-
Modeling Threats Part3
So I owe you guys one more post. It's my description of the final phase of threat modeling.
Measurement
What I was taught was that measurement is a phase that you can skip (it's not THAT important), and from a security perspective I would agree. But from a perspective of pleasing the managers above you, I would say that this is extremely important.
In the last article, I mentioned quantifying the vulnerability (so you can say “this is a 60 vulnerability“). I forgot to mention 1 more thing. You should note how much you think the fix (or the method of coding + testing in an...
-
DonXML points out some VB vs. C# issues...
First, if you don't regularly read Don's blog, go here (I'll wait for you.... <whistling /> Are you done yet? no? <whistling some=”more” /> Now? Good!
First of all, great post Don! You managed to point out the issue without bashing and actually got the right issue. After I embraced VB.Net (meaning after I used it), I began to realize that MS had dumbed down the language in a couple places to protect the Jr. level VB programmer that is prevalent within the community. The more I look at this stuff I really wish they had created 2 languages: VB.Net and what...
-
Much Sadness...
[I know that I still owe all of you (and myself) one more post on Threat Modeling; I've been fighting comment spam a lot lately! It seems every time I go to blog... I'm dealing with spam and run out of time to blog].
Carl has corrected me. How did I miss the links on the right! Woohoo! I can get my weekly supply of zaniness from Carl, Rory, and the rest of the team. Go ahead and move on down to the blog mint....
I'm mourning the demise of something in my life -- Google Weirdos, Ask Rory, the Weird Wide...
-
This content spam is killing me!
I'm about to take matters into my own hands. I'm so sick of these content spammers! I'm tempted to drift to the other side of the law. I understand why some people go rogue and start hacking spammers on the net.
I'm really tempted to mount a DoS attack against some of these content spammers (DoS = Denial of Service... effectively I would shut them down). Maybe we could create a peer-to-peer service where we would all mount attacks against spammers like this (by committee of course).
I'm just kidding, but this crap is getting old!
With...
-
I'm moving to MS!
After almost a week of being here in Seattle, I'm considering selling my home and moving here. Don't worry Hugh (that would be my supervisor who reads my blog), I'm just joking. Everything is free here in building 20. Free soda, free ice cream snacks, free popcorn, free meals (I've yet to pay for a meal), free broadband, and free X-Box gaming. I'm thinking of moving my entire family to Microsoft. We'll have to become nocturnal, but I think we can do that.
You might think that I'm considering applying for a job in Redmond. But why do that? I just need...
-
Connection strings, encryption, and security
I want to respond back to d.code's post (at least to throw more info on the fire)
d. I love you to death, man!
Let me ask a couple questions. How big is your key? Because even if I can't get it, I may still be able to get to the connection string, even though it is encrypted, through brute force or some other method. To date, Rijndael has proved to be a very powerful encryption engine. Someday someone is going to figure out how to crack it quickly ("quickly" being a relative term... "quickly" could mean quicker than 100 years). ...
-
Modeling Threats Part2
[This is part 2 in a series of 3 posts]
Before I get started I wanted to respond to a comment from d.cod about storing connection strings. d.cod (who is a friend and co-worker) says that he is offended that I would say that you shouldn't save the encrypted connection string in the web.config... isn't it safe now that I have encrypted it? The answer to the question is “maybe.” Here's the deal: encrypting a string makes it harder for an attacker to read once he has it (but not impossible). By sticking this string in your web.config (which is in the...
-
Modeling Threats
OK, I'm at this conference where I'm under NDA. I'm not going to talk about the conference, but I am going to talk about a few things I'm learning (the concepts). BTW, I believe that there is stuff here that every programmer should read, especially VB people who are struggling with OOP.
One of my passions in programming is security. I've seen way too many things (the proper security term is exploits). You need to understand exploits. Here's just a couple of them (just so you know): SQL Injection, Cross site scripting, etc. If you want a decent understanding of exploits, go look up...
-
Security Summit update...
This is the one and only update I'll be giving on the security summit. One of the first things I learned is that the summit is covered by NDA, so guess what? That means that I can't talk about it at all...
I would do something cutesy here like Rory did before the Channel9 launch, but why bother (my art skills aren't that astounding).
I can say that I've started playing with least privilege and am attempting to take away my admin access on my laptop and try to use it. Aaron Margosis' blog is a big help (he also has a...
-
Where in the world is Jay??
I haven't blogged as much for a couple reasons. Mainly, I have been fighting content spam and have been trying to do less blogging while I'm at work. While I suspect that my immediate supervisor wouldn't have that much of a problem with it as long as I'm delivering stuff on time and am not blogging too much, his supervisors probably would take a dimmer view of it (it's a very old school place at times).
Anyway, I'm in my hotel in Seattle right now. It's about 6:40 local time. I will be attending an MS Security Summit (the partner one if you're...
-
Content Spam is killing me!
I've been fighting content spam for a couple days now. I reported one spammer to Interland (he was easy to trace back). Now there is a spammer coming through gandi.net in France which appears to be a redirection service (they have messages stating that if someone is spamming you from our address go away because we didn't do it... go find their real ISP). I looked up the IP address and I was able to trace the IP to RIPE.net in Amsterdam. When I started sniffing around on ripe.net I discovered that they were a subsidiary of gandi.net. They do...
-
MS Security Summit...
Dear Readers,
I lucked out and am attending an MS Security Summit. I say “lucked out” because someone from my company was unable to attend it, and so I was selected. I'm hoping to blog about the conference. It's next week in Redmond on the main campus of Microsoft (I think).
1) Anyone want to hook up for a Nerd Dinner? I would really like to take part in one!
2) I would love to look up some of my buddies at MS (which almost equals 1 person). Scoble, if you're reading this I would love to meet you! Obviously, Rory and Jim Blizzard if you've got the time...
-
Deja Vu all over again...
I just wanted to add a little levity to the US election [cause this is the only piece of levity I can find from all of this].
My good friend Dave was living here in Florida during the 2000 election when Florida had all those problems. Now Dave lives in Ohio (where the center of attention now is for the 2004 election). Coincidence? I think not. I think Dave is a Republican agent wreaking destruction on whatever state he lives in (of course it could be his wife <grin />... although I have yet to determine whether she or her...