
Training developers to write secure code

I’ve done an amount of training developers recently, and it seems like there are a number of different kinds of responses to my security message. [You can safely assume that there’s also something that’s wrong with the message and the messenger, but I...

Changing passwords on a service, part 3

It’s been quite some time since I wrote about changing passwords on a Windows service, and then provided a simple tool written in Visual Basic to propagate a password among several systems sharing the same account. I hinted at the time that this was...

Black Hat with Amazon.com–2011 Code Challenges I

As a part of my day job at Amazon, I get to spend time recruiting the brightest and the best of the world’s security professionals – especially those who are willing to move to Seattle, Virginia, Dublin or Bangalore. Every so often, we go out on the road...

Vulnerability Disclosure–Cheap, Fast, and Out of Control?

I’ve posted a few times before on vulnerability disclosure: Vulnerability in WFTPD Dealing in Vulnerabilities - Denying the Vendor Full Disclosure - how full is full? Sandi brings up the question of responsible disclosure. "Full Disclosure"...

More(*) LoadLibrary fun–ACROS Security

Way back in the days of Windows for Workgroups, we knew it was a dumb idea. Moving from being a Unix developer to being a Windows developer, I could tell it was a dumb idea. People inside of Microsoft knew it was a dumb idea. And yet, LoadLibrary still...

Sometimes It Seems Like Unix(*) Needs to Learn from Windows

(*) By “Unix”, I mean Linux, Unix, AIX, OS/X, and similar flavours. Way back when, about twenty or so years ago, I was a Unix admin, and a Unix developer. I had to be both, because I was the only person in the company who could spell Unix...

My MP3 player demands to administer my system

Thanks to the excellent http://www.woot.com, I upgraded to a new MP3 player - this one, the Sansa e250 from SanDisk, has a little screen and shows video at an almost completely unacceptably small resolution. But I don't mind that, I didn't really...

Retro-bundling - another suck of the Apple

I thought I was done blogging about Apple Software Update, having removed QuickTime from my system completely, and sworn never to install it again or watch another QT or MOV file. But nooo, someone had to spoil it by telling me what Apple Software Update...

Removing Apple Mobile Device Support

As mentioned before, I'm not a fan of Apple's, particularly because they tend to impose crap on me that I'm not interested in having. I've been trying to figure out how to remove iTunes, iPod and Apple Mobile Device Support on and off...

I didn't want iTunes - now I've got iPod, too?

So, in my last post "Can the EU get me QuickTime N?", I noted that my installation of QuickTime (because I had a .MOV file I want to see) led to Apple Software Update offering me "iTunes + QuickTime 7.5", despite my removing iTunes...

Can the EU get me QuickTime N?

So, a long time ago, in a continent not so far away, the European Union required Microsoft to ship a version of Windows without Media Player, called Windows XP N. Now, here's a follow-up to my previous articles: Programmer Hubris Part 1 - He's...

Why complain about UAC prompts?

Jesper's article in TechNet Magazine on the purpose and future of UAC in Windows Vista and beyond reminded me that there's a whole slew of behaviours more annoying than UAC's prompting (which, as Jesper points out, is only the most visible...

I'm still not that into Apple

Apple Updater showed me two new software updates the other day - "Quicktime" and "iTunes + QuickTime". Now, remember, I never installed iTunes, and went out of my way to install only QuickTime. I use QuickTime about once every six...

Alternate Data Streams in Windows Vista

Windows NT 3.1 was released ... oh, back in the early to mid '90s. Ever since then, I've been aware that it supported Alternate Data Streams, also known as ADS, or in some technical documents that didn't make it to final review, Alternative...

WIP: Principles of Secure Software Development

This is a work-in-progress, but I'd like your opinions on it: Principles of Secure Software Development You're not that good - someone will find a hole in your software. Find as many as you can, first. You're still not that good - you didn't find all...

Developers are users, too.

Jesper and Steve like to talk about "users just want to see the naked dancing pigs". What they mean is that when users have selected an action that they want to do, whether it's looking at a purported picture of a naked celebrity, or getting rich by...

Don't surf from your dev box either

I've always scoffed some at reports of vulnerabilities in Visual Studio. After all, how many ways is a developer likely to get attacked through Visual Studio? Through loading and executing malicious code - don't fetch code from people you don't trust...

I'm a developer - I don't do operations.

Okay, so there's a point that Larry has here, in referring to Dare's posts 1 and 2 - that operations and development are two separate skills. [Joe refers to it, too] I've suggested for a long time that developers should spend some time on technical...