Since I’m very occupied at the moment, I won’t do a full post here, just some interesting links. I hope to get back to my normal schedule sometimes next week:
Rift Widens Over Bug Disclosure – the discussion over bug disclosure continues.
Why blurring sensitive information is a bad idea – an added note: if you want to cover it with a solid color, make sure that you cover it 100%, don’t leave edges of letter visible, because those to can be used for a similar attack (even more so if the used font isn’t a fixed width one, because then even the position of characters reveals information.
A Cost Analysis of Windows Vista Content Protection – the paper of Peter Gutmann which made the rounds lately. I would be interested in an official rebuttal, because I’m sure that there are things which are blown out of proportion or are even untrue (for example AFAIK there is no such thing as driver signature revocation. This was a big minus when MS first posted the guidelines for required driver signing, because people complained that even one compromised private key could lead to malware writers having no problems in writing drivers). But all in all it paints a grim picture.
Probably I mentioned earlier (if not, I do it now): some videos of the 23rd CCC conventions are posted on Google Video. (probably all of them will be posted at some time). My favorite one if the Hacker Jeopardy. On the same note: the videos from Black Hat are available too.
BITS, a dangerous proxy? – Old things are new again! This issue is know for a while and AFAIK you have to have elevated privileges to use this. And if you already have elevated privileges (like power user), what’s the point? Conversely, if you have an on-access AV, it will pick up on these files too. So there is really no point to this post, even more so when they are trying to present it as new research by not providing links to any previous discussions.
You Use IE, Why Worry About Skype? – a great, great post about how perception clouds the real issues in computer security.
An old (but still very interesting) post from MS security guru Larry Osterman: What’s wrong with this code, part 11 and the solution. Reactions: it’s incredible that this sort of thing exists in Windows, but at least it’s documented. Then again who reads all the documentation? Your options are: read carefully the documentations of the APIs you are using or use wrapper framework and hope that the makers of the framework read the documentation.
Last week it as Linux week at Lifehacker:
- Weekend Project: Learn Linux
- Find Linux equivalents to Windows software
- Which Linux distro is right for you?
- Learn how to ‘Make The Move’ to Linux
The Adobe Reader flaw is also rather old news (in security terms. You could use FoxIt readers instead, however reportedly this too has some problems (no confirmed exploit at this moment though, only a silent crash). Andy asks why the companies are including every feature and not proving it as a (free) add-on? As a software vendor my thoughts on this would be: if I don’t provide all the features at once, it can be a real pain in the lower end: if the client wants to use the specified feature, s/he must take additional actions the first time. S/he might not have the proper privileges to do this (for example in a corporate environment). This results in additional help-desk time. If I (the software vendor) want to make the new feature useful I already have to battle the fact that there are clients who don’t update to the latest version. Do I need an additional headache worrying about different possible setups of my application?
The Line Between Clarity and Chaos: An Interview with Barry Schwartz – very nice interview.
A great article about the top 10 objections management might have to introducing
Web 2.0 tools (Wikis for example) in the enterprise. Also a great response to each of the points. A must read if you want to introduce such tools, so that you can be prepared to answer questions.