"It is the mark of an educated mind to be able to entertain a thought without accepting it."
-Aristotle

About Me

I am a co-founder of Notches, an early stage startup currently based in NYC. We are building a free, open reviews network that anyone can participate in and anyone can build on top of. You can find out more on our official blog.

All Tags » Misbehaving Software » Security (RSS)
  • The Prevalence and Danger of SQL Injection

    Michael Sutton looks at the prevalence of SQL injection vulnerabilities (via Bruce Schneier). He tested 708 different servers and found verbose SQL errors on 80 of them (11.3%) - numbers that are not, as Michael says, surprising but are certainly sobering. Michael acknowledges that his method is imperfect, and in fact I think the percentage is actually a lot higher. His test only captures sites that are vulnerable and actually return verbose error messages. I guarantee there are countless others on his list that were actually vulnerable and fail "silently" (i.e., reporting "user name not found" but not the words he is testing for). If you're not familiar with SQL injection, and what can happen as a result, I suggest reading Steve Friedl's wonderful introduction in SQL Injection Attacks by Example. Oh, Scott Guthrie also had a great post on how to avoid these problems. As you can see, it's not difficult - you just have to be aware and not construct...
  • Microsoft's Genuine Advantage: WGA Phones Home

    Windows Genuine Advantage phones home, sending the product key, manufacturer, operating system version, BIOS information and user locale setting and language back to Microsoft servers. WGA phones home even after the particular copy has been validated. Microsoft defended this, saying its intentions are good: when the WGA Notifications checks in with Microsoft when a PC is booted, it is not providing any information to the vendor if a PC's copy of Windows has already been validated. Instead, it is checking with a "server-side configuration setting to determine if WGA should run or not." The check-in also gives Microsoft the ability to disable the WGA program, if necessary. It looks like Microsoft has since backed off somewhat and will only be checking on 14-day intervals. Fortunately, OneCare blocks it. (Apparently, some have reported that ZoneAlarm does not.) Tags: Microsoft, Windows, WGA, windows genuine advantage