-
The progress of MOPB
The Month of PHP bugs is progressing nicely and the counter is up to nine (at this rate – supposing that we have a linear progression – we will have almost 70 vulnerabilities!). The new ones repeat the same patterns as the previous ones: they can be mitigated in environments where a single user controls…
-
Month of PHP bugs started
-
Distinguishing real and non-real security measures
This post was prompted by a post at Andy’s blog, where he complains about the lack of NATs and firewalls in cable modems. My opinion about it: NATs are not a security measure. VPNs aren’t either. And IPv6 isn’t inherently insecure just because it has the potential to give end-to-end connectivity to all hosts. These…
-
Why rootkits and anti-rootkits are irrelevant
Given my recent (and probably ongoing) adventure with the authors of RkUnhooker, I thought that I’d post my opinions about the whole rootkit – antirootkit business. To put it bluntly: it doesn’t (or shouldn’t) matter at best, and it is a misguided effort to stir up hype in which many people participate without even realizing…
-
Grokking OpenID and Blogger
I just created my first OpenID account! If you don’t know what OpenID is, it is a single sign-on solution (sometimes also called login federation), which ensures that you can have a single login name / password with which you can authenticate in many (web-)places. It is similar to the Microsoft Passport initiative, the difference being…
-
PHP coders of the world – secure your code!
Being a seasoned coder myself (I’ve been doing PHP coding on and off for 6 years now) I think I can speak with some authority about this subject. I came to believe that PHP is pretty much a Perl copy-cat where they eliminated the features which they considered too hard for the beginner. While catering…
-
On disclosure
-
Reinventing the wheel
Those damn kids today don’t know their history and think that .NET is 1337! 😀 Some random dude in Taiwan couldn’t browse the web (because an undersea cable broke due to a recent earthquake) and he decided that using a webserver (probably configured by him) which ran arbitrary executables mailed to it (hint: the from…
-
What virtualization can and cannot do in an anti-malware context
Over at the anti-virus rant blog (which is a nice blog because it includes the word rant in the title :)) Kurt Wismer states that virtualization is overhyped as a security technology. While I agree, I want to point out that following some simple rules, it can be a very powerful security which can easily…