security

security

Nasty Software Hacks and Intel’s CPUID

We were discussing nasty software hacks today at lunch. The worst hacks are always in software, but those software hacks have an insidious tendency to seep into the hardware, too. I was reminded of Intel’s infamous CPUID hack: Prior to the Pentium, software had to jump through elaborate loops

By Jeff Atwood

security

Passphrase Evangelism

The article Passwords: The Weakest Link references a 25-year-old research work on the efficacy of passwords: In the pre-Internet Age of 1979, when storage was measured in the number of bits that could fit on a foot of magnetic tape, a seminal paper on password security found that

By Jeff Atwood

programming languages

How to fit three bugs in 512 bytes of security code

In the spirit of iPod modem hacking, Michael Steil documents how hackers compromised the Xbox security system. Mostly thanks to 512 bytes of rather buggy security code embedded in the Xbox boot ROM: The Xbox is an IBM PC, i.e. it has an x86 CPU. When the machine is

By Jeff Atwood

security

The Dancing Bunnies Problem

In an era of instant online worldwide connectivity, protecting users from themselves is a lot harder than it used to be. For one thing, full trust can’t be trusted. And then there are all those dancing bunnies to contend with: What’s the dancing bunnies problem? It’s a

By Jeff Atwood

security

Phantom DOS files in my root

Maybe it’s just my OCD kicking in again, but it’s incredibly annoying how these phantom, zero-byte IO.SYS and MSDOS.SYS files keep showing up in the root of my c: drive on every computer I own. It’s a gentle reminder of the Bad Old Days. The

By Jeff Atwood

security

Give me parameterized SQL, or give me death

I have fairly strong feelings when it comes to the stored procedures versus dynamic SQL argument, but one thing is clear: you should never, ever use concatenated SQL strings in your applications. Give me parameterized SQL, or give me death. There are two good reasons you should never do this.

By Jeff Atwood

security

Canonicalization: Not Just for Popes

You may remember the ASP.NET canonicalization vulnerability from last year. And what exactly is canonicalization? From Microsoft’s Design Guidelines for Secure Web Applications: Data in canonical form is in its most standard or simplest form. Canonicalization is the process of converting data to its canonical form. File paths

By Jeff Atwood

security

Encryption for Dummies

I just posted a new article on CodeProject, .NET Encryption Simplified. In my spare time over the last 6 months, I’ve delved deeper and deeper into the System.Security.Cryptography classes. And you know what I learned? Cryptography is hard. Anyway, I now have a heavily documented wrapper class

By Jeff Atwood

checksums

Checksums and Hashes

I learned to appreciate the value of the Cyclic Redundancy Check (CRC) algorithm in my 8-bit, 300 baud file transferring days. If the CRC of the local file matched the CRC stored in the file (or on the server), I had a valid download. I also learned a little bit

By Jeff Atwood

captchas

Captchas Compared and Critiqued

An eagle-eyed CodeProject reader posted a comment to my ASP.NET CAPTCHA Server Control article pointing out one French developer’s very thorough attempts to defeat common CAPTCHA techniques. He compares lots of visual CAPTCHAs side by side and comments on their strengths and weaknesses. Some of the “best” CAPTCHAs

By Jeff Atwood

security

On Managed Code Performance

My personal turning point on the importance of managed code was in September 2001, when the NIMDA worm absolutely crushed our organization. It felt like a natural disaster without the “natural” part – the first notable port 80 IIS buffer overrun exploit. We got literally zero work done that day, and

By Jeff Atwood

security

Beating CAPTCHAs with .NET code

I stumbled across an interesting article outlining how to beat the MSDN visual CAPTCHA algorithm with some .NET code. Unfortunately, the author (a Microsoft MVP) demonstrated his “crack” by testing it on the blogs of other MVPs: (if you were one of the 94 people i comment spammed) sorry about

By Jeff Atwood