At 7:56 PM +0200 3/19/10, AK wrote:
It is way easier for attackers to reverse engineer desktop applications
than web applications. Assuming proper server configuration, it is next
to impossible for an attacker to get the server side source code or
compressed form (e.g. WARs) for a web
At 7:36 PM +0200 3/18/10, AK wrote:
Who says so, in the context of web applications?
I can see it (somewhat) from a desktop application
perspective, but how is this relevant in web apps?
Why should standards for a web application be different than
for a desktop application ?
--
Larry
At 10:43 AM -0600 1/7/10, Stephen Craig Evans wrote:
I am VERY curious to learn how these happened... Only using the last
digit of the year? Hard for me to believe. Maybe it's in a single API
and somebody tried to be too clever with some bit-shifting.
My wife says that in the lead-up to the
At 2:37 PM -0600 1/7/10, Wall, Kevin wrote:
Larry Kilgallen wrote...
At 10:43 AM -0600 1/7/10, Stephen Craig Evans wrote:
I am VERY curious to learn how these happened... Only using the last
digit of the year? Hard for me to believe. Maybe it's in a
single API
and somebody tried to be
At 4:33 PM -0500 10/1/09, Wall, Kevin wrote:
Professor Gernot Heiser, the John Lions Chair in Computer Science in
the School of Computer Science and Engineering and a senior principal
researcher with NICTA, said for the first time a team had been able to
prove with
At 8:47 AM -0700 8/27/09, Benjamin Tomhave wrote:
Should any sort of overflow really be allowed?
It is not, except by management decision (in choosing an unsafe
language).
--
Larry Kilgallen
___
Secure Coding mailing list (SC-L)
At 6:36 PM -0400 8/25/09, Steven M. Christey wrote:
Gary,
You said in the article:
The next category of attacks to expect are attacks that target defects in
design and architecture - which I call flaws.
I think it's already happening.
I think it has been happening for years. I use
At 8:39 AM -1000 7/28/09, Jim Manico wrote:
A quick note, in the Java world (obfuscation aside), the source and
binary is really the same thing. The fact that Fortify analyzes
source and Veracode analyzes class files is a fairly minor detail.
It seems to me that would only be true for
At 9:15 AM -0400 5/8/09, SC-L Reader Dave Aronson wrote:
ljknews ljkn...@mac.com wrote:
At 12:47 PM -0500 5/7/09, Brad Andrews wrote:
Quoting ljknews ljkn...@mac.com:
At 5:49 PM -0500 5/6/09, Brad Andrews wrote:
Try a few of the PC-Lint bugs, if you ever wrote C/C++ code.
They can be really
At 12:47 PM -0500 5/7/09, Brad Andrews wrote:
Quoting ljknews ljkn...@mac.com:
At 5:49 PM -0500 5/6/09, Brad Andrews wrote:
Try a few of the PC-Lint bugs, if you ever wrote C/C++ code.
They can be really hard to figure out,
And yet people keep choosing those programming languages
At 1:00 PM -0700 3/25/09, Andy Steingruebl wrote:
On Wed, Mar 25, 2009 at 10:18 AM, ljknews ljkn...@mac.com wrote:
Worry about enforcement by the hardware architecture after
you have squeezed out all errors that can be addressed by
software techniques.
Larry
At 9:03 PM -0500 11/26/08, Mark Rockman wrote:
OK. So you decide to outsource your programming assignment to Asia and
demand that they deliver code that is so locked down that it cannot
misbehave. How can you tell that what they deliver is truly locked down?
Will you wait until it gets hacked?
At 9:32 PM -0800 11/25/08, Brian Chess wrote:
Larry, I'm not sure I get your meaning. You say you don't think it's a
dry well, but then you say programmers ignore the privilege management
facilities at their disposal.
I mean they ignore it until security overseers (800.53a, PCI DSS,
8500.2
At 12:26 PM -0500 11/25/08, Mark Rockman wrote:
It would be difficult to determine a priori the settings for all the access
control lists and other security parameters that one must establish for
CAS to work. Perhaps a software assist would work according to the
following scenario. Run the program
At 11:09 AM -0600 10/30/08, Jonathan Leffler wrote:
Gary McGraw [EMAIL PROTECTED] wrote:
Here is a pointer to an article...
I'm getting 404 errors? I backed up
At 8:40 PM -0400 10/8/08, Sammy Migues wrote:
JavaScript is required on SurveyMonkey.
Thank you for the warning. It is amazing the number of
people who presume that security people are willing to
go to a website enabling cookies or JavaScript or worse.
Of course it is also amazing the number
At 7:21 PM -0400 8/24/08, [EMAIL PROTECTED] wrote:
The publisher of the web page is not in the security business,
they are in the publishing business. But how can I respect
their publishing expertise if they fail a simple automatic
test.
Well, I guess that most web developers are not
At 9:12 AM -1000 8/26/08, Jim Manico wrote:
How does xHTML help stop access control vulnerabilities?
Authorization issues? CSRF problems?
It is indicative of the caliber of the people who built
the site.
My immediate interest is that validation combats browser crashes.
I am not interested
At 10:43 PM -0400 6/30/08, Mary and Glenn Everhart wrote:
There is another reason I have seen quite often: you can't readily ask
the designer of
the code what it does when he is dead, or when he has left the company
(esp. if he works for a competitor).
When I participated (as author) in
At 9:44 AM -0400 6/30/08, Kenneth Van Wyk wrote:
Happy PCI-DSS 6.6 day, everyone. (Wow, that's a sentence you don't
hear often.)
http://www.internetnews.com/ec-news/article.php/3755916
In talking with my customers over the past several months, I always
find it interesting that the
At 1:00 PM -0400 5/1/08, Epstein, Jeremy wrote:
Ken, a good example. For those of you who want to reach much further
back, Paul Karger told me of a similar problem in the compiler (I don't
remember the language)
VAX Pascal, before VMS was on Alpha (and long before Itanium).
used for
At 3:12 PM -0400 5/1/08, Leichter, Jerry wrote:
The VAX VMM effort died with the announcement of the Alpha, in late 1992
- though obviously the death was decided internally once the move to
Alpha was decided, which would have been somewhat earlier. The origins
of the VAX VMM effort date back
At 8:14 AM -0500 4/11/08, Wall, Kevin wrote:
In the context, I think his concern was that in the past, the RSA
conferences were focused on infosec, and on cryptography in particular.
Apparently,
based on Stephen and gem's comments, it seems to have lost its focus. I think
that's all that
At 12:50 PM +0100 11/5/07, Paolo Perego wrote:
Hi guys, trying to improve the Owasp Orizon project in a better way, I
released a poll over my blog here:
http://thesp0nge.livejournal.com/5687.html
It would be great to have your feedback on your vision of code
review and safe coding as
At 12:13 AM -0400 11/2/07, Mark Rockman wrote:
The adolescent minds that engage in exploits wouldn't know COBOL if a
printout fell out a window and onto their heads. I'm sure you can write
COBOL programs that crash, but it must be hard to make them take control
of the operating system.
Of
At 4:11 PM +0100 11/2/07, Johan Peeters wrote:
Let me offer a little variant on the previous theme though to
illustrate, hopefully more convincingly, why I find COBOL worrisome:
...
01 txt pic x(2).
move 'hi' to txt
call
At 2:16 PM +0100 11/2/07, Johan Peeters wrote:
I have been looking at an IBM system. If I do something like this
...
01 txt PIC X(120).
string '**'
into txt
end-string
display
At 11:45 PM +0100 11/2/07, Florian Weimer wrote:
My limited exposure to Cobol makes me think it is as unlikely to have
a buffer overflow as PL/I or Ada.
Usually, Ada programmers switch off bounds checking before shipping
code. I don't know why Ada has such a reputation for robustness.
Can
At 9:16 PM +0100 11/1/07, Johan Peeters wrote:
I think this could do a great service to the community.
Recently I was hired by a major financial institution as a lead
developer. They said they needed me for some Java applications, but it
turns out that the majority of code is in COBOL. As I
http://www.dilbert.com/comics/dilbert/archive/images/dilbert2007071745828.gif
--
Larry Kilgallen
At 2:03 AM +0100 7/26/07, Dinis Cruz wrote:
It's a simple economics problem. The moment these companies and
developers lose sales (or market share) because their products require
admin / root privileges to run, is the moment they start to REALLY support
it.
For Windows that day might be when
At 8:53 AM -0700 7/18/07, McCown, Christian M wrote:
What do you tell a C-level exec in terms of h/c and time it will take to
fix web app vulnerabilities
At 9:50 AM -0400 7/19/07, McGovern, James F (HTSC, IT) wrote:
I would actually recommend AGAINST using prior track records for fixing
previous vulnerabilities because in all honesty they probably don't
track it. Most enterprises prioritize any type of defect based on the
importance as
At 4:38 PM -0400 6/27/07, Paco Hope wrote:
On 6/26/07 5:00 PM, McGovern, James F (HTSC, IT) [EMAIL PROTECTED] wrote:
Would there be value in terms of defining an XML schema that all tools could
emit audit information to?
You might want to take a look at what the Fortify guys already do.
At 9:00 AM -0400 6/11/07, Gary McGraw wrote:
If we assumed perfection at the implementation level (through better
languages, say), then we would end up solving roughly 50% of the
software security problem.
Clearly we need to make some progress at the architecture/design level
to attain
At 9:51 PM +0100 6/9/07, David Crocker wrote:
If instead we pay people to perform the more skilled tasks of establishing
requirements and specifying the systems to meet them, and use computers to
generate programs that meet the specifications, then such things as freedom
from
buffer
At 9:16 AM -0400 6/10/07, Robert C. Seacord wrote:
ljknews,
Yes, it is virtually impossible to get a serious runtime error in an Ada
program. For example:
http://www.youtube.com/watch?v=kYUrqdUyEpI
It amazes me that someone in a discussion of software security would point
to a page
At 8:33 AM -0400 6/9/07, der Mouse wrote:
Immunity from buffer overflows has been around for 30 years. The
fact that some set of developers choose to ignore the languages that
provide it does not make the next environment that provides it an
improvement for the industry.
I'd disagree - if
At 9:53 AM +0200 6/8/07, Stephen de Vries wrote:
On 8 Jun 2007, at 02:23, Steven M. Christey wrote:
More modern languages advertise security but aren't necessarily
catch-alls.
At the same time, the improvements in security made by managed code
(e.g. the JRE and .NET runtimes) for
At 12:01 PM +1200 5/10/07, Robin Sheat wrote:
On Wednesday 09 May 2007 02:11:05 ljknews wrote:
I would suggest two factor
At 9:29 AM -0400 3/30/07, Benjamin Tomhave wrote:
SOX has been a complete waste, imo. First, the majority of it was already
covered in existing law. Second, it really has nothing to do with security
from a practical standpoint. The only purpose SOX has served is to give
auditors another
At 8:55 AM -0400 3/20/07, Michael S Hines wrote:
I'm not sure what your sources are but from what I'm hearing and reading the
problem is that there are many missing drivers for what have become standard
peripherals that people are used to - and some of the vendors are reluctant
to develop new
At 5:20 PM +1100 1/25/07, Crispin Cowan wrote:
ljknews wrote:
My guess is that if a company actually is capable of analyzing
binary code they only do it for the highest volume instruction
sets.
They certainly will focus on larger markets first. If you want them to
focus on *your* market
At 1:52 PM -0500 1/22/07, Kenneth Van Wyk wrote:
Ok, last software security news item for today, I promise. :-) This
article (see
At 3:10 PM -0800 1/22/07, Blue Boar wrote:
ljknews wrote:
Analyzing source code is independent of machine architecture.
My guess is that if a company actually is capable of analyzing
binary code they only do it for the highest volume instruction
sets.
My guess is that attackers will go
At 8:45 AM -0500 12/30/06, Leichter, Jerry wrote:
[Moderator: This is likely beyond the point of general interest to sc-l]
Actually, I disagree, in that it seems to expose a set of vulnerabilities
not known even to language implementors.
On Fri, 29 Dec 2006, ljknews wrote
At 5:11 PM +0100 12/30/06, Florian Weimer wrote:
I gather you are saying that the innards of Unix will force creation
of an unwanted directory entry on the Ada implementation of the required
null name support for packagename.CREATE . The Ada implementation
could rely on exclusive access to
At 2:18 PM +0000 1/2/07, Peter Amey wrote:
[snip]
Isn't the whole basis of Spark a matter of adding proof
statements in the comments ? I don't think the general
compiler marketplace would go for that built-in to compilers.
After all:
1. The Praxis implementation can be used
At 9:46 AM -0500 1/2/07, McGovern, James F (HTSC, IT) wrote:
I read a recent press release in which a security vendor (names removed
to both protect the innocent along with the fact that it doesn't matter
for this discussion ) partnered with a prominent outsourcing firm. The
press release was
At 6:56 PM -0500 12/29/06, Leichter, Jerry wrote:
| Not on Unix, but I tend to use temporary names based on the Process ID
| that is executing. And of course file protection prevents malevolent
| access.
|
| But for a temporary file, I will specify a file that is not in any
| directory. I
At 3:44 PM +0000 11/15/06, Pete Shanahan wrote:
ljknews wrote:
At 8:18 PM -0600 11/14/06, Wall, Kevin wrote:
That makes Java inappropriate
for a lot of system-level programming tasks. Simple example: There's no
way in pure Java that I can lock a process in memory. Wrt this list
At 10:55 AM -0600 11/15/06, Wall, Kevin wrote:
Larry Kilgallen wrote:
At 8:18 PM -0600 11/14/06, Wall, Kevin wrote:
That makes Java inappropriate for a lot of
system-level programming tasks. Simple example: There's no
way in pure Java that I can lock a process in memory. Wrt this
At 10:31 PM +1100 11/13/06, mikeiscool wrote:
On 11/13/06, Glenn and Mary Everhart [EMAIL PROTECTED] wrote:
If there is some construct that NEEDS to be interpreted to gain something, it
can be justified on that basis. Using interpretive runtimes just to link
languages, or just to achieve
At 10:47 AM -0500 11/6/06, der Mouse wrote:
I read this thread and I am a little afraid. I'm just ahead of a
complete rewrite of my program. The previous code was written in
pure C (with an OOP look-alike somewhere).
Perhaps I'm missing something. Why do you have to abandon C? You
At 9:08 PM -0500 10/31/06, Ben Corneau wrote:
C and C++ are very different. Using C++ like C is arguably unsafe, but when
it's used as it was intended can't C++ too be considered for secure
programming?
What assurance does upper management have that C++ was used as it was
intended rather than
At 12:11 PM -0400 10/13/06, James Walden wrote:
you really have to use C because it's the only thing that will do,
That seems extremely improbable.
--
Larry Kilgallen
At 9:46 PM +0200 7/20/06, Florian Weimer wrote:
* Pascal Meunier:
But it's true for stupid bugs like buffer overflows and format string
vulnerabilities, in which we're still swimming, and the proof is the fact
that those aren't possible in some languages.
Could you name a few such language
At 3:27 PM -0400 7/15/06, Goertzel Karen wrote:
I've been struggling for a while to synthesise a definition of secure
software that is short and sweet, yet
At 2:32 PM -0400 6/9/06, Jeremy Epstein wrote:
Having said that, it's completely at odds compared to what I see working
for an ISV of a non-security product. That is, I almost never have
prospects/customers ask me what we do to assure our software.
I don't even get those questions for our
At 10:38 AM -0400 6/2/06, McGovern, James F (HTSC, IT) wrote:
Figured I would ask the list a question that I haven't figured out the
answer to. How have other enterprises that seek architects and developers
knowledgeable in secure coding software development practices articulated
it to their
At 11:12 AM -0400 5/4/06, Kenneth R. van Wyk wrote:
Stories about this (below) X bug and the DHS-sponsored project that found it
At 9:02 AM -0700 4/3/06, Crispin Cowan wrote:
That second question is actually pretty technically deep. What is so
different about paged memory systems that makes them harder to secure
than segmented memory systems? My conjecture: it is the granularity of
the memory blobs. Consider:
*
At 2:34 AM +0100 3/27/06, Dinis Cruz wrote:
PS: For the Microsofties that are reading this (if any) sorry for
the irony and I hope I am not offending anyone, but WHEN are you going
to join this conversation? (i.e. reply to these posts)
I can only see 4 reasons for your silence: a) you
At 11:39 AM +0000 3/25/06, Dinis Cruz wrote:
3) Since my assets as a user exist in user land, isn't the risk profile
of malicious unmanaged code (deployed via IE/Firefox) roughly the same
if I am running as a 'low privileged' user or as administrator? (at the
If the administrator's assets are
At 12:35 PM -0500 3/5/06, William L. Anderson wrote:
My question is whether it's more accurate to say secure their network
rather than encrypt. I'm not clear myself about the meaning of these
terms; I think of encryption as being one way to make a network secure.
Another way that was
At 6:04 AM -0800 3/6/06, Jeremy Epstein wrote:
Encryption is one way to secure the *transport* on the network (subject to
various caveats about appropriate use of crypto, trust issues, etc.). I'd
strongly disagree with anyone who says that encryption makes a network
secure - because people
The US Department of Homeland Security seems to be sponsoring a web site
at https://buildsecurityin.us-cert.gov/portal/ , devoted to construction
of quality software.
But feeding that URL to http://validator.w3.org/ produces a list of 277
HTML errors on that software quality page :-)
No, I don't
At 1:33 AM -0800 12/14/05, Crispin Cowan wrote:
Smashguard, if I recall correctly, offers approximately the protection
of existing compiler methods, but with the added fun of requiring
modified (non-existent) hardware.
The referenced hardware in the IEEE article and the intel.com pages
At 9:28 AM -0800 12/13/05, Ron Forrester wrote:
On 12/13/05, Kenneth R. van Wyk [EMAIL PROTECTED] wrote:
The detection mechanism seems to be looking primarily for non-OS
software modifying OS-inhabited memory blocks. Wonder how they're defining
(and maintaining the definition) of
At 11:54 AM +0100 8/9/05, Nick Murison wrote:
(Yes, this is a shameless plug)
Good morning everyone,
Seeing as the storm after BlackHat has settled a little, I thought it'd be nice
to see what people had decided about Michael Lynn's presentation. Was he
right to go ahead with it, or was it
At 9:55 AM -0400 7/19/05, Mark Curphey wrote:
If you fancy yourself as a good code reviewer you can play spot the bug at
MSDN. They will be getting harder !
http://msdn.microsoft.com/security/
The overarching bug seems to be the assertion that there is only one bug,
since those offering comments
At 11:00 AM -0500 5/11/05, Gizmo wrote:
Maybe I don't fully understand the concept of Single Sign-On.
As I understand it, SSO allows a user to login to an application portal, and
all of the applications that user accesses via that portal know who the user
is and what rights they have within their
At 11:28 AM -0400 5/11/05, Goertzel Karen wrote:
Of course, and SSO is only as secure as (1) the assurance of the
credential on which it bases its authentication decisions (a static
password with an SSO is a really STUPID idea);
That depends on the security of the channel between the user and
At 8:05 AM -0400 5/2/05, Kenneth R. van Wyk wrote:
Yet, despite that pessimistic outlook -- and the survey that
forked this thread -- I do think that companies are demanding
more in software security, even though consumers are not.
Companies value time spent on cleanup more than consumers do.
At 4:21 PM -0400 4/11/05, Dave Paris wrote:
Joel Kamentz wrote:
Re: bridges and stuff.
I'm tempted to argue (though not with certainty) that it seems that the
bridge analogy is flawed
in another way --
that of the environment. While many programming languages have similarities
and many
At 8:23 AM -0400 10/15/04, Kenneth R. van Wyk wrote:
I believe that we don't do enough to analyze and learn from software failures.
I believe the industry as a whole does plenty to analyze software
failures, particularly considering how little is done to avoid
those errors. Added analysis in
At 10:37 AM -0400 9/10/04, Kenneth R. van Wyk wrote:
FYI, ComputerWorld is running an interesting interview with Theo de Raadt, on
the state of software security, and OpenBSD in particular. See
http://www.computerworld.com.au/index.php/id;1498222899;fp;16;fpid;0 for the
complete text.
He
At 2:25 PM +0930 8/2/04, Nick Lothian wrote:
What features make Ada safer than Java/C#? (I only have limited experience
with Ada but from memory there was nothing that jumps out at me as something
that Java lacks)
Quoting from Tucker Taft in
At 1:03 PM +0930 8/1/04, Nick Lothian wrote:
IMHO, though, any such effort is pointless. The reality is
that we're going
to be stuck with C/C++, Java, C#, FORTRAN, COBOL, and various
interpreted/scripting languages for a very long time.
What are people's opinions of the languages listed
At 10:39 AM -0700 7/14/04, Blue Boar wrote:
ljknews wrote:
At 11:38 AM -0700 7/13/04, Blue Boar wrote:
ljknews wrote:
The environment with which I am most familiar is VMS, and tradition
is what guides secure interfaces. Inner mode code _must_ probe any
arguments provided from an outer mode
At 5:30 PM -0600 7/12/04, Jared W. Robinson wrote:
I read the paper, and found it interesting. I read the statistic 50
percent of security problems are the result of design flaws. Where does
that number come from? Experience?
I would say it comes from sloppy wording.
At best, the author might
At 3:55 PM -0700 7/10/04, Crispin Cowan wrote:
However, I think I do see a gap between these extremes. You could have
a formal specification that can be mechanically transformed into a
*checker* program that verifies that a solution is correct, but cannot
actually generate a correct solution.
At 8:49 AM -0500 7/9/04, Wall, Kevin wrote:
If a GENERAL PURPOSE programming language were designed by
scratch by someone who was both a security expert and
programming language expert, what would this language (and
its environment) look like?
More specifically,
+ What set
At 2:26 PM +0100 7/9/04, David Crocker wrote:
And much as I dislike Ada, I have to admit that if you don't
intend to use dynamic binding and don't need the low-level features of C,...
Which are those low-level features not available with Ada ?
The C compilers I have used claim to be
At 9:40 AM -0400 7/7/04, James Walden wrote:
Dana Epp wrote:
Of course, I also think students should have to take at least one course in ASM to
really understand how computer instructions work, so they can gain a foundation of
learning for the heart of computer processing. And
I think they
At 1:02 PM -0700 7/1/04, Blue Boar wrote:
ljknews wrote:
I think it will be properly considered when the most strict portion
of the software world is using language X. I have used many
programs where the flaws in the program make it clear that I care not
one whit about whether the authors
At 9:10 AM -0700 7/1/04, Blue Boar wrote:
Language X may very well be a much better starting point, I don't know. I do believe
that it will never be properly looked at until the whole world starts using it for
everything, though.
I think it will be properly considered when the most strict
At 8:10 PM -0400 6/29/04, James Walden wrote:
While there are non-university classes and workshops that teach software security, I
doubt that a majority of developers have attended even one such class. Software
security has to be integrated into the CS curriculum before we can expect a
At 9:16 AM -0500 6/11/04, Michael S Hines wrote:
IBM had Language Environment (LE) before .NET came along.
What is Language Environment (for either of those) ?
At 9:11 AM -0400 6/9/04, Gary McGraw wrote:
Language makes a huge difference, especially in the realm of bugs. So not using C
and C++ is smart. Use Java or C# instead.
Or Ada, or PL/I, or Pascal, or Eiffel, etc.
There are _lots_ of choices out there.
At 1:10 PM -0400 6/8/04, Jose Nazario wrote:
thought some of you may find this editorial from the May 04 ACM Queue
worth a read. ACM Queue is an interesting magazine and has a website at
acmqueue.org.
Buffer Overrun Madness
ACM Queue vol. 2, no. 3 - May 2004
by Rodney Bates, Wichita State
At 10:09 AM -0500 4/1/04, Gary McGraw wrote:
Hi all,
I have done lots of soul searching lately and have come to the
conclusion that trying to make software secure is not worth the effort.
I think instead we should concentrate more effort on protection
technologies such as advanced stateful
At 11:14 AM -0700 3/10/04, Jared W. Robinson wrote:
Seems to me that the average user application doesn't need to open
TCP/UDP ports for listening.
Fixed in a previous major protocol stack.
Doing the equivalent on DECnet requires privilege.
At 5:58 PM -0600 2/27/04, Alun Jones wrote:
Microsoft has a lot of code to contend with, and much of it is old - so a
lot of it has had to be scrubbed clean of imperfections, and some has had to
be re-written.
A few years ago I heard the problem described as the opposite - that for
Windows