzzing [was: Rcov] (fwd)

2007-03-27 Thread Gadi Evron
I didn't want to cross-post to another list, but sending here if the moderator finds this post useful. -- Forwarded message -- Date: Mon, 26 Mar 2007 19:05:58 -0500 (CDT) From: Gadi Evron [EMAIL PROTECTED] To: Kowsik [EMAIL PROTECTED] Cc: [EMAIL PROTECTED], dailydave

Re: [SC-L] Full Disclosure: Fuzzled - Perl fuzzing framework

2007-03-26 Thread Gadi Evron
On Mon, 26 Mar 2007, Kenneth Van Wyk wrote: FYI, I saw this tool announcement and thought some folks here might find it useful. It's a free perl-based fuzzing framework written by Tim Brown. Follow the link to find the download site.

Re: [SC-L] Economics of Software Vulnerabilities

2007-03-13 Thread Gadi Evron
lists and im still hearing gadi - HD Moore to Gadi Evron on IM, on Gadi's interview on npr, March 2007.

Re: [SC-L] Economics of Software Vulnerabilities

2007-03-12 Thread Gadi Evron
On Mon, 12 Mar 2007, Crispin Cowan wrote: Ed Reed wrote: For a long time I thought that software product liability would eventually be forced onto developers in response to their long-term failure to take responsibility for their shoddy code. I was mistaken. The pool of producers (i.e.,

[SC-L] Luis Miras on automated exploit detection in binaries at CCC

2007-01-02 Thread Gadi Evron
CCC was amazing, and here is the video for one of the lectures. http://video.google.com/videoplay?docid=-5897236579900914407q=23c3

[SC-L] it's Y2K, no, it's 32 bit unix time, no, it's slashdot!

2006-11-09 Thread Gadi Evron
[X-posted to the funsec mailing list] http://slashdot.org/articles/06/11/09/1534204.shtml 2^24 comments ought to be enough for anyone -- CmdrTaco Slashdot Posting Bug Infuriates Haggard Admins Posted by CmdrTaco on Thursday November 09, @10:45AM from the this-is-never-good dept.

Re: [SC-L] Fwd: re-writing college books - erm.. ahm...

2006-11-07 Thread Gadi Evron
On Mon, 6 Nov 2006, Julie J.C.H. Ryan wrote: Folks, I've been forwarding select messages from this listserv to my nephews, who are undergrads in CS at some fairly renowned universities, which shall remain nameless cause it would embarrass the heck out of them to have the following

Re: [SC-L] Fwd: re-writing college books - erm.. ahm...

2006-11-07 Thread Gadi Evron
On Wed, 8 Nov 2006, Robin Sheat wrote: It is important to note that there is no goal of teaching students to go off and be safe programmers. Computer science is seen to a reasonable extent to be a theoretical pursuit. Algorithms are covered, GC methods, heuristical searches, and so on.

Re: [SC-L] Fwd: re-writing college books - erm.. ahm...

2006-11-07 Thread Gadi Evron
On Tue, 7 Nov 2006, Matt Bishop wrote: Folks, A comment based on an idea we tried here. Well, I never received any replies here on what's already being done.. so now, I am asking for ideas on how we can approach schools. What's needed, in order for basic CS classes to have a

Re: [SC-L] re-writing college books - erm.. ahm...

2006-11-06 Thread Gadi Evron
On Sun, 5 Nov 2006, Leichter, Jerry wrote: Much as I agree with many of the sentiments expressed in this discussion, there's a certain air of unreality to it. While software has its own set of problems, it's not the first engineered artifact with security implications in the history of the

Re: [SC-L] re-writing college books - erm.. ahm...

2006-10-30 Thread Gadi Evron
On Sun, 29 Oct 2006, Robert C. Seacord wrote: Gadi, I feel like I've been here before, but I'll give it another shot anyway. Okay, then let's make some progress: 1. Where and who is currently involved with doing this? 2. What are they doing? 3. Can we use their experience to make it

Re: [SC-L] re-writing college books - erm.. ahm...

2006-10-29 Thread Gadi Evron
On Sat, 28 Oct 2006, Crispin Cowan wrote: Gadi Evron wrote: So, dump C, Use SML, What secure coding classes are you doing? and we are already doing it!! are the responses I got when I started this thread. What did you expect from whining about the generally poor quality of software

Re: [SC-L] re-writing college books [was: Re: A banner year for software bugs | Tech News on ZDNet]

2006-10-12 Thread Gadi Evron
. This community is perfect for this job. Gadi. gem -Original Message- From: Gadi Evron [mailto:[EMAIL PROTECTED] Sent: Wed Oct 11 20:58:12 2006 To: Kenneth Van Wyk Cc: Secure Coding Subject: [SC-L] re-writing college books [was: Re: A banner year for software bugs

[SC-L] re-writing college books [was: Re: A banner year for software bugs | Tech News on ZDNet]

2006-10-11 Thread Gadi Evron
So, how can we edit current basic programming college books to present secure code, a couple of words of the correct way of doing things, and a whole new chapter on secure coding (which may be redundant?) How do we start? Some Whiley book for introduction to CS? Any volunteers to get this on

Re: [SC-L] Google code search games

2006-10-08 Thread Gadi Evron
on the daily WTF, where they do more funny searches: http://thedailywtf.com/forums/thread/94630.aspx On 10/5/06, Gadi Evron [EMAIL PROTECTED] wrote: playing with Google Code Search, as Lev Toger just wrote: Google released a code search engine to catch up with Krugle, Koders

Re: [SC-L] Google code search games

2006-10-05 Thread Gadi Evron
Another guy just wrote some more fun keywords to search for: http://blogs.securiteam.com/index.php/archives/661 On Thu, 5 Oct 2006, Gadi Evron wrote: playing with Google Code Search, as Lev Toger just wrote: Google released a code search engine to catch up with Krugle, Koders, and Codease

Re: [SC-L] Web Services vs. Minimizing Attack Surface

2006-08-15 Thread Gadi Evron
ou get to play with the code, in some cases anyway. Other than that and the fact the code runs, mostly, locally, there is no difference. The one major difference is that with some services, the vulnerability is local as everybody builds their own. The main issue here is that web services allow

[SC-L] Google Auditing

2006-07-20 Thread Gadi Evron
Hi guys! A few days ago, following the announcements by Dan from Websense and then HD, I wrote a post covering what they have done and what the future may hold for Google hacking for security purposes. http://blogs.securiteam.com/index.php/archives/513 Today a guy posted a blog on using the

Re: [SC-L] Bumper sticker definition of secure software

2006-07-18 Thread Gadi Evron
On Mon, 17 Jul 2006, Rajeev Gopalakrishna wrote: Reliability is concerned only with accidental failures while security has to consider malicious attacks as well. The difference is in the intent of the software user: benign or malicious. And for a bumper sticker, here is one for the

Re: [SC-L] Bumper sticker definition of secure software

2006-07-17 Thread Gadi Evron
On Mon, 17 Jul 2006, Peter G. Neumann wrote: Forget the bumper sticker approach. Hey Peter. :) Well, one should forget the bumper-sticker approach if all us boring dry guys keep trying to explain to people how math works. Instead, telling them: 1+1=? Didn't learn math, eh? Is bumper-sticker

Re: [SC-L] ddj: beyond the badnessometer

2006-07-14 Thread Gadi Evron
On Fri, 14 Jul 2006, Daniele Muscetta wrote: On 7/13/06, Gary McGraw [EMAIL PROTECTED] wrote: 3) never use the results of a pen test as a punch list to attain security You are right, but very sadly, that's how it gets used by a lot of companies hey, the pen testers found

Re: [SC-L] ddj: beyond the badnessometer

2006-07-13 Thread Gadi Evron
On Thu, 13 Jul 2006, Gary McGraw wrote: Hi all, Is penetration testing good or bad? http://ddj.com/dept/security/18951 It's great, but penetration testing of the network assessment types is useless as it takes a picture of what the network looks like TODAY, while tomorrow it's a

[SC-L] Baking Security In - Microsoft dev security training

2006-07-07 Thread Gadi Evron
http://softwaredev.itbusinessnet.com/articles/viewarticle.jsp?id=47176 Gadi.

Re: [SC-L] HNS - Biggest X Window security hole since 2000

2006-05-04 Thread Gadi Evron
On Thu, 4 May 2006, Kenneth R. van Wyk wrote: Stories about this (below) X bug and the DHS-sponsored project that found it have been floating around the net all week. This story caught my eye, though: http://www.net-security.org/secworld.php?id=3994 The author claims, This flaw, caused

Re: [Owasp-dotnet] Re: [SC-L] Is there any Security problem in Ajax technology?

2006-03-16 Thread Gadi Evron
George Capehart wrote: Yvan Boily wrote: Hi George, I think a much more eloquent form of what you are saying is that validation must be performed each time data crosses a security boundary. Hello Yvan, I absolutely agree. Wish I'd said it myself . . . :) In other words, it's just

[SC-L] static analysis you say?

2006-02-09 Thread Gadi Evron
Just last month Greta Yorsh, fresh from work in Microsoft Research over in the US lectured to us on something related in TAUSEC (http://www.cs.tau.ac.il/tausec - in Hebrew). - Title: Testing, Abstraction, Theorem Proving: Better Together. We present a method for static program analysis

Re: [SC-L] ZDNet: Microsoft to hunt for new species of Windows bug

2006-01-10 Thread Gadi Evron
Steven M. Bellovin wrote: I like this line: This kind of threat has not been anticipated before, from Microsoft. Mobile code hasn't been anticipated? C'mon! I think they meant 'features that allow you to execute code have not been seen as a security issue before.' We have no idea where and

Re: [SC-L] Intel turning to hardware for rootkit detection

2005-12-13 Thread Gadi Evron
http://www.eweek.com/article2/0,1895,1900533,00.asp Gee this sounds just like virus wars, using add-on products to make up for weakness in the operating system. A reliable operating system would not permit such modifications in the first place Whatever happened with Intel NX technology?

[SC-L] [Fwd: DJB's students release 44 *nix software vulnerability advisories]

2004-12-18 Thread Gadi Evron
[Ed. Cross-posted from Bugtraq... KRvW] Subject: DJB's students release 44 *nix software vulnerability advisories Date: Thu, 16 Dec 2004 01:47:12 -0800 Message-ID: [EMAIL PROTECTED] From: Thor Larholm [EMAIL PROTECTED] To: [EMAIL PROTECTED] Widely deployed open source software is commonly