Images for Threat Modelling Post

Recently I’ve had several folks ask me for the images for my Threat Modelling Post, which have disappeared due to various back-end changes over the years. The first few times I just e-mailed the Visio diagram, but more people are asking so I updated the post with the images.


Updating Firefox as non-admin

Firefox, like all web browsers, needs to be regularly updated to keep up with security patches. Version 1.5 has an auto-update feature built-in, but unfortunately if you’re not running as a local Administrator (at least in Windows), it doesn’t work. In one way, this is no different than Windows Update; if you go to…


When facts get in the way of a good argument

I’ve wanted to write this blog for a long time, but never gotten around to it. It’s a very simple observation, but one that too many people fail to make. Maybe something will come of it 🙂 Oftentimes you will see something like the following on a web news site: Headline: New security bug found…


Why not use hashes for the Anti-Phishing Filter?

Several people have asked why Internet Explorer 7 will send “real” URLs instead of hashes to the AP (Anti-Phishing) server. That’s a good question, and I know it’s a good question because it’s the same thing just about everybody at Microsoft (including me) says the first time they hear about the feature :-). Nevertheless, a…


Blindly trusting detection tools

Imagine I have a house cleaner that comes in once a week to clean the house. After a while I start to notice that my house smells “fishy”, but my house cleaner has just the ticket — the all-new FishBeGone (TM) cleaner & fragrance that gets rid of fishy smells for up to seven days…


What is Microsoft doing for security?

A recent comment on the IE Blog made it pretty apparent that not everybody is aware of Microsoft’s efforts around security. Michael Howard has mentioned the Security Development Lifecycle before, but in case you don’t want to read the entire document on MSDN, here’s a quick introduction on the basics of what happens: Training People…



As most of my friends know, I’m a pretty jumpy person. And, of course, most of those same friends like to exploit that fact for their own amusement from time to time (thanks to Jeff for almost running me over the other day). The fact that I lose 5 years of my life every time…


IE Blog

For those of you who haven’t already heard, the IE team has a blog and recently they’ve started to talk about some of the cool features to be found in IE 7 Beta 1 (or planned for RTM). I’ve been working pretty closely with the IE team for some time now, but the nature of…


The Evil Problem

Over on the IE Blog, a commenter made a very good point — why is it that IE flags scripts as “potentially bad”? That’s very confusing to the average user, and they have no way of knowing whether or not the script really is bad or not (and therefore whether they should enable it or…


Malicious vs Spoofed Servers

Curious Caroline writes: Dear Peter, I have a friend who was talking to a security tester the other day, and apparently the tester said that having a “malicious server” is different than having a “spoofed” server. How is that so? My friend would really like to know, so I told her I’d ask you….