All Tags » Security (RSS)
Just in case you thought secretly installing malware on a machine wasn't bad enough, it appears that Apple aren't actually interested in resolving security flaws in Safari. So it's bug-ridden and they're happy with that. This has led Microsoft to take the unprecedented step of advising Windows users to restrict their use of Safari. So, I guess the question of whether Apple's products were 'more secure' than Microsoft's due to inherent security or installed base has been definitively...
Posted by codingsanity | with no comments
Marcus Ranum has an article titled The Six Dumbest Ideas in Computer Security. I strongly suggest that anyone interested in security read it, and his other articles too. It's quite an old article, but someone put it on proggit and it made me remember it. In fact, I'd say that this article was seminal in guiding my understanding of computer security. For those of you too lazy to click on links, a swift summary: Permitting things by default instead of denying things by default. Used to be...
Posted by codingsanity | 2 comment(s)
Dunno how many of you read John Lilly's rant about Apple pushing out their Safari browser via iTunes update the other day? Basically he was rightly upset that Apple were using what should be an update and patch delivery mechanism to subtly trick users into installing their Safari web browser. His main point was Apple has made it incredibly easy — the default, even — for users to install ride along software that they didn’t ask for, and maybe didn’t want. This is wrong, and borders on malware...
Posted by codingsanity | 1 comment(s)
Well, well, well, it appears that we will need a separate topic for this. My eNaTIS Performance post was very popular, with a lot of people expressing their dissatisfaction with the system. As before, I'd like to try and keep this to facts and figures, however in this case that may be difficult. There have been numerous rumblings about the security on this high-tech boondoggle, starting with [from my previous post]: The Beeld has a report about the security issues with the eNaTIS system. Very worrying...
Jeff Jones has a 6-month OS vulnerability report, focusing on Windows Vista. You can wade through the full report if you like, it's only a few pages, but I liked the main chart: The other charts contain pretty much the same ratios for total vulnerabilities as well as against reduced Linux packages. So, it would seem that Vista can, right now, claim to be the most secure consumer OS on the market, twice as secure as Mac OS X despite having a vastly greater set of attackers. I also find it interesting...
Posted by codingsanity | 3 comment(s)
There's quite a funny joke going around: apparently Apple are releasing Safari for Windows. This is a browser so unpopular that most Mac users appear to prefer using Firefox instead. Somehow Apple think it's going to coax from IE those users (like me) who were uncoaxed by the much more impressive Firefox. Just for jollies, it appears that Safari may be a major security risk, with Aviv Raff finding a potentially exploitable memory bug using a tool he wrote, Errata Security managed to find...
Posted by codingsanity | 10 comment(s)
There's a story at Slashdot about a teenaged hacker named Brad Willman who broke into 3,000 computers using a trojan he wrote. He created some infected pictures, and then distributed them on child porn groups, using them to gain access to the downloaders' computers. Anyway, he managed to track down a judge who was contemplating abusing a boy, and had him arrested. The Computer Crime Research Center has an article about him. Anyway, it looks like the judge could have got off scot-free due to this...
Posted by codingsanity | 4 comment(s)
I've been watching this story about the PatchGuard system in Vista for some time. It's an interesting one. Basically, the security companies have made their fortunes by patching up holes that Microsoft has neglected. It's an important function considering how many holes there have been (I count almost 70 critical security patches since Windows XP SP2). However the biggest worry is rootkit-like systems that compromise the kernel. Such systems can hide themselves even from virus checkers...
Posted by codingsanity | with no comments
I just read this article by RudolfH, and am one of the people having a heart seizure in the corner. Whilst most of the points he makes are quite good, I have two main problems. One, which was also pointed out by rhanekom in the article comments, is that parameterised queries can quite easily be used without stored procedures:
SELECT * FROM Customers WHERE ID = @id
The other is a far more serious implicit assumption in the article, which is that with enough validation on inputs one can ensure that...
Posted by codingsanity | 5 comment(s)