* Posts by Olivier

13 publicly visible posts • joined 13 Mar 2008

Researchers poke holes in super duper SSL

Olivier
Unhappy

mixed content

The issue with mixed-ssl on a page is, IMHO, worse than described here:

Even if Google used EV certificates for Google Analytics, there should be no reason for the browser to assure the whole page is "extended validated" for the site on which it is installed (of course the site needs EV SSL anyway). The browser should at least display the list of certificates, EV or not, contained in the page.

What would make sense is a feature on the browser which would block all third party content on an EV ssl page, and display the green bar only in this case.

This is currently the behavior for IE with the "SSL lock": if one component in the page is not SSL'ed, the lock is broken (which IS correct behavior).

Defacement archive Zone-h gets defaced

Olivier
Linux

Ubuntu

I am rather surprised: usually there are loads of comments blaming everything on Bill Gates.. Wake up penguins:

uname:

Linux ubuntu1 2.6.24-22-server #1 SMP Mon Nov 24 20:06:28 UTC 2008 x86_64

If this could bring a bit of modesty and humility to the "community", this attack might contribute to making LAMP less insecure.

Wanna see how to use Win 7 UAC to pwn a PC?

Olivier
Alert

win2k8

The day I discovered it was possible to *completely disable* UAC from win2k8, I was at last able to appreciate the new OS.

Clearly it has very interesting features that were not available in win2k3 (IIS7, POSIX shell, ..) but for me the UAC wasted it completely.

I think most people should disable UAC on Vista or Windows7. I bet they would be actually more secure because they would not have a false feeling of protection because of the continuous interruption.

Are there any statistics suggesting UAC reduces virus infection?

George Orwell joins blogging fray

Olivier
Paris Hilton

down and out

Because his writings are famous not only in London

Gmail uses DomainKeys to lock out eBay phishing attacks

Olivier
Gates Horns

@Kilgaard

> Anything that makes it harder for SPAMMERS to SEND email looks good to me.

Unfortunately DKIM makes it much harder for legitimate senders than for spammers. If hitting spammers means killing email, what is the point? If you follow your point, then we should move from email to proprietary, secured protocols. Exactly the dream Bill had for many years. The challenge against spam is to make it hard for spammers but let legitimate email through.

> Of course, somebody will probably point out that the CPU costs for bot-spammers is almost zero anyway because they are just using their zombie hosts' CPUs.

Exactly. Cost for spammers is 0. Sending emails via gmail accounts created by hijacked zombie PCs costs 0. And the emails are DKIM / DomainKeys signed from gmail.com! You want to block all emails with a valid DKIM signature for gmail.com domain? It will certainly make it harder for spammers.

Bill because if he had it his way, smtp would not be used anymore.

Olivier
Paris Hilton

@spf

Basically SPF is designed to verify that the *IP address* sending an email to an SMTP server is "compliant" with a proper *envelope*. The envelope does not appear in the content of an email.

There are several big problems with this:

a) only the envelope is verified, and the envelope does not show in the emails in your mailbox, so it does nothing against phishing etc.

b) since it can be very problematic to block IP addresses, the spec implements a "soft fail" feature which basically allows bypassing the SPF checks. Millions of domains have no SPF records, or have records allowing "soft fail". So it is very easy for spammers to pass SPF checks.

DKIM / DomainKeys do not check IP addresses nor envelopes, only headers and body of emails. The big issues (imho) with them are:

a) implementation costs for the sender. Far from trivial, many buggy/crappy tools and libs here and there, few efficient implementations, and a configuration is required per domain on each server which will send your emails..

b) CPU costs for the sender. If you send many emails, it is very expensive in terms of resources to compute these signatures.

c) few recipients check these records anyway. Yahoo and Gmail do, but not Hotmail, AOL, Outlook ..

d) Anyway, a lot of spam and phishing emails are sent with perfect DKIM / DomainKeys records. You just have to send these emails via Yahoo or Gmail. And a *lot* of spam is sent via these accounts. Nothing prevents you from sending an email which *looks* like it is coming from PayPal:

From: <phishme998809@gmail.com> Paypal Security

..

Will "look" like it is coming from PayPal and will have DKIM + DomainKeys + SPF all perfectly verified.

Paris, because I write from there.

Spam DDoS assault cuts off south Pacific state

Olivier

@defend

During the attack it is likely your servers behind the IP addresses targeted by the botnet will not deal with the flow, no matter qmail / rbldns etc..

What I would do: block all incoming SMTP traffic except from Yahoo, Hotmail, and the top 3 ISPs my customers deal with (use of SPF records to create firewall rules - of course I treat ~all as -all).

Then quickly rent some servers anywhere in the world (any Linux virtual server for $10 a month will do), declare them as MX for my domain, put in an iptables rule to limit the rate of incoming SMTP traffic on them and tunnel the SMTP traffic to my servers.

It's a lot of manual work, but in 2 or 3 hours, for less than $150, one admin can have maybe up to 20 new MX IP addresses. If the attacker just sticks blindly to the initial IP addresses (and believes he succeeds since you are blocking all his traffic at firewall level), you have a sporting chance of having a degraded but functioning service. If the attacker follows your MX IP addresses you can rotate them on your pool or extend your pool, or both, and in parallel analyze your logs and prepare a mega iptables rule to stop the botnet.
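The SPF-to-firewall step described in this post and the SPF mechanics explained in the earlier post, as an added example that is not part of Olivier's comments: it parses a constructed SPF record (no real domain), turns the literal ip4/ip6 mechanisms into iptables/ip6tables ACCEPT rules for port 25, and treats ~all as -all for the final DROP, as the post does. Function names and the sample record are assumptions for this illustration; mechanisms that need DNS (include, a, mx) are reported as unresolved rather than expanded offline.

```python
import ipaddress

# Constructed SPF record for this example; it is not any real domain's record.
SAMPLE_SPF = ("v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.7 "
              "ip6:2001:db8::/32 include:_spf.example.net ~all")

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split an SPF TXT record into (qualifier, mechanism, argument) terms."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    parsed = []
    for term in terms[1:]:
        if "=" in term:  # modifiers (redirect=, exp=) are not mechanisms; skipped here
            continue
        qualifier = "pass"  # an absent qualifier means "+"
        if term[0] in QUALIFIERS:
            qualifier, term = QUALIFIERS[term[0]], term[1:]
        mech, _, arg = term.partition(":")
        parsed.append((qualifier, mech.lower(), arg))
    return parsed


def spf_to_firewall_rules(record, port=25, softfail_as_fail=True):
    """Turn the ip4/ip6 mechanisms of an SPF record into iptables/ip6tables
    ACCEPT rules for inbound SMTP, then a catch-all DROP when the record
    ends in -all, or in ~all with softfail_as_fail set (the post's stance).

    Mechanisms that need DNS (include, a, mx, exists, ptr) cannot be expanded
    offline and are returned separately so the admin can resolve them.
    """
    rules, unresolved, final = [], [], None
    for qualifier, mech, arg in parse_spf(record):
        if mech in ("ip4", "ip6") and qualifier == "pass":
            net = ipaddress.ip_network(arg, strict=False)  # rejects malformed literals
            tool = "iptables" if net.version == 4 else "ip6tables"
            rules.append("%s -A INPUT -p tcp --dport %d -s %s -j ACCEPT" % (tool, port, net))
        elif mech in ("include", "a", "mx", "exists", "ptr"):
            unresolved.append("%s:%s" % (mech, arg) if arg else mech)
        elif mech == "all":
            hard_fail = qualifier == "fail" or (qualifier == "softfail" and softfail_as_fail)
            final = "DROP" if hard_fail else "ACCEPT"
    if final:
        for tool in ("iptables", "ip6tables"):
            rules.append("%s -A INPUT -p tcp --dport %d -j %s" % (tool, port, final))
    return rules, unresolved


if __name__ == "__main__":
    for line in spf_to_firewall_rules(SAMPLE_SPF)[0]:
        print(line)
```

Rules for the unresolved include: entries still have to be generated after resolving them with DNS, and the catch-all DROP should only be appended once every permitted sender is in place.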

Microsoft and HP tackle SQL-injection scourge

Olivier
Gates Halo

Developers..

I was a former developer in a bank, we were coding on Sybase, and use of stored procedures was mandatory, dynamic SQL forbidden.

When I came to work for the web startup I am still working in, I explained all the benefits of stored procedures (performance, maintainability, security, ..) and believed I had converted the team to them.

The first stored proc I saw was like this:

    -- "declare procedure" is not valid T-SQL; the procedure has to be created.
    create procedure getusers (@filter varchar(255))
    as
    begin
        declare @sql varchar(8000)
        -- the caller's @filter is pasted verbatim into the statement,
        -- so the stored procedure is just dynamic SQL with extra steps
        set @sql = "select * from users_table where " + @filter
        exec(@sql)
    end

IMHO sql injection is almost something of the past. XSS is the next challenge..

Developers, managers, they do not understand what it is about. They just understand this is a criticism of their coding practices and a pretext for delays. When a site is hacked they blame it on the OS, the web server, the ISP, the support team. In their opinion it is definitely not an issue they have to deal with, and I see no reason which will make them change their mind.

Bill, because at his debut at Microsoft you should not have been managed by someone writing worse code than you.

French court fines eBay for sale of counterfeit handbags

Olivier

Making money with illegal stuff

This is exactly what ebay is doing. Why should it be forbidden everywhere, but on the internet?

If it should be legal for eBay to sell counterfeits, why then couldn't it also sell fake v1@gra, real heroin, fake 100 € notes..?

MS patch system poses 'significant risk', say researchers

Olivier
Linux

open source attack

Clearly this is an argument against open source code, which has no way to protect itself against this kind of threat..

The Reg should add a dead penguin picture.

Anyway, as many people already said there, hackers and security professionals have been doing this for ages. Reducing the number of bugs and vulnerabilities in closed and open source, increasing the speed at which fixes are released AND applied, looks like the only sensible approach.

Hackers target outsourced app development

Olivier
Dead Vulture

Trotskyist rant?

Is this an English site? Even the worst leftist French blogs are more open to the realities of industry.

Does your company need to run a power station in order to have electricity? Does your company own a cement factory in order to build its headquarters?

Outsourcing is an obvious rationalization process. Obvious, but not easy to manage, and obviously outsourcing does not remove responsibility..

One of the problems (among many others) is that often many security aspects are not considered in outsourcing contracts. This is incompetence, but this does not say anything good or bad about outsourcing itself. Nothing proves that if the process was "internalized" it would be any safer.

Only Ubuntu left standing, as Flash vuln fells Vista in Pwn2Own hacking contest

Olivier
Thumb Down

Hacker went for value

All this shows is that hackers wanted to come home with the most valuable laptops:

First the MacBook, then the Vista, and to hell with the Linux thingy (even if it is the same hardware, the Vista one comes with.. Vista!)

Note that the Flash exploit is not exactly a Windows vulnerability (nor is it directly a Linux or a Mac vulnerability).

For the security-challenged guys who think only root access is a security threat, just consider that the latest vulns in Firefox were enough for a hacker to steal your credit card information, send spam and drive DDoS attacks from your computer..

Mass compromise powers massive drive-by download attack

Olivier
Black Helicopters

And the servers?

The "vulnerable" servers are likely to be (again) LAMP servers. If this could make the penguins shut up a bit.. The last infection of this kind was based on a Linux kernel rootkit ..