Insecure vs. Unsecured

A high school classmate of mine recently posted on Facebook: Message just popped up on my screen from Microsoft, I guess. “This site has insecure content.” Really? Is the content not feeling good about itself, or, perchance, did they mean “unsecured?” What the ever-lovin’ ****? I was intrigued, because it was an ambiguous message and…

Hacking Windows with Phones… I don’t get it.

Over the weekend, Engadget and CNet ran a story discussing what was described as a new and novel attack using Android smartphones to attack PCs.  Apparently someone took an Android smartphone and modified the phone to emulate a USB keyboard. When the Android phone was plugged into Windows, Windows thought it was a keyboard and…

Microsoft Office team deploys botnet for security research

Even though it’s posted on April 1st, this is actually not an April Fools prank. It turns out that the Office team runs a “botnet” internally that’s dedicated to file fuzzing.  Basically they have a tool that’s run on a bunch of machines that runs file fuzzing jobs in their spare time.  This really isn’t…

NextGenHacker101 owes me a new monitor

Because I just got soda all over my current one… One of the funniest things I’ve seen in a while. And yes, I know that I’m being cruel here and I shouldn’t make fun of the kid’s ignorance, but he is SO proud of his new discovery and is so wrong in his interpretation…

Why are they called “giblets” anyway?

Five years ago, I attended one of the initial security training courses as a part of the XP SP2 effort.  I wrote this up in one of my very first posts entitled “Remember the giblets” and followed it up last year with “The Trouble with Giblets”.  I use the term “giblets” a lot but I’d…

Good News! strlen isn’t a banned API after all.

We were doing some code reviews on the new Win7 SDK samples the other day and one of the code reviewers noticed that the code used wcslen to compute the length of a string. He pointed out that the SDL Banned API page calls out strlen/wcslen as being banned APIs: For critical functions, such as…

Chrome is fixing the file download bug…

I just noticed that Ryan Naraine has written that Google’s fixed the file download bug in Chrome.  This is awesome, but there’s one aspect of the fix that concerns me. According to the changelog: This CL adds prompting for dangerous types of files (executable) when they are automatically downloaded. When I read this, my first…

What makes a bug a security bug?

In my last post, I mentioned that security bugs were different from other bugs. Daniel Prochnow asked: What is the difference between bug and vulnerability? In my point of view, in a production environment, every bug that may lead to a loss event (CID, image, $) must be considered a security incident. What do you…

Linus Torvalds is “Fed up with the ‘security circus’”

There’s been a lot of discussion on the intertubes about some comments that Linus Torvalds, the creator of Linux, has made about security vulnerabilities and disclosure. Not surprisingly, there’s been a fair amount of discussion amongst the various MSFT security folks about his comments and about the comments about his comments (are those meta-comments?). The…

More proof that crypto should be left to the experts

Apparently two years ago, someone ran a static analysis tool named “Valgrind” against the source code to OpenSSL in the Debian Linux distribution. The Valgrind tool reported an issue with the OpenSSL package distributed by Debian, so the Debian team decided that they needed to fix this “security bug”. Unfortunately, the solution they chose…