Browse by Tags


firefoxURL:%03

Part 3 - and I promise that's the lot for now, because it's starting to look like I'm obsessed or something. Over the past week or so, you've read me talking about vulnerabilities in Firefox's protocol handlers, and how my perception...

firefoxurl: URL vulnerability

Heard about the firefoxurl vulnerability? It turns out that you can exploit Firefox by having Internet Explorer visit a link to a URL that starts with "firefoxurl:" (and a bunch of other code). [Assuming you have Firefox on your computer along...

WIP: Principles of Secure Software Development

This is a work-in-progress, but I'd like your opinions on it: Principles of Secure Software Development You're not that good - someone will find a hole in your software. Find as many as you can, first. You're still not that good - you didn't find all...

ScreenSaverGracePeriod - how fast can you cross a training room?

We're faced with an issue where presenters are losing their train of thought mid presentation because their slides are covered up by the screensaver - this would not be a significant problem, except that by the time they get back to wiggle the mouse,...

Trying to deploy an Outlook add-in

Even us grizzled security professionals occasionally have to give up when faced with a pile of security so incomprehensibly bizarre as to make life seem impossible. Recently, a member of our Security Council asked the simple question "instead of having...

Developers still don't get it.

I'm perplexed by a statement made by one of the commenters on a recent Michael Howard blog posting. Why would you NOT run [Visual Studio] as an administrator at all times? As a developer, I spend enough time on my own work. I don't need to be spending...

Developers are users, too.

Jesper and Steve like to talk about "users just want to see the naked dancing pigs". What they mean is that when users have selected an action that they want to do, whether it's looking at a purported picture of a naked celebrity, or getting rich by...

McAfee wants to modify your kernel

Much press has been made lately about the complaints by McAfee and Symantec that they have been locked out of modifying the Windows Vista x64 kernel through the closure of undocumented back-doors that they used to use. (Sadly, none of what either company...

"Steam will save the world"

I was reminded last night, that there are always going to be some constructs that your static analysis tools won't save you from. [A point made by Microsoft's Michael Howard, in his blog and in his new book on the Secure Development LifeStyle... er.....

Is a denial-of-service a vulnerability?

I always like to ask questions that make everyone answer immediately with what they are sure is the right answer, and then tell them that they haven't thought it through. The title of this post is one such question. The answer is "yes", right? Sometimes...

Making secure programming hard through bad documentation.

I ran into a little confusion when tracking down a bug in one of my programs today. Direct quote from the sscanf_s formatting fields documentation (as of the time of posting, maybe it'll be corrected soon): "The secure versions (those with the _s suffix...

You can lead a horse to water, but you can't make him think. Part 2.

In the interests of balance to my last post, maybe I should tell a story about a Microsoft developer not getting it, either. When I was working for Microsoft, I was sent on a day-long mandatory course to hear, from Michael Howard himself, how to do secure...