security
We were discussing nasty software hacks today at lunch. The worst hacks are always in software, but those software hacks have an insidious tendency to seep into the hardware, too. I was reminded of Intel’s infamous CPUID hack: Prior to the Pentium, software had to jump through elaborate loops
security
The article Passwords: The Weakest Link references a 25 year old research work on the efficacy of passwords: In the pre-Internet Age of 1979, when storage was measured in the number of bits that could fit on a foot of magnetic tape, a seminal paper on password security found that
programming languages
In the spirit of iPod modem hacking, Michael Steil documents how hackers compromised the Xbox security system. Mostly thanks to 512 bytes of rather buggy security code embedded in the Xbox boot ROM: The Xbox is an IBM PC, i.e. it has an x86 CPU. When the machine is
security
In an era of instant online worldwide connectivity, protecting users from themselves is a lot harder than it used to be. For one thing, full trust can’t be trusted. And then there are all those dancing bunnies to contend with: What’s the dancing bunnies problem? It’s a
security
Maybe it’s just my OCD kicking in again, but it’s incredibly annoying how these phantom, zero-byte IO.SYS and MSDOS.SYS files keep showing up in the root of my c: drive on every computer I own. It’s a gentle reminder of the Bad Old Days. The
security
I have fairly strong feelings when it comes to the stored procedures versus dynamic SQL argument, but one thing is clear: you should never, ever use concatenated SQL strings in your applications. Give me parameterized SQL, or give me death. There are two good reasons you should never do this.
security
You may remember the ASP.NET canonicalization vulnerability from last year. And what exactly is canonicalization? From Microsoft’s Design Guidelines for Secure Web Applications: Data in canonical form is in its most standard or simplest form. Canonicalization is the process of converting data to its canonical form. File paths
security
I just posted a new article on CodeProject, .NET Encryption Simplified. In my spare time over the last 6 months, I’ve delved deeper and deeper into the System.Security.Cryptography classes. And you know what I learned? Cryptography is hard. Anyway, I now have a heavily documented wrapper class
checksums
I learned to appreciate the value of the Cyclic Redundancy Check (CRC) algorithm in my 8-bit, 300 baud file transferring days. If the CRC of the local file matched the CRC stored in the file (or on the server), I had a valid download. I also learned a little bit
captchas
An eagle-eyed CodeProject reader posted a comment to my ASP.NET CAPTCHA Server Control article pointing out one French developer’s very thorough attempts to defeat common CAPTCHA techniques. He compares lots of visual CAPTCHAs side by side and comments on their strengths and weaknesses. Some of the “best” CAPTCHAs
security
My personal turning point on the importance of managed code was in September 2001, when the NIMDA worm absolutely crushed our organization. It felt like a natural disaster without the “natural” part – the first notable port 80 IIS buffer overrun exploit. We got literally zero work done that day, and
security
I stumbled across an interesting article outlining how to beat the MSDN visual CAPTCHA algorithm with some .NET code. Unfortunately, the author (a Microsoft MVP) demonstrated his “crack” by testing it on the blogs of other MVPs: (if you were one of the 94 people i comment spammed) sorry about