Catonic wrote: dc0de wrote: I'm always amazed that with new programming languages, techniques, and plug-ins, we continue to ignore the basic tenets of security, which is to "expect your application/code to be attacked." I can't wait until the "next new thing" and then the "shock / horror" that it too can be attacked... unless the programmers learn to actually think like an attacker.
The more time I see pass, the more I see this cycle repeat. It almost seems as if the software companies are actively trying to keep other companies in business... job security. -- Catonic
Decius has some good thoughts on this. Look at TCP/IP vulns. The Vista beta suffered from IP fragmentation attacks, which hadn't been seen working in the wild since the Windows 95 days. The reason is simple: the programmers who solved those problems in Windows 95 are not the programmers who implemented the TCP/IP stack in Vista. Microsoft's mistake is even more retarded because the security issues with TCP/IP (server state in the 3-way handshake, etc.) and their solutions (SYN cookies, etc.) are a well known and studied area. What was the lesson of the SYN floods of the mid 90s? Don't allow a single unauthenticated packet to cause state to be stored on the server or cause several packets to be sent by the server to an unverified address. Which class of protocols totally forgot this piece of knowledge? Begins with V and ends in OIP. Security researcher Yoda says: Ignorance is the path to the dark side. Ignorance leads to poor choices. Poor choices lead to vulnerabilities. Vulnerabilities lead to IT suffering. Cycle of pain.
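To make the SYN-flood lesson in the post above concrete, here is an added illustration (not code from anyone in the thread) of the SYN cookie idea: the server encodes a time slot and an MSS index into the SYN-ACK sequence number, keyed with an HMAC over the connection 4-tuple, so it stores nothing until a valid ACK proves the client address is real. The secret, the MSS table and the 64-second window are constructed for this example, not taken from any real stack.

```python
import hmac, hashlib, struct, ipaddress

SECRET = b"example-server-secret"        # constructed; real stacks rotate this
MSS_TABLE = [536, 1220, 1440, 1460]      # MSS index lives in 3 bits of the ISN
WINDOW = 64                              # seconds per time slot (5-bit counter)

def _tag(src_ip, src_port, dst_ip, dst_port, counter):
    """24-bit keyed tag over the 4-tuple and time slot; this replaces stored state."""
    msg = struct.pack("!4sH4sHI", ipaddress.ip_address(src_ip).packed, src_port,
                      ipaddress.ip_address(dst_ip).packed, dst_port, counter)
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return struct.unpack("!I", digest[:4])[0] & 0x00FFFFFF

def make_syn_cookie(src_ip, src_port, dst_ip, dst_port, client_mss, now):
    """ISN for the SYN-ACK: 5-bit slot | 3-bit MSS index | 24-bit tag. No state kept."""
    counter = (now // WINDOW) & 0x1F
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= client_mss), default=0)
    return (counter << 27) | (mss_idx << 24) | _tag(src_ip, src_port, dst_ip, dst_port, counter)

def check_syn_cookie(src_ip, src_port, dst_ip, dst_port, ack, now, max_age=2):
    """Validate the client's ACK. Returns the MSS to use, or None if forged or stale.
    Because the tag is recomputed from the 4-tuple, a spoofed source never gets here."""
    isn = (ack - 1) & 0xFFFFFFFF          # client ACKs our ISN + 1
    counter, mss_idx, tag = isn >> 27, (isn >> 24) & 0x7, isn & 0x00FFFFFF
    if ((now // WINDOW) & 0x1F) - counter & 0x1F > max_age:   # wrap-safe age check
        return None
    if mss_idx >= len(MSS_TABLE):
        return None
    expected = _tag(src_ip, src_port, dst_ip, dst_port, counter)
    if not hmac.compare_digest(struct.pack("!I", tag), struct.pack("!I", expected)):
        return None
    return MSS_TABLE[mss_idx]

if __name__ == "__main__":
    t0 = 1_700_000_000
    isn = make_syn_cookie("198.51.100.7", 40000, "203.0.113.1", 443, 1460, t0)
    print("accepted MSS:", check_syn_cookie("198.51.100.7", 40000, "203.0.113.1", 443, isn + 1, t0 + 100))
    print("spoofed port:", check_syn_cookie("198.51.100.7", 40001, "203.0.113.1", 443, isn + 1, t0 + 100))
```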