security

Why Do Login Dialogs Have a "User" Field?

In The Humane Interface, the late Jef Raskin asks an intriguing question: why do login dialogs have a "User" field? Shouldn't login dialogs look more like this? And you know what? He's right. Your password alone should be enough information for the computer to

By Jeff Atwood

programming languages

Equipping our ASCII Armor

On one of our e-commerce web sites, we needed a unique transaction ID to pass to a third party reporting tool on the checkout pages. We already had a GUID on the page for internal use. And you know how much we love GUIDs! 22da5537-de54-459d-9b33-f40f2101143b A GUID is 128 bits,

By Jeff Atwood

security

The Six Dumbest Ideas in Computer Security

Marcus Ranum, the inventor of the proxy firewall [http://www.ranum.com/stock_content/about.html], brilliantly condenses why many security efforts are doomed from the start: they fall prey to The Six Dumbest Ideas in Computer Security [http://www.ranum.com/security/computer_security/editorials/dumb/]: 1. Default

By Jeff Atwood

security

Speeding up web browsing

In order to speed up my web browsing experience, I disable Flash in Internet Explorer. I've got nothing personal against Flash, mind you, but it's generally chrome. It's visually (and sometimes audibly) distracting, and it adds download time to each page view. An image

By Jeff Atwood

security

Nasty Software Hacks and Intel's CPUID

We were discussing nasty software hacks today at lunch. The worst hacks are always in software, but those software hacks have an insidious tendency to seep into the hardware, too. I was reminded of Intel's infamous CPUID hack [http://linux.omnipotent.net/article.php?article_id=11457]:

By Jeff Atwood

security

Passphrase Evangelism

The article Passwords: The Weakest Link references a 25-year-old research work on the efficacy of passwords: In the pre-Internet Age of 1979, when storage was measured in the number of bits that could fit on a foot of magnetic tape, a seminal paper on password security found that

By Jeff Atwood

programming languages

How to fit three bugs in 512 bytes of security code

In the spirit of iPod modem hacking, Michael Steil documents how hackers compromised the Xbox security system. Mostly thanks to 512 bytes of rather buggy security code embedded in the Xbox boot ROM: The Xbox is an IBM PC, i.e. it has an x86 CPU. When the machine is

By Jeff Atwood

security

The Dancing Bunnies Problem

In an era of instant online worldwide connectivity, protecting users from themselves is a lot harder than it used to be. For one thing, full trust can't be trusted. And then there are all those dancing bunnies to contend with: What's the dancing bunnies problem? It

By Jeff Atwood

security

Phantom DOS files in my root

Maybe it's just my OCD kicking in again [http://www.ocfoundation.org/], but it's incredibly annoying how these phantom, zero-byte IO.SYS [http://searchwin2000.techtarget.com/sDefinition/0,,sid1_gci214057,00.html] and MSDOS.SYS [http://www.annoyances.org/exec/show/article07-021] files keep showing up

By Jeff Atwood

security

Give me parameterized SQL, or give me death

I have fairly strong feelings when it comes to the stored procedures versus dynamic SQL argument, but one thing is clear: you should never, ever use concatenated SQL strings in your applications. Give me parameterized SQL, or give me death. There are two good reasons you should never do this.

By Jeff Atwood

security

Canonicalization: Not Just for Popes

You may remember the ASP.NET canonicalization vulnerability from last year. And what exactly is canonicalization? From Microsoft’s Design Guidelines for Secure Web Applications: Data in canonical form is in its most standard or simplest form. Canonicalization is the process of converting data to its canonical form. File paths

By Jeff Atwood

security

Encryption for Dummies

I just posted a new article on CodeProject, .NET Encryption Simplified. In my spare time over the last 6 months, I’ve delved deeper and deeper into the System.Security.Cryptography classes. And you know what I learned? Cryptography is hard. Anyway, I now have a heavily documented wrapper class

By Jeff Atwood