
Discussions

evildictaitor - Devil's advocate
  • What PC's need in post floppy/cd-rom/dvd/snowden era

    kettch wrote:

    A key to computer security is knowing that you can never keep out a truly determined and capable foe without arcane methods that make system unusable. Even then, it's not going to make a difference.

    So, we do the most we reasonably can in order to keep out the ordinary criminals. If you go too far with security paranoia, you won't actually get any work done.

    Security paranoia can paralyze you, but security nihilism is also dangerous.

    For most people, being 100% secure isn't achievable - but that's not the case for everybody. It is possible to design systems that have ideal security, it's just hard and expensive. But for things like securing your nuclear power station so someone can't raise the rods and leave them up until the plant goes nuclear, it's probably worth the effort.

    For most people though, there are some basic security things that will stop the vast majority of real-world hackers from breaking in:

    * Patch your machine regularly.
    * Use SSL/TLS across your whole site. Seriously. All of it.
    * Use strong, unique passwords.
    * Parameterize your SQL. Always. Even when you think it's safe, it's safer to parameterize.
    * Always write in a managed language. The number of people who can write unmanaged code safely would fit in a small bar.
    * For websites, store *all* user-data in a database, never on the filesystem - even if the data feels like a file.
    * Avoid reflection, and constructs like eval. They are a sign of poor design, and are often vulnerable to code-injection attacks.
    * Keep your corporate network and operations networks separate. Corporate networks are hard to secure; operations networks can be kept clean and secure much more easily.

    There's other stuff you can do once you've done all of that, but it rapidly gets into diminishing returns territory. Following the advice above will stop well over 99.99% of all real-world attacks against your program.
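The "parameterize your SQL, even when you think it's safe" point above, as an added example that is not part of the post: a lookup on an integer column feels safe to build by string concatenation because there are no quotes to break out of, yet the same input handled by a bound parameter is treated purely as data. The table, rows and inputs are constructed here for illustration.

```python
import sqlite3


def make_db():
    """Constructed in-memory sample data (not from the forum post)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "admin"), (2, "bob", "user"), (3, "carol", "user")],
    )
    return conn


def by_id_concat(conn, user_id):
    # "It's only an integer column, nothing to quote" is exactly the case
    # where string building feels safe but the input is still parsed as SQL.
    sql = f"SELECT name FROM users WHERE id = {user_id} ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def by_id_param(conn, user_id):
    # Parameterized: the driver binds the value after the statement is
    # compiled, so whatever the caller sends is compared as a value, never
    # interpreted as part of the query text.
    sql = "SELECT name FROM users WHERE id = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (user_id,))]


def demo():
    """Run both variants on a normal and on a constructed malformed input."""
    conn = make_db()
    good = "2"
    bad = "2 OR 1=1"  # constructed hostile value, e.g. from a query string
    return {
        "concat_good": by_id_concat(conn, good),   # ['bob']
        "concat_bad": by_id_concat(conn, bad),     # every row leaks
        "param_good": by_id_param(conn, good),     # ['bob']
        "param_bad": by_id_param(conn, bad),       # no row matches the literal
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:12s} -> {rows}")
```

SQLite applies numeric affinity to the bound text "2" when comparing it with an INTEGER column, which is why the parameterized lookup still finds the row; the hostile string cannot be converted, so it simply matches nothing.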


  • Turn on SSL 3.0, TLS 1.0, TLS 1.1 and TLS 1.2

    cheong wrote:

    @spivonious: The correct way to address this problem is to rearrange the cipher preference order so TLS comes up first. Then leave a message in a noticeable area pointing to Microsoft's instructions on how to disable SSLv3 or below and enable TLS.

    If they still want to risk security problems by not doing anything... well, just let it be. You have, after all, done your job by trying to warn them.

    Um, you're confusing ciphersuites with TLS versions.

    TLS always uses the highest version that both the client and server support. In the vast majority of circumstances, that's TLS1.2.

    Ciphersuites are the individual ciphers within TLS that are actually doing the various bits of cryptography. Some of those are set by the certificate (i.e. the asymmetric handshake), some are set by negotiation (e.g. the symmetric-cipher and the HMAC cipher).

    You can re-order the ciphersuites - e.g. if you prefer RC4 to AES, but you can't reorder TLS versions. TLS always chooses the best version available.

    Nowadays, there's really no excuse for your server or client supporting TLS1.0 or below. It's just deadweight code that might contain critical bugs - as some of the recent SChannel bugs have so depressingly shown.

  • MS to pay China $140 Million for Tax Evasion

    Good. Microsoft and other tech-companies should pay the taxes they owe in every country.

    Hopefully at some point the US and Europe will follow suit and start asking Microsoft, Google and Amazon to pay some taxes there too.

  • Bill Gates at the House of Lords (London)

    Proton2 wrote:

    "Therefore, Lord Monckton remains a Member not only of the Peerage but also of the House of Lords, save only that he cannot for now sit or vote there, and he was and is fully entitled to say so."

    http://www.parliament.uk/documents/lords-information-office/2011/letter-to-viscount-monckton-20110715.pdf

  • Are you still on XP?

    kettch wrote:

    @evildictaitor: In that case the computers will not be hooked up to the internet, so it's perfectly fine.

    That is a bold assumption.

  • Are you still on XP?

    figuerres wrote:

    I find that one hard to take. Difficult, yes; costly, yes; but "can't be upgraded", no. More like they have no dire reason why they have to. Like if the servers are not on the internet and they expect them to be able to keep working for at least 10 more years, then they won't do it.

    No - as in "if we turn this computer off - even briefly to install updates - we will need to turn the whole plant off, because it manages critical safety equipment for the plant."

    "It takes a month to restart the plant, because once it is off, the fact that the furnace has been off, means that all of the ceramic plates around the furnace will have cooled and cracked, so we'll need to replace them."

    "Therefore the cost of rebooting that machine is $25m. So no. We will not upgrade it until the plant needs to stop for other reasons."

    Sometimes it genuinely is the case that upgrades contain non-IT related risks that dwarf the IT risks associated with not upgrading.

  • Are you still on XP?

    cheong wrote:

    @lgeurts: At least they're not still using NT4 servers. (And I'm not kidding. There are a few low-profile government projects which never get around to getting budget for a renewal / rewriting process. So I think these servers are very unlikely to be replaced... at most they'll be moved into a VM and continue to run under... NT4.)

    A depressingly large amount of the Energy sector uses NT4 servers to make sure your lights turn on when you flick the switch - and at this point they can't be upgraded, only hardened until the power stations go out of service.

  • Windows 7 lurks within Windows 8

    That's just the non-DWM (i.e. non-hardware accelerated skin) peeking through.

    You get it by default if you disable your graphics driver and go back to VESA/VGA.

  • Bing Halloween theme

    cbae wrote:

    Depends on where you live and what you're searching for.

    America, and searching for MSDN definitions - ironically on Microsoft's website - mostly.

  • 10. BINDING ARBITRATION AND CLASS ACTION WAIVER IF YOU LIVE IN THE UNITED STATES

    Proton2 wrote:

    By law, I cannot pay for health care in Canada, no matter how wealthy I might be.

    Some 75% of Canadians have some form of supplementary private health insurance; many of them receive it through their employers [cite]