<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0">
<channel>
<title>Ivan</title>
<link>http://blogs.dotnetthis.com/Ivan/</link>
<description>Security &amp; .NET Web Log</description>
<copyright>Copyright 2006</copyright>
<lastBuildDate>Thu, 16 Jun 2005 18:55:42 +0000</lastBuildDate>
<generator>http://www.movabletype.org/?v=3.11</generator>
<docs>http://blogs.law.harvard.edu/tech/rss</docs> 

<item>
<title>Microsoft meets the hackers</title>
<description>An article on Microsoft&apos;s &quot;Blue Hat&quot; summit is posted on news.com - good read. http://news.com.com/Microsoft+meets+the+hackers/2009-1002_3-5747813.html...</description>
<link>http://blogs.dotnetthis.com/Ivan/archives/2005/06/microsoft_meets.html</link>
<guid>http://blogs.dotnetthis.com/Ivan/archives/2005/06/microsoft_meets.html</guid>
<category></category>
<pubDate>Thu, 16 Jun 2005 18:55:42 +0000</pubDate>
</item>
<item>
<title>Security Chat on Microsoft.com</title>
<description>Tomorrow come join a security chat at microsoft.com where MS experts are going to talk about ACLs, authorization techniques, role based access control and ASP.NET. Should be interesting :). http://www.microsoft.com/communities/chats/default.mspx#05_0526_DN_ACT...</description>
<link>http://blogs.dotnetthis.com/Ivan/archives/2005/05/security_chat_o.html</link>
<guid>http://blogs.dotnetthis.com/Ivan/archives/2005/05/security_chat_o.html</guid>
<category></category>
<pubDate>Thu, 26 May 2005 00:57:22 +0000</pubDate>
</item>
<item>
<title>New entry :)</title>
<description>It&apos;s been a while since I last posted anything here, even though life is full of interesting and exciting things, including ones in the security space. My main focus remains on building security tools. Unfortunately many of them I cannot talk about, which is part of the reason why this blog has been stagnant. One of the tools I can talk about though is the Threat Modeling Tool, which my team owns and we are currently working on a new version with some bug fixes, nicer UI and some new features. Most likely it will be available for download some time in summer. Other things we focus on include building tools that incorporate [relatively] new methods of finding security vulnerabilities, such as fuzzing or fuzz-testing (I should probably post an entry on this as it is a very interesting topic). SDL (Secure Development Lifecycle) is another thing I am involved in, partly helping drive it, partly building tools that enforce it. I have recently been to Russia, speaking about security tools for developers at MS Research&apos;s Academic Days event and while on this trip I had also visited several universities. I have to say that I am surprised by how much attention software security gets nowadays, some universities (such as MEPHI) have whole faculties dedicated to this problem. I think this is awesome. Cheers everybody and I will try to write more frequently....</description>
<link>http://blogs.dotnetthis.com/Ivan/archives/2005/05/new_entry.html</link>
<guid>http://blogs.dotnetthis.com/Ivan/archives/2005/05/new_entry.html</guid>
<category></category>
<pubDate>Thu, 12 May 2005 02:39:31 +0000</pubDate>
</item>
<item>
<title>MSRC tour on Channel9</title>
<description>A video tour of MSRC/SWI team with some folks interviewed has been posted on Channel9 :)...</description>
<link>http://blogs.dotnetthis.com/Ivan/archives/2005/01/msrc_tour_on_ch.html</link>
<guid>http://blogs.dotnetthis.com/Ivan/archives/2005/01/msrc_tour_on_ch.html</guid>
<category></category>
<pubDate>Mon, 10 Jan 2005 19:43:10 +0000</pubDate>
</item>
<item>
<title>What is common between Strong Names, Obfuscation and DRM?</title>
<description>(inspired by this article: http://www.codeproject.com/dotnet/NeCoder03.asp, where the author shows how to &quot;break&quot; strong names) There are a lot of misconceptions out there related to various security technologies - some people think having a strong name makes their assemblies tamper-proof, some people think obfuscation prevents other people from reverse-engineering their code, some people think DRM prevents everybody from copying protected content. Let me tell you the truth: - Strong Names provide unspoofable unique assembly names, it is not possible to change the assembly and still keep the same valid strong name, but it is trivial to remove a strong name (same goes for publisher Authenticode signatures), or put a different strong name on the same assembly; - Obfuscation doesn&apos;t stop reverse engineering, it makes it HARDER; - DRM doesn&apos;t prevent a malicious hacker from copying protected content, it makes it HARDER; Some approaches make it a little bit harder, some approaches make it a lot harder, but none of the approaches gives 100% protection. That&apos;s all there is to it, end of story....</description>
<link>http://blogs.dotnetthis.com/Ivan/archives/2004/11/what_is_common.html</link>
<guid>http://blogs.dotnetthis.com/Ivan/archives/2004/11/what_is_common.html</guid>
<category></category>
<pubDate>Thu, 18 Nov 2004 00:17:41 +0000</pubDate>
</item>
<item>
<title>Kudos to Internet Explorer on BugTraq</title>
<description>From http://www.securityfocus.com/archive/1/378632/2004-10-15/2004-10-21/0: &quot;All browsers but Microsoft Internet Explorer kept crashing on a regular basis due to NULL pointer references, memory corruption, buffer overflows, sometimes memory exhaustion; taking several minutes on average to encounter a tag they couldn&apos;t parse.&quot; Nice to read this :))...</description>
<link>http://blogs.dotnetthis.com/Ivan/archives/2004/10/cudos_to_intern.html</link>
<guid>http://blogs.dotnetthis.com/Ivan/archives/2004/10/cudos_to_intern.html</guid>
<category></category>
<pubDate>Mon, 18 Oct 2004 18:28:04 +0000</pubDate>
</item>
<item>
<title>Security Summit East</title>
<description>I will be attending the Security Summit East in Washington, DC this week, giving a brand new talk about Microsoft&apos;s security-related processes, tools and techniques we are using to find, fix and prevent security issues. Some tools I will be touching on: - Threat Modeling Tool - Windows Application Verifier - FxCop...</description>
<link>http://blogs.dotnetthis.com/Ivan/archives/2004/10/security_summit.html</link>
<guid>http://blogs.dotnetthis.com/Ivan/archives/2004/10/security_summit.html</guid>
<category></category>
<pubDate>Mon, 11 Oct 2004 16:46:33 +0000</pubDate>
</item>
<item>
<title>Blog system updated</title>
<description>As you may have noticed my blog has been broken for a while. For some reason Movable Type croaked on me, so today I updated to the latest version (and lost all my previous comments, which I may attempt to restore later). In any case I hope the new version will work fine, and I will be able to post some new entries :)...</description>
<link>http://blogs.dotnetthis.com/Ivan/archives/2004/09/blog_system_upd.html</link>
<guid>http://blogs.dotnetthis.com/Ivan/archives/2004/09/blog_system_upd.html</guid>
<category></category>
<pubDate>Thu, 30 Sep 2004 23:18:22 +0000</pubDate>
</item>


</channel>
</rss>