Re: [SC-L] Insecure Software Costs US $180B per Year - Application and Perimeter Security News Analysis - Dark Reading

2007-11-30 Thread Leichter, Jerry
| Just as a traditional manufacturer would pay less tax by | becoming greener, the software manufacturer would pay less tax | for producing cleaner code, [...] | | One could, I suppose, give rebates based on actual field experience: | Look at the number of security problems

Re: [SC-L] Insecure Software Costs US $180B per Year - Application and Perimeter Security News Analysis - Dark Reading

2007-11-29 Thread Leichter, Jerry
| FYI, there's a provocative article over on Dark Reading today. | http://www.darkreading.com/document.asp?doc_id=140184 | | The article quotes David Rice, who has a book out called | Geekconomics: The Real Cost of Insecure Software. In it, he tried | to quantify how much insecure software costs

Re: [SC-L] OWASP Publicity

2007-11-16 Thread Leichter, Jerry
| ...I've never understood why it is that managers who would never dream | of second-guessing an electrician about electrical wiring, a | construction engineer about wall bracing, a mechanic about car | repairs, will not hesitate to believe - or at least act as though they | believe - they know

Re: [SC-L] Really dumb questions?

2007-08-30 Thread Leichter, Jerry
| Most recently, we have met with a variety of vendors including but not | limited to: Coverity, Ounce Labs, Fortify, Klocwork, HP and so on. In | the conversation they all used interesting phrases to describe they | classify their competitors value proposition. At some level, this has | managed

Re: [SC-L] Interesting tidbit in iDefense Security Advisory 06.26.07

2007-06-28 Thread Leichter, Jerry
On Thu, 28 Jun 2007, J. M. Seitz wrote: | Hey there, | | If you couldn't insert ignore directives, many people | wouldn't use such tools at all, and would release code with | vulnerabilities that WOULD be found by such tools. | | Of course, much like an IDS, you have to find the baseline

Re: [SC-L] What's the next tech problem to be solved in software security?

2007-06-08 Thread Leichter, Jerry
On Thu, 7 Jun 2007, Steven M. Christey wrote: | On Wed, 6 Jun 2007, Wietse Venema wrote: | | more and more people, with less and less experience, will be | programming computer systems. | | The challenge is to provide environments that allow less experienced | people to program computer

Re: [SC-L] temporary directories

2007-01-02 Thread Leichter, Jerry
, Leichter, Jerry wrote: | | | Not on Unix, but I tend to use temporary names based on the Process ID | | that is executing. And of course file protection prevents malevolent | | access. | | | | But for a temporary file, I will specify a file that is not in any | | directory. I presume

Re: [SC-L] Compilers

2007-01-02 Thread Leichter, Jerry
| ...P.S. Please watch for the unfortunate word wrap in the URL of my | original post. The broken link still works but goes to thw wrong place! Now, *there's* an interesting hazard! One can imagine some interesting scenarios where this could be more than unfortunate. At the least, it could be

Re: [SC-L] Compilers

2006-12-29 Thread Leichter, Jerry
| I _strongly_ encourage development with maximal warnings turned on. | However, this does have some side-effects because many compilers | give excessive spurious warnings. It's especially difficult to | do with pre-existing code (the effort can be herculean). Agreed. Writing for maximum freedom

Re: [SC-L] re-writing college books - erm.. ahm...

2006-11-05 Thread Leichter, Jerry
Much as I agree with many of the sentiments expressed in this discussion, there's a certain air of unreality to it. While software has it's own set of problems, it's not the first engineered artifact with security implications in the history of the world. Bridges and buildings regularly

Re: [SC-L] Apple Places Encrypted Binaries in Mac OS X

2006-11-03 Thread Leichter, Jerry
| Here's a somewhat interesting link to an eweek article that discusses | Apple's use of encryption to protect some of its OS X binaries: | http://www.eweek.com/article2/0,1895,2050875,00.asp | | Of course, encrypting binaries isn't anything new, but it's | interesting (IMHO) to see how it's

Re: [SC-L] Apple Places Encrypted Binaries in Mac OS X

2006-11-03 Thread Leichter, Jerry
BTW, an interesting fact has been pointed out by Amit Singh, author of a book describing Mac OS X internals: The first generation of x86-based Mac's - or at least some of them - contained a TPM chip (specifically, the Infineon SKB 9635 TT 1.2. However, Apple never used the chip - in fact, they

Re: [SC-L] Why Shouldn't I use C++?

2006-11-01 Thread Leichter, Jerry
| From time to time on this list, the recommendation is made to never | user C++ when given a choice (most recently by Crispin Cowan in the | re-writing college books thread). This is a recommendation I do not | understand. Now, I'm not an expert C++ programmer or Java or C# | programmer and as

Re: [SC-L] Secure programming is NOT just good programming

2006-10-12 Thread Leichter, Jerry
| The only way forward is by having the *computer* do this kind of | thing for us. The requirements of the task are very much like those | of low-level code optimization: We leave that to the compilers today, | because hardly anyone can do it well at all, much less competitively | with

Re: [SC-L] Retrying exceptions - was 'Coding with errors in mind'

2006-09-06 Thread Leichter, Jerry
| Oh, you mean like the calling conventions on the IBM Mainframe where a dump | produces a trace back up the call chain to the calling program(s)? Not to | mention the trace stack kept within the OS itself for problem solving | (including system calls or SVC's as we call them on the mainframe).

Re: [SC-L] Coding with errors in mind - a solution?

2006-09-05 Thread Leichter, Jerry
[Picking out one minor point:] | [Exceptions] can simplify the code because | -as previously mentioned by Tim, they separate error handling from normal | logic, so the code is easier to read (it is simpler from a human reader's | perspective). I have found bugs in my own code by going from error

Re: [SC-L] Retrying exceptions - was 'Coding with errors in mind'

2006-09-01 Thread Leichter, Jerry
On Fri, 1 Sep 2006, Jonathan Leffler wrote: | Pascal Meunier [EMAIL PROTECTED] wrote: | Tim Hollebeek [EMAIL PROTECTED] wrote: | (2) in many languages, you can't retry or resume the faulting code. | Exceptions are really far less useful in this case. | | See above. (Yes, Ruby supports