Search

You searched for the word(s): userid:2112
Page 1 of 48 (480 items)
  • Microsoft’s (new!) SDL Threat Modeling Tool 2014

    Amid almost no fanfare whatsoever, Microsoft yesterday released a tool I’ve been begging them for over the last five or six years. [This is not unusual for me to be so persistently demanding, as I’ve found it’s often the only way to get what I want.] As you’ve guessed from the title, this tool is the “SDL Threat Modeling Tool 2014”. Sexy name, indeed. Don’t they already have one of those? Well, yeah, kind of. There’s the TAM Threat Analysis & Modeling Tool, which is looking quite creaky with
    Posted to Tales from the Crypto (Weblog) by Alun Jones on Tue, Apr 15 2014
    Filed under: General Security, Programmer Hubris, Things I Learned At Microsoft
  • Ways you haven’t stopped my XSS, Number 2–backslash doesn’t encode quotes in HTML attributes

    Last time in this series, I posted an example where XSS was possible because a site’s developer is unaware of the implications that his JavaScript is hosted inside of HTML. This is sort of the opposite of that, noting that time-worn JavaScript (and C, Java, C++, C#, etc) methods don’t always apply to HTML.
    The XSS mantra for HTML attributes
    I teach that XSS is prevented absolutely by appropriate contextual encoding of user data on its way out of your application and into the page. The context dictates
    Posted to Tales from the Crypto (Weblog) by Alun Jones on Fri, Mar 7 2014
    Filed under: General Security, Programmer Hubris, XSS
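    The point in the title, worked through as an added example (this is not code from the original post; the helper names backslashEscape, htmlAttrEncode, attributeValueEnd and inputStaysInsideAttribute are invented for illustration, and the attack string is constructed): a double-quoted HTML attribute ends at the first " the HTML tokenizer meets, and a backslash in front of it is just another character, so the JavaScript-style escape leaves the attribute wide open while a character reference does not.

```javascript
// Added example (not from the original post): why backslash-escaping does not
// protect a double-quoted HTML attribute, and what does. Helper names here are
// illustrative, not an API from any library.

// The JavaScript/C-family habit: escape quotes and backslashes with a backslash.
function backslashEscape(s) {
  return s.replace(/\\/g, "\\\\").replace(/"/g, '\\"');
}

// HTML attribute encoding: every character that can end or change the meaning
// of a quoted attribute value becomes a character reference. '&' is encoded
// too, so the browser's later decoding of references cannot produce a quote.
function htmlAttrEncode(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Mimics the HTML tokenizer's "attribute value (double-quoted) state": the
// value runs until the next '"', backslash or not. Returns the index of that
// quote in `tail` (the text after the opening quote), or -1 if there is none.
function attributeValueEnd(tail) {
  return tail.indexOf('"');
}

// The template a page might use: <input type="text" value="[user input]">
function buildInputTag(encoder, userInput) {
  return '<input type="text" value="' + encoder(userInput) + '">';
}

// Does the user's input stay inside the value attribute, or does part of it
// become new attributes (onmouseover=...) on the tag? Tokenize from just after
// the opening quote and compare what the browser sees as the value with what
// the encoder emitted.
function inputStaysInsideAttribute(encoder, userInput) {
  const tag = buildInputTag(encoder, userInput);
  const start = tag.indexOf('value="') + 'value="'.length;
  const end = attributeValueEnd(tag.slice(start));
  if (end < 0) return false; // no closing quote at all: the tag itself is broken
  return tag.slice(start, start + end) === encoder(userInput);
}

// Constructed attack string: close the value attribute, then add an event handler.
const attributePayload = '" onmouseover="alert(document.cookie)';

console.log("no encoding      :", inputStaysInsideAttribute((s) => s, attributePayload));       // false
console.log("backslash escape :", inputStaysInsideAttribute(backslashEscape, attributePayload)); // false
console.log("HTML attr encode :", inputStaysInsideAttribute(htmlAttrEncode, attributePayload));  // true
```

    One caveat the check above assumes away: the template must actually put quotes around the attribute. In an unquoted attribute (value=[user input]) a space ends the value, so encoding the quote characters alone still lets the attacker add onmouseover=... after a space; always quote the attribute and encode for that quoting.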
  • Apple’s “goto fail” SSL issue–how do you avoid it?

    Context – Apple releases security fix; everyone sees what they fixed
    Last week, Apple released a security update for iOS, indicating that the vulnerability being fixed is one that allows SSL / TLS connections to continue even though the server should not be authenticated. This is how they described it: Impact: An attacker with a privileged network position may capture or modify data in sessions protected by SSL/TLS Description: Secure Transport failed to validate the authenticity of the connection
    Posted to Tales from the Crypto (Weblog) by Alun Jones on Wed, Feb 26 2014
    Filed under: General Security, Programmer Hubris, Why is PKI so hard?, Alun's code, I love / hate my iPad
  • Surface 2 –VPN bug disables Metro Internet Explorer

    Update - FIXED
    Since I wrote this article, another issue caused me to reset my WMI database, by deleting everything under C:\Windows\System32\wbem\Repository and rebooting. After that, the VPN issues documented in this article have gone away.
    Original article
    I have a home VPN – everyone should, because it makes for securable access to your home systems when you are out and about, whether it’s at the Starbucks down the street, or half way across the world, like I was on my trip to China
    Posted to Tales from the Crypto (Weblog) by Alun Jones on Wed, Jan 29 2014
    Filed under: General Security, TCP/IP, Windows 8, Surface
  • Deploying on the road…

    Now that I have a Surface 2, I’m going to leave my laptop at home when I travel. This leaves me with a concern – obviously, I’m going to play with some of my hobby software development while I have “down time”, but the devices for which I’m building are traveling with me, while the dev machine stays at home. That’s OK where I’m building for the laptop, because it’s available by Remote Desktop through a Remote Desktop Gateway. Deploying to my other devices – the Windows Phone and the Surface 2 running
    Posted to Tales from the Crypto (Weblog) by Alun Jones on Fri, Jan 17 2014
    Filed under: Miscellany - not security, Alun's code, Windows Phone 8, Windows 8, Surface
  • Thoughts on a New Year

    It’s about this time of year that I think… Why do reporters talk so much about NSA spying and Advanced Persistent Threats, when half the websites in existence will cough up cookies if you search for "-alert(document.cookie)-" ? How can we expect people to write secure code when: they don’t know what it is? they can’t recognise insecure code? it’s easier (more clicks, more thinks, etc) to write insecure code? What does it take for a developer to get: fired? a bad performance review? just
    Posted to Tales from the Crypto (Weblog) by Alun Jones on Wed, Jan 1 2014
    Filed under: Programmer Hubris, Miscellany - not security, Security Awareness
  • Error 860 in Windows 8.1 / Surface VPN

    It should be easy enough to set up a VPN in Windows, and everything should work well, because Microsoft has been doing these sorts of things for some years. Sure enough, if you open up the Charms bar, choose Settings, Change PC Settings, and finally Network, you’re brought to this screen, with a nice big friendly button to add a VPN connection. Tapping on it leads me to the following screen: No problems, I’ve already got these settings ready to go. Probably not the best to name my VPN settings “New
    Posted to Tales from the Crypto (Weblog) by Alun Jones on Tue, Dec 24 2013
    Filed under: General Security, TCP/IP, Windows 8, Surface
  • For Surfaces rendered

    I often thought I'd like to have a career in 3D animation, solely so I could send out invoices with the title of this blog post as their content. It seems a little late for me to choose that career, so I'll have to use that title for a blog posting about my Surface, now that I am three weeks in to using it. There's no secret (or if there is, it's poorly hidden) to the fact that MVPs visiting Redmond for the MVP Summit this year received a pretty sweet deal on a 32GB Surface 2 and
    Posted to Tales from the Crypto (Weblog) by Alun Jones on Sun, Dec 8 2013
    Filed under: Miscellany - not security, What my wife knows, I love / hate my iPad, Windows 8, Surface
  • Ways you haven’t stopped my XSS–Number 1, JavaScript Strings

    I saw this again today. I tried smiling, but could only manage a weak grin. You think you’ve defeated my XSS attack. How did you do that?
    Encoding or back-slash quoting the back-slash and quote characters in JavaScript strings
    Sure, I can no longer turn this: <script>s_prop0="[user-input here]";</script> into this, by providing user input that consists of ";nefarious();// : <script>s_prop0="";nefarious();//";</script> Instead
    Posted to Tales from the Crypto (Weblog) by Alun Jones on Tue, Nov 12 2013
    Filed under: Programmer Hubris, XSS
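    The situation in this excerpt, carried one step further as an added example (not code from the original post; the helper names jsBackslashEscape, jsStringEncode, renderScript, scriptBodyAsBrowserSeesIt and inputStaysInsideStringLiteral are invented for illustration, and both attack strings are constructed): backslash-quoting the quote and backslash characters does stop ";nefarious();//, but the HTML parser, not the JavaScript engine, decides where the <script> element ends, so input containing </script> still escapes. Encoding every non-alphanumeric character as a \xHH escape removes both the quote and the < and / that spell </script>.

```javascript
// Added example (not from the original post): backslash-escaping a JavaScript
// string that lives inside HTML, versus contextual JS-string encoding. Helper
// names here are illustrative, not an API from any library.

// The defence from the post: back-slash quote the backslash and the quote.
function jsBackslashEscape(s) {
  return s.replace(/\\/g, "\\\\").replace(/"/g, '\\"');
}

// Contextual encoding for a JS string literal embedded in HTML: everything
// outside [A-Za-z0-9] becomes \xHH or \uHHHH, so the output contains neither a
// quote nor the '<' and '/' the HTML parser needs to see "</script>".
function jsStringEncode(s) {
  let out = "";
  for (const ch of s) {
    if (/^[A-Za-z0-9]$/.test(ch)) { out += ch; continue; }
    const cp = ch.codePointAt(0);
    if (cp < 0x100) out += "\\x" + cp.toString(16).padStart(2, "0");
    else if (cp < 0x10000) out += "\\u" + cp.toString(16).padStart(4, "0");
    else out += "\\u{" + cp.toString(16) + "}";
  }
  return out;
}

// The template from the post: <script>s_prop0="[user-input here]";</script>
function renderScript(encoder, userInput) {
  return '<script>s_prop0="' + encoder(userInput) + '";</script>';
}

// Mimics the HTML tokenizer's script data state: the element ends at the first
// "</script" (case-insensitive) followed by whitespace, '/' or '>', whatever
// the JavaScript around it looks like. Returns the source the engine gets.
function scriptBodyAsBrowserSeesIt(html) {
  const open = html.indexOf("<script>") + "<script>".length;
  const rest = html.slice(open);
  const close = rest.search(/<\/script[\s\/>]/i);
  return close < 0 ? rest : rest.slice(0, close);
}

// Does the user's input stay inside the string literal? First the HTML parser
// must hand the engine the whole template, then the literal must contain no
// quote that is not preceded by an odd run of backslashes.
function inputStaysInsideStringLiteral(encoder, userInput) {
  const encoded = encoder(userInput);
  const body = scriptBodyAsBrowserSeesIt(renderScript(encoder, userInput));
  if (body !== 's_prop0="' + encoded + '";') return false; // element ended early
  return !/(^|[^\\])(\\\\)*"/.test(encoded);
}

// Constructed attacks: the one from the post, and the one that ignores the
// string entirely and ends the <script> element itself.
const stringAttack = '";nefarious();//';
const elementAttack = '</script><script>nefarious()</script>';

for (const [name, enc] of [["none", (s) => s], ["backslash", jsBackslashEscape], ["\\xHH", jsStringEncode]]) {
  console.log(name.padEnd(9), "string attack:", inputStaysInsideStringLiteral(enc, stringAttack),
              " element attack:", inputStaysInsideStringLiteral(enc, elementAttack));
}
// none      string attack: false  element attack: false
// backslash string attack: true   element attack: false
// \xHH      string attack: true   element attack: true
```

    The order of the two checks matters: the HTML tokenizer runs first and has no idea it is inside a JavaScript string, which is why a fix applied only at the JavaScript layer can never be complete.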
  • There is no such thing as “small sample code”

    Every few months, something encourages me to make the tweet that:
    There is no such thing as “small sample code”, every sample you publish is an SDK of its own
    OK, so the choice of calling these “SDKs” is rooted in my Microsoft dev background, where “sample code” didn’t need documentation or bug tracking, whereas an SDK does. You can adjust the terminology to suit. The basic point here is to remind you that you do not get to abrogate all responsibility by saying “this is sample code, you will need
    Posted to Tales from the Crypto (Weblog) by Alun Jones on Mon, Nov 11 2013
    Filed under: General Security, Programmer Hubris