
Thursday, January 11, 2007

Mixed links and commentary

Since I'm very occupied at the moment, I won't do a full post here, just some interesting links. I hope to get back to my normal schedule sometime next week:

Rift Widens Over Bug Disclosure - the discussion over bug disclosure continues.

Why blurring sensitive information is a bad idea - an added note: if you want to cover it with a solid color, make sure that you cover it 100%. Don't leave the edges of letters visible, because those too can be used for a similar attack (even more so if the font used isn't a fixed-width one, because then even the position of the characters reveals information).

A Cost Analysis of Windows Vista Content Protection - Peter Gutmann's paper, which made the rounds lately. I would be interested in an official rebuttal, because I'm sure that there are things which are blown out of proportion or are even untrue (for example, AFAIK there is no such thing as driver signature revocation. This was a big minus when MS first posted the guidelines for required driver signing, because people complained that even one compromised private key could lead to malware writers having no problems writing drivers). But all in all it paints a grim picture.

WikiFilter - an interesting project which lets you keep a local copy of Wikipedia. Wow, I didn't know that there is a public archive with all of its contents! (Via Puretechie)

I probably mentioned this earlier (if not, I'm doing it now): some videos of the 23rd CCC convention are posted on Google Video (probably all of them will be posted at some point). My favorite one is the Hacker Jeopardy. On the same note: the videos from Black Hat are available too.

The latest round of MS updates is out. Fortunately these don't seem to require a reboot. It is interesting though that a vulnerability was patched in the VML parser. Again.

BITS, a dangerous proxy? - Old things are new again! This issue has been known for a while, and AFAIK you have to have elevated privileges to use it. And if you already have elevated privileges (like power user), what's the point? Moreover, if you have an on-access AV, it will pick up on these files too. So there is really no point to this post, even more so when they are trying to present it as new research by not providing links to any previous discussions.

A new code editor for Windows: Intype. I will have to check it out, but for now I'm using Notepad2 when I'm on Windows. One of its big advantages is that it doesn't require installation.

You Use IE, Why Worry About Skype? - a great, great post about how perception clouds the real issues in computer security.

An old (but still very interesting) post from MS security guru Larry Osterman: What's wrong with this code, part 11 and the solution. Reactions: it's incredible that this sort of thing exists in Windows, but at least it's documented. Then again, who reads all the documentation? Your options are: read the documentation of the APIs you are using carefully, or use a wrapper framework and hope that the makers of the framework read the documentation.

15 Risks of Blogging

Last week it was Linux week at Lifehacker:

The Adobe Reader flaw is also rather old news (in security terms). You could use Foxit Reader instead; however, reportedly this too has some problems (no confirmed exploit at this moment though, only a silent crash). Andy asks why the companies are including every feature instead of providing it as a (free) add-on. As a software vendor, my thoughts on this would be: if I don't provide all the features at once, it can be a real pain in the lower end: if the client wants to use the specified feature, s/he must take additional actions the first time. S/he might not have the proper privileges to do this (for example in a corporate environment). This results in additional help-desk time. If I (the software vendor) want to make the new feature useful, I already have to battle the fact that there are clients who don't update to the latest version. Do I need an additional headache worrying about different possible setups of my application?

The Line Between Clarity and Chaos: An Interview with Barry Schwartz - very nice interview.

A great article about the top 10 objections management might have to introducing Web 2.0 tools (wikis, for example) in the enterprise, with a great response to each of the points. A must-read if you want to introduce such tools, so that you can be prepared to answer questions.

1 comment:

  1. Thank you for linking to my "15 Risks of Blogging" post.

    It seems that lists pull high traffic numbers to a post, if the list is numbered and relevant or controversial. Many blogologists concur.

    Will be reading this blog and glad to have discovered it.