RE: [SC-L] Re: White paper: Many Eyes - No Assurance Against Ma ny Spies

2004-05-03 Thread Jeremy Epstein
Crispin said: But taking the remark seriously, it says that you must not trust anything that you don't have source code for. The point of Thompson's paper is that this includes the compiler; having the source code for the applications and the OS is not enough, and even having the

RE: [SC-L] Programming languages used for security

2004-07-12 Thread Jeremy Epstein
der Mouse is correct. I recall a product from the early 80s called The Last One. There was an advertisement for the product on Prof Doug Comer's door when I was a grad student at Purdue... the claim was that this product made designing applications so simple that you'd never have to program

RE: [SC-L] Top security papers

2004-08-09 Thread Jeremy Epstein
There's lots of interesting papers; I couldn't begin to select a top 10. But for an answer to this question from the late 90s, take a look at the UC Davis collection available at http://csrc.nist.gov/publications/history/index.html Also a plug: every year the Annual Computer Security Applications

RE: [SC-L] certification for engineers/developers?

2005-03-23 Thread Jeremy Epstein
The Great Australian Ice Creamery might be as effective as CISSP for software engineers. I was wondering whether it was accidental or intentional that Ed Rohwer suggested defiantly looking at CISSP. Defiantly: in a rebellious manner or boldly resisting. [Ed. Thanks for the laugh, Jeremy! KRvW]

RE: [SC-L] Question about the terms encypt and secure

2006-03-06 Thread Jeremy Epstein
Encryption is one way to secure the *transport* on the network (subject to various caveats about appropriate use of crypto, trust issues, etc.). I'd strongly disagree with anyone who says that encryption makes a network secure - because people interpret that to mean if I encrypt the network, I

RE: [SC-L] RE: Comparing Scanning Tools

2006-06-09 Thread Jeremy Epstein
Title: Re: [SC-L] RE: Comparing Scanning Tools At the RSA Conference in February, I went to a reception hosted by a group called "Secure Software Forum"(not to be confused with the company Secure Software Inc, which offers a product competitive to Fortify). They had a panel session where

Re: [SC-L] darkreading: voting machines

2006-10-10 Thread Jeremy Epstein
Gary, Interesting point. I'm on the Virginia state commission charged with making recommendations around voting systems, and we watched the Princeton video as part of our most recent meeting. The reaction from the election officials was amusing and scary: if this is so real, why don't you hack

Re: [SC-L] FW: Good Magazines and Books

2007-01-31 Thread Jeremy Epstein
Having lurked on this list for a while, I'll chime in. The answer depends on what you're trying to learn. If your goal is latest thinking, concepts, etc., I agree with GEM that IEEE SP is best. If you want to know about the latest products, what's going on in the market, try Information

[SC-L] Catching up, and some retrospective thoughts

2007-04-24 Thread Jeremy Epstein
Gonzales or anyone else tapping my phone. --Jeremy Jeremy Epstein Senior Director, Product Security Performance P 703.460.5852 | C 703.989.8907 | F 703.460.2599 | W 202.456. AIM jeremyepstein | Skype jjepstein www.webMethods.com ___ Secure Coding

[SC-L] Goodbye to faulty software?

2008-07-19 Thread Jeremy Epstein
Saw this article: http://cordis.europa.eu/ictresults/popup.cfm?section=newstpl=articleID=89864AutoPrint=True, and was wondering if anyone on this list knows anything about the project or Dr Bengt Nordström at Chalmers University in Göteborg Sweden. Sounds to me like they're reinventing all the

[SC-L] Announcing LAMN: Legion Against Meaningless certificatioNs

2009-03-18 Thread Jeremy Epstein
Colleagues, I'm pleased to announce the creation of LAMN, the Legion Against Meaningless certificatioNs. If you don't have a CISSP, CISM, MCSE, or EIEIO - and you're proud of it - this group is for you. You can join LAMN on LinkedIn by searching in the groups area. Unlike so many other

Re: [SC-L] Announcing LAMN: Legion Against Meaningless certificatioNs

2009-03-19 Thread Jeremy Epstein
On Thu, Mar 19, 2009 at 11:14 AM, Benjamin Tomhave list-s...@secureconsulting.net wrote: gee whiz, what if you have letters after your name that aren't meaningless certifications (like MS or PhD)? :) Paragraph 13.4 subsection (B)(iv) of the LAMN bylaws allows earned degrees, but only if you

Re: [SC-L] The Importance of Type Safety

2009-03-24 Thread Jeremy Epstein
This is kind of a funny discussion, to those of us over a certain age. When I was a young-un :-), the argument was that you couldn't write real software in a high level language like C because it was too inefficient compared to assembly language, and you lost flexibility since you didn't have

Re: [SC-L] Certified Application Security Specialists

2009-04-01 Thread Jeremy Epstein
The cat's out of the bag. LAMN is being acquired by ASSCERT we decided that some certifications *are* valid. On Wed, Apr 1, 2009 at 11:25 AM, SC-L Reader Dave Aronson securecoding2d...@davearonson.com wrote: Y'all- I think I've finally found the right certification for me! Check out the

Re: [SC-L] RSA panel

2009-04-15 Thread Jeremy Epstein
I'm also doing a panel on security in voting systems. Podcast at https://365.rsaconference.com/blogs/podcast_series_rsa_conference_2009/2009/04/15/jeremy-epstein-rr-107-technology-lessons-learned-from-election-2008 Hope to see many of you at the panel - Tue @ 410pm. --Jeremy On Wed, Apr 15

Re: [SC-L] RSA panel

2009-04-16 Thread Jeremy Epstein
RSA records all the sessions and makes the recordings available for purchase at some exorbitant fee. On 4/15/09, Brad Andrews andr...@rbacomm.com wrote: Are any of these going to be recorded? That would help those of us with no travel budget or time. :) Brad Quoting Gary McGraw

[SC-L] Seeking vulnerable server-side scripts

2009-05-06 Thread Jeremy Epstein
Greetings, I'm experimenting (on paper initially) with a technique for improving resiliency of web applications, and to do so am looking for examples of server side scripts (PHP, Perl, whatever) that have security vulnerabilities, to see if the technique would work. If you have scripts you'd be

Re: [SC-L] embedded systems security analysis

2009-08-21 Thread Jeremy Epstein
I spent a fair bit of time doing stuff relating to voting systems, which all have embedded systems. (I am not one of the experts who pulls them apart, lest anyone think I'm claiming credit for them.) They are supposedly closed systems, but every time someone competent has tried to attack them,

[SC-L] NSA comparison of source code analysis tools

2009-09-29 Thread Jeremy Epstein
(Apologies if I already sent this to the group; I don't think I did.) There's an interesting presentation at http://www.iarpa.gov/stonesoup_Merced_DHSAWGbrief.pdf about a study done by the US NSA (National Security Agency) of C and Java source code analysis tools. They developed a synthetic test

Re: [SC-L] Provably correct microkernel (seL4)

2009-10-02 Thread Jeremy Epstein
...@securecoding.org] On Behalf Of Jeremy Epstein Sent: Friday, October 02, 2009 6:38 AM To: Wall, Kevin Cc: Secure Code Mailing List Subject: Re: [SC-L] Provably correct microkernel (seL4) This was discussed a few months ago on several other lists I read. The consensus is that it's interesting

[SC-L] Checklist Manifesto applicability to software security

2010-01-07 Thread Jeremy Epstein
Greetings, I was listening yesterday to an interview [1] on NPR with Dr. Atul Gawande, author of Checklist Manifesto [2]. He describes the problem that medical procedures (e.g., surgery) tend to have lots of mistakes, mostly caused because of leaving out important steps. He claims that 2/3 of

[SC-L] A massive change at DARPA

2010-02-11 Thread Jeremy Epstein
OK, many of you don't care about DARPA, but here's something that happened there you *should* care about. DARPA funds research, and has historically drawn its program managers from the ranks of academia and occasionally the military. This is a massive change in outlook

[SC-L] One day software security awareness training?

2010-06-24 Thread Jeremy Epstein
All, I'm looking for a one day software security awareness training class for a client. Yes, I know one day isn't enough to teach what people need to know, but I'll be lucky if I can get them to spend that long. (The initial reaction to my recommendation was no way.) My goal is for them to

[SC-L] Wanna analyze a real voting system? Open season on DC's Internet pilot system

2010-09-22 Thread Jeremy Epstein
All, For a VERY short window (Sep 24-30), the DC Board of Elections and Ethics is opening up their system for review - documents, source code, and a live system to hack. I think it's probably a well-designed system (the folks doing it are knowledgeable), but it's of course completely vulnerable

[SC-L] DC voting experiment hacked

2010-10-06 Thread Jeremy Epstein
As many of you know, DC is doing an Internet voting pilot - original plan was to allow voters to download blank ballots as PDF, mark them, and submit them (*). They set up a test server and encouraged anyone interested to take a whack - which promptly happened. A team from Univ of Michigan led

Re: [SC-L] informIT: Technology transfer

2010-10-29 Thread Jeremy Epstein
The ITS4 article can be found at http://www.acsac.org/2000/abstracts/78.html - it won the best paper award when it was presented in 2000. (I don't think SLINT was every presented at a professional conference.) And since I'm mentioning ACSAC, the deadline for early registration is coming up on

[SC-L] US DoD RFI on software assurance

2013-12-20 Thread Jeremy Epstein
All, This may be of interest - an RFI is a way to both provide information and influence future procurements by pointing out areas that need to be emphasized. https://www.fbo.gov/index?s=opportunitymode=formid=3c867a45671f0cde56fca2bf81bdaf44tab=documentstabmode=list --Jeremy

Re: [SC-L] SearchSecurity: Medical Devices and Software Security

2014-07-07 Thread Jeremy Epstein
Agree with you - there's nothing new in the article. I gave a talk a couple years ago at a conference on biomedical engineering, and there was one person in the room (out of a few hundred) who had heard of Therac-25. (Which I assume is what you were referring to with 1985.) If the article were