Ivan 2005-06-16T18:57:44Z Security & .NET Web Log tag:blogs.dotnetthis.com,2006:/Ivan/1 Movable Type Copyright (c) 2005, ivan Microsoft meets the hackers 2005-06-16T18:57:44Z 2005-06-16T18:55:42Z tag:blogs.dotnetthis.com,2005:/Ivan/1.8 2005-06-16T18:55:42Z An article on Microsoft's "Blue Hat" summit is posted on new.com - good read. http://news.com.com/Microsoft+meets+the+hackers/2009-1002_3-5747813.html... ivan http://www.dotnetthis.com ivan@dotnetthis.com An article on Microsoft's "Blue Hat" summit is posted on new.com - good read. http://news.com.com/Microsoft+meets+the+hackers/2009-1002_3-5747813.html

]]> Security Chat on Microsoft.com 2005-05-26T01:00:58Z 2005-05-26T00:57:22Z tag:blogs.dotnetthis.com,2005:/Ivan/1.7 2005-05-26T00:57:22Z Tomorrow come join a security chat at microsoft.com where MS experts are going to talk about ACLs, authorization techniques, role based access control and ASP.NET. Should be interesting :). http://www.microsoft.com/communities/chats/default.mspx#05_0526_DN_ACT... ivan http://www.dotnetthis.com ivan@dotnetthis.com Tomorrow come join a security chat at microsoft.com where MS experts are going to talk about ACLs, authorization techniques, role based access control and ASP.NET. Should be interesting :). http://www.microsoft.com/communities/chats/default.mspx#05_0526_DN_ACT

]]> New entry :) 2005-05-12T02:51:41Z 2005-05-12T02:39:31Z tag:blogs.dotnetthis.com,2005:/Ivan/1.6 2005-05-12T02:39:31Z It's been awhile since I last posted anything here, even though life is full of interesting and exciting things, including ones in the security space. My main focus remains on building security tools. Unfortunately many of them I can not talk about, which is part of the reason why this blog has been stagnant. One of the tools I can talk about though is the Threat Modeling Tool, which my team owns and we are currently working on a new version with some bug fixes, nicer UI and some new features. Most likely it will be available for download some time in summer. Other things we focus on include building tools that incorporate [relatively] new methods of finding security vulnerabilities, such as fuzzing or fuzz-testing (I should probably post an entry on this as it is a very interesting topic). SDL (Secure Development Lifecycle) is another thing I am involved into, partly helping drive it, partly building tools that enforce it. I have recently been to Russia, speaking about security tools for developers at MS Research's Academic Days event and while on this trip I had also visited several universities. I have to say that I am surprised by how much attention software security gets nowdays, some universities (such as MEPHI) have whole faculties dedicated to this problem. I think this is awesome. Cheers everybody and I will try to write more frequently.... ivan http://www.dotnetthis.com ivan@dotnetthis.com It's been awhile since I last posted anything here, even though life is full of interesting and exciting things, including ones in the security space. My main focus remains on building security tools. Unfortunately many of them I can not talk about, which is part of the reason why this blog has been stagnant. One of the tools I can talk about though is the Threat Modeling Tool, which my team owns and we are currently working on a new version with some bug fixes, nicer UI and some new features. Most likely it will be available for download some time in summer. Other things we focus on include building tools that incorporate [relatively] new methods of finding security vulnerabilities, such as fuzzing or fuzz-testing (I should probably post an entry on this as it is a very interesting topic). SDL (Secure Development Lifecycle) is another thing I am involved into, partly helping drive it, partly building tools that enforce it.
I have recently been to Russia, speaking about security tools for developers at MS Research's Academic Days event and while on this trip I had also visited several universities. I have to say that I am surprised by how much attention software security gets nowdays, some universities (such as MEPHI) have whole faculties dedicated to this problem. I think this is awesome.
Cheers everybody and I will try to write more frequently.

]]> MSRC tour on Channel9 2005-01-10T19:45:23Z 2005-01-10T19:43:10Z tag:blogs.dotnetthis.com,2005:/Ivan/1.5 2005-01-10T19:43:10Z A video tour of MSRC/SWI team with some folks interviewed has been posted on Channel9 :)... ivan http://www.dotnetthis.com ivan@dotnetthis.com A video tour of MSRC/SWI team with some folks interviewed has been posted on Channel9 :)

]]> What is common between Strong Names, Obfuscation and DRM? 2004-11-18T00:32:08Z 2004-11-18T00:17:41Z tag:blogs.dotnetthis.com,2004:/Ivan/1.4 2004-11-18T00:17:41Z (inspired by this article: http://www.codeproject.com/dotnet/NeCoder03.asp, where the author shows how to "break" strong names) There is a lot of misconceptions out there related to various security technologies - some people think having a strong name makes their assemblies tamper-proof, some people think obfuscation prevents other people from reverse-engineering their code, some people think DRM prevents everybody from copying protected content. Let me tell you the truth: - Strong Names provide unspoofable unique assembly names, it is not possible to change the assembly and still keep the same valid strong name, but it is trivial to remove a strong name (same goes for publisher Authenticode signatures), or put a different strong name on the same assembly; - Obfuscation doesn't stop reverse engineering, it makes it HARDER; - DRM doesn't prevent a malicious hacker from copying protected content, it makes it HARDER; Some approaches make it a little bit harder, some approaches make it a lot harder, but none of the approaches gives 100% protection. That's all there is to it, end of story.... ivan http://www.dotnetthis.com ivan@dotnetthis.com (inspired by this article: http://www.codeproject.com/dotnet/NeCoder03.asp, where the author shows how to "break" strong names)
There is a lot of misconceptions out there related to various security technologies - some people think having a strong name makes their assemblies tamper-proof, some people think obfuscation prevents other people from reverse-engineering their code, some people think DRM prevents everybody from copying protected content.
Let me tell you the truth:
- Strong Names provide unspoofable unique assembly names, it is not possible to change the assembly and still keep the same valid strong name, but it is trivial to remove a strong name (same goes for publisher Authenticode signatures), or put a different strong name on the same assembly;
- Obfuscation doesn't stop reverse engineering, it makes it HARDER;
- DRM doesn't prevent a malicious hacker from copying protected content, it makes it HARDER;
Some approaches make it a little bit harder, some approaches make it a lot harder, but none of the approaches gives 100% protection. That's all there is to it, end of story.

]]> Cudos to Internet Explorer on BugTraq 2004-10-18T18:30:31Z 2004-10-18T18:28:04Z tag:blogs.dotnetthis.com,2004:/Ivan/1.3 2004-10-18T18:28:04Z From http://www.securityfocus.com/archive/1/378632/2004-10-15/2004-10-21/0: "All browsers but Microsoft Internet Explorer kept crashing on a regular basis due to NULL pointer references, memory corruption, buffer overflows, sometimes memory exhaustion; taking several minutes on average to encounter a tag they couldn't parse." Nice to read this :))... ivan http://www.dotnetthis.com ivan@dotnetthis.com From http://www.securityfocus.com/archive/1/378632/2004-10-15/2004-10-21/0:
"All browsers but Microsoft Internet Explorer kept crashing on a regular basis due to NULL pointer references, memory corruption, buffer overflows, sometimes memory exhaustion; taking several minutes on average to encounter a tag they couldn't parse."

Nice to read this :))

]]> Security Summit East 2004-10-11T16:53:09Z 2004-10-11T16:46:33Z tag:blogs.dotnetthis.com,2004:/Ivan/1.2 2004-10-11T16:46:33Z I will be attending the Security Summit East in Washington, DC this week, giving a brand new talk about Microsoft's security-related processes, tools and techniques we are using to find, fix and prevent security issues. Some tools I will be touching on: - Threat Modeling Tool - Windows Application Verifier - FxCop... ivan http://www.dotnetthis.com ivan@dotnetthis.com I will be attending the Security Summit East in Washington, DC this week, giving a brand new talk about Microsoft's security-related processes, tools and techniques we are using to find, fix and prevent security issues.
Some tools I will be touching on:
- Threat Modeling Tool
- Windows Application Verifier
- FxCop

]]> Blog system updated 2004-09-30T23:20:49Z 2004-09-30T23:18:22Z tag:blogs.dotnetthis.com,2004:/Ivan/1.1 2004-09-30T23:18:22Z As you may have noticed my blog has been broken for a while. For some reason Movable Type croaked on me, so today I updated to the latest version (and lost all my previous comments, which I may attempt to restore later). In any case I hope the new version will work fine, and I will be able to post some new entries :)... ivan http://www.dotnetthis.com ivan@dotnetthis.com As you may have noticed my blog has been broken for a while. For some reason Movable Type croaked on me, so today I updated to the latest version (and lost all my previous comments, which I may attempt to restore later). In any case I hope the new version will work fine, and I will be able to post some new entries :)

]]>