[SC-L] Countering Trusting Trust through Diverse Double-Compiling

2005-12-14 Thread David A. Wheeler
message to Bugtraq earlier, but I thought some of you might not have seen it.) --- David A. Wheeler ___ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter

[SC-L] 4 Questions: Latest IE vulnerability, Firefox vs IE security, User vs Admin risk profile, and browsers coded in 100% Managed Verifiable code

2006-03-27 Thread David A. Wheeler
such thinking is for customers to stop whining about security, and switch to products that actually supply it. When customers routinely say, No, I'll switch to another supplier with better security, we will have better security. --- David A. Wheeler

[SC-L] Re: Comparing Scanning Tools (false positives)

2006-06-12 Thread David A. Wheeler
that this would be true of modules INSIDE a software system. If one module has an unusually large density of vulnerability reports, even if they're all false positives I would start looking at that module more closely. --- David A. Wheeler

Re: [SC-L] Re: Comparing Scanning Tools (false positives)

2006-06-13 Thread David A. Wheeler
://www.cigital.com/papers/download/ieees_p98_2col.pdf --- David A. Wheeler

Re: [SC-L] Re: Comparing Scanning Tools (false positives)

2006-06-13 Thread David A. Wheeler
can guarantee it is a false positive, this is a very useful tool indeed :-) Indeed. Unfortunately, there seems to be a distinct shortage of software that will trigger the false positive :-) :-). --- David A. Wheeler

Re: [SC-L] darkreading: voting machines

2006-10-11 Thread David A. Wheeler
.) At no time was this DRE technology appropriate for use in voting, and the companies selling them would have known better had they done any examination of their real requirements. The voters were given a lemon, and they should have the right to get their money back. --- David A. Wheeler

[SC-L] Secure programming is NOT just good programming

2006-10-12 Thread David A. Wheeler
it right - the program is working AS DESIGNED. These programs are SPECIALLY DESIGNED to be insecure. And this was strongly argued as a GOOD programming practice. People just don't care. There, unfortunately, we agree. Though there's hope for the future. --- David A. Wheeler

Re: [SC-L] Compilers

2006-12-21 Thread David A. Wheeler
to change their language when it was realized that their language's design made it nearly impossible to be secure. I wish they'd take more steps, but on the other hand, other language communities are unwilling to take even small steps to eliminate sharp edges from their languages. --- David A. Wheeler

Re: [SC-L] Compilers

2006-12-28 Thread David A. Wheeler
the warning not report what it SHOULD report. It's a classic false positive vs. false negative problem for all static tools, made especially hard in languages where there isn't a lot of information to work with. --- David A. Wheeler

Re: [SC-L] temporary directories

2007-01-03 Thread David A. Wheeler
that languages that build on fopen() can do so. This doesn't work on at least old versions of NFS reliably, unfortunately. I believe that's been fixed, but I have not verified that. --- David A. Wheeler

Re: [SC-L] Economics of Software Vulnerabilities

2007-03-23 Thread David A. Wheeler
lots of review. Conversely, there are many OSS programs (and proprietary programs) that are absolute junk. So look before you leap. --- David A. Wheeler

[SC-L] Source code hiding doesn't work (was: Re: State Department break-in last summer)

2007-04-23 Thread David A. Wheeler
the information, could suddenly cause horrific vulnerabilities, without anyone realizing it. Better to avoid having the vulnerabilities in the first place. The trick is to get others to understand that. --- David A. Wheeler

Re: [SC-L] Interesting tidbit in iDefense Security Advisory 06.26.07

2007-06-28 Thread David A. Wheeler
, and would release code with vulnerabilities that WOULD be found by such tools. --- David A. Wheeler

Re: [SC-L] Interesting tidbit in iDefense Security Advisory 06.26.07

2007-06-28 Thread David A. Wheeler
, and what's worse, we lack a societal process to grow that pool of information. I've no idea how to fix that. --- David A. Wheeler

[SC-L] No general-purpose computer, or everything under surveillance?

2008-05-13 Thread David A. Wheeler
DOING this, but the opportunity is there. I do not think we need to give up our liberty just to obtain some security. Benjamin Franklin already explained what happens to such people. --- David A. Wheeler

Re: [SC-L] Language agnostic secure coding guidelines/standards?

2008-11-14 Thread David A. Wheeler
their mistake; I'm sure they're neither the first NOR last, and we can learn from them. --- David A. Wheeler