Montreal blog on Internet Security Software: Blog

Binary vulnerabilities and Exploit Writing

Tue, 10 Jun 2008 19:02:45 GMT

I've been writing assembly all day at the recon 2008 security conference with Gerardo 'gera' Richarte.

This is really really really fun. Hands on buffer overflows and exploits using OllyDbg....

http://recon.cx/2008/training2.html

http://www.superconfigure.com/home.html

Fri, 06 Jun 2008 18:37:42 GMT

I wrote a small Windows (XP & Vista) reset & harden like tool, check it out: http://www.superconfigure.com/home.html

Windows Vista

Fri, 06 Jun 2008 14:46:04 GMT

Top Security Features in Windows Vista

http://technet.microsoft.com/en-us/magazine/cc546565.aspx

User Account Control

Internet Explorer Protected Mode

Standard User Support

BitLocker Drive Encryption

Windows Resource Protection

Services Hardening

Advanced Firewall

Windows Vista SP1 UAC improvements

http://edge.technet.com/Media/Windows-Vista-SP1-UAC-improvements/

MSFT Live Mesh Beta..wtf?!

Wed, 28 May 2008 13:47:04 GMT

Oh come on..I can't upload a folder, I gotta do it file by file ?!

Thanks live mesh, but I'll stick with jungle disk for now....

phishing email collection...

Wed, 28 May 2008 13:16:24 GMT

"If you have found this site by searching for an email address or information contained in an email sent to you and you have sent money to the person who sent you that email please..."

interesting site, seems to be a collection of phishing emails..: http://www.scamwarning.org/

Maybe I'll 'email' them and get something funny up there;-)

Are these actual, free MP3's on the net?

Tue, 27 May 2008 13:18:15 GMT

http://muxfind.com/

10 years and 499,999 servers later...

Tue, 20 May 2008 13:51:00 GMT

This old picture from google labs circa 1999..

http://www.codinghorror.com/blog/archives/000305.html

Setting privileges on a specific thread

Tue, 13 May 2008 16:33:49 GMT

If you've ever needed to set privileges to a specific thread Id only, and not an entire process, you may of visited quite a few MSDN web pages trying to figure out exactly how to achieve this.

Here is a function that does this, call it using a format such as:

AddThreadPriv(GetCurrentThreadId(), SE_BACKUP_NAME);

AddThreadPriv(const DWORD in_tid, const std::string& in_rstrPrivilegeName)
{
ImpersonateSelf(SECURITY_MAX_IMPERSONATION_LEVEL);

HANDLE h = OpenThread( TOKEN_ALL_ACCESS, FALSE, in_tid);

HANDLE hToken = NULL;

if(h)
OpenThreadToken(h, TOKEN_ALL_ACCESS, TRUE, &hToken);

if( hToken )
{
TOKEN_PRIVILEGES tpNew = { 1 };
tpNew.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

  if( ::LookupPrivilegeValue( NULL, in_rstrPrivilegeName.c_str(), &tpNew.Privileges[0].Luid ) )
  {
   VERIFY( ::AdjustTokenPrivileges( hToken, FALSE, &tpNew, 0, NULL, NULL ) );

CLOSEHANDLE(h);
CLOSEHANDLE(hToken);

return (ERROR_SUCCESS == GetLastError());
}
}

CLOSEHANDLE(h);
return false;
}

Trying to locate the proper documentation shouldn't be this difficult, certainly not for a company that size.

IPv6 is good for business, and will flush out unmaintained crapware

Sat, 10 May 2008 15:17:11 GMT

Ipv4 will be out of addresses sooner than most people realize.

This will probably occur within 24 months, and will likely cement Vista as the desktop os replacement for Xp, since its stack has IPv6 out-of-the-box.

The good news is that this will weed out the smaller software products who do not have the man-power to upgrade their existing applications to this newer reality.

We may even see well established products lag behind because they may be dealing with too much legacy Ipv4 code.

Time will tell...

What Will Microsoft Do With Credentica?

Tue, 06 May 2008 18:29:51 GMT

Written by Bernard Lunn / May 3, 2008

http://www.readwriteweb.com/archives/what_will_microsoft_do_with_credentica.php

The Race to Zero

Mon, 05 May 2008 13:36:10 GMT

The Race to Zero contest is being held during Defcon 16 at the Riviera Hotel in Las Vegas, 8-10 August 2008.

The event involves contestants being given a sample set of viruses and malcode to modify and upload through the contest portal. The portal passes the modified samples through a number of antivirus engines and determines if the sample is a known threat. The first team or individual to pass their sample past all antivirus engines undetected wins that round. Each round increases in complexity as the contest progresses.

http://www.racetozero.net/index.html

Bjarne Stroustrup on the Evolution of Languages

Wed, 30 Apr 2008 17:49:35 GMT

http://msdn.microsoft.com/en-us/magazine/cc500572.aspx

twitter

Mon, 28 Apr 2008 14:44:23 GMT

follow 0utlaw at http://twitter.com

Encrypt Anything: 50 Ways to Secure ALL Your Data, Regardless of Medium

Wed, 23 Apr 2008 14:09:44 GMT

http://www.businesscreditcards.com/bootstrapper/encrypt-anything-50-ways-to-secure-all-your-data-regardless-of-medium/

Speed up that old system

Mon, 21 Apr 2008 13:12:22 GMT

Is your dev machine running slower due to the increased number of software pieces tacked on over the years?

Clean up your registry, remove duplicate files, and then defrag the drive for that new-car smell.

Here are three free utilities to do just that:

Eusing Free Registry Cleaner

http://www.pcworld.com/downloads/file/fid,64953-page,1-c,systemresourcestuneup/description.html

DoubleKiller

http://www.bigbangenterprises.de/en/doublekiller/

Defraggler

http://www.defraggler.com/

I actually hit an XP Home Limitation

Fri, 18 Apr 2008 14:41:00 GMT

I think this is a first for me. I do not think I've ever had to choose one flavor of an OS over an other because of a feature set.

I'm configuring some of my home LAN and set up remote desktop on the machines so I can log onto each one from my laptop.

Except for one.

You can't remote desktop to an XP Home edition.

So I installed something I haven't used in forever, vncviewer. It works OK, but IFF you lock the computer running the vnc server, you can't connect to it; something which is not a limitation using remote desktop.

Microsoft has released Microsoft Security Development Lifecycle, version 3.2

Tue, 15 Apr 2008 02:58:53 GMT

Microsoft has released Microsoft Security Development Lifecycle, version 3.2

Tons of great recommendations for your development team, to better your software product, such as

Code priority definitions are provided in the following list:

· Pri1 code is considered the most sensitive from a security standpoint. The following examples of Pri1 code are not necessarily a definitive list:

· All Internet- or network-facing code

· Code in the Trusted Computing Base (TCB) (for example, kernel or SYSTEM code)

· Code running as administrator or Local System

· Code running as an elevated user (including LocalService and NetworkService)

· Features with a history of vulnerability, regardless of version

· Any code that handles secret data, such as encryption keys and passwords

· Any unverifiable managed code (any code that the standard PEVerify.exe tool reports as not verified)

· All code supporting functionality exposed on the maximum attack surface

· Pri2 is optionally installed code that runs with user privilege, or code that is installed by default that does not meet the Pri1 criteria.

· Pri3 is rarely used code and setup code. (Setup code that handles secret data, such as encryption keys and passwords, is always considered Pri1 code.)

· Any code or component that has experienced large numbers of security bugs is considered Pri1 code, even if it would otherwise be considered Pri2 or Pri3. Although the definition of large numbers is subjective, it is important to scrutinize carefully the portions of code that contain the most security bugs.

Here's a table of recommended settings compiler/linker settings for unmanaged code.

Win32 Requirements: Unmanaged Code

Table G.1. Win32 Requirements: Unmanaged Code

Compiler/ tool	Minimum required version and switches/options	Optimal/ recommended version and switches/options	Comments
C/C++ Compiler	Microsoft® Visual Studio® .NET 2005
cl.exe	Version 14.0.50727.42 Use /GS	Use /GS
Link.exe	Version 8.0.50727.42 Use /SAFESEH Use /NXCOMPAT and don’t use /NXCOMPAT:NO. See "Appendix F: SDL Requirement: No Executable Pages" for more information.	Use /SAFESEH Use /functionpadmin:5 Use /DYNAMICBASE	Visual Studio 2005 SP1 is needed for /DYNAMICBASE
MIDL.exe	Version 6.0.366.1 Use /robust	Use /robust
Source code analysis	Visual Studio 2005 Code Analysis Options (“/analyze”) For Visual Studio 2005 code analysis, all warning IDs from the following list must be fixed: 4532 6029 6053 6057 6059 6063 6067 6200 6201 6202 6203 6204 6248 6259 6260 6268 6276 6277 6281 6282 6287 6288 6289 6290 6291 6296 6298 6299 6305 6306 6308 6334 6383	Visual Studio 2005 Code Analysis Options (“/analyze”). For Visual Studio 2005 code analysis, all warning IDs from the following list must be fixed: 4532 6029 6053 6057 6059 6063 6067 6200 6201 6202 6203 6204 6248 6259 6260 6268 6276 6277 6281 6282 6287 6288 6289 6290 6291 6296 6298 6299 6305 6306 6308 6334 6383 Standard Annotation Language (SAL): Code annotated with SAL should correct additional warnings in addition to those listed above. See “Appendix H: SDL Standard Annotation Language (SAL) Recommendations for Native Win32 Code” for more information. The warnings are summarized as follows: SAL Compliance Visual Studio 2005: 26020 - 26023 /analyze Visual Studio 2005: 6029; 6053; 6057; 6059; 6063; 6067; 6201-6202; 6248; 6260; 6276; 6277; 6305	Visual Studio 2005 Team Edition contains a publicly available version that is branded as “C/C++ Code Analysis”.
Protecting against Heap Corruption	n/a	All executable programs written using unmanaged code (.EXE) must call the HeapSetInformation interface. See “Appendix I: SDL Requirement: Heap Manager Fail Fast Setting” for more information.

Been a target of an attack?

Wed, 09 Apr 2008 19:13:09 GMT

What do you do if you receive a phishing email?

And what will you do if you find a site which is distributing malware?

I gathered a list of emails and forms which can be used for reporting phishing sites, phishing emails, and malware sites:

Report a site that you suspect contains malicious software.
http://www.google.com/safebrowsing/report_badware/
http://www.stopbadware.org/home/new

Report a Phishing Page
http://www.google.com/safebrowsing/report_phish/

Forward phishing emails to my company: fraudsubmission@radialpoint.com
To fraud watch international: scams@fraudwatchinternational.com
To APWG: reportphishing@antiphishing.org

If you have found a security vulnerability in any of Microsoft’s online services,
secure@microsoft.com

virus, worm, or trojan horse submission to
avsubmit@submit.microsoft.com

spyware or other malware submission to
windefend@submit.microsoft.com

Stroustrup Says C++ Education Needs To Improve

Tue, 08 Apr 2008 14:55:41 GMT

Although I rarely head over to slashdot anymore, (I prefer Digg), but once in a a while there's a great thread over there.

This thread http://developers.slashdot.org/article.pl?no_d2=1&sid=08/03/30/1155216 on C++ really shows how much developers either really love it, or hate it.

One thing is sure, C++ 'experts' are few and far between. With the upcoming TR1 adding yet more to the language, it's difficult just to keep up with everything.

I can't imagine a newbie trying to step through 8 boost pointer indirections and not getting discouraged, or trying to decipher template compiler errors.

For a TR1 overview, check out Pete Becker's book.

Et tu, Amazon?

Tue, 01 Apr 2008 14:07:09 GMT

Amazon has DRM free music. If you want to download songs, that's what you need to be using, not iTunes.

But, I tried purchasing the latest Moby CD MP3's, and because I'm a Canadian customer it won't let me.

This reminds me of that great pandora.com service which every coder here used, before it too shut down streaming to Canadian IPs.

OpenDNS rocks!

Tue, 25 Mar 2008 17:44:13 GMT

So far this year I am using two amazing products.

Jungledisk has rendered all my USB keys useless. I have it installed on all my machines, my sample code and all my tools are saved in the amazon cloud.

I don't even use its backup ability, just the storage space. Finally no more stumbling around my DVDs looking for some old piece of code which I now need!

And OpenDNS rocks. Is it faster? Maybe. Is it safer? Maybe? is it better? Absolutely. Here's what I like most, besides the fact its free:

I no longer need to run my parental control tool client-side? Why is this good?

- Less client-side code means your Cpu is free to do other things

- Less client-side code means less risk of it crashing

Now, my parental tool is good, I was one of the guys who wrote it. I even optimized the networking code of late. But it uses an OOB network call to validate Urls! It cannot possibly go faster than a DNS based solution.

Now, instead of validating pbdkids.org (while the browser sits there and waits), by sending the Url to another server which categorizes the Url, the categorization is done at the DNS request level. Here's a snapshot of the OpenDNS web site where you can configure your networks:

Anti-Malware field keeps getting more crowded

Fri, 14 Mar 2008 15:11:11 GMT

Another new Anti-Malware company is launched: http://blogs.zdnet.com/security/?p=366

I have installed their product on a couple of my machines, and I really like it so far. I've been a proponent of securing the HTTP pipe between clients and web sites; that can provide users MORE security than an up-to-date Av definition file...try it out, it's free http://hautesecure.com/index.aspx

They seem to use the google safe browsing API to use the google blacklists (phishing + malware), http://code.google.com/apis/safebrowsing/developers_guide.html in addition to other feeds. They send the URL to a backend (here's an actual trace for offensive-security.com):

- Http: Request, GET /v1.2/QueryUrl.aspx
- Request:
     Command: GET
   - URI: /v1.2/QueryUrl.aspx?Url=http:%2F%2Fwww.offensive-security.com%2F&HostId=6d0c1292-5589-4648-83c8-c68ed1a95adb&ClientVersion=1.2.1.1906&QueryThirdParty=1&QueryFrom=Client
    - Uri:
       Location: /v1.2/QueryUrl.aspx
       Url: http:%2F%2Fwww.offensive-security.com%2F
       HostId: 6d0c1292-5589-4648-83c8-c68ed1a95adb
       ClientVersion: 1.2.1.1906
       QueryThirdParty: 1
       QueryFrom: Client
     ProtocolVersion: HTTP/1.1
     UserAgent: HauteSecure 1.0
     Host: communitystats-cws.hautesecure.net
     HeaderEnd: CRLF

This is similar to the solution we use in our security product, which also validates URLs against a phishing blacklist (not a malware blacklist though).

"The four founders are Iain Mulholland, a former security strategist and manager of the MSRC (Microsoft Security Response Center); Frank Swiderski, a software architect who did stints at Microsoft and @Stake; Rob Vucic, who worked at Redmond on Microsoft’s Secure Windows Initiative Internet Crime Investigations team; and Steve Anderson, who worked on the Windows Server team at Microsoft....TechCrunch reports that the company launched with $500,000 in funding"

500K$ !? That's it? Ask my friend Austin, who's recently blogged about a couple of Montreal based shops being bought by US companies, will tell you that that's peanuts!

http://www.billionswithzeroknowledge.com/2008/03/07/congratulations-its-a-startup-canadian-fairchildren-unite/

Great vacation reading

Tue, 11 Mar 2008 17:48:47 GMT

I had the pleasure of reading The Web Application hacker's Handbook on my vacation.

It's terrific, check it out on amazon: The Web Application Hacker's Handbook: Discovering and Exploiting Security Flaws

Disk encryption may not be secure enough, new research finds

Mon, 25 Feb 2008 20:32:39 GMT

Yet more proof that in computer security, there is no silver bullets and no free lunches.

Read the article here.

"The Incredi" attack

Fri, 22 Feb 2008 22:15:40 GMT

I was probing a possible attack vector in a "security suite" type application, and found an interesting twist based on, The Incredibles of all things...

Recall the scene where Mr Incredible has trouble fighting off a robot, and ends up winning by having the robot attack itself? By using clever tricks, we can convince "security suites" to attack specific files, and remove them, simply by having the file trigger a hit (a positive virus detection).

How is this possible? Well, today's security vendors are constantly battling to achieve levels of certification by detecting as many malwares as possible, they want to add database entries!

I won't list real-world examples, but here's an example:

Just run [echo "removed for security purposes" > filetoberemoved] and presto!

Obviously here I can just remove the file my own self, but in fact I have the anti-malware level do so, which they often can do with elevated privileges!

Welcome to the jungle

Wed, 20 Feb 2008 17:49:24 GMT

I finally started using jungle disk, and after a little problem with it on Vista (which I managed to workaround) I really enjoy it! Not only is it dirt cheap, but you use your existing Amazon account to pay...I use picasa for pixs simply because it finds the pictures locally easily, but that seems to have an upper limit of 1 G only..

Windows Vista Media Center + Xbox 360

Mon, 18 Feb 2008 15:10:46 GMT

I set up a small home network (3PCs), with Vista Media Center on a laptop.

It detects the digital camera, imports the pictures, easily and seamlessly.

Then, one day, I had the Xbox 360 console on, and it detected this (they are not connected, but only share the same router) after which the Vista Media center asked me if I wanted to add it as an Extender.

Without any other configuration, I was browsing pictures (from the laptop) on my TV using the Xbox 360!!!

The only downside to my Vista+Xbox+HD Tv setup is the fact that I have an Xbox HD-DVD...something which will apparantly be replaced with Blu-Ray eventually. Perhaps Microsoft will put out a dual-reader.

Zune + Windows Mobile

Mon, 18 Feb 2008 15:01:34 GMT

I've been using the new Zune 80GB instead of my iPod Nano.

The video podcasts are crystal clear on the 3.2" LCD, and space is not an issue.

It understands WMA files, and can sync Wi-Fi, something an iPod cannot do.

What I would really appreciate, is an iZune type device which incorporates all the Windows Mobile features, with those of the Zune.

There's no reason to carry a cell phone AND and Zune; these should be merged into a single device.

As it stands my Windows mobile HTC cell cannot hold 80GB obviousy...

Tracking someone's IP

Thu, 25 Oct 2007 14:41:05 GMT

If you ever need to know where an IP is from, say because of an email you want to trace (never mind web mail of course), here's what I use:

geobytes

and

ip2location

(You can see your own ip here: http://www.ip-adress.com/)

XSSDetect Public Beta now Available

Wed, 24 Oct 2007 16:21:59 GMT

XSSDetect runs as a Visual Studio plug-in and can detect potential XSS issues in managed code.

While the functionality may seem straight forward, many years of research and hard work have gone into making XSSDetect a reality. XSSDetect is a stripped down version of our enterprise ready Code Analysis Tool for .NET code bases (CAT.NET for short). CAT.NET adds such features as VSTF integration, centralized reporting using web services, customized rulesets and filters, integration with FXCop and MSBUILD as well as the ability to run from the command line to integrate with your build processes (or if you're just old school and rock it like that ;)

XSSDetect Public Beta now Available

Some easy places to obtain malware

Wed, 24 Oct 2007 16:13:51 GMT

Malware distribution project

Virus Collection (VX heavens)

Offensive Computing

Indiana University Security Awareness kit

Sun, 16 Sep 2007 01:04:11 GMT

Has some very funny posters!

see http://itpo.iu.edu/education/ncamkit.html

iPhone, _not_

Sun, 19 Aug 2007 03:49:06 GMT

I'm now using a HTC P4000 Pocket PC Phone.

It's got everything a cell/pda can need, and I upgraded to Windows Mobile 6.

Best of all, it's not an iPhone.

Security Links, and more

Tue, 14 Aug 2007 03:01:25 GMT

On June 8th 2007, Robin Bloor at the register wrote an article entitled, "The slow death of AV technology". Then on August 9th, same guy same web site, writes an article entitled, "Is AV product testing corrupt?". Draw your own conclusions.

Mr Bloor is well liked over at the Authentium Blog.

Here's a good article entitled, "Security conferences versus practical knowledge" which states, "the computer conference - specifically the computer security conference - has declined in relevance to the everyday sys-admin and network security practitioners."

I really enjoy conferences of all types, and I too think they've diminished in quality, and quantity; But *I* believe it is also due to the popularity of blogging by *everyone*; Why attend a conference on a topic you've just read it online?

A ok article entitled "Secure Browsing Mode" by Ivan Ristic.

Microsoft products roadmap for FY08 and beyond

Fred George blog on Agile Team structures.

Vice President for the Microsoft Developer Division, blogged about the future of Visual C++.

An finally, this site "monitors" the internet for your credit card or SSN.

Wasting Time is not Time Wasted

Wed, 01 Aug 2007 14:22:53 GMT

Or something like that...every summer I take some time off on the beach and read computer magazines, those found in bookstores. It's an interesting read to say the least, a good change from the usual technical books.

This summer I've learned that using ink from another manufacturer can void your printer warranty.

Cool software article - 10 developers for the price of one

Sun, 15 Jul 2007 01:50:42 GMT

This is so true...great article

Some of My old blog at web.archive.org

Wed, 20 Jun 2007 19:01:18 GMT

http://web.archive.org/web/20060207233647/http:/bubbler.net/pages/560399

My company is ranked 32nd in Profit 100 Canada's fastest growing companies

Tue, 19 Jun 2007 03:08:06 GMT

http://www.canadianbusiness.com/rankings/profit100/list.jsp?pageID=profile&profile=32&year=2007&type=profile&listType=P100

Radialpoint at google finance

http://finance.google.com/finance?cid=14413378

C++/CLI

Thu, 07 Jun 2007 15:18:33 GMT

On 3-20-2006 I wrote:

"and over the horizon looms another programming shift; from 32 to 64 bits, but also, (and here's the crystal ball part) from C++/MFC to the C++/CLI / WinFx. The similar pattern in both scenarios: the ubiquity of the MS OS, and the MS framework to leverage that OS."

I am now reading a terrific book on C++/CLI by Gordon Hogenson.

Rich Internet Apps

Thu, 07 Jun 2007 14:51:59 GMT

On 0-3-2005 I was mumbled:

I'll be honest I've tried several web incarnations of desktop apps, and in general the less they try to do, the better they were at doing it.

For example, thinkfree has an online 'suite' which allows you to edit excel documents, word documents, all without installing any software (except for the Java Runtime Engine).

Of course it freezes up just about everytime I scroll in the excel document I uploaded...and that's the crux of the problem, are you willing to potentially lose all of your existing work!?

So I figured I'd give ThinkFree another spin, it's been two years so surely they go their stuff running better....not. When I tried creating a presentation document, or a spreadsheet, it choked with "Error encountered".

Maybe in another 2 years then...

Netsh Commands for Wireless Local Area Network (WLAN) Entry from 5-17-2007

Tue, 05 Jun 2007 20:40:02 GMT

Being at a hotel, the wireless connections are flaky and I often have to change routers.

I could use the Vista UI to browse and connect to wireless LANs, but here's what I do to find the best signal, from the command prompt:

netsh wlan show networks mode=bssid

For details on the Netsh Commands for Wireless Local Area Network (WLAN)

see: http://technet2.microsoft.com/WindowsVista/en/library/f435edbe-1d50-4774-bae2-0dda33eaeb2f1033.mspx?mfr=true

You'll get an output similar to the following:

Interface Name : Wireless Network Connection
There are 5 networks currently visible.

SSID 1 : VIGER-A
    Network type            : Infrastructure
    Authentication          : Open
    Encryption              : None
    BSSID 1                 : 00:1b:11:4b:40:d5
         Signal             : 84%
         Radio Type         : 802.11g
         Channel            : 6
         Basic Rates (Mbps) : 1 2 5.5 11
         Other Rates (Mbps) : 6 9 12 18 24 36 48 54

SSID 2 : dlink
    Network type            : Infrastructure
    Authentication          : Open
    Encryption              : None
    BSSID 1                 : 00:1b:11:4b:64:c1
         Signal             : 0%
         Radio Type         : 802.11g
         Channel            : 6
         Basic Rates (Mbps) : 1 2 5.5 11
         Other Rates (Mbps) : 6 9 12 18 24 36 48 54

Enabling no-execute Entry from 4-30-2007

Tue, 05 Jun 2007 20:37:23 GMT

On XP32, to enable no execute protection (which is a good thing security-wise), you edit your boot.ini file
and simply add "/NoExecute=AlwaysOn". Then, after half your apps fail to load, you can go back and undo that change...

But what about Vista32? There's no boot.ini so how does one enable no execute protection? (Other than running the 64-bit version)
By using the "bcdedit" command. Simply execute the following.

bcdedit /set nx AlwaysOn

I haven't had to remove it on my Vista32, so far..

ghost in the machine Entry from 5-13-2007

Tue, 05 Jun 2007 20:35:45 GMT

This following paper by google confirms what I've been saying for some time,
securing the sites is as important as securing the desktop.

Google has access to all of the Internet's web sites essentially, and they can verify what some of these sites
contain, namely malware.

These results show why SiteAdvisor was sold for so much...

The Ghost In The Browser Analysis of Web-based Malware
http://www.usenix.org/events/hotbots07/tech/full_papers/provos/provos.pdf

Vista developers, on your mark, set, amazon! Entry from 5-14-2007

Tue, 05 Jun 2007 20:33:51 GMT

If you're a windows developer you cannot afford _not_ to read "Writing Secure Code for Windows Vista".

From the creators of "Writing Secure Code", another great book, this one covers essentially Vista changes and additions.

http://www.microsoft.com/MSPress/books/10723.aspx

Alot of what I've learned was obtained through trial & error, and various MSDN articles.
It's really good to have a hard-copy explanation direct from the horses mouth to validate and consolidate all this information in one place;
and there is alot of information.

Couple of things I'm not totally clear on, in the "consolidated URL" section, they recommend not using some APIs such as
InternetCrackUrl(), and InternetCreateUrl()

ok, those are in <wininet.h>, but what about UrlGetPart, and UrlGetLocation? Those are actually from the Windows light-weight utility APIs;
<shlwapi.h>. I thought using those were a *good thing* because if some wininet Apis were later deprecated, the shell DLL would later change
so that your code would not have to....

And CapiCOM. I've been using CapiCOM on Vista forever, it's been working, I even just now updated it with the one from my XP machine, because
it was recently updated on a patch tuesday (http://support.microsoft.com/kb/931906).
They say that it is "no longer supported on Vista"; I guess you shouldn't confuse that with "no longer works".

phishing paper from Carnegie Mellon Entry from 11-13-2006

Tue, 05 Jun 2007 20:29:43 GMT

The paper entitled, "Protecting People from Phishing: The Design and Evaluation of an Embedded Training Email System " is available here http://www.cylab.cmu.edu/default.aspx?id=2253.

I try to keep up-to-speed on all the anti-phishing trends and found this idea really cute,

"Our approach consists of periodically sending users fake phishing emails that are actually from our system rather than from a scammer. If a person falls for our fake email and clicks on a link, we display an intervention that provides immediate feedback about what happened and what simple actionable steps users could take to protect themselves."

I can already see a simimlar approach used for viruses; send users EXE's, archives, CMD files, etc which if executed simply warns the user that this is a very dangerous action.

"Our email approach is designed to provide training in the course of normal email usage. If users are interested in learning more, they can then play our game to gain a more thorough understanding of phishing attacks and ways of identifying phishing web sites.

The four suggestions we decided to teach people were:

• Never click on links in emails

• Initiate contact (i.e. manually type in URLs into the web browser)

• Call customer service

• Never give out personal information"

In any case, I too dislike the toolbar-like approach to site validation; at my company we use a different approach, we replace the entire HTML page with our own.

What is an architect? Entry from 11-27-2006

Tue, 05 Jun 2007 20:26:55 GMT

I had the displeasure of working with an architect who's entire day was spent doing, and then redoing, UML diagrams. Of course we never used those diagrams to do the actual work, instead I build a "test app" which consisted of a dialog-like UI with a button to cover each of the major features of the component I was building.

Back then (this was pre-dot-com) extreme programming was inexistant, and getting ISO 9001 certified was *the* big thing. I wasn't comfortable with a process that consisted of "document what you do, do what you document." but hey I was just a kid.

I never knew of the existence of an actual extreme-architecture-like job title, but it exists. The agilearchitect.org website is as plain as is it interesting. Turns out I am an architect after-all, only a productive one:

The key objectives for an Agile Architect are:

Deliver working solutions
Maximise stakeholder value
Find solutions which meet the goals of all stakeholders
Enable the next effort
Manage change and complexity