RE: [SC-L] Any software security news from the RSA conference?

2004-03-01 Thread ljknews
At 5:58 PM -0600 2/27/04, Alun Jones wrote: Microsoft has a lot of code to contend with, and much of it is old - so a lot of it has had to be scrubbed clean of imperfections, and some has had to be re-written. A few years ago I heard the problem described as the opposite - that for Windows

[SC-L] Re: Application Sandboxing, communication limiting, etc.

2004-03-10 Thread ljknews
At 11:14 AM -0700 3/10/04, Jared W. Robinson wrote: Seems to me that the average user application doesn't need to open TCP/UDP ports for listening. Fixed in a previous major protocol stack. Doing the equivalent on DECnet requires privilege.

Re: [SC-L] Change of position

2004-04-01 Thread ljknews
At 10:09 AM -0500 4/1/04, Gary McGraw wrote: Hi all, I have done lots of soul searching lately and have come to the conclusion that trying to make software secure is not worth the effort. I think instead we should concentrate more effort on protection technologies such as advanced stateful

Re: [SC-L] opinion, ACM Queue: Buffer Overrun Madness

2004-06-08 Thread ljknews
At 1:10 PM -0400 6/8/04, Jose Nazario wrote: thought some of you may find this editorial from the May 04 ACM Queue worth a read. ACM Queue is an interesting magazine and has a website at acmqueue.org. Buffer Overrun Madness ACM Queue vol. 2, no. 3 - May 2004 by Rodney Bates, Wichita State

Re: [SC-L] opinion, ACM Queue: Buffer Overrun Madness

2004-06-09 Thread ljknews
At 9:11 AM -0400 6/9/04, Gary McGraw wrote: Language makes a huge difference, especially in the realm of bugs. So not using C and C++ is smart. Use Java or C# instead. Or Ada, or PL/I, or Pascal, or Eiffel, etc. There are _lots_ of choices out there.

RE: [SC-L] Interesting article on the adoption of Software Security

2004-06-11 Thread ljknews
At 9:16 AM -0500 6/11/04, Michael S Hines wrote: IBM had Language Environment (LE) before .NET came along. What is Language Environment (for either of those) ?

Re: [SC-L] ACM Queue article and security education

2004-06-30 Thread ljknews
At 8:10 PM -0400 6/29/04, James Walden wrote: While there are non-university classes and workshops that teach software security, I doubt that a majority of developers have attended even one such class. Software security has to be integrated into the CS curriculum before we can expect a

Re: [SC-L] ACM Queue article and security education

2004-07-01 Thread ljknews
At 9:10 AM -0700 7/1/04, Blue Boar wrote: Language X may very well be a much better starting point, I don't know. I do believe that it will never be properly looked at until the whole world starts using it for everything, though. I think it will be properly considered when the most strict

Re: [SC-L] ACM Queue article and security education

2004-07-02 Thread ljknews
At 1:02 PM -0700 7/1/04, Blue Boar wrote: ljknews wrote: I think it will be properly considered when the most strict portion of the software world is using language X. I have used many programs where the flaws in the program make it clear that I care not one whit about whether the authors

Re: [SC-L] Education and security -- another perspective (was ACM Queue - Content)

2004-07-07 Thread ljknews
At 9:40 AM -0400 7/7/04, James Walden wrote: Dana Epp wrote: Of course, I also think students should have to take at least one course in ASM to really understand how computer instructions work, so they can gain a foundation of learning for the heart of computer processing. And I think they

Re: [SC-L] Programming languages used for security

2004-07-09 Thread ljknews
At 8:49 AM -0500 7/9/04, Wall, Kevin wrote: If a GENERAL PURPOSE programming language were designed from scratch by someone who was both a security expert and programming language expert, what would this language (and its environment) look like? More specifically, + What set

RE: [SC-L] Education and security -- another perspective (was ACM Queue - Content)

2004-07-09 Thread ljknews
At 2:26 PM +0100 7/9/04, David Crocker wrote: And much as I dislike Ada, I have to admit that if you don't intend to use dynamic binding and don't need the low-level features of C,... Which are those low-level features not available with Ada ? The C compilers I have used claim to be

Re: [SC-L] Programming languages used for security

2004-07-12 Thread ljknews
At 3:55 PM -0700 7/10/04, Crispin Cowan wrote: However, I think I do see a gap between these extremes. You could have a formal specification that can be mechanically transformed into a *checker* program that verifies that a solution is correct, but cannot actually generate a correct solution.

Re: [SC-L] Risk Analysis: Building Security In #3

2004-07-13 Thread ljknews
At 5:30 PM -0600 7/12/04, Jared W. Robinson wrote: I read the paper, and found it interesting. I read the statistic 50 percent of security problems are the result of design flaws. Where does that number come from? Experience? I would say it comes from sloppy wording. At best, the author might

Re: [SC-L] Programming languages used for security

2004-07-14 Thread ljknews
At 10:39 AM -0700 7/14/04, Blue Boar wrote: ljknews wrote: At 11:38 AM -0700 7/13/04, Blue Boar wrote: ljknews wrote: The environment with which I am most familiar is VMS, and tradition is what guides secure interfaces. Inner mode code _must_ probe any arguments provided from an outer mode

RE: [SC-L] Programming languages -- the third rail of secure coding

2004-07-30 Thread ljknews

RE: [SC-L] Programming languages -- the third rail of secure coding

2004-08-01 Thread ljknews
At 1:03 PM +0930 8/1/04, Nick Lothian wrote: IMHO, though, any such effort is pointless. The reality is that we're going to be stuck with C/C++, Java, C#, FORTRAN, COBOL, and various interpreted/scripting languages for a very long time. What are people's opinions of the languages listed

RE: [SC-L] Programming languages -- the third rail of secure coding

2004-08-02 Thread ljknews
At 2:25 PM +0930 8/2/04, Nick Lothian wrote: What features make Ada safer than Java/C#? (I only have limited experience with Ada but from memory there was nothing that jumps out at me as something that Java lacks) Quoting from Tucker Taft in

Re: [SC-L] ComputerWorld interview with Theo de Raadt on Software Security

2004-09-10 Thread ljknews
At 10:37 AM -0400 9/10/04, Kenneth R. van Wyk wrote: FYI, ComputerWorld is running an interesting interview with Theo de Raadt, on the state of software security, and OpenBSD in particular. See http://www.computerworld.com.au/index.php/id;1498222899;fp;16;fpid;0 for the complete text. He

Re: [SC-L] Open Source failure analysis tool released for Linux

2004-10-15 Thread ljknews
At 8:23 AM -0400 10/15/04, Kenneth R. van Wyk wrote: I believe that we don't do enough to analyze and learn from software failures. I believe the industry as a whole does plenty to analyze software failures, particularly considering how little is done to avoid those errors. Added analysis in

Re: [SC-L] Re: Application Insecurity --- Who is at Fault?

2005-04-12 Thread ljknews
At 4:21 PM -0400 4/11/05, Dave Paris wrote: Joel Kamentz wrote: Re: bridges and stuff. I'm tempted to argue (though not with certainty) that it seems that the bridge analogy is flawed in another way -- that of the environment. While many programming languages have similarities and many

Re: [SC-L] Why Software Will Continue to Be Vulnerable

2005-05-02 Thread ljknews
At 8:05 AM -0400 5/2/05, Kenneth R. van Wyk wrote: Yet, despite that pessimistic outlook -- and the survey that forked this thread -- I do think that companies are demanding more in software security, even though consumers are not. Companies value time spent on cleanup more than consumers do.

RE: [SC-L] Credentials for Application use

2005-05-11 Thread ljknews
At 11:00 AM -0500 5/11/05, Gizmo wrote: Maybe I don't fully understand the concept of Single Sign-On. As I understand it, SSO allows a user to login to an application portal, and all of the applications that user accesses via that portal know who the user is and what rights they have within their

RE: [SC-L] Credentials for Application use

2005-05-11 Thread ljknews
At 11:28 AM -0400 5/11/05, Goertzel Karen wrote: Of course, and SSO is only as secure as (1) the assurance of the credential on which it bases its authentication decisions (a static password with an SSO is a really STUPID idea); That depends on the security of the channel between the user and

Re: [SC-L] Spot the bug

2005-07-19 Thread ljknews
At 9:55 AM -0400 7/19/05, Mark Curphey wrote: If you fancy yourself as a good code reviewer you can play spot the bug at MSDN. They will be getting harder ! http://msdn.microsoft.com/security/ The overarching bug seems to be the assertion that there is only one bug, since those offering comments

Re: [SC-L] New TC poll: Was Lynn right?

2005-08-09 Thread ljknews
At 11:54 AM +0100 8/9/05, Nick Murison wrote: (Yes, this is a shameless plug) Good morning everyone, Seeing as the storm after BlackHat has settled a little, I thought it'd be nice to see what people had decided about Michael Lynn's presentation. Was he right to go ahead with it, or was it

Re: [SC-L] Intel turning to hardware for rootkit detection

2005-12-13 Thread ljknews
At 9:28 AM -0800 12/13/05, Ron Forrester wrote: On 12/13/05, Kenneth R. van Wyk [EMAIL PROTECTED] wrote: The detection mechanism seems to be looking primarily for non-OS software modifying OS inhabited memory blocks. Wonder how they're defining (and maintaining the definition) of

Re: [SC-L] Intel turning to hardware for rootkit detection

2005-12-14 Thread ljknews
At 1:33 AM -0800 12/14/05, Crispin Cowan wrote: Smashguard, if I recall correctly, offers approximately the protection of existing compiler methods, but with the added fun of requiring modified (non-existent) hardware. The referenced hardware in the IEEE article and the intel.com pages

[SC-L] Where to read about construction quality software

2006-02-07 Thread ljknews
The US Department of Homeland Security seems to be sponsoring a web site at https://buildsecurityin.us-cert.gov/portal/ , devoted to construction of quality software. But feeding that URL to http://validator.w3.org/ produces a list of 277 HTML errors on that software quality page :-) No, I don't

Re: [SC-L] Question about the terms encypt and secure

2006-03-06 Thread ljknews
At 12:35 PM -0500 3/5/06, William L. Anderson wrote: My question is whether it's more accurate to say secure their network rather than encrypt. I'm not clear myself about the meaning of these terms; I think of encryption as being one way to make a network secure. Another way that was

RE: [SC-L] Question about the terms encypt and secure

2006-03-06 Thread ljknews
At 6:04 AM -0800 3/6/06, Jeremy Epstein wrote: Encryption is one way to secure the *transport* on the network (subject to various caveats about appropriate use of crypto, trust issues, etc.). I'd strongly disagree with anyone who says that encryption makes a network secure - because people

Re: [SC-L] 4 Questions: Latest IE vulnerability, Firefox vs IE security, User vs Admin risk profile, and browsers coded in 100% Managed Verifiable code

2006-03-25 Thread ljknews
At 11:39 AM +0000 3/25/06, Dinis Cruz wrote: 3) Since my assets as a user exist in user land, isn't the risk profile of malicious unmanaged code (deployed via IE/Firefox) roughly the same if I am running as a 'low privileged' user or as administrator? (at the If the administrator's assets are

Re: [Owasp-dotnet] RE: [SC-L] 4 Questions: Latest IE vulnerability, Firefox vs IE security, Uservs Admin risk profile, and browsers coded in 100% Managed Verifiable code

2006-03-27 Thread ljknews
At 2:34 AM +0100 3/27/06, Dinis Cruz wrote: PS: For the Microsofties that are reading this (if any) sorry for the irony and I hope I am not offending anyone, but WHEN are you going to join this conversation? (i.e. reply to these posts) I can only see 4 reasons for your silence: a) you

Re: [SC-L] Segments, eh Smithers?

2006-04-04 Thread ljknews
At 9:02 AM -0700 4/3/06, Crispin Cowan wrote: That second question is actually pretty technically deep. What is so different about paged memory systems that makes them harder to secure than segmented memory systems? My conjecture: it is the granularity of the memory blobs. Consider: *

Re: [SC-L] HNS - Biggest X Window security hole since 2000

2006-05-05 Thread ljknews
At 11:12 AM -0400 5/4/06, Kenneth R. van Wyk wrote: Stories about this (below) X bug and the DHS-sponsored project that found it

Re: [SC-L] Hiring folks that are familar with SC practices

2006-06-04 Thread ljknews
At 10:38 AM -0400 6/2/06, McGovern, James F (HTSC, IT) wrote: Figured I would ask the list a question that I haven't figured out the answer to. How have other enterprises that seek architects and developers knowledgeable in secure coding software development practices articulated it to their

RE: [SC-L] RE: Comparing Scanning Tools

2006-06-09 Thread ljknews
At 2:32 PM -0400 6/9/06, Jeremy Epstein wrote: Having said that, it's completely at odds compared to what I see working for an ISV of a non-security product. That is, I almost never have prospects/customers ask me what we do to assure our software. I don't even get those questions for our

Re: [SC-L] Bumper sticker definition of secure software

2006-07-16 Thread ljknews
At 3:27 PM -0400 7/15/06, Goertzel Karen wrote: I've been struggling for a while to synthesise a definition of secure software that is short and sweet, yet

Re: [SC-L] bumper sticker slogan for secure software

2006-07-20 Thread ljknews
At 9:46 PM +0200 7/20/06, Florian Weimer wrote: * Pascal Meunier: But it's true for stupid bugs like buffer overflows and format string vulnerabilities, in which we're still swimming, and the proof is the fact that those aren't possible in some languages. Could you name a few such language

Re: [SC-L] re-writing college books [was: Re: A banner year for software bugs | Tech News on ZDNet]

2006-10-17 Thread ljknews
At 12:11 PM -0400 10/13/06, James Walden wrote: you really have to use C because it's the only thing that will do, That seems extremely improbable. -- Larry Kilgallen ___ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information,

Re: [SC-L] Why Shouldn't I use C++?

2006-11-01 Thread ljknews
At 9:08 PM -0500 10/31/06, Ben Corneau wrote: C and C++ are very different. Using C++ like C is arguably unsafe, but when it's used as it was intended can't C++ too be considered for secure programming? What assurance does upper management have that C++ was used as it was intended rather than

Re: [SC-L] Could I use Java or c#? [was: Re: re-writing college books]

2006-11-06 Thread ljknews
At 10:47 AM -0500 11/6/06, der Mouse wrote: I read this thread and I am a little afraid. I'm just ahead of a complete rewriting of my program. The previous code was written in pure C (with an OOP look-alike somewhere). Perhaps I'm missing something. Why do you have to abandon C? You

Re: [SC-L] Could I use Java or c#? [was: Re: re-writing college books]

2006-11-13 Thread ljknews
At 10:31 PM +1100 11/13/06, mikeiscool wrote: On 11/13/06, Glenn and Mary Everhart [EMAIL PROTECTED] wrote: If there is some construct that NEEDS to be interpreted to gain something, it can be justified on that basis. Using interpretive runtimes just to link languages, or just to achieve

Re: [SC-L] Could I use Java or c#? [was: Re: re-writingcollege books]

2006-11-15 Thread ljknews
At 3:44 PM +0000 11/15/06, Pete Shanahan wrote: ljknews wrote: At 8:18 PM -0600 11/14/06, Wall, Kevin wrote: That makes a Java inappropriate for a lot of system-level programming tasks. Simple example: There's no way in pure Java that I can lock a process in memory. Wrt this list

Re: [SC-L] Could I use Java or c#? [was: Re: re-writingcollegebooks]

2006-11-15 Thread ljknews
At 10:55 AM -0600 11/15/06, Wall, Kevin wrote: Larry Kilgallen wrote: At 8:18 PM -0600 11/14/06, Wall, Kevin wrote: That makes a Java inappropriate for a lot of system-level programming tasks. Simple example: There's no way in pure Java that I can lock a process in memory. Wrt this

Re: [SC-L] temporary directories

2006-12-29 Thread ljknews
At 6:56 PM -0500 12/29/06, Leichter, Jerry wrote: | Not on Unix, but I tend to use temporary names based on the Process ID | that is executing. And of course file protection prevents malevolent | access. | | But for a temporary file, I will specify a file that is not in any | directory. I

Re: [SC-L] temporary directories

2007-01-02 Thread ljknews
At 8:45 AM -0500 12/30/06, Leichter, Jerry wrote: [Moderator: This is likely beyond the point of general interest to sc-l] Actually, I disagree, in that it seems to expose a set of vulnerabilities not known even to language implementors. On Fri, 29 Dec 2006, ljknews wrote

Re: [SC-L] temporary directories

2007-01-02 Thread ljknews
At 5:11 PM +0100 12/30/06, Florian Weimer wrote: I gather you are saying that the innards of Unix will force creation of an unwanted directory entry on the Ada implementation of the required null name support for packagename.CREATE . The Ada implementation could rely on exclusive access to
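An added example for the "temporary directories" thread above (the PID-based naming in the 12/29 post and the "file in no directory" question in this one). This is not Larry Kilgallen's code or anything from the list; the helper names, the scratch directory under /tmp and the simulated attacker step are my own, and it targets POSIX, not VMS. It shows why a name derived from the process ID is a problem on Unix when combined with a plain O_CREAT open, how O_EXCL turns the pre-planted file into an EEXIST failure, and how mkstemp followed by unlink approximates a temporary file with no directory entry (Linux additionally offers O_TMPFILE for that):

```c
/* Added example for the SC-L "temporary directories" thread: the race that a
 * PID-derived temporary name invites on Unix, and the exclusive-create idiom
 * that closes it. Not Larry Kilgallen's code; helper names are my own. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Prototypes repeated so the block also builds under a strict -std= mode
 * that hides them in <stdlib.h>; compatible redeclarations are legal C. */
int mkstemp(char *);
char *mkdtemp(char *);

/* The scheme the 12/29 post describes, on Unix: a name derived from the PID.
 * Anyone who can list processes, or simply guess, can predict it in advance. */
int pid_tmpname(char *buf, size_t n, const char *dir) {
    int len = snprintf(buf, n, "%s/app.%ld", dir, (long)getpid());
    return (len > 0 && (size_t)len < n) ? 0 : -1;
}

/* Unsafe: O_CREAT without O_EXCL happily opens a file (or follows a symlink)
 * that an attacker planted under the predictable name. Returns an fd. */
int open_tmp_clobber(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Safer: O_CREAT|O_EXCL creates atomically and refuses a pre-existing path,
 * symlinks included, with EEXIST. Returns an fd, or -1 with errno set. */
int open_tmp_exclusive(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* Closest Unix gets to "a temporary file in no directory": mkstemp picks an
 * unpredictable name and creates it O_EXCL in one step; unlink then removes
 * the directory entry while the open descriptor keeps the inode alive. */
int open_tmp_anonymous(const char *dir) {
    char tmpl[4096];
    if (snprintf(tmpl, sizeof tmpl, "%s/app.XXXXXX", dir) >= (int)sizeof tmpl)
        return -1;
    int fd = mkstemp(tmpl);
    if (fd < 0)
        return -1;
    unlink(tmpl);           /* name gone; data reachable only through fd */
    return fd;
}

/* Runs the three variants against a scratch directory (assumed writable /tmp).
 * out[0]: 1 if the O_CREAT-only open reused the attacker's planted file
 * out[1]: errno from the O_EXCL open (expected EEXIST)
 * out[2]: 1 if the mkstemp+unlink route produced a usable descriptor
 * Returns 0 on success, -1 if the scratch setup itself failed. */
int demo_results(int out[3]) {
    char dir[] = "/tmp/scl-tmpdemo-XXXXXX";
    char planted[4096] = "";
    int rc = -1, planted_fd = -1, clobber_fd = -1, excl_fd = -1, anon_fd = -1;
    out[0] = out[1] = out[2] = 0;
    if (mkdtemp(dir) == NULL)
        return -1;
    if (pid_tmpname(planted, sizeof planted, dir) != 0)
        goto cleanup;
    /* Simulated attacker: pre-create the predictable name (constructed step). */
    planted_fd = open(planted, O_WRONLY | O_CREAT, 0666);
    if (planted_fd < 0)
        goto cleanup;
    /* Victim without O_EXCL silently adopts the attacker's file. */
    clobber_fd = open_tmp_clobber(planted);
    out[0] = clobber_fd >= 0;
    /* Victim with O_EXCL is told the path already exists. */
    excl_fd = open_tmp_exclusive(planted);
    out[1] = (excl_fd < 0) ? errno : 0;
    /* mkstemp route is unaffected by the planted name. */
    anon_fd = open_tmp_anonymous(dir);
    out[2] = anon_fd >= 0;
    rc = 0;
cleanup:
    if (planted_fd >= 0) close(planted_fd);
    if (clobber_fd >= 0) close(clobber_fd);
    if (excl_fd >= 0) close(excl_fd);
    if (anon_fd >= 0) close(anon_fd);
    unlink(planted);
    rmdir(dir);
    return rc;
}

int main(void) {
    int r[3];
    if (demo_results(r) != 0) { perror("demo"); return 1; }
    printf("O_CREAT-only open reused planted file: %d\n", r[0]);
    printf("O_EXCL open errno: %d (EEXIST is %d)\n", r[1], EEXIST);
    printf("mkstemp+unlink usable: %d\n", r[2]);
    return 0;
}
```

The point the thread circles around survives the translation to Unix: the safety comes from the create being atomic and exclusive, not from the name being hard to guess, and the unlink is what removes the window in which a directory entry is visible to other processes.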

Re: [SC-L] Compilers

2007-01-02 Thread ljknews
At 2:18 PM +0000 1/2/07, Peter Amey wrote: [snip] Isn't the whole basis of Spark a matter of adding proof statements in the comments ? I don't think the general compiler marketplace would go for that built-in to compilers. After all: 1. The Praxis implementation can be used

Re: [SC-L] Building Security In vs Auditing

2007-01-02 Thread ljknews
At 9:46 AM -0500 1/2/07, McGovern, James F (HTSC, IT) wrote: I read a recent press release in which a security vendor (names removed to both protect the innocent along with the fact that it doesn't matter for this discussion ) partnered with a prominent outsourcing firm. The press release was

Re: [SC-L] Dark Reading - Discovery and management - Security Startups Make Debut - Security News Analysis

2007-01-22 Thread ljknews
At 1:52 PM -0500 1/22/07, Kenneth Van Wyk wrote: Ok, last software security news item for today, I promise. :-) This article (see

Re: [SC-L] Dark Reading - Discovery and management - Security Startups Make Debut - Security News Analysis

2007-01-22 Thread ljknews
At 3:10 PM -0800 1/22/07, Blue Boar wrote: ljknews wrote: Analyzing source code is independent of machine architecture. My guess is that if a company actually is capable of analyzing binary code they only do it for the highest volume instruction sets. My guess is that attackers will go

Re: [SC-L] Dark Reading - Discovery and management - Security Startups Make Debut - Security News Analysis

2007-01-28 Thread ljknews
At 5:20 PM +1100 1/25/07, Crispin Cowan wrote: ljknews wrote: My guess is that if a company actually is capable of analyzing binary code they only do it for the highest volume instruction sets. They certainly will focus on larger markets first. If you want them to focus on *your* market

Re: [SC-L] Economics of Software Vulnerabilities

2007-03-20 Thread ljknews
At 8:55 AM -0400 3/20/07, Michael S Hines wrote: I'm not sure what your sources are but from what I'm hearing and reading the problem is that there are many missing drivers for what have become standard peripherals that people are used to - and some of the vendors are reluctant to develop new

Re: [SC-L] Darkreading: compliance

2007-03-30 Thread ljknews
At 9:29 AM -0400 3/30/07, Benjamin Tomhave wrote: SOX has been a complete waste, imo. First, the majority of it was already covered in existing law. Second, it really has nothing to do with security from a practical standpoint. The only purpose SOX has served is to give auditors another

Re: [SC-L] Best practices for encrypting client-side data

2007-05-10 Thread ljknews
At 12:01 PM +1200 5/10/07, Robin Sheat wrote: On Wednesday 09 May 2007 02:11:05 ljknews wrote: I would suggest two factor

Re: [SC-L] Darkreading: Secure Coding Certification

2007-05-14 Thread ljknews
At 11:35 AM -0400 5/14/07, Greg Beeley wrote: Agreed in concept to the no second-class citizens idea. But I think the test needs to have a language-specific element to it. Every language and environment has unique pitfalls and security considerations. A developer who knows to avoid memory

Re: [SC-L] What's the next tech problem to be solved in software security?

2007-06-08 Thread ljknews
At 9:53 AM +0200 6/8/07, Stephen de Vries wrote: On 8 Jun 2007, at 02:23, Steven M. Christey wrote: More modern languages advertise security but aren't necessarily catch-alls. At the same time, the improvements in security made by managed code (e.g. the JRE and .NET runtimes) for

Re: [SC-L] What's the next tech problem to be solved in software security?

2007-06-09 Thread ljknews
At 8:33 AM -0400 6/9/07, der Mouse wrote: Immunity from buffer overflows has been around for 30 years. The fact that some set of developers choose to ignore the languages that provide it does not make the next environment that provides it an improvement for the industry. I'd disagree - if

Re: [SC-L] FW: What's the next tech problem to be solvedin softwaresecurity?

2007-06-10 Thread ljknews
At 9:51 PM +0100 6/9/07, David Crocker wrote: If instead we pay people to perform the more skilled tasks of establishing requirements and specifying the systems to meet them, and use computers to generate programs that meet the specifications, then such things as freedom from buffer

Re: [SC-L] FW: What's the next tech problem to be solvedin softwaresecurity?

2007-06-10 Thread ljknews
At 9:16 AM -0400 6/10/07, Robert C. Seacord wrote: ljknews, Yes, it is virtually impossible to get a serious runtime error in an Ada program. For example: http://www.youtube.com/watch?v=kYUrqdUyEpI It amazes me that someone in a discussion of software security would point to a page

Re: [SC-L] Harvard vs. von Neumann

2007-06-11 Thread ljknews
At 9:00 AM -0400 6/11/07, Gary McGraw wrote: If we assumed perfection at the implementation level (through better languages, say), then we would end up solving roughly 50% of the software security problem. Clearly we need to make some progress at the architecture/design level to attain

Re: [SC-L] The Next Frontier

2007-06-27 Thread ljknews
At 4:38 PM -0400 6/27/07, Paco Hope wrote: On 6/26/07 5:00 PM, McGovern, James F (HTSC, IT) [EMAIL PROTECTED] wrote: Would there be value in terms of defining an XML schema that all tools could emit audit information to? You might want to take a look at what the Fortify guys already do.

Re: [SC-L] Resources to fix vulns

2007-07-19 Thread ljknews
At 8:53 AM -0700 7/18/07, McCown, Christian M wrote: What do you tell a C-level exec in terms of h/c and time it will take to fix web app vulnerabilities

Re: [SC-L] Resources to fix vulns

2007-07-19 Thread ljknews
At 9:50 AM -0400 7/19/07, McGovern, James F (HTSC, IT) wrote: I would actually recommend AGAINST using prior track records for fixing previous vulnerabilities because in all honesty they probably don't track it. Most enterprises prioritize any type of defect based on the importance as

Re: [SC-L] how far we still need to go

2007-07-26 Thread ljknews
At 2:03 AM +0100 7/26/07, Dinis Cruz wrote: It's a simple economics problem. The moment these companies and developers lose sales (or market share) because their products require admin / root privileges to run, is the moment they start to REALLY support it. For Windows that day might be when

[SC-L] Dilbert Does Software Testing

2007-07-29 Thread ljknews
http://www.dilbert.com/comics/dilbert/archive/images/dilbert2007071745828.gif -- Larry Kilgallen

Re: [SC-L] Mainframe Security

2007-11-01 Thread ljknews
At 9:16 PM +0100 11/1/07, Johan Peeters wrote: I think this could do a great service to the community. Recently I was hired by a major financial institution as a lead developer. They said they needed me for some Java applications, but it turns out that the majority of code is in COBOL. As I

Re: [SC-L] COBOL Exploits

2007-11-02 Thread ljknews
At 12:13 AM -0400 11/2/07, Mark Rockman wrote: The adolescent minds that engage in exploits wouldn't know COBOL if a printout fell out a window and onto their heads. I'm sure you can write COBOL programs that crash, but it must be hard to make them take control of the operating system. Of

Re: [SC-L] Mainframe Security

2007-11-02 Thread ljknews
At 4:11 PM +0100 11/2/07, Johan Peeters wrote: Let me offer a little variant on the previous theme though to illustrate, hopefully more convincingly, why I find COBOL worrisome: ... 01 txt pic x(2). move 'hi' to txt call

Re: [SC-L] Mainframe Security

2007-11-02 Thread ljknews
At 2:16 PM +0100 11/2/07, Johan Peeters wrote: I have been looking at an IBM system. If I do something like this ... 01 txt PIC X(120) string '**' into txt end-string display

Re: [SC-L] Mainframe Security

2007-11-02 Thread ljknews
At 11:45 PM +0100 11/2/07, Florian Weimer wrote: My limited exposure to Cobol makes me think it is as unlikely to have a buffer overflow as PL/I or Ada. Usually, Ada programmers switch off bounds checking before shipping code. I don't know why Ada has such a reputation for robustness. Can

Re: [SC-L] Code review pool

2007-11-05 Thread ljknews
At 12:50 PM +0100 11/5/07, Paolo Perego wrote: Hi guys, trying to improve Owasp Orizon project in a better way, I released a poll over my blog here: http://thesp0nge.livejournal.com/5687.html It would be great having your feedback about your vision to code review and safe coding as

Re: [SC-L] Programming language comparison?

2008-02-05 Thread ljknews
At 4:41 PM -0500 2/4/08, Steven M. Christey wrote: On Mon, 4 Feb 2008, Robert A. Martin wrote: You still need to add to that issues that apply to all languages versus these lists of language specific weaknesses and C and C++ have significant overlap given their relationship. There is an

Re: [SC-L] Programming language comparison?

2008-02-05 Thread ljknews
At 4:44 PM -0500 2/5/08, Steven M. Christey wrote: On Mon, 4 Feb 2008, ljknews wrote: (%s to fill up disk or memory, anybody?), so it's marked with All and it's not in the C-specific view, even though there's a heavy concentration of format strings in C/C++. It is marked as All

Re: [SC-L] InformIT: budgeting for software security

2008-04-11 Thread ljknews
At 8:14 AM -0500 4/11/08, Wall, Kevin wrote: In the context, I think his concern was that in the past, the RSA conferences were focused on infosec, and on cryptography in particular. Apparently, based on Stephen and gem's comments, it seems to have lost its focus. I think that's all that

Re: [SC-L] GCC and pointer overflows [LWN.net]

2008-05-01 Thread ljknews
At 1:00 PM -0400 5/1/08, Epstein, Jeremy wrote: Ken, a good example. For those of you who want to reach much further back, Paul Karger told me of a similar problem in the compiler (I don't remember the language) VAX Pascal, before VMS was on Alpha (and long before Itanium). used for

Re: [SC-L] GCC and pointer overflows [LWN.net]

2008-05-01 Thread ljknews
At 3:12 PM -0400 5/1/08, Leichter, Jerry wrote: The VAX VMM effort died with the announcement of the Alpha, in late 1992 - though obviously the death was decided internally once the move to Alpha was decided, which would have been somewhat earlier. The origins of the VAX VMM effort date back

Re: [SC-L] InternetNews Realtime IT News - Merchants Cope With PCI Compliance

2008-06-30 Thread ljknews
At 9:44 AM -0400 6/30/08, Kenneth Van Wyk wrote: Happy PCI-DSS 6.6 day, everyone. (Wow, that's a sentence you don't hear often.) http://www.internetnews.com/ec-news/article.php/3755916 In talking with my customers over the past several months, I always find it interesting that the

Re: [SC-L] Root Canal Treatment vs Source Code Review

2008-07-01 Thread ljknews
At 10:43 PM -0400 6/30/08, Mary and Glenn Everhart wrote: There is another reason I have seen quite often: you can't readily ask the designer of the code what it does when he is dead, or when he has left the company (esp. if he works for a competitor). When I participated (as author) in

Re: [SC-L] Survey

2008-08-26 Thread ljknews
At 7:21 PM -0400 8/24/08, [EMAIL PROTECTED] wrote: The publisher of the web page is not in the security business, they are in the publishing business. But how can I respect their publishing expertise if they fail a simple automatic test. Well, I guess that most web developers are not

Re: [SC-L] Survey

2008-08-26 Thread ljknews
At 9:12 AM -1000 8/26/08, Jim Manico wrote: How does xHTML help stop access control vulnerabilities? Authorization issues? CSRF problems? It is indicative of the caliber of the people who built the site. My immediate interest is that validation combats browser crashes. I am not interested

Re: [SC-L] Human Elements of Security Survey

2008-10-09 Thread ljknews
At 8:40 PM -0400 10/8/08, Sammy Migues wrote: JavaScript is required on SurveyMonkey. Thank you for the warning. It is amazing the number of people who presume that security people are willing to go to a website enabling cookies or JavaScript or worse. Of course it is also amazing the number

Re: [SC-L] Cat out of the bag?

2008-10-30 Thread ljknews
At 11:09 AM -0600 10/30/08, Jonathan Leffler wrote: Gary McGraw [EMAIL PROTECTED] wrote: Here is a pointer to an article... I'm getting 404 errors? I backed up

Re: [SC-L] Software Assist to Find Least Privilege

2008-11-25 Thread ljknews
At 12:26 PM -0500 11/25/08, Mark Rockman wrote: It'd be difficult to determine a priori the settings for all the access control lists and other security parameters that one must establish for CAS to work. Perhaps a software assist would work according to the following scenario. Run the program

Re: [SC-L] Unclassified NSA document on .NET 2.0 Framework Security

2008-11-26 Thread ljknews
At 9:32 PM -0800 11/25/08, Brian Chess wrote: Larry, I'm not sure I get your meaning. You say you don't think it's a dry well, but then you say programmers ignore the privilege management facilities at their disposal. I mean they ignore it until security overseers (800.53a, PCI DSS, 8500.2

Re: [SC-L] How Can You Tell It Is Written Securely?

2008-12-01 Thread ljknews
At 9:03 PM -0500 11/26/08, Mark Rockman wrote: OK. So you decide to outsource your programming assignment to Asia and demand that they deliver code that is so locked down that it cannot misbehave. How can you tell that what they deliver is truly locked down? Will you wait until it gets hacked?

Re: [SC-L] BSIMM: Confessions of a Software SecurityAlchemist(informIT)

2009-03-25 Thread ljknews
At 1:00 PM -0700 3/25/09, Andy Steingruebl wrote: On Wed, Mar 25, 2009 at 10:18 AM, ljknews ljkn...@mac.com wrote: Worry about enforcement by the hardware architecture after you have squeezed out all errors that can be addressed by software techniques. Larry

Re: [SC-L] Insecure Java Code Snippets

2009-05-07 Thread ljknews
At 12:47 PM -0500 5/7/09, Brad Andrews wrote: Quoting ljknews ljkn...@mac.com: At 5:49 PM -0500 5/6/09, Brad Andrews wrote: Try a few of the PC-Lint bugs, if you ever wrote C/C++ code. They can be really hard to figure out, And yet people keep choosing those programming languages

Re: [SC-L] Insecure Java Code Snippets

2009-05-08 Thread ljknews
At 9:15 AM -0400 5/8/09, SC-L Reader Dave Aronson wrote: ljknews ljkn...@mac.com wrote: At 12:47 PM -0500 5/7/09, Brad Andrews wrote: Quoting ljknews ljkn...@mac.com: At 5:49 PM -0500 5/6/09, Brad Andrews wrote: Try a few of the PC-Lint bugs, if you ever wrote C/C++ code. They can be really

Re: [SC-L] IBM Acquires Ounce Labs, Inc.

2009-07-28 Thread ljknews
At 8:39 AM -1000 7/28/09, Jim Manico wrote: A quick note, in the Java world (obfuscation aside), the source and binary is really the same thing. The fact that Fortify analyzes source and Veracode analyzes class files is a fairly minor detail. It seems to me that would only be true for

Re: [SC-L] informIT: attack categories

2009-08-26 Thread ljknews
At 6:36 PM -0400 8/25/09, Steven M. Christey wrote: Gary, You said in the article: The next category of attacks to expect are attacks that target defects in design and architecture - which I call flaws. I think it's already happening. I think it has been happening for years. I use

Re: [SC-L] Inherently Secure Code?

2009-08-28 Thread ljknews
At 8:47 AM -0700 8/27/09, Benjamin Tomhave wrote: Should any sort of overflow really be allowed? It is not, except by management decision (in choosing an unsafe language). -- Larry Kilgallen

Re: [SC-L] Provably correct microkernel (seL4)

2009-10-02 Thread ljknews
At 4:33 PM -0500 10/1/09, Wall, Kevin wrote: Professor Gernot Heiser, the John Lions Chair in Computer Science in the School of Computer Science and Engineering and a senior principal researcher with NICTA, said for the first time a team had been able to prove with

Re: [SC-L] 2010 bug hits millions of Germans | World news | The Guardian

2010-01-07 Thread ljknews
At 10:43 AM -0600 1/7/10, Stephen Craig Evans wrote: I am VERY curious to learn how these happened... Only using the last digit of the year? Hard for me to believe. Maybe it's in a single API and somebody tried to be too clever with some bit-shifting. My wife says that in the lead-up to the

Re: [SC-L] 2010 bug hits millions of Germans | World news | The Guardian

2010-01-07 Thread ljknews
At 2:37 PM -0600 1/7/10, Wall, Kevin wrote: Larry Kilgallen wrote... At 10:43 AM -0600 1/7/10, Stephen Craig Evans wrote: I am VERY curious to learn how these happened... Only using the last digit of the year? Hard for me to believe. Maybe it's in a single API and somebody tried to be

Re: [SC-L] market for training CISSPs how to code (Matt, Parsons)

2010-03-18 Thread ljknews
At 7:36 PM +0200 3/18/10, AK wrote: Who says so, in the context of web applications? I can see it (somewhat) from a desktop application perspective, but how is this relevant in web apps? Why should standards for a web application be different than for a desktop application ? -- Larry

Re: [SC-L] SC-L Digest, Vol 6, Issue 56

2010-03-20 Thread ljknews
At 7:56 PM +0200 3/19/10, AK wrote: It is way easier for attackers to reverse engineer desktop applications than web applications. Assuming proper server configuration, it is next to impossible for an attacker to get the server side source code or compressed form (e.g WARs) for a web