Spliced feed for Security Bloggers Network |
DNS based GSLB demystified (part 2/3) [Francois Ropert weblog] Posted: 26 Oct 2008 04:42 AM CDT Impacts of DNS caching: When using DNS, responses are cached for a specific period of time by resolvers and clients. This time is configurable and is called the TTL (time to live). When the client cache expires and the application calls the same name, it sends a new DNS request. If the resolver cache has not expired, the resolver replies directly; if the resolver cache has expired, the GSLB mechanism runs again. Setting a TTL of "0" means « no cache ». |
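As an added illustration of the two cache layers the post describes (this is not code from Francois Ropert's post), here is a small Python model of a client stub cache and a recursive resolver sitting in front of a GSLB. The hostname, the two site addresses and the round-robin site selection are constructed for the example; a real GSLB chooses on health, load or client location. The model also makes explicit something the excerpt leaves implicit: a caching resolver hands downstream the *remaining* TTL, so the client's copy expires at the same instant as the resolver's, and the GSLB decision is re-run only then. With TTL 0 nothing is stored and every query reaches the GSLB.

```python
"""TTL-aware caching in front of a DNS-based GSLB (constructed model, not the post's code)."""
from dataclasses import dataclass
from itertools import cycle


@dataclass
class Answer:
    name: str
    address: str
    ttl: int  # seconds the answer may still be cached; 0 means "do not cache"


class GslbServer:
    """Authoritative GSLB: its site-selection logic runs on every query it receives.
    Selection is plain round-robin here (assumption); `decisions` counts how often it ran."""

    def __init__(self, name, sites, ttl):
        self.name = name
        self.ttl = ttl
        self._sites = cycle(sites)
        self.decisions = 0

    def lookup(self, name, now):
        if name != self.name:
            raise KeyError(name)
        self.decisions += 1
        return Answer(name, next(self._sites), self.ttl)


class Cache:
    """One caching layer (a recursive resolver or a client stub resolver).
    Honours the TTL of the answer it received and passes downstream the remaining
    TTL, as real resolvers do, so no layer caches an answer past the moment the
    layer above it will discard it."""

    def __init__(self, upstream):
        self.upstream = upstream
        self._entries = {}  # name -> (Answer, absolute expiry time)

    def lookup(self, name, now):
        entry = self._entries.get(name)
        if entry is not None:
            answer, expires_at = entry
            if now < expires_at:
                return Answer(answer.name, answer.address, expires_at - now)
            del self._entries[name]  # expired: ask upstream again
        answer = self.upstream.lookup(name, now)
        if answer.ttl > 0:  # TTL 0: use the answer once, never store it
            self._entries[name] = (answer, now + answer.ttl)
        return answer


def simulate(ttl, query_times, sites=("10.0.1.10", "10.0.2.10")):
    """Run one application through client cache -> resolver -> GSLB at the given
    times (seconds). Returns (number of GSLB decisions, address seen per query)."""
    gslb = GslbServer("www.example.com", sites, ttl)   # constructed name and sites
    resolver = Cache(gslb)
    client = Cache(resolver)
    seen = [client.lookup("www.example.com", t).address for t in query_times]
    return gslb.decisions, seen


if __name__ == "__main__":
    times = [0, 10, 20, 30, 31, 60, 65]
    print("TTL=30:", simulate(30, times))  # GSLB runs only when the cached copy expires
    print("TTL=0: ", simulate(0, times))   # GSLB runs for every single query
```

Run it and compare the two lines: with a 30-second TTL the seven queries produce three GSLB decisions, with a TTL of 0 they produce seven, which is the cost of "no cache" the post mentions. The remaining-TTL detail matters for GSLB failover: a client that asks the resolver 12 seconds into a 30-second record gets an 18-second answer, not a fresh 30-second one.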
Gartner: Oracle & VMware Tied For Most Secure Hypervisor? [Rational Survivability] Posted: 26 Oct 2008 04:31 AM CDT I was reading an interesting article from James Maguire from Datamation that outlined various competitors in the virtualization platform space. In the article, James referenced a Gartner slide that comparatively summarized hypervisor selection criteria including the maturity of features, pricing, management and ultimately security. Unfortunately the presentation source of the slide was not cited, but check this out: Since Oracle's hypervisor is based upon Xen and Citrix/XenSource is not ranked as high, it leaves me scratching my head. Given that this chart references hypervisor selection to YE08, it more than likely does not take into consideration the coming vNetwork/VMsafe API's; it's unclear if this section is a measure of VMM "security" based upon published vulnerabilities, an assessment of overall architecture, the availability of security solutions in the ecosystem... This is a very interesting assertion and I'd really like to get the entire document that describes how this was quantified and what it means. Anyone know which report this came from? /Hoff |
I'm whole again! [StillSecure, After All These Years] Posted: 25 Oct 2008 10:20 PM CDT The toughest thing to repair from my blog hack incident back in August was that the kind, thoughtful folks (we know who you are, be afraid, very afraid) who did it decided to try and save Typepad some disk space and deleted a whole bunch of my posts from Feb 2008 through early August. As I have mentioned before, Typepad does not have a restore-from-deleted feature. As I have also said before, as a result of knowing some folks at Typepad I was able to get a backup of my blog. They showed me how to manually set up a file to import the deleted posts. That was fine for doing one or two at a time, but almost 300 blog posts was just a bit much. I tried and tried to figure out the best way to do this. Finally I gave up. Instead I handed it over to handy, dandy Jake Reynolds, IT magician person. Jake took the file onto his shiny Mac, did some scripting and tonight I imported 6 files and presto! 6 months' worth of blog files restored! I am not sure the indexing of them is synced yet, but that should take a day or two I guess. In the meantime, all 1300+ of my blog articles are now available again. At some level I feel like this is closing another chapter on the whole experience of August. |
Ridiculing the Ridiculous: Terrorist Tweets [Emergent Chaos] Posted: 25 Oct 2008 09:09 PM CDT A group of soldiers with the US Army's 304th Military Intelligence Battalion have managed to top previous military research on terrorist use of World of Warcraft. Realizing that mentioning the word "terrorist" can allow researchers to acquire funding to play the popular MMOG, they turned attention to the popular, if architecturally unscalable micro-blogging system, Twitter. Surpassing the threat-analysis skill of super-spy Chad Feldheimer from the recent documentary "Burn After Reading," they mention not only the threat of "socialists," "communists," and "anarchists," in using Twitter to "communicate with each other and to send messages to broader audiences," but the wider and more up-to-date threats from "religious communities," "atheists," "political enthusiasts," "human rights groups," "vegetarians," and last but not least, "hacktivists." They notably left out delinquent teenagers, so one presumes they don't use systems like Twitter. The Military Intelligence group also discovered that people can use GPS in phones like the Nokia 6210 and Nokia Maps to know where they are. This could let terrorists who want to illegally cross a border know where that border is, or to know that a certain large triangular stone thing is the Pyramid of Cheops (category: Attraction). The report's cutting edge thinking also discusses how terrorists could use voice-changing software such as AV Voice Changer Diamond to make prank phone calls and effectively hide under an abaya. The full report, marked "For Official Use Only," can be found here. It also redacts with a dark gray splash of ink the email address of sarah.e.womer@ugov.gov, from whom you can get a copy of the report if you do not have access to INTELINK, Cryptome, or the Federation of American Scientists. I think the report speaks for itself. I just can't make this stuff up, apart from the bit about hiding under an abaya. |
Bloblive was a blast! [Srcasm] Posted: 25 Oct 2008 07:52 PM CDT As most of you who follow me know, I love to talk. I can and will talk to almost anyone I come in contact with and even more than that, I love to hear new ideas. I went to an event called bloblive put on by ideablob in Philadelphia recently where people got to get up and share ideas that they had. They ranged from food carts to community financed physicians and everything in between. I thoroughly enjoyed each and every one of the presenters. At this event, a good friend of mine spoke about her idea. Gloria discussed the idea of “a la carte business assistant services”. These could include doing the books, sending emails or even running customer service duty when you’re unavailable as an entrepreneur. Check out her presentation below and her company at Red Stapler Consulting or her interview by Jonny Goldstein.
In addition, if you’re willing to sit back with a bag-o-popcorn and laugh your butt off, go ahead and catch my impromptu presentation on how to build up free wireless in Philadelphia — Correctly. |
With great privilege comes great responsibility [StillSecure, After All These Years] Posted: 25 Oct 2008 07:40 PM CDT How many of us have grown up hearing about the sacrifices of our forefathers enabling our freedoms and lifestyle? How many of you have believed that the dream of home ownership, regular vacations, bountiful food and freedom to be and do almost anything is your birthright? If you are anything like me, you have taken the lifestyle you and your family lead for granted. Over the last few months and weeks though I have thought a lot about what so many of us take for granted. Life, liberty, the pursuit of happiness are more than just words. Being able to quench your hunger by just opening the refrigerator is not the natural state of man. Buying electronics, toys and other luxuries is not a God-given right. There really have been huge sacrifices made for us to live the life we lead. Whether we talk about brave men and women giving their blood so that we can live the way we live or people scrimping and saving, doing without - in the hope of a better life for their children, every generation has done what they had to. They have risen to the challenges of their day. Their only hope being that the generation who comes next will have it better than they did. A review of history shows that almost every generation comes to a crisis point where the life we lead and the life we want for our children is in jeopardy. Every generation must rise up to meet this challenge. For the most part we have been blessed that the generations who have gone before us have risen up to meet this challenge. In every generation leaders have arisen to lead the charge, but it is up to the rank and file to overcome. Tom Brokaw wrote about one such generation in his book "The Greatest Generation": our grandparents and great-grandparents who suffered through the Great Depression and then made the world "safe for democracy". 
The next generation overcame the morass of Vietnam and eventually vanquished the threat of Communism and the Cold War. Earlier generations built an economic powerhouse that rivaled any of the great empires of antiquity. Our ingenuity and innovative culture has accelerated the pace of progress beyond anything imagined before. All of this resulted in a way of life that would seem impossible to humans just a hundred or so years ago. Our generation has enjoyed the life that these accomplishments and sacrifices have enabled. But I think now is the time for our generation to step up and pay back. We are at our crisis point: global events with terrorism, energy and environmental issues; coming to grips with living on borrowed money and perhaps borrowed time; an economy that maybe is not as fundamentally sound and strong as we have believed; a society that is too absorbed in "me" to care much about "us". Our problems all seem to be coming home to roost at the same time. How we respond and face all of these challenges simultaneously will determine not only how we get by these times, but what kinds of lives our children will lead. It is time to really show that we don't take all of our bounty for granted. We need to show that we are willing to do what we have to in order to continue and to prosper. We as a generation have to step up, be counted, meet the challenges and continue the tradition of our forefathers. The future of our planet and species is dependent on it! |
Patching The Cloud? [Rational Survivability] Posted: 25 Oct 2008 07:05 PM CDT Just to confuse you, as a lead-in on this topic, please first read my recent rant titled "Will You All Please Shut-Up About Securing THE Cloud...NO SUCH THING..." Let's say the grand vision comes to fruition where enterprises begin to outsource to a cloud operator the hosting of previously internal complex mission-critical enterprise applications. After all, that's what we're being told is the Next Big Thing™. In this version of the universe, the enterprise no longer owns the operational elements involved in making the infrastructure tick -- the lights blink, packets get delivered, data is served up and it costs less for what is advertised as the same if not better reliability, performance and resilience. Oh yes, "Security" is magically provided as an integrated functional delivery of service. Tastes great, less datacenter filling. So, in a corner case example, what does a boundary condition like the out-of-cycle patch release of MS08-067 mean when your infrastructure and applications are no longer yours to manage and the ownership of the "stack" disintermediates you from being able to control how, when or even if vulnerability remediation anywhere in the stack (from the network on up to the app) is assessed, tested or deployed? Your application is sitting atop an operating system and underlying infrastructure that is managed by the cloud operator. This "datacenter OS" may not be virtualized or could actually be sitting atop a hypervisor which is integrated into the operating system (Xen, Hyper-V, KVM) or perhaps reliant upon a third party solution such as VMware. The notion of cloud implies shared infrastructure and hosting platforms, although it does not imply virtualization. A patch affecting any one of the infrastructure elements could cause a ripple effect on your hosted applications. 
Without understanding the underlying infrastructure dependencies in this model, how does one assess risk and determine what any patch might do up or down the stack? How does an enterprise that has no insight into the "black box" model of the cloud operator set up a dev/test/staging environment that acceptably mimics the operating environment? How does one negotiate the process for determining when and how a patch is deployed? Where does the cloud operator draw the line? If the cloud fabric is democratized across constituent enterprise customers, however isolated, how does a cloud provider ensure consistent distributed service? If an application can be dynamically provisioned anywhere in the fabric, consistency of the platform is critical. I hate to get all "Star Trek II: The Wrath of Khan" on you, but as Spock said, "The needs of the many outweigh the needs of the few." How, when and if a provider might roll a patch has a broad impact across the entire customer base -- as it has had in the hosting markets for years -- but again the types of applications we are talking about here are far different from what we're used to today, where the applications and the infrastructure are inextricably joined at the hip. Hosting/SaaS providers today can scale because of one thing: standardization. Certainly COTS applications can be easily built on standardized tiered models for compute, storage and networking, but again, we're being told that enterprises will move all their applications to the cloud, and that includes bespoke creations. If that's not the case, and we end up still having to host some apps internally and some apps in the cloud, we've gained nothing because we won't be able to eliminate the infrastructure needed to support either. What about it? Do you see cloud computing as just an extension of SaaS and hosting of today? 
Do you see dramatically different issues arise based upon the types of information and applications that are being described in this model? We've seen issues such as data ownership, privacy and portability bubble up, but these are much more basic operational questions. This is obviously a loaded set of questions for which I have much to say -- some of which is obvious -- but I'd like to start a discussion, not a rant. /Hoff *This little ditty was inspired by a Twitter exchange with Bob Rudis who was complaining that Amazon's EC2 service did not have the MS08-067 patch built into the AMI...Check out this forum entry from Amazon, however, as it's rather apropos regarding the very subject of this blog... |
Insecurity Theatre [Emergent Chaos] Posted: 25 Oct 2008 03:56 PM CDT "It's been in the back of my mind since you first came in: How do you get the missile on the trailer into Manhattan?" federal Judge William Pauley III asked. So reports the New York Post, "Security Lapse Let in Naughty Fake Rocket." I was going to comment, but I think I'll just salute. |
A security lesson from the Joe the Plumber snooper [SOURCE Conference Blog] Posted: 25 Oct 2008 03:22 PM CDT First we had the Gov. Palin Yahoo email break in to teach us the vulnerabilities of weak password reset schemes. Now we have a Joe the Plumber government records snooper teaching us about proper computer account management. The Columbia Dispatch is reporting that a state employee with access to a “test account” has been accessing Joe the Plumber’s government records:
Security best practices require that test accounts be removed before a system is put into production and loaded with real data. Otherwise there is no accountability to any one individual. Shared accounts such as test accounts are frequently abused so that the snooper can get away undetected. The investigation should look at what other data has been snooped on using this test account. Perhaps this has been going on for a long time and no one noticed. It is still likely that the perpetrator can be tracked down if he or she accessed the data from an internal system and the records application logged the IP address that connected to it. Even if the IP address doesn’t connect back to an individual’s computer but to a shared machine, the search will have been narrowed down greatly. |
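Added example, not from the post above (which states the principle only): a small Python triage over constructed access-log lines for a records application. It answers the three questions the post raises about a shared account: what else it touched, over what period, and from which source addresses, and it flags addresses inside an assumed internal range as the ones that lead back to a workstation or, at worst, a shared machine. The log format, the field names, the record identifiers and the 10.0.0.0/8 internal range are all assumptions for the example, not the Ohio system's real format.

```python
"""Triage of shared/test-account use in a records-application access log.
Constructed example: log format, field names and the internal range are assumed."""
import ipaddress
import re
from datetime import datetime

# Constructed sample log (not real data): one line per record access.
SAMPLE_LOG = """\
2008-10-14T08:02:11 user=jdoe src=10.20.30.15 action=VIEW record=BMV-110022
2008-10-15T17:48:03 user=test_account src=10.20.30.41 action=VIEW record=BMV-558190
2008-10-15T17:49:27 user=test_account src=10.20.30.41 action=VIEW record=TAX-558190
2008-10-16T09:11:45 user=test_account src=10.20.30.41 action=VIEW record=CSE-558190
2008-10-16T11:30:00 user=msmith src=10.20.31.7 action=VIEW record=BMV-110031
this line is deliberately malformed and must be skipped, not crash the triage
2008-10-17T22:05:19 user=test_account src=203.0.113.9 action=VIEW record=BMV-558190
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"action=(?P<action>\S+) record=(?P<record>\S+)$"
)
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed internal address range


def parse(lines):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m is None:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        ev["internal"] = any(ipaddress.ip_address(ev["src"]) in n for n in INTERNAL_NETS)
        yield ev


def triage(lines, shared_accounts):
    """For each shared account seen in the log: number of accesses, the records
    touched, the period of activity, and every source address with its hit count
    and whether it falls inside the internal range."""
    report = {}
    for ev in parse(lines):
        if ev["user"] not in shared_accounts:
            continue
        r = report.setdefault(ev["user"], {
            "accesses": 0, "records": set(), "sources": {},
            "first": ev["ts"], "last": ev["ts"],
        })
        r["accesses"] += 1
        r["records"].add(ev["record"])
        src = r["sources"].setdefault(ev["src"], {"count": 0, "internal": ev["internal"]})
        src["count"] += 1
        r["first"] = min(r["first"], ev["ts"])
        r["last"] = max(r["last"], ev["ts"])
    return report


def leads(report, account):
    """Source addresses to chase, internal ones first (they map to a machine on
    the inside), each with how many of the account's accesses came from it."""
    sources = report.get(account, {}).get("sources", {})
    return sorted(sources.items(), key=lambda kv: (not kv[1]["internal"], -kv[1]["count"]))


if __name__ == "__main__":
    rep = triage(SAMPLE_LOG.splitlines(), {"test_account"})
    for acct, r in rep.items():
        print(f"{acct}: {r['accesses']} accesses, {len(r['records'])} records, "
              f"{r['first']} .. {r['last']}")
        for src, info in leads(rep, acct):
            where = "internal" if info["internal"] else "external"
            print(f"  {src:<14} {info['count']:>3} hits  {where}")
```

Running it against the constructed log shows the account touched three different record types for the same subject over three days, and that all but one access came from one internal address, which is exactly the narrowing the post describes; the single external address is the one an investigator would have to pursue through the provider.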
Here they come! [Security Circus] Posted: 25 Oct 2008 12:47 PM CDT As I (and not just I...) predicted yesterday, here are the first two trojans abusing the new MS vuln: Spy-Agent.da as well as Gimmiv.a Of course, exploit details are already available, so making a viable trojan is now just a game. |
The sleepy summit in China... :) [Security Circus] Posted: 25 Oct 2008 12:06 PM CDT |
Tim Callan at Net.Finance East [Tim Callan's SSL Blog] Posted: 25 Oct 2008 11:57 AM CDT If you're going to Net.Finance East this coming week, make sure you arrive on time on the first day. That's because I'm giving the second keynote. I'll go over proven techniques to increase consumer confidence in your site and how those techniques are known to increase customers' likelihood to do business online. Make sure you come up and talk to me afterward. I'll also be in attendance for the entire two days, so you can catch me in the sessions or on the show floor as well. |
PaulDotCom Security Weekly - Episode 127 Part II - October 23, 2008 [PaulDotCom] Posted: 25 Oct 2008 11:51 AM CDT Larry does a tech segment, and we discuss the stories for the week. Again, apologize for the sound quality.
Hosts: Larry "HaxorTheMatrix" Pesce, Paul "PaulDotCom" Asadoorian Email: psw@pauldotcom.com |
PaulDotCom Security Weekly - Episode 127 Part I - October 23, 2008 [PaulDotCom] Posted: 25 Oct 2008 11:49 AM CDT We are joined by two special guests, Larry does a tech segment, and we discuss the stories for the week. I do apologize for the sound quality, we are still working some of the kinks out of our new system. We will be replacing the recording laptop for next week, which seems to have been the cause of the background noise.
Hosts: Larry "HaxorTheMatrix" Pesce, Paul "PaulDotCom" Asadoorian Email: psw@pauldotcom.com |
Here they come! [Security Circus] Posted: 25 Oct 2008 11:24 AM CDT As I predicted yesterday, here's a nasty trojan that uses MS's out-of-cycle emergency patch... forerunner of the botnets-to-come. It's called Gimmiv.A or Spy-Agent.da, and it looks like a worm-in-the-making. For now it "just" steals information and posts it remotely. Some exploit code also appeared on Milw0rm; it doesn't yet make the exploit a piece of cake, but I wouldn't rely on the exploit's unreliability to defend our networks. Once again, people, patch. |
US Military Wants Packs Of Robots To Hunt Humans [Liquidmatrix Security Digest] Posted: 25 Oct 2008 07:35 AM CDT Well, to hunt down the bad kind or “uncooperative” ones anyway. This has a weird humour element as it manages to conjure an image of Bender calling to “kill all humans”. From New Scientist:
So, the author is concerned where this tech could end up? The US military wants a droid army. What could possibly go wrong? Oh, riiight. For the full article read on. |
Creating 64-bit Applications with VS2008 Express [From a malicious attacker] Posted: 25 Oct 2008 07:00 AM CDT This post provides step-by-step instructions on how to create 64-bit applications using Visual C++ 2008 Express Edition. There are a large number of related posts on forums and other venues, but these don't really boil things down.
Step 0: Install VS 2008 Express. Download and install Visual C++ 2008 Express Edition.
Step 1: Install Platform SDK. Install the appropriate Platform SDK. For example, if you run Vista, install the Vista Platform SDK. This package will contain IA64 versions of the VC tool chain.
Step 2: Launch Platform SDK Command Line. Launch a Platform SDK command shell by clicking Start -> Microsoft Windows SDK -> CMD Shell. Note that I typed 'cl' in the command prompt and got back information indicating that this version of cl targets x64.
Step 3: Launch VC Express From Command Line. Launch VCExpress from the Platform SDK command shell like this: cd C:\Program Files (x86)\Microsoft Visual Studio 9.0\Common7\IDE The location of your VCExpress.exe may be different. After entering the command, Visual C++ Express should pop up. Most of the work is done at this point; there are just a few project configuration tweaks to make.
Step 4: Verify Environment Paths. Verify that the VC++ paths are correct by going to Tools -> Options -> Projects & Solutions -> VC++ Directories. Your settings should resemble those shown in the screenshots below. Note that the executable paths include the x64 tool chains. Include paths are shown to the left and library paths shown below on the right.
Step 5: Configuration Tweaks. Once you've verified that paths are set up correctly, it's time to make a few small changes. Change the target machine to be x64 as shown below. These have to be made per project, so open up a project you'd like to build targeting x64. In my case, I just created a dummy application using a Win32 template. Open the properties page of the project (right click the project in the browser bar on the left and click Properties). You should see something looking like the screenshot below. Finally, ensure that Register Output is set to "No" as shown below. You should be all set now! Build the solution and see for yourself. |
Security Flaw In T-Mobile’s Google Phone [Liquidmatrix Security Digest] Posted: 24 Oct 2008 09:08 PM CDT Well, that certainly didn’t take very long now did it? From NY Times:
Tricking a user into surfing an infected site? Nevah.
I guess we can safely say that, yes, that would be unpleasant. UPDATE: Well, I posted this just yesterday and now it appears that there are serious problems with T-Mobile’s G1 mobile email service. They are actively working to address the issue. Tags: Google, Android, Google Android, T-Mobile |
Reader contributions of SSL haiku [Tim Callan's SSL Blog] Posted: 24 Oct 2008 08:00 PM CDT Longtime readers of The SSL Blog will remember that in the past I have published haiku about SSL, including a haiku about EV SSL. Apparently I'm not the only one. Reader Troy Kitch offers this gem: I found a green bar Reader Patricia Damron shared this haiku with me, complete with her own personal philosophy on security: Worthy engineers |
Friday Update: It’s 0day Week! [securosis.com] Posted: 24 Oct 2008 06:06 PM CDT Holy 0day Batman! On a totally different note, I think I found a minor security flaw in the RSA Conference session submission system. It appears that if you submit a session and add a speaker, you can overwrite some of the attributes of that speaker if they are already in the system. Minor, but annoying since I was submitted for something like 10 sessions and part of my bio kept changing while I was submitting my own stuff. Webcasts, Podcasts, and Conferences:
Favorite Securosis Posts:
Favorite Outside Posts:
Top News:
Blog Comment of the Week: |
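The session-submission flaw described in the Friday Update above (a submitter adding a speaker can overwrite attributes of a speaker already in the system) is a familiar shape: an upsert keyed on a natural identifier such as an e-mail address, with no check that the submitter owns the record being written. The following is an added Python illustration, not the RSA Conference system's code; its data model, field names, the e-mail key and the simplified ownership rule are all assumptions. The vulnerable handler is shown beside a create-or-link variant that never modifies a profile the submitter does not own.

```python
"""Speaker handling in a conference session-submission form (constructed example)."""
from copy import deepcopy

PROFILE_FIELDS = ("name", "bio", "title")  # assumed editable profile fields


def _profile_from(submitted):
    return {"email": submitted["email"].lower(),
            **{f: submitted.get(f, "") for f in PROFILE_FIELDS}}


class SpeakerStore:
    """In-memory stand-in for the speaker table, keyed on lower-cased e-mail."""

    def __init__(self):
        self.profiles = {}

    def get(self, email):
        return deepcopy(self.profiles.get(email.lower()))


def add_speaker_vulnerable(store, submitted):
    """Upsert keyed on e-mail. If the address already exists the stored profile is
    replaced wholesale with whatever the current submitter typed, so anyone who
    lists you as a co-speaker rewrites your bio, and fields they left blank are wiped."""
    key = submitted["email"].lower()
    store.profiles[key] = _profile_from(submitted)
    return key


def add_speaker_hardened(store, submitted, submitter_email):
    """Create-or-link. A new address creates a profile; an existing address is only
    linked to the session and left untouched, unless the submitter owns that
    profile, in which case only whitelisted fields that were actually supplied
    change. Ownership is simplified to 'same e-mail as the authenticated submitter'
    (assumption); a real system would compare authenticated user ids."""
    key = submitted["email"].lower()
    existing = store.profiles.get(key)
    if existing is None:
        store.profiles[key] = _profile_from(submitted)
        return key, "created"
    if submitter_email.lower() != key:
        return key, "linked"          # someone else's profile: attach, do not modify
    for f in PROFILE_FIELDS:
        if f in submitted:            # owner edit: partial update, whitelisted fields only
            existing[f] = submitted[f]
    return key, "updated"


def seeded_store():
    """A store holding one existing speaker (constructed data)."""
    s = SpeakerStore()
    s.profiles["pat@example.com"] = {"email": "pat@example.com", "name": "Pat Example",
                                     "bio": "Original bio", "title": "Analyst"}
    return s


if __name__ == "__main__":
    hostile = {"email": "Pat@Example.com", "name": "Pat Example", "bio": "Rewritten by a stranger"}
    s = seeded_store()
    add_speaker_vulnerable(s, hostile)
    print("vulnerable:", s.get("pat@example.com"))
    s = seeded_store()
    print(add_speaker_hardened(s, hostile, submitter_email="other@example.com"), s.get("pat@example.com"))
    print(add_speaker_hardened(s, {"email": "pat@example.com", "bio": "Owner edit"}, "pat@example.com"),
          s.get("pat@example.com"))
```

The hardened version still lets a submitter attach an existing speaker to a session, which is the legitimate use; what it refuses is the side effect. Note the case normalisation on the key: without it the same person could exist twice, which is a different but related mess.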
Arista Networks: Cloud Networking? [Rational Survivability] Posted: 24 Oct 2008 05:32 PM CDT Arista Networks is a company stocked with executives whose pedigrees read like a who's-who of the networking metaverse. The CEO of Arista is none other than Jayshree Ullal, the former Senior Vice President at Cisco responsible for their Data Center, Switching and Services, and Andreas von Bechtolsheim from Sun/Granite/Cisco serves as Chief Development Officer and Chairman. I set about to understand what business Arista is in and what problems they aim to solve given their catchy (kitschy?) tagline of Cloud Networking™. Arista makes 10GE switches utilizing a Linux-based OS they call EOS which provides high-performance networking. The EOS features a "...multi-process state sharing architecture that completely separates networking state from the processing itself. This enables fault recovery and incremental software updates on a fine-grain process basis without affecting the state of the system." These seem like a reasonable set of assertions, but I don't see much of a difference between these requirements and the transformative requirements of internal enterprise networks today, especially with the adoption of virtualization and real-time infrastructure. Pawing through their Cloud Networking Q&A, I was struck by the fact that the fundamental assumptions being made by Arista around the definition of Cloud Computing are very myopic and really seem to echo the immaturity of the definition of the "cloud" TODAY, based upon the industry bellwethers being offered up as examples of leaders in the "cloud" space. Let's take a look at a couple of points that make me scratch my head: Q1: What is Cloud Computing? A1: Cloud Computing is hosting applications and data in large centralized datacenters and accessing them from anywhere on the web, including wireless and mobile devices. Typically the applications and data are distributed to make them scalable and fault tolerant. 
This has been pioneered by applications such as Google Apps and Salesforce.com, but by now there are hundreds of services and applications that are available over the net, including platform services such as Amazon Elastic Cloud and Simple Storage Service. That's a very narrow definition of cloud computing and seems to be rooted in examples of large, centrally-hosted providers today such as those quoted. This definition seems to be at odds with other cloud computing providers such as 3tera and others who rely on distributed computing resources that may or may not be centrally located. Q4: Is Enterprise Cloud Computing the same as Server Virtualization? A4: They are not. Server Virtualization means running multiple virtualized operating systems on a single physical server using a Hypervisor, such as VMware, HyperV, or KVM/XVM. Cloud computing is delivering scalable applications that run on a remote pool of servers and are available to users from anywhere. Basically all cloud computing applications today run directly on a physical server without the use of virtualization or Hypervisors. However, virtualization is a great building block for enterprise cloud computing environments that use dynamic resource allocation across a pool of servers. While I don't disagree that consolidation through server virtualization is not the same thing as cloud computing, the statement that "basically all cloud computing applications today run directly Q5: What is Cloud Networking? A5: Cloud Networking is the networking infrastructure required to support cloud computing, which requires fundamental improvement in network scalability, reliability, and latency beyond what traditional enterprise networks have offered. In each of these dimensions the needs of a cloud computing network are at least an order of magnitude greater than for traditional enterprise networks. I don't see how that assertion has been formulated or substantiated. 
I'm puzzled when I look at Arista's assertion that existing and emerging networking solutions from the likes of Cisco are not capable of providing these capabilities while they simultaneously seem to shrug off the convergence of storage and networking. Perhaps they simply plan on supporting FCoE over 10GE to deal with this? Further, ignoring the (initial) tighter coupling of networking with virtualization to become more virtualization-aware, with the likes of what we see from the Cisco/VMware partnership delivering VN-Link and the Nexus 1000v, leaves me shaking my head in bewilderment. Further, with the oft-cited example of Amazon's cloud model as a reference case for Arista, they seem to ignore the fact that EC2 is based upon Xen and is now offering both virtualized Linux and Windows VM support for their app stack. It's unclear to me what problem they solve that distinguishes them from entrenched competitors/market leaders in the networking space unless the entire value proposition is really hinged on lower cost. Further, I couldn't find much information on who funded (besides the angel round from von Bechtolsheim) Arista and I can't help but wonder if this is another Cisco "spin-in" that is actually underwritten by the Jolly Green Networking Giant. If you've got any useful G2 on Arista (or you're from Arista and want to chat,) please do drop me a line... /Hoff |
EFF Offers NSA Spoof T-Shirts [Liquidmatrix Security Digest] Posted: 24 Oct 2008 05:03 PM CDT This is rather funny capper to a long week. The EFF, in a bid to raise donations, has made t-shirts with their spoof of the National Security Agency’s logo on them. Very amusing. From EFF:
This is available for a donation of $65 or more. Very cool shirt and the money helps to fund a great cause. |
Will You All Please Shut-Up About Securing THE Cloud...NO SUCH THING... [Rational Survivability] Posted: 24 Oct 2008 04:02 PM CDT How'd ya like this picture of "THE Cloud..." This love affair with abusing the amorphous thing called "THE Cloud" is rapidly approaching meteoric levels of asininity. In an absolute fit of angst I make the following comments:
If you thought virtualization and its attendant buzzwords, issues and spin were egregious, this billowy mass of marketing hysteria is enough to make me...blog ;) C'mon, people. Don't give into the generalist hype. Cloud computing is real. "THE Cloud?" Not so much. /Hoff (I don't know what it was about this article that just set this little rant off, but well done Mr. Moyle) |
Oracle APEX Vulnerability Comment [securosis.com] Posted: 24 Oct 2008 11:45 AM CDT I was asked about the recent post by Pete Finnigan regarding the APEX vulnerability that he discovered, which was part of the recent Oracle CPU and which Pete elaborated upon in a recent post. Pete is one of the best in the business at Oracle security, so when he lists something as a vulnerability, people usually react. The question was why I had recommended applying the new Oracle CPU under normal patch cycles when this looked like a reasonably serious vulnerability. Why wait? You don’t need to wait, but if you are vulnerable to this attack, you probably have bigger issues that should have been addressed already. Specifically:
APEX is a handy development tool, but if you are a DBA or a security professional, reading Oracle’s description should make the hair on the back of your neck stand up: “APEX is operated from a web browser and allows people with limited programming experience to develop professional applications.” A powerful tool in the hands of inexperienced programmers sounds like handing out loaded guns. Patch if you think you are susceptible to this vulnerability, but for self-preservation, run some assessments to catch this class of vulnerability and not just this issue. -Adrian |
Fake Fish and Security [Emergent Chaos] Posted: 24 Oct 2008 11:04 AM CDT There was a very interesting article in the New York Times, "Fish Tale has DNA Hook," in which two high school students used DNA testing to discover that nearly 1/4 of the sushi they tested and identified was mis-labeled. The article only identifies one of the vendors: Dr. Stoeckle was willing to divulge the name of one fish market whose products were accurately labeled in the test: Leonards’ Seafood and Prime Meats on Third Avenue. John Leonard, the owner, said he was not surprised to find that his products passed the bar code test. “We go down and pick the fish out ourselves,” he said. “We know what we’re doing.” As for the technology, Mr. Leonard said, “it’s good for the public,” since “it would probably keep restaurateurs and owners of markets more on their toes.” I was amused by this, but Robin Hanson had an interesting comment: This is a huge fraud rate. Will diners continue to tolerate it? Probably, yes - I suspect diners care more about affiliating with impressive cooks and fellow diners than they do that fish is correctly labeled. I think that there's a related phenomenon in software security. It's hard to accurately identify secure or insecure software. It's usually easier to look at other elements of what makes a program useful. Which makes for a very fishy market. Photo: "Dinner at Masa: O! Fishy fishy fishy fish" by mobil'homme. |